said by vic102482 :

---

said by museheart :
Zone Alarm has been blocking 73.165.128.151 to port 2268 TCP Flags SYN all of two weeks now. I haven't looked it up yet, I was about to and saw this thread.

I had Linksys hooked up but due to some computer diagnostic's it isn't right now. I ended up having to re-format the hard drive.

Guess I should hook it back up post haste?

Peace,

---

Yeah keep the linksys on at all times. I had only 1 computer and I had a NAT box. I dont ever update my machine unless I need to. I havent updated ANY of my computers to patch the worm because I am behind NAT. The firewall is good encase it somehow makes it onto your network, you will see it trying to download the meat and potatoes to your computer. The msblast.exe alone doesnt harm your machine (or so others say), only when it can get out onto the web and start reaking havok on your connection. NATs really cant protect against outgoing connections (although you can block incoming and outgoing ports).

---

said by museheart :

---

said by vic102482 :

---

said by MrTangent :

---

said by vic102482 :

---

Whoever has any numbers below 1024 open is really asking for it!

If you are browsing the web with no NAT or Firewall, then you are asking for it!

Hows that? MasterMrtangent.:p

---

Zone Alarm has been blocking 73.165.128.151 to port 2268 TCP Flags SYN all of two weeks now. I haven't looked it up yet, I was about to and saw this thread.

I had Linksys hooked up but due to some computer diagnostic's it isn't right now. I ended up having to re-format the hard drive.

Guess I should hook it back up post haste?

Peace,

---

Yeah keep the linksys on at all times. I had only 1 computer and I had a NAT box. I dont ever update my machine unless I need to. I havent updated ANY of my computers to patch the worm because I am behind NAT. The firewall is good encase it somehow makes it onto your network, you will see it trying to download the meat and potatoes to your computer. The msblast.exe alone doesnt harm your machine (or so others say), only when it can get out onto the web and start reaking havok on your connection. NATs really cant protect against outgoing connections (although you can block incoming and outgoing ports).
--
10,000+ Posts and counting. You aint gonna stop me!!!!w00t!!]]> http://www.dslreports.com/forum/remark,7691152 Fri, 15 Aug 2003 15:45:08 EDT http://www.dslreports.com/forum/remark,7691061 museheart :

said by vic102482 :

---

said by MrTangent :

---

said by vic102482 :

---

Whoever has any numbers below 1024 open is really asking for it!

If you are browsing the web with no NAT or Firewall, then you are asking for it!

Hows that? MasterMrtangent.:p

---

Zone Alarm has been blocking 73.165.128.151 to port 2268 TCP Flags SYN all of two weeks now. I haven't looked it up yet, I was about to and saw this thread.

I had Linksys hooked up but due to some computer diagnostic's it isn't right now. I ended up having to re-format the hard drive.

Guess I should hook it back up post haste?

Peace,

--
MuSe

Visit Fighting Back! - Quick links to the best freeware anywhere!
»home.mchsi.com/~museheart/fight.html]]> http://www.dslreports.com/forum/remark,7691061 Fri, 15 Aug 2003 15:36:21 EDT http://www.dslreports.com/forum/remark,7687490 vic102482 :

said by MrTangent :

---

Don't worry about him, vic382398826. Just another anonymous person. :)

---

It could have been you that made that post;).
--
10,000+ Posts and counting. You aint gonna stop me!!!!w00t!!]]> http://www.dslreports.com/forum/remark,7687490 Fri, 15 Aug 2003 08:01:00 EDT http://www.dslreports.com/forum/remark,7687254 MrTangent : Don't worry about him, vic382398826. Just another anonymous person. :)

--
"War Is Peace. Freedom Is Slavery. Ignorance Is Strength"]]> http://www.dslreports.com/forum/remark,7687254 Fri, 15 Aug 2003 06:31:42 EDT http://www.dslreports.com/forum/remark,7685511 vic102482 :

said by Give Me A Break:

---

Quote : If you are behind NAT that you are pretty much okay.

I would call you an idiot, but based on your other posts here that would seem redundant !

---

????

