Beware the MSBlaster Worm, it will get you

Discussion in 'rec.audio.pro' started by Luke Kaven, Aug 12, 2003.

  1. Rick Thomas

    Rick Thomas Guest

    in article vjmagt8vk1q05a@corp.supernews.com, Richard Crowley at
    rcrowley7@xprt.net wrote on 8/14/03 2:20 AM:

    > "Rick Thomas" wrote ...
    >> See everyone should own a mac.

    >
    > If they did then you would be the one complaining about the
    > unending infections. The juvenile delinquents go after whoever
    > has the biggest market share. At times like these you should
    > be glad Apple has such a tiny market share.
    >
    >

    Ahh, viruses just don't work as well on Mac OS and Amiga systems. They're too
    easy to spot and get rid of.
  2. > >"Rick Thomas" wrote ...
    > >> See everyone should own a mac.


    > Richard Crowley wrote:
    > >If they did then you would be the one complaining about the
    > >unending infections. The juvenile delinquents go after whoever
    > >has the biggest market share. At times like these you should
    > >be glad Apple has such a tiny market share.


    "Scott Dorsey" wrote ...
    > This may be true, but most of the security issues with Microsoft
    > products were just plain stupid ones due to fundamentally poor
    > design, and most of the patches don't really fix any of the problems.


    The vast majority of the security vulnerabilities seem to be poor (or
    seeming non-existent) buffer/pointer management. Some have
    suggested this is due to the way early Microsoft C compiler
    manuals were edited. All their new-college-grad programmers used
    the section showing how to do it, and never looked at the appendix
    explaining buffer overrun safeguards and pointer preservation. An
    apparent dearth of meaningful code review would appear to have
    neatly finished the job. Now there are likely thousands and thousands
    of vulnerable buffers ripe for the discovery by the next slime-ball
    virus "author".
  3. mrivers@d-and-d.com (Mike Rivers) wrote in news:znr1060812644k@trad:

    > I looked at the MS patch, but it looks like it's at least a month old.
    > I guess they must have thought about this one before someone actually
    > wrote a worm to take advantage of the hole.


    That's pretty normal. When the first worm exploiting a specific bug comes
    out, that bug has usually been known for months and the bugfix has been
    available for at least a month.

    > I just installed Service
    > Pack 4 (Win2K) last week (dated later than the patch), and I trust
    > that has all the appropriate security updates for this one.


    Don't. The service packs do not always contain all patches. Actually, I've
    once installed a service pack for Win2K that *removed* one of the security
    patches we had installed. A couple of hours after we had installed the
    service pack we had to take down the machine to remove a nasty worm. A worm
    which we thought couldn't get in there as we had installed the security
    patch fixing the bug that worm exploited. :-/

    Regards
    /Jonas
  4. George W.

    George W. Guest

    On Fri, 15 Aug 2003 15:35:36 GMT, Jonas Eckerman wrote:

    >> I just installed Service
    >> Pack 4 (Win2K) last week (dated later than the patch), and I trust
    >> that has all the appropriate security updates for this one.

    >
    >Don't. The service packs do not always contain all patches. Actually, I've
    >once installed a service pack for Win2K that *removed* one of the security
    >patches we had installed. A couple of hours after we had installed the
    >service pack we had to take down the machine to remove a nasty worm. A worm
    >which we thought couldn't get in there as we had installed the security
    >patch fixing the bug that worm exploited. :-/


    Anyone know the patch number for XP?

    Thanks.
  5. georgeh

    georgeh Guest

    There's a version for 32-bit and a version for 64-bit XP. There's a hyperlink
    to the downloads page right on the Microsoft home page.


    George W. <geowirth@comcast.net> writes:

    >Anyone know the patch number for XP?
    >Thanks.
  6. You don't need the number. Just go to www.windows.com and look on the right side
    of the page.

    > Anyone know the patch number for XP?
  7. Mike Rivers

    Mike Rivers Guest

    In article <Xns93D8B2F75FE57wastheworldcreatedby@127.0.0.1> jonas@truls.org writes:

    > The service packs do not always contain all patches. Actually, I've
    > once installed a service pack for Win2K that *removed* one of the security
    > patches we had installed.


    Nothing like a little configuration management, is there?


    --
    I'm really Mike Rivers - (mrivers@d-and-d.com)
  8. Rob Adelman

    Rob Adelman Guest

    Today in the office, the worm was propagating. Even though the "computer
    guy" assured us it wouldn't get us. He has firewalls and routers and
    security stuff and told us it wouldn't get in. But hey, it didn't get
    me, I have windows 98 on my work computer he,he..
    So the lady in the front area was sitting there with her computer
    shutting down and starting up and I told her to check the task manager,
    shut off msblast, then search for the file and delete. I was the Hero!
    heheh

    Computer guy was downstairs and I told him Pat's computer was infected
    but we fixed it and he was all "oh no, I gotta get up there and do this
    that and the other thing..."

    William Sommerwerck wrote:
    > I believe it is. Or a related one.
    >
    > Log off. Check the Task Manager Processes window for msblast and kill the
    > process. Then find msblast.exe on your hard drive and delete it.
    >
    > Then log on and install the Microsoft update. I did these things yesterday, and
    > that was the end of that.
    >
  9. Rob Adelman

    Rob Adelman Guest

    I took Luke's advice and went into administration tools and shut off a
    few things including alert. Pop ups are gone, free zone alarm,
    uninstalled, everything back to normal. I suppose there are hundreds of
    attempts going into my computer right now. Does it really matter?


    David Morgan (MAMS) wrote:
    > "Luke Kaven" <luke@smallsrecords.com> wrote in message news:jrjnjvghh2qi66r01tqgsgk4ltk5m8hj0j@4ax.com...
    >
    >>Rob Adelman <radelman@mn.rr.com> wrote:
    >>
    >>>Mike Rivers wrote:
    >>>
    >>>
    >>>>I'm using the free version of Zone Alarm, and if that allows blocking
    >>>>of specific ports, I haven't found it. It might be a feature only of
    >>>>the the paid version. But it blocks a lot of stuff, and I'm dialed up
    >>>>all the time and haven't found the latest worm yet.

    >
    >
    > Mike,
    >
    > Zone Alarm is a pretty cool tool to be so innocuous to load. The Pro
    > version does allow highly tailored functions on a site by site basis if
    > needed. I think it's quite sufficient enough in its 'free' state though.


    >
    > Rob,
    >
    > I can get 40 blocked attempts per hour!! The guy that developed ZoneAlarm
    > is pretty renowned for his work in identifying 'spyware' software, including
    > actions against Real Networks (Real player, Real jukebox, Real download,
    > etc.), PKZip and more - - I doubt he writes virii as a pastime. We could
    > share in the great cynic, conspiracist approach, however.
    >
    >
    >>Go into Settings->Control Panel->Administrative Tools->Services
    >>
    >>Look for the "Windows Messaging" service and see if it is running. If it
    >>is, right click on the entry for it, and bring up the Property sheet.
    >>Hit Stop, and select "Disable". You won't be able to run some kinds
    >>of instant messaging, but that will keep popups from coming in out of
    >>the wild. If you run Spybot Search & Destroy periodically (and keep
    >>up with the updates), you will be able to eradicate most annoying
    >>trojans (Xupiter, Gator, all those things we hate).
    >>
    >>Luke

    >
    >
    > Did you figure out how you got this thing Luke? (I'd really like to hear
    > how the USPS stumbled onto it).
    >
    > I like AdAware, but Spybot probably runs much the same way. Probably
    > both are harmless, non-invasive pieces of software... I know AAW is.
    >
    > By practicing simple safe (albeit sometimes time consuming) surfing
    > and mail-reading practices, using a firewall and judiciously setting a few
    > preferences, I've never had a virus, and I have never used on-board
    > anti-virus software. The protection has almost always been there, you
    > just have to employ it. I think the careless, haphazard users get the
    > worms in most cases. (I can't put you in that category). I'm surprised
    > how many people are glued to the internet without a firewall and with no
    > knowledge of their on-board protection options. Keeping updated is such
    > a minor thing... some would make it sound like big trouble, but it's a no
    > brainer to do this. (...And *without* downloading the automatic update
    > notifier.. another POS to run in the background).
    >
  10. >> Ahh, viruses just don't work as well on Mac OS and Amiga systems. They're too
    >> easy to spot and get rid of.

    >
    >That's funny! The Amiga was the most virus-ridden computer of its time.
    >Actually, the whole virus scene was started with the Amiga. Sure, there
    >were a few PC virii and other stuff before the avalanche of Amiga virii,
    >but the Amiga was the first computer to get new virii written for it
    >regularly.


    The Atari ST had its share too. Particularly when cracked copies of
    sequencer programs became widely distributed.
  11. Scott Dorsey

    Scott Dorsey Guest

    Richard Crowley <rcrowley7@xprt.net> wrote:
    >The vast majority of the security vulnerabilities seem to be poor (or
    >seeming non-existent) buffer/pointer management. Some have
    >suggested this is due to the way early Microsoft C compiler
    >manuals were edited. All their new-college-grad programmers used
    >the section showing how to do it, and never looked at the appendix
    >explaining buffer overrun safeguards and pointer preservation. An
    >apparent dearth of meaningful code review would appear to have
    >neatly finished the job. Now there are likely thousands and thousands
    >of vulnerable buffers ripe for the discovery by the next slime-ball
    >virus "author".


    No, not at all. The buffer overrun issues are only a tiny fraction of
    a more fundamental problem of just plain not designing with security in
    mind.

    The buffer overrun problems are only the most visible ones because they
    are the ones that are being fixed.

    But remember, Microsoft didn't implement real memory protection until Windows
    95... and this was, what, almost thirty years after the industry had embraced
    the concept?

    The i386 architecture has all kinds of nifty security features built into it,
    including real rings. Seen anybody use the ring stuff? Didn't think so.

    It is very clear that whoever designed the "convenient" way that Outlook
    handles attachments never even thought about the ways it could be abused.
    THAT is the real problem. People who do systems design, and then write
    actual code, without any clue as to how it can be misused and what could
    go wrong with it. It doesn't take much, it just takes the right attitude.
    --scott
    --
    "C'est un Nagra. C'est suisse, et tres, tres precis."
  12. area242

    area242 Guest

    I have it and it keeps shutting down my computer before I can f


    "David Morgan (MAMS)" <mams@NOSPAm-a-m-s.com> wrote in message
    news:3xu%a.3140$_P1.3086@nwrddc01.gnilink.net...
    > I suppose not. But you still become a statistic if your computer can be
    > seen.
    > And if a port is open, you can be hacked. I suppose it's just a personal
    > preference to run my surfing toy in total 'stealth' mode.
    >
    > If you want to analyze your vulnerability to attack, do a free scan found
    > at the Symantec site... You may want to close the doors anyway.
    >
    > http://security1.norton.com/us/intro.asp?venid=sym&langid=us
    >
    > --
    > David Morgan (MAMS)
    > http://www.m-a-m-s.com
    > http://www.artisan-recordingstudio.com
    >
    >
    > "Rob Adelman" <radelman@mn.rr.com> wrote in message
    > news:IOh%a.93470$o27.2119557@twister.rdc-kc.rr.com...
    > > I took Luke's advice and went into administration tools and shut off a
    > > few things including alert. Pop ups are gone, free zone alarm,
    > > uninstalled, everything back to normal. I suppose there are hundreds of
    > > attempts going into my computer right now. Does it really matter?
    > >
    > > > Rob,
    > > >
    > > > I can get 40 blocked attempts per hour!! The guy that developed
    > > > ZoneAlarm is pretty renowned for his work in identifying 'spyware'
    > > > software, including actions against Real Networks (Real player, Real
    > > > jukebox, Real download, etc.), PKZip and more - - I doubt he writes
    > > > virii as a pastime. We could share in the great cynic, conspiracist
    > > > approach, however.
    >
    >
  13. Chris Smalt

    Chris Smalt Guest

    Hank wrote:

    > At least MS has proven that square wheels can roll if you push 'em hard
    > enough.



    Yes, and that 90% of computer users don't mind doing the pushing.


    Chris
  14. Luke Kaven

    Luke Kaven Guest

    "David Morgan \(MAMS\)" <mams@NOSPAm-a-m-s.com> wrote:
    [...]
    >Did you figure out how you got this thing Luke? (I'd really like to hear
    >how the USPS stumbled onto it).


    I don't exactly know, but I have been seeing some of these behaviors
    for a few weeks. Last Monday, though, the system would become
    unstable immediately after booting up, and that was a first. I have
    the feeling that prototypes of this "malware" have been out there for
    some time before Microsoft acknowledged the problem. I experienced a
    few of the symptoms infrequently before. There are a few reports in
    the Microsoft public newsgroups of some of the symptoms I experienced
    dating back a year or more, in various combinations. The remedy
    recommended at the time was either to repair the registry, or to do an
    "upgrade" install, to ensure the system files and registry were all
    clean. As of Monday, though, these remedies did not work, and in
    retrospect, I realized that this was due to the fact that I was
    getting continually re-infected. [I did four re-installs of Win2000
    on Monday, but none fixed the problem for very long.]

    >I like AdAware, but Spybot probably runs much the same way. Probably
    >both are harmless, non-invasive pieces of software... I know AAW is.


    I seemed to get better results with Spybot, and they keep up with new
    developments pretty well.

    >By practicing simple safe (albeit sometimes time consuming) surfing
    >and mail-reading practices, using a firewall and judiciously setting a few
    >preferences, I've never had a virus, and I have never used on-board
    >anti-virus software. The protection has almost always been there, you
    >just have to employ it. I think the careless, haphazard users get the
    >worms in most cases. (I can't put you in that category). I'm surprised
    >how many people are glued to the internet without a firewall and with no
    >knowledge of their on-board protection options. Keeping updated is such
    >a minor thing... some would make it sound like big trouble, but it's a no
    >brainer to do this. (...And *without* downloading the automatic update
    >notifier.. another POS to run in the background).


    I've picked up things from some funny places, especially things like
    Xupiter and Gator. One place I picked up Xupiter was from a
    repository of song lyrics. Another way that I seem to pick up a lot
    of things is by visiting unregistered domains that are reserved for
    some reason (possibly because they are similar enough to commonly used
    domains, and so they are used for no other reason than to catch a lot
    of traffic, at least for the time being.)

    Luke
  15. Mike Rivers

    Mike Rivers Guest

    In article <KnS_a.10970$v9.3476@nwrddc01.gnilink.net> mams@NOSPAm-a-m-s.com writes:

    > Zone Alarm is a pretty cool tool to be so innocuous to load. The Pro
    > version does allow highly tailored functions on a site by site basis if
    > needed. I think it's quite sufficient enough in its 'free' state though.


    A friend of mine who studies all of the virus and spam newsgroups just
    told me that the blaster worm goes right through Zone Alarm. Maybe
    this is true in the free version where you can't configure which ports
    are blocked and which ones are not (I have the "what it's doing"
    display turned off and just look at the log now and then out of
    curiosity) but I would think that if you close Port 135, which is
    apparently where it comes in, that would do it.



    --
    I'm really Mike Rivers - (mrivers@d-and-d.com)
  16. Pat Sproule

    Pat Sproule Guest

    The free version of Zone Alarm stopped me getting the virus. Indeed it has
    blocked over 50 scans of port 135 on this machine this morning. This is with
    the standard as installed configuration.

    Pat.

    "Mike Rivers" <mrivers@d-and-d.com> wrote in message
    news:znr1061244780k@trad...
    >
    > In article <KnS_a.10970$v9.3476@nwrddc01.gnilink.net>
    > mams@NOSPAm-a-m-s.com writes:
    >
    > > Zone Alarm is a pretty cool tool to be so innocuous to load. The Pro
    > > version does allow highly tailored functions on a site by site basis if
    > > needed. I think it's quite sufficient enough in its 'free' state
    > > though.
    >
    > A friend of mine who studies all of the virus and spam newsgroups just
    > told me that the blaster worm goes right through Zone Alarm. Maybe
    > this is true in the free version where you can't configure which ports
    > are blocked and which ones are not (I have the "what it's doing"
    > display turned off and just look at the log now and then out of
    > curiosity) but I would think that if you close Port 135, which is
    > apparently where it comes in, that would do it.
    >
    >
    >
    > --
    > I'm really Mike Rivers - (mrivers@d-and-d.com)
  17. Htst

    Htst Guest

    Pat Sproule wrote:

    > The free version of Zone Alarm stopped me getting the virus. Indeed it has
    > blocked over 50 scans of port 135 on this machine this morning. This is with
    > the standard as installed configuration.
    >
    > Pat.
    >


    What is your operating system?
  18. Mike Rivers

    Mike Rivers Guest

    In article <lIg0b.60$mk2.2015@nnrp1.ozemail.com.au> patsproule@ozemail.com.au writes:

    > The free version of Zone Alarm stopped me getting the virus. Indeed it has
    > blocked over 50 scans of port 135 on this machine this morning. This is with
    > the standard as installed configuration.


    Is there a straightforward way to tell what port was blocked? Maybe
    I'm just not looking at the right screen. When I highlight an event
    and click on "More Info" it sends me to the Zone Alarm web site, and
    that shows the port number where the inquiry came in. Most of the time
    it's Port 80. I've never seen a Port 135 (but then I don't check every
    incursion).

    Maybe they can tell by probing on another port that I'm dialed up on
    AOL and that it's not worth sending me the worm. The purpose of
    MSBlaster isn't just to disable an individual machine, it's to spread
    itself and disrupt service all around. The purpose of the various
    worms that install a back door is to allow a spammer to relay mail
    through your system. Not much point in doing that on a system that has
    a slow Internet connection.



    --
    I'm really Mike Rivers - (mrivers@d-and-d.com)
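Mike asks above how to tell which port a blocked event actually hit, and Pat reports a morning's worth of blocked port 135 scans. As an added example (not from any poster, and not ZoneAlarm's own tooling), this Python script tallies blocked inbound attempts per destination port from a constructed firewall log in an assumed layout, and flags the many-sources-one-port pattern that distinguishes a scanning worm from a single curious host.

```python
import re
from collections import Counter

# Constructed sample of host-firewall log lines. The layout (timestamp,
# action, protocol, source ip:port -> destination ip:port) is an assumption
# made for this example; it is not ZoneAlarm's actual log format.
SAMPLE_LOG = """\
2003-08-19 08:01:12 BLOCK TCP 10.0.0.7:1046 -> 192.168.1.5:135
2003-08-19 08:01:40 BLOCK TCP 10.0.3.22:3281 -> 192.168.1.5:135
2003-08-19 08:02:05 BLOCK TCP 172.16.9.4:2071 -> 192.168.1.5:80
2003-08-19 08:02:31 BLOCK TCP 10.0.0.7:1047 -> 192.168.1.5:135
2003-08-19 08:03:14 BLOCK TCP 10.1.8.91:1385 -> 192.168.1.5:135
2003-08-19 08:03:58 BLOCK TCP 10.0.5.130:4002 -> 192.168.1.5:135
2003-08-19 08:04:20 BLOCK UDP 172.16.9.4:1034 -> 192.168.1.5:137
2003-08-19 08:04:47 BLOCK TCP 172.16.2.9:2200 -> 192.168.1.5:80
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>[A-Z]+) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that don't match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def blocked_by_port(events):
    """Count blocked inbound attempts per (protocol, destination port)."""
    return Counter((e["proto"], e["dport"]) for e in events if e["action"] == "BLOCK")


def port_scan_summary(events, proto="TCP", port=135, min_sources=3):
    """Summarise blocked hits on one port. Many distinct sources hammering the
    same port in a short window is the signature of a scanning worm; a few hits
    from one address on port 80 is just a curious host."""
    hits = [e for e in events
            if e["action"] == "BLOCK" and e["proto"] == proto and e["dport"] == port]
    sources = sorted({e["src"] for e in hits})
    return {
        "proto": proto,
        "port": port,
        "blocked": len(hits),
        "distinct_sources": len(sources),
        "sources": sources,
        "worm_like": len(sources) >= min_sources,
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (proto, port), n in blocked_by_port(evs).most_common():
        print(f"{proto}/{port}: {n} blocked")
    print(port_scan_summary(evs))
```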
  19. ryanm

    ryanm Guest

    "Vladan" <luxey1@eunet.yu> wrote in message
    news:1jmljvsflcu4ga89injdi2tvtps4cq4bld@4ax.com...
    > Is it really that dangerous? I have just XP bundled firewall service,
    > and got nothing. I have all remote and sharing services disabled (not
    > installed/ allowed). What's the deal?
    >

    Nothing, you'll be fine. It's really not that serious a virus, it's just
    very persistent. A *real* virus is one that you never know you have. These
    annoyances are just kids playing around, thinking they're cool. The fact is
    I could write this worm in about 20 minutes if I wanted to, but it serves no
    purpose but to annoy, so what's the point?

    My wife got this worm yesterday, and it took about an hour to fix, and
    it only took that long because I had to install SP1 first (which is a 125
    meg download) before I could install the patch. The catch is, if you have
    it, you need to keep your process list open and kill the thing every time it
    pops up, because it only takes about 20 seconds to crash your RPC service,
    which will shut down your system.

    The real fix is to either keep wupdate.exe running in your system tray,
    or go to http://windowsupdate.microsoft.com on a regular basis and let it
    install the patches as they come out.

    ryanm
  20. ryanm

    ryanm Guest

    "William Sommerwerck" <williams@nwlink.com> wrote in message
    news:vjkgvd61dorj96@corp.supernews.com...
    > I believe it is. Or a related one.
    >
    > Log off. Check the Task Manager Processes window for msblast and kill the
    > process. Then find msblast.exe on your hard drive and delete it.
    >
    > Then log on and install the Microsoft update. I did these things
    > yesterday, and that was the end of that.
    >

    There is a second strain going around that is called cmd.exe (the same
    name as your command line parser) that will restart itself after being
    killed. Once you install the MS patch the RPC vulnerability is gone, though,
    and it can no longer cause any problems.

    ryanm
