 jennjen
join:2003-08-12 Rohnert Park, CA
| reply to vic102482 Re: Port 135?!
I'm sorry.. but I'm not too computer literate. I have the worm and it keeps replicating itself in my system. I delete the file (msblast.exe) but it comes back again and again. I must not have a firewall up. Can someone please guide me through the procedure?
thank you. |
|
  tenebrion
join:2001-12-12 Rancho Palos Verdes, CA clubs:   | reply to Maggs I had a friend of mine running ZoneAlarm, and I don't know how, but it got past it. |
|
 wtansill Ncc1701
join:2000-10-10 Falls Church, VA | reply to x____ Well, my SMC Barricade is blocking things nicely... Lots of log hits, no responses to the originating queries... -- That which does not kill me merely prolongs the agony. |
|
  DogmaBast
@206.169.x.x
from: rchandra 
| reply to Alky Alky-
You are preaching to the choir here. My desk is surrounded with 2 Macs (G3/G4 OSX) and 1 Intel Linux (RedHat 9) Desktop, 1 Linux RedHat Notebook.
(Almost) everyone in my office building is running around like heads with their chickens cut off. Some offices have high-end firewalling using outboard NetScreen & IPIX iron, but the worm still got through.
Here is the funny part; I had a scheduled sales presentation (remote data disaster recovery services) today and one of the "competitors" whose pitch was 2 hours before mine ran my meeting late...his laptop PP presentation wouldn't fly...his PC laptop kept going into a forced shutdown. My StarOffice demo ran like clockwork.
Why people continue to put up with this "platform" escapes me. |
|
  redstepchild Premium join:2002-01-04 Birmingham, AL | reply to Maggs check out the W32.Blaster.Worm diaries
isc.sans.org/diary.html?date=2003-08-11
all the techy stuff you could ask for related to this worm. -- I'm a Cable girl.. In a Cable World.....RedStepChild@dslr.net |
|
 crazylike
join:2003-08-12 canada
| reply to vic102482 Re: Port 135?!
People, just go to Computer Management and then to the sub dir user and group accounts; close and password all your accounts and delete the ones that Windows makes at install. Then go find the msblast, as you call it; it's actually an sdbot. You can remove it by finding the host folder; it usually is c:/winnt/system32/drivers/etc or c:/winnt/system32/config. Best idea is to look for folders that just do not belong, e.g. Certserv or Jobs Cpuidle. These folders will be in the system32 folder, so look there; they will be hidden folders and files. Look in the reg and edit the HKEY which controls rundll32.exe. Microsoft does know about this problem but chooses not to fix it. |
|
 vic102482 Premium join:2002-04-30 Upper Marlboro, MD
| reply to Neophyte101 said by Neophyte101 : quote: Matter of fact whoever has any ports open is asking for it!
Yeah ok... did you even realize that if you NEVER EVER had ports open you would NEVER EVER be able to do anything on the internet? Web browsers open ports to transfer data... so do IM clients, FTP clients, multiplayer games and every other piece of software that transfers data over a network.
See above smarty pants.;) -- 10,000+ Posts and counting. You aint gonna stop me!!!!w00t!! |
|
 crazylike
join:2003-08-12 canada
| reply to jennjen you need to lock the door
Go to the Start button, then Control Panel, then to Performance and Maintenance, then to Administrative Tools, then Computer Management. Then, sub under Administrative Tools, click Local Users and Groups on the left-hand side; on the right-hand side it will show a list of different logins to your computer. Any you did not make, delete. The 2 that it will not allow deletion of, one's Administrator, the other a guest account: password protect them. Then go to c:\winnt\system32, look for msblast.exe and delete it. Then go to the registry and delete the reg key for it there. Then go back to the system32 directory and look for any folders with out-of-place names like (inetserv comserv saved uploads dloads). You should also check for files and folders in the c:\winnt\system32\drivers\etc folder. You could do a search for files ending in .sah .bak .pid .bat; these files are common to sdbots and to msblast.exe, as there seem to be 3 parts to this bot: 1st an ftp, 2nd an irc xdccbot, 3rd a self-contained scanner and auto rooter. Very fancy piece of programming. Too bad I found all three pieces. Man, people will be mad at me lol |
|
  murdok6100 Avatar. Get It, Avatar?
join:2002-06-20
| reply to MrTangent Re: Port 135?!
said by MrTangent : Matter of fact whoever runs anything by Microsoft is asking for it!
And rightly so.
Oh but of course (good one!)
Murdok610 |
|
 ricep5 Premium join:2000-08-07 Jacksonville, FL
| reply to Alky Hey Alky,
That's the same argument most people have used just before they got AIDS.