Um yeah okay.....NEways, I have no firewall, no antivirus software, no Windows XP patches, and I am fine. Call me an idiot if you want, but atleast Im not one with worms anonymous coward!:)
--
10,000+ Posts and counting. You aint gonna stop me!!!!w00t!!]]> http://www.dslreports.com/forum/remark,7685511 Thu, 14 Aug 2003 22:58:07 EDT http://www.dslreports.com/forum/remark,7681625 anon : Quote : If you are behind NAT that you are pretty much okay.

I would call you an idiot, but based on your other posts here that would seem redundant !]]> http://www.dslreports.com/forum/remark,7681625 Thu, 14 Aug 2003 15:55:50 EDT http://www.dslreports.com/forum/remark,7662000 ricep5 : Hey Alky,

Thats the same argument most people have used just before they got AIDS.

"Hey, I only get involved with 5% of the people I date, I am OK" "What fun is there in protection" "I am way more active doing it my way"

Oops, sorry we are talking about computers, not people here.]]> http://www.dslreports.com/forum/remark,7662000 Tue, 12 Aug 2003 18:12:24 EDT http://www.dslreports.com/forum/remark,7659547 murdok6100 :

said by MrTangent :

---

Matter of fact whoever runs anything by Microsoft is asking for it!

And rightly so.

---

Oh but of course (good one!)

Murdok610]]> http://www.dslreports.com/forum/remark,7659547 Tue, 12 Aug 2003 14:08:10 EDT http://www.dslreports.com/forum/remark,7658513 crazylike : goto start button then control panel then to preformance and maintance then to Administrative Tools then Computer management then sub under adminstrative tools click local users and groups in the left hand side on the right hand side it will show a list of diffrent logins to your computer any you did not make delete the 2 that it will not allow deletion ones Administrator the other a guest account password protect them then goto c:\winnt\system32 look for msblast.exe delete it then goto registry delete the reg key for it there then go back to the system32 directorie and look for any folders with out of place nameslike (inetserv comserv saved uploads dloads) you should also check for files and folders in the c:\winnt\system32\drivers\etc folder
you could do a search for files ending in .sah .bak .pid .bat these files are common to sdbots and to msblast.exe as there seems to be 3 parts to this bot 1st a ftp 2nd a irc xdccbot 3rd a self contained scanner and auto rooter very fancy piece of programming to bad i found all three peices man people will be mad at me lol]]> http://www.dslreports.com/forum/remark,7658513 Tue, 12 Aug 2003 12:00:54 EDT http://www.dslreports.com/forum/remark,7656847 vic102482 :

said by Neophyte101 :

---

quote:

---

Matter of fact whoever has any ports open is asking for it!

---

Yeah ok... did you even realize that if you NEVER EVER had ports open you would NEVER EVER be able to do anything on the internet? Web browsers open ports to transfer data... so do IM clients, FTP clients, multiplayer games and every other piece of software that transfers data over a network.

---

See above smarty pants.;)
--
10,000+ Posts and counting. You aint gonna stop me!!!!w00t!!]]> http://www.dslreports.com/forum/remark,7656847 Tue, 12 Aug 2003 06:51:29 EDT http://www.dslreports.com/forum/remark,7656542 crazylike : people just goto the computer management and then to the sub dir user and group accounts close and password all you accounts and delete the ones the windows makes at instal.
then go find the msblast as you call it its actually a sdbot you can remove it by finding the host folder it usually is c:winnt/system32/drivers/etc or c:/winnt/system32/config
best idea is look for folders that just do not belong eg Certserv or Jobs Cpuidle these folder will be in system32 folder so look there they will be hidden folders and files look in the reg and edit the HKEY which controls rundll32.exe Microsoft does know about this pronlem but chooses not to fix it]]> http://www.dslreports.com/forum/remark,7656542 Tue, 12 Aug 2003 04:23:23 EDT http://www.dslreports.com/forum/remark,7656263 redstepchild : isc.sans.org/diary.html?date=2003-08-11

all the techy stuff you could ask for related to this worm.
--
I'm a Cable girl.. In a Cable World..... RedStepChild@dslr.net]]> http://www.dslreports.com/forum/remark,7656263 Tue, 12 Aug 2003 02:39:58 EDT http://www.dslreports.com/forum/remark,7655862 anon : Alky-

You are preaching to the choir here. My desk is surrounded with 2 Mac's (G3/G4 OSX) and 1 Intel Linux (RedHat 9) Desktop, 1 Linux RedHat Notebook.

