
General Forum

Please read, before its to late

--- -__- -_-- (Mostly Harmless) posted this on Tuesday, 12th August 2003, 10:01

http://www.theregister.co.uk/content/56/32286.html

MSBlaster worm spreading rapidly
By John Leyden
Posted: 12/08/2003 at 09:17 GMT


A worm that exploits a critical Remote Procedure Call (RPC) flaw to infect vulnerable Windows machines is spreading rapidly across the Internet this morning.

Although serious, the effects of the MSBlaster worm are expected to be less than that caused by the infamous Nimda worm.

The MSBlaster worm, also known as Lovsan, Blaster or Poza and which began spreading yesterday, is programmed to launch an attack against windowsupdate.com on 16 August.

Microsoft last month issued a patch to guard against the problem but uptake has been predictably slow, allowing malicious code writers to come up with software that is having a severe effect on many users.

Mac, Linux and Unix computers are immune to this Microsoft-specific vulnerability.

According to a preliminary analysis of the worm by F-Secure, the worm spreads in a 6176 byte executable named MSBLAST.EXE to Windows 2000 and Windows XP systems unless recent Windows security patches have been applied. Windows NT 4 and Windows 2003 might also be affected but these systems appear to be playing a lesser role in the spread of the worm.

The worm launches a command shell and uses TFTP to connect to other infected systems to download the worm's executable. MSBlaster will scan addresses on the Internet to locate vulnerable Windows machines using TCP/UDP port 135. Once found, it will copy itself over and modify the system so the worm will be executed every time the machine is started. The worm will keep on replicating from every infected machine.

Unsuccessful propagation attempts may crash vulnerable computers, or render them unstable. Successful worm outbreaks are causing localised network latency.

MSBlaster contains the following text:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix
your software!!

Security experts have been predicting the arrival of the worm, or something like it, for some weeks.

TruSecure, which has been prominent in these warnings, has published an informative advisory on the worm, which gives some indication of its likely spread.

The alert states: "TruSecure does not expect LANs to suffer from denial of service conditions due to this infection, even if it becomes infected. This is because internal infections will only propagate if outbound TFTP requests are allowed. If a source is found it can be blocked at either the firewall or router."

For these reasons, TruSecure "does not expect this to be as bad as Code Red, Nimda or SQL Slammer".

However, the company notes that there have been "numerous problems with Windows Update and St. Bernard's Update Expert - both of which showed that the MS patch was installed when it wasn't". It is expecting more trouble ahead.

The SANS institute has issued the following advice on guarding against the spread of the worm:


Close port 135/tcp (and if possible 135-139, 445 and 593)
Monitor TCP Port 4444 and UDP Port 69 (tftp) which are also used by the worm
Ensure that all available patches have been applied, especially a fix for the flaw at the centre of the spread of MSBlaster
Pull infected machines from a network pending a complete rebuild of the system


Let's be careful out there.



More info http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

Free online virus scanner that can detect this virus

http://housecall.trendmicro.com/

This item was edited on Tuesday, 12th August 2003, 11:39
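The SANS advice quoted in the post above names three ports the worm uses in sequence: tcp/135 for the RPC exploit, tcp/4444 for the command shell on the victim, and udp/69 for the victim's TFTP pull of MSBLAST.EXE back from the attacker. As an added example, not part of the original post or of the Register article it quotes, the Python below looks for that three-step sequence between a host pair in connection-log lines and reports the hosts acting as infection sources. The log lines and their field layout (timestamp, source, destination, protocol, destination port) are constructed for the example and are not a real capture.

```python
"""Flag hosts showing the MSBlaster propagation sequence in connection logs.

Added example, not code from the original forum post. The log format below
is an assumption: one connection per line as
    <ISO timestamp> <src ip> <dst ip> <tcp|udp> <dst port>
"""
from collections import defaultdict
from datetime import datetime

# Ports named in the SANS advice: entry vector, shell, and TFTP pull-back.
EXPLOIT_PORT = 135   # RPC/DCOM on the victim
SHELL_PORT = 4444    # command shell the worm opens on the victim
TFTP_PORT = 69       # victim fetches MSBLAST.EXE from the attacker over UDP

# Constructed sample traffic, not a real capture. 10.0.0.7 infects two hosts;
# 10.0.0.9 only probes 135 and 139 and never gets a shell or a TFTP pull.
SAMPLE_LOG = """\
2003-08-12T09:14:01 10.0.0.7 10.0.1.20 tcp 135
2003-08-12T09:14:02 10.0.0.7 10.0.1.20 tcp 4444
2003-08-12T09:14:03 10.0.1.20 10.0.0.7 udp 69
2003-08-12T09:14:05 10.0.0.9 10.0.1.21 tcp 135
2003-08-12T09:14:06 10.0.0.9 10.0.1.21 tcp 139
2003-08-12T09:15:00 10.0.0.7 10.0.1.22 tcp 135
2003-08-12T09:15:01 10.0.0.7 10.0.1.22 tcp 4444
2003-08-12T09:15:02 10.0.1.22 10.0.0.7 udp 69
"""


def parse(log_text):
    """Yield (timestamp, src, dst, proto, dport) tuples; blank lines are skipped."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport)


def find_blaster_sources(log_text, window_seconds=60):
    """Return {attacker: [victim, ...]} for every source that, within the window,
    connected to a destination on tcp/135, then tcp/4444, and was then
    contacted by that same destination on udp/69 (the TFTP fetch of the worm).
    """
    stage = {}        # (attacker, victim) -> 1 after tcp/135, 2 after tcp/4444
    first_seen = {}   # (attacker, victim) -> time of the tcp/135 connection
    hits = defaultdict(list)

    for ts, src, dst, proto, dport in parse(log_text):
        pair = (src, dst)
        if proto == "tcp" and dport == EXPLOIT_PORT:
            stage[pair] = 1
            first_seen[pair] = ts
        elif proto == "tcp" and dport == SHELL_PORT and stage.get(pair) == 1:
            stage[pair] = 2
        elif proto == "udp" and dport == TFTP_PORT:
            # The TFTP request runs victim -> attacker, so reverse the pair.
            attacker, victim = dst, src
            rev = (attacker, victim)
            if stage.get(rev) == 2 and (ts - first_seen[rev]).total_seconds() <= window_seconds:
                hits[attacker].append(victim)
                stage[rev] = 0   # sequence consumed; require a fresh 135 to match again
    return dict(hits)


if __name__ == "__main__":
    for attacker, victims in find_blaster_sources(SAMPLE_LOG).items():
        print(f"{attacker} looks like a Blaster source; pulled onto: {', '.join(victims)}")
```

On the constructed sample this reports 10.0.0.7 as the source for 10.0.1.20 and 10.0.1.22 and stays silent about 10.0.0.9, whose 135/139 probes never progressed to a shell. A tcp/135 probe on its own is noisy (the worm also crashes hosts it fails to infect), so the script only fires once the shell and the TFTP pull-back confirm a successful infection; the window guards against unrelated tcp/135, tcp/4444 and udp/69 traffic between the same two hosts being stitched together hours apart.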

RE: Please read, before its to late

Alan Titherington (Reviewer) posted this on Tuesday, 12th August 2003, 10:05

Oh yes indeed... it has infected our whole company... worldwide! :-)

Shouldn't laugh of course, but it's nice and quiet at the moment and I can get on with my scheduled work.

RE: Please read, before its to late

neal 73 (Elite) posted this on Tuesday, 12th August 2003, 10:25

Times like this it's good that our work computers are firmly in the dark ages and still run Win95!

RE: Please read, before its to late

RJS (undefined) posted this on Tuesday, 12th August 2003, 10:47

Hehe Alan, all our PCs are safely behind firewalls that block the NetBIOS ports so will be safe. But I can imagine the nightmare of someone bringing their laptop into work (having gone and got it infected at home) and then spreading it all across the network. :)

Editor
DVD REVIEWER

RE: Please read, before its to late

Alan Titherington (Reviewer) posted this on Tuesday, 12th August 2003, 11:35

well there are quite a few laptop owners obviously, but I suspect the post-mortem will begin once our Exchange server is up and running again. I would have thought a company as big as ours would have been prepared for something like this...but you never can tell I suppose.

RE: Please read, before its to late

Jason Bagnall (Competent) posted this on Tuesday, 12th August 2003, 12:42

Thing that p***es me off is that numerous "free" virus checkers keep telling me this Blaster virus is on my comp, but none of them will do anything about it. I downloaded an application which is supposed to remove it, and it just stalls on me and crashes. For God's sake, how do I get rid of this thing?

What kind of people actually create these things?!




"Dude I almost had you" - Paul Walker (The Fast & The Furious)

RE: Please read, before its to late

HaGGis! (Elite) posted this on Tuesday, 12th August 2003, 12:51

yup.. was talking to someone who had this last night..

RE: Please read, before its to late

Alan Titherington (Reviewer) posted this on Tuesday, 12th August 2003, 12:55

Quote:
What kind of people actually create these things?!


Someone with no friends, lives with his mum, and who will probably end up in a newspaper article that ends "and then he turned the gun on himself"...

I should imagine :-)

RE: Please read, before its to late

Biagio (Elite) posted this on Tuesday, 12th August 2003, 13:02

Interestingly enough, I just eavesdropped on a conversation where a bloke said:

Quote:
most viruses are spread/created by anti-virus software companies so we will buy their product

Personally I thought he was probably talking b*****ks, but on the other hand what do I know? I'm just a dinosaur with Windows 98 so I'm all right Jack.
:) :) :)
Pete

RE: Please read, before its to late

RJS (undefined) posted this on Tuesday, 12th August 2003, 13:24

Heh, Win98 doesn't need any virii to crash it, the OS can do that all by itself. ;)

I don't believe any s/w company would write a virus and release it into the wild; it would open itself up to so many lawsuits it would go under in a week. Plus there are too many l33t h@sr0x out there who are more than happy to write and release them.

The reason we have so many virii out there is simply that Microsoft have always put functionality over security. No matter how much they pretend this is changing, the number of major remote security holes in consecutive Windows operating systems seems to indicate they still don't get it.

Editor
DVD REVIEWER

OpenBSD - The World's Most Secure Operating System
Only one remote hole in the default install, in more than 7 years!

This item was edited on Tuesday, 12th August 2003, 14:25
