
Blaster Worm Virus


XunknownX

Disabled
Joined
Jul 12, 2003
Location
Palmdale, CA
Full Article - Overclockers.Com

From The Article "A New Nasty" - Ed Stroligo - 8/12/03
The Inquirer reports on a new virus you should take very seriously.

The reason why is that you don't have to do anything dumb to get infected, like get happy fingers when you get email attachments.

Rather, it comes looking for you.

The Inquirer article provides the necessary links to find out more about the virus and the necessary patches/files you need to prevent this from happening and fixing it if it already has.

What it doesn't mention is that a minute or two after booting into Windows, it tells you it's going to shut your machine down after sixty seconds, gives you a countdown, and proceeds to do just that.

If you have just one machine handy, it leaves you with a Catch-22. You can't retrieve the necessary files fast enough before the machine shuts down, and if you go into Safe Mode, the virus isn't the problem, but then you can't access the Internet to get the fix.

How do I know this? I just had to do a house call with someone with this problem. It was simple enough for me to go home and get the necessary files, but it may not be so easy for you.

In any event, better to prevent this from happening to begin with. You can get the Microsoft patch for WindowsXP here and Windows2000 here.

If you're already infected, go here for a fix tool and further instructions.

Before fixing an XP system, you ought to turn off System Restore first. The Symantec link on how to do so doesn't work, but this one does.

NOTE: This Information Is Edited :- Reading The Full Article Is Recommended

1) What is your opinion of this virus and the people who created it?
2) Can Microsoft do more to protect its users?
 
Comments Originally Posted By Labotomy Jack - Reposted after thread editing

I'm going to have to take the non-sympathetic standpoint here. The flaw the worm exploits has been known for I believe a month or two now and there has been a patch available. I don't see any excuse for not patching your system, and in any event one should at least have up to date antivirus software and should be running some sort of firewall.

The fact the viruses and worms are able to become so widespread is that so many people are lax in protecting themselves -- however by not protecting themselves they are hurting others. Granted I realize that for a large portion of computer owners they have little concept, if any, of viruses/worms/etc or what they need to do to protect themselves and others. I personally despise the idea of Automatic Updates but for many people it may be a necessary thing.

As for my specific experience with this worm I have already helped one person I work with remove it from their computer at home. It was a pretty easy process, Symantec has a removal tool on their site. You don't even need to boot into safe mode I believe. I'm also not so sure about the "devastating" part as I understand that other than propagating itself the worm doesn't really do much in the way of destruction. Well, until someone alters it...
 
I think the worm is pretty interesting, it has a good entertainment value.

There isn't much more Microsoft can do for their users, it's already been pretty easy to patch this thing for the last 3 weeks, the users are just dumb and lazy. If MS tried to do more, like making the updates compulsory... well all of a sudden they are big brother and everyone gets mad.
 
It is not so much a case of making updates compulsory - however I do feel there is a question of effective communication if the vulnerability is a serious one. MS I feel have a duty to inform all of its legitimate customers in such circumstances. The question is whether MS did do enough to forewarn its customers and judging by the infection rate I would say no - whether one thinks the users are dumb and lazy or not. As for the virus itself it is not particularly nasty in this instance and quite clearly the originators are sending a message to Mr Gates about serious flaws in his software so maybe that is not a bad thing?
 
How would you suggest they inform their customers? Besides putting it all over the television news, in the newspaper, and publicizing it enough so most computer-oriented websites pick it up?

Even after all that there's people who didn't patch. Hell, even if they only informed their legitimate customers, the majority of Windows users would still be uninformed.
 
Putting it in the newspapers and on TV? Don't seem to remember that - then again I don't live in the US.......
Don't XP users have to provide their email address upon registration? - if so that would seem a simple method - I don't have XP so maybe they did do that!
The point I am making is it is Microsoft's responsibility to alert users and obviously they did not do that well enough - and that applies to corporate businesses as well (something you would think would be much simpler to control) - hell IBM and Motorola were affected as well!
 
actually the latest updates to my anti (which I'm religious about) nor the router saved me.

I was infected yesterday....15 mins later I was clean. Still the point I had to shut down all of my systems one by one to scan them irked me.........but I remain clean now.

what exactly is it that these guys are shooting for? Most famous virus or longest jail term?
 
I had it on two machines, my main rig I did a reinstall and then I found the removal tool at Symantec and cleaned the second one, I found the little crapper again this morning on my main rig so I installed the patch and removed then added Zone Alarm.
 
We got hit hard here at work. The virus came in early Tuesday morning, and pretty much shut down the whole WAN because it overloaded the routers with traffic. Slowly, but surely we have been cleaning this up, but it's kind of hard to do when you have 3000+ PCs to deal with.

I seriously don't think Microsoft can do much more in this case. I got an email from them last week warning about the virus and to patch our PCs. Personally, I didn't think we'd be affected that bad since I'd hoped that the NetAdmins would have had the foresight to close the problematic ports on our firewall, but once it was inside that's when the real damage started. Since, I'm a SysAdmin that's not my realm, but I could have helped the problem if I'd have patched our boxes to begin with. So, in our case, I'd have to say the fault is with us.

Like XWRed1 said, what else can they do? I got an email from them and it went straight into the trash can. I heard about it on various computer-oriented websites and chose to do nothing. Yet, by some peoples' logic Microsoft is still to blame because they should have been calling everyone in the phone book, sending out junk snail mail, and spamming every possible combination of email addresses till they blanketed the world with warnings.

I am no fan of Microsoft, and only use their products because I'm forced to at work, and still feel they were stupid to have those vulnerabilities in the first place, but I didn't do my part to patch our systems when I knew about the problem. I learned a big lesson with this virus and won't be letting this happen a second time.

As far as the virus and the people who created it. The virus itself is pretty cool, I love how it uses tftp to download copies of itself. As far as the people who created it, I say since they gave us a virus we should give them a virus, something like ebola or AIDS should do fine.
 
Just double checking... none of my systems have shutdown or have been doing any weird stuff so I'm assuming I didn't get it (yet)? I'm pretty sure I ran Windows Update a few weeks ago and also I'm going through my Linksys router.

Actually I'll just do a Norton scan...
 
at work they're completely flipping out about it

like every 10 min the head desktop guy would come through telling us all to log off and log back on so the new update scripts would take hold

but considering a) a lot of people just lock their computer when they leave and b) of the desktop side a lot of users are there at allllll hours of the day I wonder if they will all get the message


if you don't see a USA Today out then you'll know what happened
 
Hmm...You know what...I've been hearing about this thing all week and I've yet to get infected. Then again, I'm running behind a linksys router with NAT and Sygate software firewall. Also, the only thing I've really been doing in terms of network are web surfing and AIM chatting so those are the only programs that I have allowed on my software firewall (in addition to the network services that are necessary of course). Plus I have no AV software. :D
 
I haven't got infected yet, but maybe it's my dialsuck connection... I'm running Trend PCCillin (Not the best, but free) but not actually scanning for anything. I also have no firewall... :D
 
I think Dave Barry summed it up well in his blog:
IS IT JUST THIS BLOG, OR...
...does "The Blaster Worm" sound to you like an affectionate nickname a guy might give to his male unit?

If nothing else, this episode underscores the importance of updating windows frequently. Not that we Linux users don't need to update too. :D
 
Had to remove it from two boxes today, I just hope that it doesn't hit any of the computers at my parents' work so I'm going to add the patches (because everyone there is computer illiterate and expects someone else to update the stuff) coz I don't want them to lose a couple hours of work (real estate place) time, they can get a lot done in that....heh I'm not even a worker there :rolleyes: I guess I could say I would have racked up my good deeds for a couple weeks :eek:

Fold and Frag on
Brian
 
Odd, everyone's saying that Microsoft doesn't inform their customers, but I received this email:

Date: 8/16/2003 09:43:36 -0700
From: "Microsoft" <0_51187_D9157AA8-8146-4620-AFC3-18C8B220AA38_US@Newsletters.Microsoft.com>
Reply-to: <3_51187_D9157AA8-8146-4620-AFC3-18C8B220AA38_US@Newsletters.Microsoft.com>
To: <[email protected]>
Subject: IMPORTANT SECURITY ANNOUNCEMENT - for Windows Users re: Blaster Worm
This e-mail message is being sent to you by Microsoft Corporation. To verify the authenticity of this e-mail message, please visit: http://go.microsoft.com/?linkid=222103


Dear Microsoft Customer,

On August 11, 2003, Microsoft began investigating a report of a worm, known as W32.Blaster.Worm, that exploits the vulnerability addressed by Microsoft Security Bulletin MS03-026. Microsoft released this critical security bulletin and corresponding patch for Windows operating systems on July 16, 2003. While some customers may not notice the presence of the worm infection at all on their computer systems, typical symptoms may include Windows XP and Windows Server 2003 systems rebooting every few minutes without user input or Windows NT4 and Windows 2000 systems becoming unresponsive.

If you applied security patch MS03-026 prior to the discovery of the Blaster worm, your system is secure from the vulnerability that W32.Blaster is using. For the most current information on determining if your systems are infected and how to recover from the infection, please go to the following Web site and perform the prescribed steps: http://go.microsoft.com/?linkid=222104. This site will be updated as more information regarding the W32.blaster worm becomes available.

Our goal is to provide you with the information and tools you need to help run your company safely and reliably. When we become aware of these types of vulnerabilities, it is our goal to share protection and remediation information with you as quickly as is possible. In order to help protect your computing environment from security vulnerabilities, we encourage you to use the Windows Update service by going to http://go.microsoft.com/?linkid=222105 and also subscribe to Microsoft's security notification service at http://go.microsoft.com/?linkid=222106. By using these two services you will automatically receive information on the latest software updates and the latest security notifications, thereby improving the likelihood that your computing environment will be safe from the worms and viruses that occur.

Thank you,

Microsoft Corporation

For information about Microsoft's privacy policies, please go to http://go.microsoft.com/?linkid=222102

I'm not exactly sure if this is 100% legit, as I haven't opened any of the links, mainly because I don't need to patch (what's that, a responsible windows user? :eek:; I patched weeks ago).

I do not run XP, and the times that I have, I did not register it. There are only two times I have given MS my email, one was when I registered to receive a demo of their 2003 Server, and I THINK once when I was surveyed on the site.
 
Shadow ÒÓ said:
actually the latest updates to my anti (which I'm religious about) nor the router saved me.

I was infected yesterday....15 mins later I was clean. Still the point I had to shut down all of my systems one by one to scan them irked me.........but I remain clean now.

what exactly is it that these guys are shooting for? Most famous virus or longest jail term?

How in the heck does it get past a NAT router firewall?
 
Audioaficionado said:


How in the heck does it get past a NAT router firewall?

NAT wouldn't help if you had a vulnerable box in the DMZ, or were for some reason forwarding port 135 to it, or someone put an infected computer on your LAN.
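
The third case in the reply above, an infected machine already inside the LAN, can be spotted in firewall or flow logs as one internal host trying TCP port 135 on many different addresses in a short time. The following is an added example, not part of the original thread; the log format, the LAN range and the threshold values are assumptions, and the sample traffic is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range
RPC_PORT = 135                     # the port named in the post above
WINDOW = timedelta(seconds=60)     # assumed tuning values
MAX_DISTINCT = 20

def parse(line):
    """Parse 'ISO-time src dst proto dport' (hypothetical log format)."""
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), ipaddress.ip_address(src), dst, proto, int(dport)

def scanning_hosts(lines):
    """Map each LAN source to its peak count of distinct TCP/135
    destinations inside WINDOW, keeping only peaks above MAX_DISTINCT.
    Lines are assumed to be in time order for each source."""
    recent = defaultdict(deque)    # src -> (time, dst) pairs still in window
    peak = defaultdict(int)
    for line in lines:
        ts, src, dst, proto, dport = parse(line)
        if proto != "tcp" or dport != RPC_PORT or src not in LAN:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > WINDOW:   # drop entries older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {str(s): n for s, n in peak.items() if n > MAX_DISTINCT}

def constructed_log():
    """Constructed sample traffic, not taken from any real network."""
    base, lines = datetime(2003, 8, 12, 8, 0, 0), []
    def add(offset, src, dst, port):
        lines.append(f"{(base + offset).isoformat()} {src} {dst} tcp {port}")
    for i in range(40):            # 40 different targets in 40 seconds
        add(timedelta(seconds=i), "192.168.1.23", f"10.{i}.0.5", 135)
    for i in range(30):            # one file server, plus web browsing
        add(timedelta(seconds=2 * i), "192.168.1.40", "192.168.1.2", 135)
        add(timedelta(seconds=2 * i), "192.168.1.40", "203.0.113.9", 80)
    for i in range(25):            # 25 targets, but one per minute
        add(timedelta(minutes=i), "192.168.1.50", f"10.9.{i}.1", 135)
    return lines

if __name__ == "__main__":
    for host, n in scanning_hosts(constructed_log()).items():
        print(f"{host}: {n} distinct TCP/135 destinations in {WINDOW}")
```

Only the first host is reported: the second talks to a single server on port 135, and the third never reaches more than two targets inside any one-minute window.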
 
I'm not sure how the patch works, but all someone would have to do is redirect the worm to another port/ports to nullify the patch?
 