(almost) Everyone in my office building is running around like heads with their chickens cut off. Some offices have high-end firewalling using outboard NetScreen & IPIX iron, but the worm still got through.

Here is the funny part; I had a scheduled sales presentation (remote data disaster recovery services) today and one of the "competitors" whose pitch was 2 hours before mine ran my meeting late...his laptop PP presentation wouldn't fly...his PC laptop kept going into a forced shutdown. My StarOffice demo ran like clockwork.

Why people continue to put up with this "platform" escapes me.

]]> http://www.dslreports.com/forum/remark,7655862 Tue, 12 Aug 2003 01:20:53 EDT http://www.dslreports.com/forum/remark,7655842 wtansill : Well, my SMC Barricade is blocking things nicely... Lots of log hits, no responses to the originating queries...
--
That which does not kill me merely prolongs the agony.]]> http://www.dslreports.com/forum/remark,7655842 Tue, 12 Aug 2003 01:17:33 EDT http://www.dslreports.com/forum/remark,7655634 tenebrion : I had a friend of mine running zonealarm, and i don't know how, but it got passsed it.]]> http://www.dslreports.com/forum/remark,7655634 Tue, 12 Aug 2003 00:43:12 EDT http://www.dslreports.com/forum/remark,7655494 jennjen : I'm sorry.. but I'm not too computer literate. I have the worm and it keeps replicating itself in my system. I delete the file (msblast.exe) but it comes back again and again. I must not have a firewall up. Can someone please guide me through the procedure?

thank you.]]> http://www.dslreports.com/forum/remark,7655494 Tue, 12 Aug 2003 00:27:52 EDT http://www.dslreports.com/forum/remark,7655117 FLea973 : cableblows ]

said by »grc.com/np/pa-features.htm :

---

The steadily decreasing security of the industry's most prevalent operating system (Microsoft Windows) warrants more comprehensive testing.

---

A good read... a humorous one too - and to think Microsoft is "focusing" on making very secure software... funny I felt safer when they weren't focusing on it.]]> http://www.dslreports.com/forum/remark,7655117 Mon, 11 Aug 2003 23:42:20 EDT http://www.dslreports.com/forum/remark,7655116 Maggs : MS Patches fudged my PC 3 times. I would be careful installing Service Pack 1, or Satan's Paradise 1 as I call it for messing up my PC 3 times.
--
Let's get right to the .]]> http://www.dslreports.com/forum/remark,7655116 Mon, 11 Aug 2003 23:42:18 EDT http://www.dslreports.com/forum/remark,7655105 Maggs : Here's a great site to check to see if your computer is open to attack.

»stealthtests.lockdowncorp.com/
--
Let's get right to the .]]> http://www.dslreports.com/forum/remark,7655105 Mon, 11 Aug 2003 23:40:52 EDT http://www.dslreports.com/forum/remark,7655052 jgoldring : For christ sakes...take your hit (IF ANY!)
MS has patches out that make up for most common problems. Port 135? Yes, and anything around that!! Netbios is an issue, MS knows it and you are just re-starting a simple problem to begin with.

J.]]> http://www.dslreports.com/forum/remark,7655052 Mon, 11 Aug 2003 23:35:42 EDT http://www.dslreports.com/forum/remark,7654936 Maggs : Sounds like the football calls. Blue 80, Blue 22 Hike. I got my Linky up and running, My Norton AV fully updated, Zone Alarm going, and for safe measure, why not try a fresh & friendly DSLR port scan. Have the techies run free if I don't secure it. ;) GOD I hope I don't have to reformat again its been my 3rd time this month, since I installed Satan's Pack I from Windows Update.
--
Let's get right to the .
[text was edited by author 2003-08-11 23:26:19]
]]> http://www.dslreports.com/forum/remark,7654936 Mon, 11 Aug 2003 23:25:15 EDT http://www.dslreports.com/forum/remark,7654380 Neophyte101 :

quote:

---

Matter of fact whoever has any ports open is asking for it!

