'blaster' worm
Discussion
Apache said: Yes, you need a virus guard definition from Norton or other similar provider dated after 11/8/03. Windows are providing critical updates on their web site which should put right any damage. I have two PCs, one W2000, the other XP. Both were infected, both are now OK.
anyone know how to protect against this?
If you're not acting as a fileserver for internet machines, then simply block all inward netbios packets at your router. This will also block a bunch of other 'hacking' tactics from the outside.
If you're not using a router with packet filtering capabilities, you can use ZoneAlarm or similar to do the packet filtering.
It goes without saying to download the patches!!
Patch available from here:
www.microsoft.com/security/incident/blast.asp
much easier than going through windowsupdate.com
Also, an alternative fix tool and a bit of info from Sophos is available here:
www.sophos.com/support/disinfection/blastera.html
John
Been there, done that. I'd had it for a few days before I decided to go looking. First I downloaded the patch. Great, except that when you try to install (Win 2K Professional) it says that you need at least Service Pack 2 installed first. So, off to the Windows download site. Alas for whatever reason I couldn't get the SP to download.
Spoke to the daughter's other half and he said 'Ah yes, I have the answer' and within minutes he appeared at my place with a Microsoft disc that had Service Pack 4. Installed that no problem, then he also had the worm patch on a separate disk to save me the download again. Poked that in, rebooted and everything has been hunky-dory since.
So screw you, whoever created the worm. There are people more intelligent than you on this planet. Get a life other than the amoebic one you already have.
To the rest of you: be cool. It can be fixed.
Part of the problem seems to be that either the worm attacks the Windows download routine, or that sheer weight of numbers is overloading the download site.
Ask around for one of the service packs, then just download the patch.
As for the daughter's fiance, I suppose I can't get out of welding that Locost chassis for him now... :doh:
Ian
http://news.bbc.co.uk/1/hi/technology/3151439.stm
The true extent of the spread of the virus is likely to become apparent on Saturday morning when infected machines are supposed to launch a co-ordinated attack on the Microsoft's Windows update site.
Fantastic!
Every time a virus/trojan of this type arrives I can't help laughing at the number of big firms that are brought to their knees!
The exploit was publicised a month ago, along with the patch. Lo and behold, a month later an exploit is released into the wild and everyone is running around in a panic firefighting.
Big firm, small firm or individual at home - every week or two, point your browser at www.windowsupdate.com and relax!
zumbruk said:
Mark.S said:
Every time a virus/trojan of this type arrives I can't help laughing at the number of big firms that are brought to their knees!
So how would you like to install fixes every 2 or 3 days on 12,000 machines? Especially when those fixes break other things.
You shouldn't be in that situation if your sysadmins are worth anything. IDS and scanners are 2 a penny these days. There really is no excuse for these small viruses.
My 2p'th as an IT ops manager for a large company
Steve
fatsteve said:
zumbruk said:
Mark.S said:
Every time a virus/trojan of this type arrives I can't help laughing at the number of big firms that are brought to their knees!
So how would you like to install fixes every 2 or 3 days on 12,000 machines? Especially when those fixes break other things.
You shouldn't be in that situation if your sysadmins are worth anything. IDS and scanners are 2 a penny these days. There really is no excuse for these small viruses.
My 2p'th as an IT ops manager for a large company
Steve
And please could you explain just how IDS or a "scanner" is going to help in this situation!!! IDS may tell you that a worm has got in but it will not stop/prevent or fix it, for that you must apply the patch.
I'm just waiting for someone to get this worm modified (make it nasty) and then attach it to an email infector. Spam it to the world and then sit back and watch it sail through the perimeter(sp?) defences. All those admins that haven't patched because they have 135 blocked at the firewall are going to be in for a late night/weekend.
All it takes is one user to open the mail and it will be released and free to roam through the unpatched networks mailing itself to everyone just before it trashes your disks.
Get patching
tuffer said:
fatsteve said:
zumbruk said:
Mark.S said:
Every time a virus/trojan of this type arrives I can't help laughing at the number of big firms that are brought to their knees!
So how would you like to install fixes every 2 or 3 days on 12,000 machines? Especially when those fixes break other things.
You shouldn't be in that situation if your sysadmins are worth anything. IDS and scanners are 2 a penny these days. There really is no excuse for these small viruses.
My 2p'th as an IT ops manager for a large company
Steve
And please could you explain just how IDS or a "scanner" is going to help in this situation!!! IDS may tell you that a worm has got in but it will not stop/prevent or fix it, for that you must apply the patch.
Sorry tuffer, my gripe was aimed at general viruses not RPC exploits which obviously need patching. The point is if you regularly patch your OS's then you are less susceptible to these issues. The number of companies I know that have little or no IDS or vscan is scary.
Steve
Equally, how many people out there actually need to expose Windows netbios ports to the internet?? (this is a serious question). The DCOM bug can't be exploited without port 135 being open (or 445, IIRC).
A simple cheap packet filtering router will halt these sorts of attacks. The worms that you have to really worry about are the ones that exploit buffer overflows (i.e. shoddy code) in net server software that you HAVE to expose to the internet (e.g. web server, à la Code Red).
Loads of firms don't filter everything except the ports that they are actually serving on - I found a company server the other day that was running 2K advanced server and had EVERYTHING open to the outside world. Crazy.
Any decent sysadmin should lock this down.
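The check described in the post above (nothing reachable from outside except the ports you actually serve), as an added example that is not part of the original thread: it parses `netstat -an` output and flags listeners that are not on an allowlist. The sample output, the `served_ports` allowlist and the function names are constructed for illustration; ports 137-139 are the standard NetBIOS ports, added alongside the 135 and 445 named in the thread.

```python
# Constructed sample of Windows `netstat -an` output (not from the thread).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.0.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.0.10:1045      203.0.113.7:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Ports the thread names (135, 445) plus the standard NetBIOS ports 137-139.
WINDOWS_RPC_SMB = {135, 137, 138, 139, 445}


def listeners(netstat_text):
    """Yield (proto, address, port) for sockets reachable from other hosts."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a state; only LISTENING ones accept connections.
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue
        # UDP has no state column; a wildcard foreign address means unconnected.
        if proto == "UDP" and fields[2] != "*:*":
            continue
        addr, _, port = local.rpartition(":")
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only, not reachable from the network
        yield proto, addr, int(port)


def audit(netstat_text, served_ports):
    """Return listeners outside the allowlist, RPC/SMB ports listed first."""
    findings = []
    for proto, addr, port in listeners(netstat_text):
        if port in served_ports:
            continue
        severity = "block-at-perimeter" if port in WINDOWS_RPC_SMB else "review"
        findings.append((severity, proto, addr, port))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_NETSTAT, served_ports={80}):
        print(*finding)
```

A listener that shows up here is only a candidate: whether it is reachable from the internet still depends on the router or host firewall in front of it.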