 |
 |   Jeremy341 Bye Premium join:2000-01-06 localhost | Re: Can someone port this to linux And you'd want to DDoS windowsupdate.com because...? | |
|
 |  |   Thasp6 The Thasps Are Everywhere. Premium join:2003-06-08 Your Mind.
| Re: Can someone port this to linux said by Jeremy341 : And you'd want to DDoS windowsupdate.com because...?
Who doesn't? | |
|
 |  |  |   Jeremy341 Bye Premium join:2000-01-06 localhost
| Re: Can someone port this to linux said by Thasp6 : Who doesn't?
Uh, me. | |
|
 hubs187
join:2003-01-21 Lisle, IL
| HELP!!! I got hit by it this morning.....if I've already been infected is there anything I can do to get it out...or quarantined?.....I put up my built in Windows firewall is that enough.....now how do I stop it from infecting other computers from mine? please respond I found the msblast.exe on my computer is deleting it enough.....?????then just keep my firewall up? [text was edited by author 2003-08-11 22:08:23] | |
|
 |   GoD of KaOs Agent of KaOs
join:2001-01-29 Chatsworth, CA | Re: HELP!!! I wouldn't rely on windows firewall, I would also get zonealarm. | |
|
  P8ntball Guy
join:2003-08-10 Buffalo, NY | Router So glad I bought the firewall router. Thank you Linksys. | |
|
  Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
·AT&T U-Verse
| Worm may have hit where I work today Around 1:00 PM Central time, several people where I work began seeing random crashes and shutdowns of applications we use regularly at work, and sometimes even parts of Windows 2000 itself. In some cases, people were unable to log onto our primary production system, which is based on Oracle. In other cases, it was Outlook 2002 that seemed to be associated with the crashes. I noticed on my workstation a random crash of one of the svchost.exe processes, and at that time I wondered if a new worm that exploited the DCOM vulnerability had gotten loose in our network. A few people also reported being unable to log into our time entry system, which is located on a secure server. Having read some of what other posters in this thread have reported, I believe the answer to my question is yes. The time frame in which this was occurring is consistent with the flood of DCOM port probes logged by Zone Alarm on my home PC. I patched my system here at home the Sunday night after the Department of Homeland Security warning was issued about this vulnerability. I have a feeling MIS (our IT department) where I work has not done likewise. -- "Kayura or Badamon, whichever you are, you should know that I will never give up this battle. By the will of the Ancient, I shall succeed!" - Shuten (Anubis) from the Ronin Warriors. | |
|
 |   TobyB
@195.137.x.x
| Re: Worm may have hit where I work today I have been hit too. The worm file was called W32.Blaster according to Norton AV. I cleared the msblaster.exe file out of system32 with Norton but still have trouble with SVCHOST. SVCHOST.EXE now runs for about 2 minutes on a restart and then crashes out. | |
|
 |  |   Apophis Jaffa Kree Premium join:2001-12-27 Holmen, WI clubs: 
| Re: Worm may have hit where I work today said by TobyB: I have been hit too. The worm file was called W32.Blaster according to Norton AV. I cleared the msblaster.exe file out of system32 with Norton but still have trouble with SVCHOST. SVCHOST.EXE now runs for about 2 minutes on a restart and then crashes out.
Hi, I also did what you did but in the end had to do an OS re-install to get rid of the garbage. -- Just say NO to Same-Sex Marriages, Affirmative Action, Liberals and PETA. Re-Elect George Bush 2004, The True Leader of this Country!!! | |
|
 Haychance
join:2003-07-01 Lewisville, TX
| way over my head
I have gotten about a billion friggin hits on 135 but since about 7:00pm central it's been hitting port 445 every 29th attempt. Somebody please tell me how long this mess is going to take. I have a pretty limited understanding of these things and I'm not sure if my firewall which is a Zone Alarm Pro that my friend installed, is idiot proof enough for me to keep from infecting my PC. What do I need to do in the simplest possible terms to protect my PC? I have been running extensive searches for the MSBLAST and any variations on that and haven't come up with anything yet, but my PC keeps shutting down. | |
|
 bigbeartech Goo?
join:2001-09-23 Saint Louis, MO
| This started last night A co-worker reported that a customer called in about this late last night. The issue did not dawn on him until today when we got hit by multiple calls about this.
FYI, your ISP does not support the operating system. The OEM, or if you built your computer, Microsoft does. -- guycad: It may take you days and large clumps of hair to get it to work, CyberSchnook: I am so screwed--I haven't had large clumps of hair for years. | |
|
 jimahrens
join:2002-05-30 Owego, NY | another virus this one is so lame it can't get past a simple firewall geez...some other viruses at least offered a challenge... | |
|
  Gundam_MX Stomping Robot
join:2003-06-27
| Windows NT family affected only From what I understand Windows NT 4.0, Windows NT 4.0 Terminal Services Edition, Windows 2000, Windows XP and Windows Server 2003 are the only Windows OS affected by this worm.
Source
If you use Windows 95, 98 and ME you're safe.
Of course if everybody used Linux in the first place, none of this would have happened!  | |
|
 cableblows3
join:2001-06-17 Indianapolis, IN | 135
what else is 135 normally used for? | |
|
 |   CPUYODA
join:2003-01-25 Johnson City, TN | Re: Same Prob.
I've disabled ZA logging for the duration....
It's gonna be a great week!!!!!
Cheers Beers and Tears!! -- "In God We Trust,All Others Pay Cash" | |
|
 ODYSSEY
join:2001-12-06 Raleigh, NC | Getting worse... Getting about 100 hits on port 135 an hour. About 90% are from local RR users. | |
|
  e144539
join:2000-11-02 San Angelo, TX clubs:
·Verizon Online DSL
| automatic updates I don't understand why people don't have all the critical security patches applied when automatic updates has been around for a while now. Do people just not take advantage of it? -- Never attribute to malice that which can be adequately explained by stupidity. | |
|
 |   Brat75 Cats rule
join:2003-02-05 Auburn, WA
| Re: automatic updates said by e144539 : I don't understand why people don't have all the critical security patches applied when automatic updates has been around for a while now. Do people just not take advantage of it?
Some of those patches screw your computer up further than it already is.. 811493 ring a bell?
And most people want to have control over their computer's settings/applications. Like WMP9 sends info back to MS, I only keep WMP8.
I wait at least a week b4 installing a patch due to errors from a patch.
Brat -- I sometimes feel that I'm playing hockey, and God wants to throw me a curveball. | |
|
 |  |  |
 |  |  Phatty
join:2000-05-10 Valley Park, MO
·Vonage
·Charter Pipeline
| Re: automatic updates I wouldn't think people wanting to have more control over system or waiting to see if a patch messes up a system would be the reason the majority of the people do not enable those features. Those features are not enabled because most people do not pay attention to updates, or care about keeping their system properly patched and updated. For those who do not enable it for the reason of waiting, something like this would still probably never affect them because MS releases patches well before something like this spreads most of the time. [text was edited by author 2003-08-12 14:38:23] | |
|
 Bytezboy
join:2001-05-17 New York, NY | glad i'm protected
Man, I'm glad I had a D-Link firewall up. I just checked my logs and I got a lot of hits for port 445, haven't seen port 137 yet on my logs... not sure if it's because I disabled logging of "dropped packets" but I did enable logging of "attacks". | |
|
 |   aw3dhg
join:2001-09-05 Middletown, NY
| from CA about 20 minutes after I saw this article Just got this from my AV supplier, they have renamed it apparently
Virus Alert Notification
Win32.Poza
Alias: W32.Blaster.Worm (Symantec), W32/Lovsan.worm (McAfee), W32/Msblast.A (F-Secure), Win32/Poza.Worm, WORM_MSBLAST.A (Trend)
Category: Win32
Type: Worm
Published Date: 8/11/2003
Last Modified: 8/11/2003
CHARACTERISTICS
Win32.Poza is a worm using the exploit described in MS03-026 to gain access to unpatched Windows installations. More information about the exploit can be found in our Vulnerabilities Library or at the Microsoft site here: »www.microsoft.com/technet/securi···-026.asp
Method of Installation
It creates a mutex "BILLY" to avoid running multiple instances of itself, and creates a registry value to activate on Windows restart:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update = "msblast.exe"
The worm runs an FTP service listening on port 69, waiting for exploited machines to connect.
Method of Distribution
It starts by scanning the entire subnet for open 135 ports, then moves on to scan randomly selected class B subnets (255.255.0.0) to start scanning. If an open 135 port is found, it uses the exploit mentioned above to gain entry and create a remote shell on the exploited machine. It then assumes the exploit succeeded and attempts to connect to port 4444 of the remote machine. If successfully connected, it instructs the remote machine to download MSBLAST.EXE (size: 6,176 bytes, UPX packed) from its FTP service using TFTP.EXE. It then sends an instruction to start MSBLAST.EXE on the remote machine.
Note: TFTP.EXE is a utility included by default in Windows installations of Windows 2000 and later versions.
The worm is capable of keeping live connections to 20 exploited machines simultaneously.
Payload
If the day of the month is 16 or later, or the month is between January and August, the worm creates a working thread to send random data to windowsupdate.com almost continuously. This effectively launches a Distributed Denial of Service attack against windowsupdate.com.
Additional Information
The worm body contains these strings:
I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!
CA has also received reports from several sources that this worm may be seen, associated with crashes of svchost.exe.
For more information about Win32.Poza worm click here.
To obtain the latest EZ Antivirus Signature files directly from your pc follow the easy steps below for your specific version number:
Product Versions 5.3 and 5.4 - Signature file Version 2554
Product Version 6.0 - Signature file Version 4828
Product Version 6.1 - Signature file Version 4828
For instructions on how to autodownload or download signature files manually click here
Unsure of your product version number?
To find your product version number, right click on the eTrust EZ Antivirus taskbar icon and select "Version". Your product version number will be presented in a pop-up box on your screen.
Please remember that these signature file updates are cumulative: therefore the latest update includes everything from all previous updates as well as the new virus information.
--------------------------------------------------------------------------------
Additional Information on viruses, worms, and trojans can be found in our virus encyclopedia: »www.my-eTrust.com/products/encyclopedia and on our Virus Alerts page: »www.my-eTrust.com/products/virusalerts | |
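Added example (not part of the thread or of CA's alert): a small Python check for the indicators the alert above lists, namely the Run value `windows auto update` = `msblast.exe` and the network sequence of a port 135 sweep, a follow-up connection to port 4444, and a callback to port 69. The log format, IP addresses, `reg query`-style text and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the thread): time src dst proto dport
SAMPLE_LOG = """\
13:00:01 10.0.0.5 10.0.0.6 TCP 135
13:00:01 10.0.0.5 10.0.0.7 TCP 135
13:00:02 10.0.0.5 10.0.0.8 TCP 135
13:00:02 10.0.0.5 10.0.0.7 TCP 4444
13:00:03 10.0.0.7 10.0.0.5 UDP 69
13:00:04 10.0.0.9 10.0.0.6 TCP 445
13:00:05 10.0.0.9 10.0.0.6 TCP 135
"""

# Constructed `reg query`-style output for the Run key named in the alert.
SAMPLE_RUN_KEY = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    windows auto update    REG_SZ    msblast.exe
    ExampleTray    REG_SZ    C:\\Program Files\\Example\\tray.exe
"""

def has_blaster_run_value(reg_text):
    """True if the Run key lists 'windows auto update' pointing at msblast.exe."""
    pat = re.compile(r"^\s*windows auto update\s+REG_SZ\s+.*msblast\.exe\s*$", re.I | re.M)
    return bool(pat.search(reg_text))

def suspect_sources(log_text, scan_threshold=3):
    """Map source IP -> findings for the 135 sweep / 4444 / port 69 sequence."""
    swept = defaultdict(set)    # src -> destinations probed on TCP 135
    shells = defaultdict(set)   # src -> probed destinations then contacted on TCP 4444
    fetches = defaultdict(set)  # src -> hosts that called back to src on port 69
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue            # skip malformed lines
        _, src, dst, proto, port = parts
        if proto == "TCP" and port == "135":
            swept[src].add(dst)
        elif proto == "TCP" and port == "4444" and dst in swept[src]:
            shells[src].add(dst)
        elif port == "69" and src in shells[dst]:
            fetches[dst].add(src)
    return {s: {"probed": len(d), "shell": sorted(shells[s]), "fetch": sorted(fetches[s])}
            for s, d in swept.items() if len(d) >= scan_threshold}
```

A source that only probes a single host on 135 stays below the default threshold; lower `scan_threshold` to list every prober.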
|
 |
 |   nil Java Geek join:2000-11-27
Host: Webmasters and Dev.. Forum Feature Requ..
| Re: Check it out Yo! They published this information less than a month ago.. people who do not make it a habit to read geek-websites (that would be 95% of the population) probably have no idea this vulnerability exists.
It's nice to want to blame this on the users.. but no.. it's not their fault the software they paid good money for is full of security holes. Perhaps the multi-billion dollar company that insists on releasing software before it's fully white-box tested has something to do with it. -- Life is too short to be boring | |
|
 |  |  |
  nanofever Liberal Democrats, You Know We're Right
join:2001-08-19 Modesto, CA | No worries Got the worm, ZAP told me I had the worm, Cleaned the worm, life is good... | |
|
  seifertim
join:2003-05-30 Valley Park, MO
| Detection Hmm... so what should I look for to diagnose my pc if I don't notice any random shut-downs? I have Norton, and I have a router, but not too sure that I am clean and free... are there certain files I can/should look for, or just try and run "Lions" techniques if I notice something screwy (which doesn't give me a lot to go on, after my wife's been on the computer, there isn't anything that's not screwy!) | |
|
  inciter Noobie Premium join:2000-08-30 Rohnert Park, CA
| Two words Steve Gibson »https://grc.com/
[text was edited by author 2003-08-12 01:54:38] | |
|
  machater
join:2003-04-30 Turlock, CA
| this will end this If you create and release a virus/trojan...etc, you go to jail for life, if you hack a public or private commercial or government institution/business you go to jail for 10 years, $25,000 fine for first attempt, life imprisonment for the second offense. This type of punishment will GREATLY reduce this increase in stupidity. | |
|