---

Yeah ok... did you even realize that if you NEVER EVER had ports open you would NEVER EVER be able to do anything on the internet? Web browsers open ports to transfer data... so do IM clients, FTP clients, multiplayer games and every other piece of software that transfers data over a network.]]> http://www.dslreports.com/forum/remark,7654380 Mon, 11 Aug 2003 22:29:30 EDT http://www.dslreports.com/forum/remark,7654329 Halo5 : Don't forget port 4444 people. I've got more hits there than 135. ;)
--
»www.thismodernworld.com A cartoon that tells it like it is.]]> http://www.dslreports.com/forum/remark,7654329 Mon, 11 Aug 2003 22:25:31 EDT http://www.dslreports.com/forum/remark,7654203 Alky : Hee hee! Why would anyone even own a pc for that matter? 95% of worms, virii, and nasty scripts are written for the M$ platform. The other 5% are diviied up between Mac and Linux. I haven't run a virus scanner on my Mac in years. My pc I find I'm constantly checking for all kinds of crap. I spend more time doing maintenance on it than anything else. What fun is there in that? I'm way more productive on my Mac. ]]> http://www.dslreports.com/forum/remark,7654203 Mon, 11 Aug 2003 22:11:28 EDT http://www.dslreports.com/forum/remark,7654171 biggoofball : I will have to check my system...thanks for the info]]> http://www.dslreports.com/forum/remark,7654171 Mon, 11 Aug 2003 22:06:33 EDT http://www.dslreports.com/forum/remark,7654121 Myrrdin : Disable system resore if using XP or Windows ME.

Open registry editor, go to:
HKEY_Local_Machine
Software
Microsoft
Windows
Current Version
RUN

delete the entry for Windows Update which has a value that executes MSBLAST.EXE

Restart in safe mode, delete the file MSBLAST.exe from C:\Windows\System32
or
C:\Winnt\system32

Reboot and then apply the patch from Windows Update and update antivirus software.]]> http://www.dslreports.com/forum/remark,7654121 Mon, 11 Aug 2003 22:00:36 EDT http://www.dslreports.com/forum/remark,7654014 cableblows :

said by geierr :

---

All of my ports are blocked using Norton Internet Security. Have been using this firewall for over two years now. A port check via the Symantec website lists all of my ports as "stealth." Anyone who uses the Internet, especially via a broadband connection is foolish to not be using a firewall.

---

good reading and a port scan
»grc.com/np/pa-features.htm

»grc.com/default.htm]]> http://www.dslreports.com/forum/remark,7654014 Mon, 11 Aug 2003 21:50:38 EDT http://www.dslreports.com/forum/remark,7653871 hubs187 : i got hit by it this morning.....if ive already been infected is there anytihng i can do to get it out...or quarentined?.....i put up my built in windows firewall is that enough.....now how do i stop it form infecting other computers from mine? please respond]]> http://www.dslreports.com/forum/remark,7653871 Mon, 11 Aug 2003 21:39:08 EDT http://www.dslreports.com/forum/remark,7653614 Myrrdin : A lot of home users don't use NATs like linksys because they only have one PC and they don't download software like Zone Alarm because they aren't aware they need it.

I just cleaned this off of two systems today (not my own).
First was around 3pm the second was around 6pm.]]> http://www.dslreports.com/forum/remark,7653614 Mon, 11 Aug 2003 21:16:28 EDT http://www.dslreports.com/forum/remark,7653363 vic102482 :

said by Whiteice510 :

---

Let me ask you this,

I run my Norton Anti Virus and keep it updated (Even though this is new, so I doubt Norton has updated itself for this as of yet) and also run my network at home behind NAT. What else can I do to take even more precautions in regards to this?