"Hey, I only get involved with 5% of the people I date, I am OK" "What fun is there in protection" "I am way more active doing it my way"
Oops, sorry we are talking about computers, not people here. |
|
  Give Me A Break
@63.226.x.x | reply to vic102482 Dazzled by Brilliance !
Quote : If you are behind NAT that you are pretty much okay.
I would call you an idiot, but based on your other posts here that would seem redundant ! |
|
 vic102482 Premium join:2002-04-30 Upper Marlboro, MD
| said by Give Me A Break: Quote : If you are behind NAT that you are pretty much okay.
I would call you an idiot, but based on your other posts here that would seem redundant !
????
Um yeah okay.....NEways, I have no firewall, no antivirus software, no Windows XP patches, and I am fine. Call me an idiot if you want, but at least I'm not one with worms, anonymous coward!:) -- 10,000+ Posts and counting. You aint gonna stop me!!!!w00t!! |
|
  MrTangent
join:2001-12-28 Earth | Don't worry about him, vic382398826. Just another anonymous person. 
-- "War Is Peace. Freedom Is Slavery. Ignorance Is Strength" |
|
 vic102482 Premium join:2002-04-30 Upper Marlboro, MD
| said by MrTangent : Don't worry about him, vic382398826. Just another anonymous person. 
It could have been you that made that post;). -- 10,000+ Posts and counting. You aint gonna stop me!!!!w00t!! |
|
  museheart Premium join:2002-08-11 Hazel Green, AL
| reply to vic102482 Re: Port 135?!
said by vic102482 : said by MrTangent : said by vic102482 : Whoever has any numbers below 1024 open is really asking for it!
If you are browsing the web with no NAT or Firewall, then you are asking for it!
How's that? MasterMrtangent. :p
Zone Alarm has been blocking 73.165.128.151 to port 2268 TCP Flags SYN all of two weeks now. I haven't looked it up yet, I was about to and saw this thread.
I had Linksys hooked up but due to some computer diagnostics it isn't right now. I ended up having to re-format the hard drive.
Guess I should hook it back up post haste?
Peace,
-- MuSe
Visit Fighting Back! - Quick links to the best freeware anywhere! »home.mchsi.com/~museheart/fight.html |
|
 vic102482 Premium join:2002-04-30 Upper Marlboro, MD
| said by museheart : said by vic102482 : said by MrTangent : said by vic102482 : Whoever has any numbers below 1024 open is really asking for it!
If you are browsing the web with no NAT or Firewall, then you are asking for it!
How's that? MasterMrtangent. :p
Zone Alarm has been blocking 73.165.128.151 to port 2268 TCP Flags SYN all of two weeks now. I haven't looked it up yet, I was about to and saw this thread.
I had Linksys hooked up but due to some computer diagnostics it isn't right now. I ended up having to re-format the hard drive.
Guess I should hook it back up post haste?
Peace,
Yeah keep the Linksys on at all times. I had only 1 computer and I had a NAT box. I don't ever update my machine unless I need to. I haven't updated ANY of my computers to patch the worm because I am behind NAT. The firewall is good in case it somehow makes it onto your network; you will see it trying to download the meat and potatoes to your computer. The msblast.exe alone doesn't harm your machine (or so others say), only when it can get out onto the web and start wreaking havoc on your connection. NATs really can't protect against outgoing connections (although you can block incoming and outgoing ports). -- 10,000+ Posts and counting. You aint gonna stop me!!!!w00t!! |
|
  museheart Premium join:2002-08-11 Hazel Green, AL
| said by vic102482 : said by museheart : Zone Alarm has been blocking 73.165.128.151 to port 2268 TCP Flags SYN all of two weeks now. I haven't looked it up yet, I was about to and saw this thread.
I had Linksys hooked up but due to some computer diagnostics it isn't right now. I ended up having to re-format the hard drive.
Guess I should hook it back up post haste?
Peace,
Yeah keep the Linksys on at all times. I had only 1 computer and I had a NAT box. I don't ever update my machine unless I need to. I haven't updated ANY of my computers to patch the worm because I am behind NAT. The firewall is good in case it somehow makes it onto your network; you will see it trying to download the meat and potatoes to your computer. The msblast.exe alone doesn't harm your machine (or so others say), only when it can get out onto the web and start wreaking havoc on your connection. NATs really can't protect against outgoing connections (although you can block incoming and outgoing ports).
So I'm going to hook it up. What ports if any should I block (and how) on the Linksys?
When you say keep the Linksys on at all times, do you mean as well as the modem? Someone told me to keep them both on all the time and I thought they were an idiot.
I used to always keep the Linksys on but turn the modem off, sometimes unplug it.
Thanks, -- MuSe
Visit Fighting Back! - Quick links to the best freeware anywhere! »home.mchsi.com/~museheart/fight.html |
|