
WARNING - W32.Blaster.Worm is spreading



Posted by: admin

Quote:
Dear Valued Subscribers,

On August 12, 2003, a worm called "W32.Blaster.Worm" began spreading on the internet. W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability (Windows Distributed Component Object Model Remote Procedure Call, or MS03-026) using TCP port 135. This worm attempts to download and run the msblast.exe file.

Also known as: W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure], WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]
Systems Affected: Windows 2000, Windows XP

The purpose of this virus is to spread to as many machines as possible. By exploiting an unplugged hole in Windows, the worm attempts to perform a Denial of Service (DoS) on Windows Update and prevent you from applying a patch on your computer against the DCOM RPC vulnerability. The worm also creates a remote access point, allowing an attacker to run system commands of their choosing.

Our recommendation on this matter for your system security is that you should avoid opening attachments sent with suspicious e-mails and delete them immediately. Responding to or forwarding the message can cause the virus to spread further.

For more information and advisories, please visit:

http://securityresponse.symantec.co...aster.worm.html

http://www.trendmicro.com/vinfo/vir...=WORM_MSBLAST.A

Thank you for your attention.

Best regards




Posted by: admin

PS> This is a genuine alert received from my ISP. It was not spammed,
so the advisory links above should be OK to click on, I hope.
Maybe someone with a more technical background can advise.



Posted by: neo

Yes, it is a real threat.
One that Microsoft themselves issued a report on.
McAfee has an advisory on it too, and added it to their Stinger utility.
And I have not looked further.

One quick way to see if you have "contracted" it is to look in your system32 directory (inside your windows directory) for a file with "msblast" as its name. I believe the extension is ".exe"

A simple way to check is to "search for files" on your "c:" drive with the name "msblast"

If you do find it there then you will need to go to www.microsoft.com or www.mcafee.com and follow their directions carefully. You cannot just delete it, and incorrect removal could leave your system doing a reset immediately after boot. The MOST important thing to get rid of the worm is to apply all critical updates BEFORE trying to remove the worm (as stated by Microsoft), so follow their directions carefully.

The GOOD news is that Windows 9x systems are safe, and if you have applied all the critical updates to NT, 2000, XP and 2003 systems then you should be safe too.

Dialup is not much protection, since an infected system takes a random block of IP addresses and looks for vulnerable systems to infect. So it's "Russian roulette" as to whether your IP is picked or not. Obviously "always on" broadband connections are at a higher risk.

neo

directory (older term used by non-IBM) == folder (newer term used by IBM and taken up by Microsoft)
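The check neo describes (look in system32, then search the whole drive, for a file named "msblast") as a small script. This is an added example, not code from the thread or from any vendor's removal tool; it uses only the Python standard library, the demo directory tree it builds is constructed here, and the SystemRoot lookup is the only Windows-specific assumption. It reports any file whose name minus extension is "msblast", exactly as a name-only file search would, so a hit still needs its extension and location checked before you treat it as the worm.

```python
import os
import sys
from pathlib import Path

INDICATOR_STEM = "msblast"   # the file name neo says to look for (normally msblast.exe)


def find_msblast(root) -> list:
    """Walk `root` and return every file whose name, with the extension
    removed, is "msblast" (case-insensitive). This mirrors the manual
    "search for files named msblast" step; a hit ending in .exe inside
    system32 is the one the advisory describes."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).stem.lower() == INDICATOR_STEM:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def system32_dir() -> Path:
    """Where Windows keeps system32; SystemRoot is set on every Windows box."""
    return Path(os.environ.get("SystemRoot", r"C:\Windows")) / "system32"


def build_demo_tree(base) -> None:
    """Constructed directory layout used only to exercise the scan offline."""
    base = Path(base)
    layout = {
        "windows/system32/MSBLAST.EXE": b"stub, not a real executable",  # the indicator, odd case on purpose
        "windows/system32/msblastx.exe": b"decoy",                       # must NOT match
        "windows/system32/notepad.exe": b"benign",
        "users/docs/msblast.txt": b"a note",  # same stem, wrong extension: reported, needs human review
    }
    for rel, data in layout.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def run_demo() -> list:
    """Build the throwaway tree, scan it, and return hits relative to its root."""
    import tempfile
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        return [Path(p).relative_to(base).as_posix() for p in find_msblast(base)]


if __name__ == "__main__":
    print("demo scan:", run_demo())
    if sys.platform == "win32":
        # On a real machine: system32 first, then the whole drive, as neo suggests.
        print("system32 hits:", find_msblast(system32_dir()))
        print("drive hits:", find_msblast(Path(os.environ.get("SystemDrive", "C:")) / "\\"))
```

A positive result is only the indicator; as the post says, the order of work is apply the critical updates first, then follow the vendor's removal directions, not delete the file by hand.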



Posted by: awty

(FYI) I also found a note from my ISP (cox cable) that they're closing off (Filtering) port 135 traffic from the internet into the cox network. So, if anyone's running an Exchange server or similar services at home on cox.net, it may not work. Suggestion was setting up a VPN link.

And, a personal note, if I may. YES, you WILL see that many will suggest not applying Windows updates soon after they come out, in order to avoid running into the 'fix of the fix'. However, over the last 3 years or so, I have found that the windows updates have been much more solid than they were in the past, and I now apply them as soon as I can. Again, just my personal preference and experience...

Thanx for the information, Neo! Since it picks random IPs, this is one situation where a firewall can be a big help!

Jeff



Posted by: memorex

I have always had and used the automatic updater since it has been available,
which relieves me of the worry of whether I have, or have not, got the fix.
It has, with other things, kept me from most problems that are flying around cyberspace at any given time.
regards
memorex



Posted by: droesparky

I use McAfee online virus scan, and late last night when I came home there was a red box reporting this worm. I don't know if that means it tried to infect me and McAfee killed it, but I have run all my bug finders and am still clean.



Posted by: admin

Another update - Interesting to see the different attachments that it uses

Quote:
Virus Advisory

The virus is called "Sobig". This virus sends out emails to all the addresses in your contact list, and makes it appear as though the email was sent by someone else in your contact list.

Symantec (makers of the Norton line of software) has released a free Sobig worm removal tool. If you already have antivirus software, download the latest virus definition file from your vendor, and run a complete system scan.

The following is a list of subject lines and attachments the virus tends to use:

Subject:
Re: Details
Re: Approved
Re: Re: My details
Re: Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application

Body:
See the attached file for details
Please see the attached file for details.

Attachment:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
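The subject, body and attachment lists quoted above, turned into a mail-screening check. This is an added example, not code from the thread or from Symantec; it uses only the standard library's email package, and the messages it scores are constructed inline. Beyond the literal lists it also flags any attachment with a .pif or .scr extension, since both run as executables on Windows, and it ignores the From: header because the advisory says the worm forges it from the victim's contact list.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from pathlib import Path

# Indicators copied from the advisory, lower-cased for matching.
SOBIG_SUBJECTS = {s.lower() for s in (
    "Re: Details", "Re: Approved", "Re: Re: My details", "Re: Thank you!",
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
)}
SOBIG_BODIES = {
    "see the attached file for details",
    "please see the attached file for details.",
}
SOBIG_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif", "your_details.pif",
    "details.pif", "document_9446.pif", "application.pif", "wicked_scr.scr",
    "movie0045.pif",
}
# Both extensions are executable on Windows even though they look like data files.
RISKY_EXTENSIONS = {".pif", ".scr"}


def attachment_names(msg: EmailMessage) -> list:
    """Collect the file name of every MIME part that carries one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def score_message(raw: str) -> dict:
    """Parse a raw RFC 822 message and list every Sobig indicator it matches.
    The From: header is deliberately not used: the worm forges it, so a
    familiar sender is not evidence either way."""
    msg = message_from_string(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part else ""
    names = attachment_names(msg)
    reasons = []
    if subject.lower() in SOBIG_SUBJECTS:
        reasons.append(f"subject line matches advisory list: {subject}")
    if body in SOBIG_BODIES:
        reasons.append("body text matches advisory list")
    for name in names:
        suffix = Path(name).suffix.lower()
        if name.lower() in SOBIG_ATTACHMENTS:
            reasons.append(f"attachment name matches advisory list: {name}")
        elif suffix in RISKY_EXTENSIONS:
            reasons.append(f"attachment extension {suffix} is executable")
    return {"subject": subject, "attachments": names,
            "reasons": reasons, "suspicious": bool(reasons)}


def build_sample(subject: str, body: str, attachment_name=None) -> str:
    """Constructed test message; the attachment bytes are a harmless stub."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"   # looks like a contact, as the worm's mail does
    msg["To"] = "you@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"not a real executable", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    for args in (("Re: Wicked screensaver", "See the attached file for details", "wicked_scr.scr"),
                 ("Quarterly numbers", "Attached.", "report.pif"),
                 ("Lunch on Friday?", "Noon at the usual place.", None)):
        print(score_message(build_sample(*args)))
```

The three constructed messages show the three outcomes: a full match on subject, body and attachment name; a message that matches nothing in the lists but still carries a .pif attachment; and an ordinary mail that is left alone. Lists like these go stale as the worm's variants change, which is why the advisory also tells you to update definitions and run a full scan rather than rely on subject lines.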




Posted by: neo

Quote:
Originally Posted by droesparky
I use McAfee online virus scan, and late last night when I came home there was a red box reporting this worm. I don't know if that means it tried to infect me and McAfee killed it, but I have run all my bug finders and am still clean.


You will find that you are also signed up for McAfee's advisory service, which is seen as a red box telling you of new threats that are considered significant. This is not saying you have the virus, but rather saying 'be warned' and keep updated.

hope this explains it

Neo