TIA,
Whiteice

---

If you are behind NAT that you are pretty much okay. If you dont have port 135 forwarded to any computers for a VPN or something (not required anyways because of the tunnelling blah blah blah).

So you should be fine. Only people running their machines with ports open like others here, or no NAT firewalls at all, would have something to worry about.

You really dont even need a software firewall with NAT but it depends on your browsing habits. OI only get email from 10 people tops, no attachments (mostly) and never any .vbs, exe. pl or whatever that can execute.
--
10,000+ Posts and counting. You aint gonna stop me!!!!w00t!!]]> http://www.dslreports.com/forum/remark,7653363 Mon, 11 Aug 2003 20:54:08 EDT http://www.dslreports.com/forum/remark,7653313 vic102482 :

said by MrTangent :

---

said by vic102482 :

---

Whoever has any numbers below 1024 open is really asking for it!

Matter of fact whoever has any ports open is asking for it!

---

Yeah, how dare anyone run an FTP on port 21 or a webserver on port 80! Those fools! I can't believe anyone would want to share information! Infidels! :P

I think the better statement would be:

Matter of fact whoever runs anything by Microsoft is asking for it!

And rightly so.

---

Blah blah blah, shame on you and nil, you guys know what I mean:p lol

If you are browsing the web with no NAT or Firewall, then you are asking for it!

Hows that? MasterMrtangent.:p
--
10,000+ Posts and counting. You aint gonna stop me!!!!w00t!!]]> http://www.dslreports.com/forum/remark,7653313 Mon, 11 Aug 2003 20:49:21 EDT http://www.dslreports.com/forum/remark,7653199 geierr : All of my ports are blocked using Norton Internet Security. Have been using this firewall for over two years now. A port check via the Symantec website lists all of my ports as "stealth." Anyone who uses the Internet, especially via a broadband connection is foolish to not be using a firewall.
--
Robert L. Geier ]]> http://www.dslreports.com/forum/remark,7653199 Mon, 11 Aug 2003 20:37:45 EDT http://www.dslreports.com/forum/remark,7652715 MrTangent :

said by vic102482 :

---

Whoever has any numbers below 1024 open is really asking for it!

Matter of fact whoever has any ports open is asking for it!

---

Yeah, how dare anyone run an FTP on port 21 or a webserver on port 80! Those fools! I can't believe anyone would want to share information! Infidels! :P

I think the better statement would be:

Matter of fact whoever runs anything by Microsoft is asking for it!

And rightly so.

--
"War Is Peace. Freedom Is Slavery. Ignorance Is Strength"]]> http://www.dslreports.com/forum/remark,7652715 Mon, 11 Aug 2003 19:49:44 EDT http://www.dslreports.com/forum/remark,7652690 nil :

said by vic102482 :

---

Matter of fact whoever has any ports open is asking for it!

---

Oh, I don't know, I'd say my server would have some problems operating as a web/mail server w/o ports 80 and 25 open.. and of course I have to pick up my mail.. that's 110.. and have to get in there somehow! that's 22 :)
--
Life is too short to be boring]]> http://www.dslreports.com/forum/remark,7652690 Mon, 11 Aug 2003 19:48:02 EDT http://www.dslreports.com/forum/remark,7652684 Whiteice510 : Let me ask you this,

I run my Norton Anti Virus and keep it updated (Even though this is new, so I doubt Norton has updated itself for this as of yet) and also run my network at home behind NAT. What else can I do to take even more precautions in regards to this?

TIA,
Whiteice
[text was edited by author 2003-08-11 19:48:09]
]]> http://www.dslreports.com/forum/remark,7652684 Mon, 11 Aug 2003 19:47:40 EDT http://www.dslreports.com/forum/remark,7652525 vic102482 : Whoever has any numbers below 1024 open is really asking for it!

Matter of fact whoever has any ports open is asking for it!
--
10,000+ Posts and counting. You aint gonna stop me!!!!w00t!!]]> http://www.dslreports.com/forum/remark,7652525 Mon, 11 Aug 2003 19:35:05 EDT