DevilFrank

join:2003-07-13
·T-Com

Virus alert category 3: W32.Blaster.Worm

Symantec has reacted. The LU is going well.

W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. It will attempt to download and run the file Msblast.exe.

You should block access to TCP port 4444 at the firewall level, and block the following ports, if they do not use the applications listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

The worm also attempts to perform a Denial of Service on windowsupdate.com. This is an attempt to disable your ability to patch your computer against the DCOM RPC vulnerability.

Click here for more information on the vulnerability being exploited by this worm and to find out which Symantec products can help mitigate risk from this vulnerability.

NOTE: This threat will be detected by virus definitions having:
Defs Version: 50811s
Sequence Number: 24254
Extended Version: 8/11/2003 rev. 19

Also Known As: W32/Lovsan.worm [McAfee]

Type: Worm
Infection Length: 6,176 bytes

Systems Affected: Windows 2000, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX
CVE References: CAN-2003-0352

»securityresponse.symantec.com/av···orm.html
--
Regards from Germany. Please excuse my stumbling English
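An added example, not from the thread or from Symantec: the three ports in the advisory are stages of one intrusion (TCP 135 exploit, TCP 4444 shell, UDP 69 TFTP download of Msblast.exe), so a firewall log can be read for that sequence per remote host rather than for isolated port hits, and it also reports the peak rate of TCP/135 hits in a time window. The log format, all addresses and the protected host 198.51.100.5 are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample log (not from the thread); format "<ts> <proto> <src>:<port> -> <dst>:<port>", protected host 198.51.100.5
SAMPLE_LOG = """\
2003-08-12 10:00:01 TCP 192.0.2.10:3456 -> 198.51.100.5:135
2003-08-12 10:00:01 TCP 192.0.2.10:3457 -> 198.51.100.5:4444
2003-08-12 10:00:02 UDP 198.51.100.5:1029 -> 192.0.2.10:69
2003-08-12 10:00:05 TCP 192.0.2.20:1111 -> 198.51.100.5:135
2003-08-12 10:00:09 TCP 192.0.2.30:2222 -> 198.51.100.5:139
2003-08-12 10:30:00 TCP 192.0.2.50:4000 -> 198.51.100.5:135
"""
LINE_RE = re.compile(r"^(\S+ \S+) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")

def parse(log_text):
    # Yield (timestamp, proto, src_ip, src_port, dst_ip, dst_port); malformed lines are skipped
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), int(m.group(4)), m.group(5), int(m.group(6))

def blaster_stages(log_text, protected_ip):
    """Map each remote host to the Blaster stages observed against protected_ip."""
    stages = defaultdict(set)
    for ts, proto, src, sport, dst, dport in parse(log_text):
        if dst == protected_ip and proto == "TCP" and dport == 135:
            stages[src].add("rpc135")      # DCOM RPC exploit attempt (MS03-026)
        elif dst == protected_ip and proto == "TCP" and dport == 4444:
            stages[src].add("shell4444")   # connecting to the shell the exploit opens
        elif src == protected_ip and proto == "UDP" and dport == 69:
            stages[dst].add("tftp69")      # victim fetching Msblast.exe back over TFTP
    return dict(stages)

def classify(stage_set):
    # Rank a remote host by how far along the advisory's port sequence it got
    if {"rpc135", "shell4444", "tftp69"} <= stage_set:
        return "infection-chain"
    if {"rpc135", "shell4444"} <= stage_set:
        return "exploit-attempt"
    return "scan" if "rpc135" in stage_set else "other"

def peak_port135_hits(log_text, protected_ip, window_seconds):
    """Largest number of inbound TCP/135 hits inside any window of window_seconds."""
    times = sorted(ts for ts, proto, _, _, dst, dport in parse(log_text)
                   if dst == protected_ip and proto == "TCP" and dport == 135)
    peak = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        peak = max(peak, end - start + 1)
    return peak
```

A host that only reaches "scan" is background noise from the worm's random scanning; "infection-chain" means the protected host pulled a file over TFTP after the 135/4444 pair and should be treated as compromised.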


Randy Bell
Premium
join:2002-02-24
Santa Clara, CA

Discussed extensively here: »More RPC/TFTP malware, this time local

and I probably should have posted mine under your thread, DevilFrank, but I did already post here:

Sophos: W32/Blaster-A
»Sophos: W32/Blaster-A
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)


John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England
reply to DevilFrank
Now uprated to Category 4. Don't see that very often.


Randy Bell
Premium
join:2002-02-24
Santa Clara, CA

Panda: The new Blaster is spreading rapidly

- The new Blaster is spreading rapidly,
infecting computers around the globe -
Oxygen3 24h-365d, by Panda Software (»www.pandasoftware.com)


Madrid, August 12, 2003 - In just a few hours the new Blaster worm has spread rapidly and already infected thousands of computers around the globe. According to Luis Corrons, head of Panda Software's Virus Laboratory: "This is a critical moment, as all computers that do not have the security patches installed are vulnerable to this worm. Its proliferation rate is even higher than that of Bugbear.B."

Blaster has already topped the ranking of the viruses most frequently detected by the free, online antivirus, Panda ActiveScan. For this reason, Panda Software offers all users its PQREMOVE application, which is especially designed to detect and eliminate the Blaster worm and repair the damage that it may have caused in affected computers. This utility is available for download at »www.pandasoftware.com/download/utilities/.

Blaster exploits the RPC DCOM vulnerability, recently discovered in several versions of Windows operating systems, in order to get into computers directly via the Internet through port 135. Once it has done this, it causes a buffer overflow in the affected computer.

However, the main aim of Blaster is to infect as many computers as possible in order to launch a denial of service attack against the website windowsupdate.com whenever the system date is between August 16 and December 31, 2003. When this condition is met, the worm creates a new run thread, which sends a 40-byte packet to windowsupdate.com every 20 milliseconds through the TCP port 80.

This Windows vulnerability, classified as "critical" by Microsoft, consists of a buffer overflow in the RPC interface and affects Windows NT 4.0, 2000, XP and Windows Server 2003. This security hole could allow hackers to gain remote control of affected computers. For this reason and in order to avoid falling victim to attack, Panda Software advises network administrators, IT managers and home users to immediately install the patches released by Microsoft to fix this vulnerability. These are available at »www.microsoft.com/security/secur···-026.asp where you can also find detailed information about this flaw.

Panda Software advises users to update their antivirus solutions, if they have not already done so. The company has already made the updates to its products available to users to ensure their solutions can detect and eliminate Blaster. Those whose software is not configured to update automatically should update their solutions from »www.pandasoftware.com/. From this address users can also detect and disinfect Blaster using the free, online antivirus, Panda ActiveScan.

For further information about Blaster and other viruses, visit Panda Software's Virus Encyclopedia at: »www.pandasoftware.com/virus_info···lopedia/

-------------------------------------------------

5 more viruses detected by Panda ActiveScan, Panda Software's free, online scanner: 1)Blaster; 2)Bugbear.B; 3)Klez.I; 4)Fortnight.E; 5)PSWBugbear.B.
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

reply to DevilFrank
Re: Virus alert category 3: W32.Blaster.Worm

Computer Infection Disrupts Asia, Europe
By MATT MOORE

STOCKHOLM, Sweden (AP) - An Internet-borne infection incapacitated tens of thousands of computers on Tuesday, snarling company networks and frustrating home users as it spread across the globe.

Security officials said the virus-like worm, dubbed "LovSan," was part of a coordinated electronic attack that exploited one of the most serious flaws yet discovered in Microsoft Corp.'s Windows operating systems.

The worm was first reported in the United States on Monday and, while appearing not to delete files or otherwise incur permanent damage, knocked many computers offline. Non-Microsoft systems were not vulnerable.

Across Asia and Europe, it struck many businesses as they opened and workers logged on, spreading without the need for user intervention.

Graham Cluley, a senior technology consultant with Sophos PLC in Britain, said his company started getting reports about the infection from Australia and then in Europe.

In Sweden, Internet provider TeliaSonera said about 20,000 of its customers were affected after the infection clogged 40 servers that handled Internet traffic. Spokeswoman Lena Rosell said customers had their service restored by late morning.

Denmark initially reported limited problems, but "the tendency is rising and we're getting more reports of attacks," said Preben Andersen, head of Denmark's official virus watchdog agency, DK CERT. "There must be at least a couple of thousand PCs infected with this worm."

Among companies affected in Germany was automaker BMW, said spokesman Eckhard Vannieck. The problems did not affect production and the company expected it fixed by day's end.

Computers infected by LovSan were programmed to automatically launch an attack Saturday on windowsupdate.com, a Web site Microsoft uses to avail customers of software patches that can prevent such infections.

The infection was dubbed "LovSan" because of a love note left behind on vulnerable computers: "I just want to say LOVE YOU SAN!" Researchers also discovered another message hidden inside the infection that appeared to taunt Microsoft Chairman Bill Gates: "billy gates why do you make this possible? Stop making money and fix your software!"

Microsoft had posted a free patch on the Web site to protect Windows users after it warned on July 16 about the flaw. Nearly all versions of Windows are affected.

The high-profile alerts issued by Microsoft notwithstanding, many businesses did not initially install the patches and scrambled Tuesday to shore up their computers.

"People are too laid back. Microsoft doesn't do these warnings for fun," said Cluley. "I think a lot of people have gotten into the habit of thinking viruses only come in via e-mails."

S.C. Leung, spokesman for the Hong Kong Computer Emergency Response Team Coordination Center, said some home computers crashed, possibly a side effect of the infection, also dubbed "blaster."

Individual users and small businesses appeared to be at greater risk than bigger companies, which typically have firewalls that can stem such attacks. But once such a worm gets inside a firewall, unprotected computers are vulnerable.

South Korea's Information and Communication Ministry said that about 1,900 cases of the infection were reported there.

On the Net:

Network Associates: »vil.nai.com/vil/content/v-100547.htm

Symantec: www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Microsoft warning: www.microsoft.com/security/security-bulletins/ms03-026.asp

Government warning: www.nipc.gov/warnings/advisories/2003/Potential7302003.htm


DaHen
Premium
join:2002-11-08
Brockton, MA
reply to DevilFrank
DevilFrank,
Thanks for the port info.


Randy Bell
Premium
join:2002-02-24
Santa Clara, CA

reply to John2g
Symantec Blaster Alert
said by John2g:
Now uprated to Category 4. Don't see that very often.
I just got that in the mail too; you are right, Category 4 {Severe} rating is very very rare; in fact I don't ever recall a Cat-4 since I've been involved at DSLReports, but I could be wrong on that. Thanks to others for your informative posts, as well as the many threads & posts about this new worm. Special thanks to psloss for his research & insights.
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)

Buddel5
Premium
join:2003-08-12
Germany
reply to DevilFrank
If Category 4 means "severe", I wonder what a worm must do to qualify for Category 5. Are there / Have there ever been any Cat-5 worms?


DrVidiBoomBa
No Respect
Premium
join:2000-02-17
Kirkland, WA
reply to DevilFrank
What I hate is they tell you what to do but never how to do it!! I'm a newb at configuring routers; can someone tell me how to block those ports!!

I have a Netgear MR814 wireless router.

TIA!


phriday613
Your Avatar Is Nice... For Me To Poop On
Premium
join:2002-02-06
Eastchester, NY

reply to DevilFrank
I don't know, but I heard (I was asleep) that SQLSlammer was a pretty serious one that clogged internet traffic severely..

I think that went as high as 4. I think it would be something that REALLY kills internet traffic and bogs it down to just about nothing.. Who knows how far this one can get :P

Ask M$ how their traffic will be on the webserver that hosts windowsupdate.com later on in the week; I bet it'll be a cat 5 over there.
--
"Forewarned is forearmed..." -gwion


DevilFrank

join:2003-07-13
Here in Germany the worm is acutely at work. In the last 24 minutes I registered 169 hits on my port 135.
That's heavy.
--
Regards from Germany. Please excuse my stumbling English


markwp2001
Spreadhead
Premium
join:2002-05-25
Long Beach, MS
reply to DevilFrank
Your English is fine and your point comes across loud and clear


DevilFrank

join:2003-07-13
thank you very much
QuickDic is a good helper.


Randy Bell
Premium
join:2002-02-24
Santa Clara, CA

reply to DevilFrank

ZoneAlarm: port 135 hit

ZoneAlarm: NetBios hit
said by DevilFrank:
Here in Germany the worm is acutely at work. In the last 24 minutes I registered 169 hits on my port 135. That's heavy.
Same here, I seem to be getting hits alternately on port 135 {1st pic} and NetBIOS {2nd pic}. This is on dialup at the moment.
--
"But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)


quientus
So Red Shoes
Premium
join:2000-08-11
San Jose, CA
reply to DevilFrank
LOL. You guys shouldn't even be seeing that alert in your firewall! Why haven't you blocked 135 at the router level? I don't even see the alert.
--
(sig was too long)

boblandy
Premium
join:2002-05-06

reply to Buddel5
said by Buddel5:
If Category 4 means "severe", I wonder what a worm must do to qualify for Category 5.
according to symantec...

Category 4 - Severe
Dangerous threat type, difficult to contain. The latest virus definitions should be downloaded immediately and deployed.

Category 5 - Very Severe
Highly dangerous threat type, very difficult to contain. All machines should download the latest virus definitions immediately and execute a scan. Email servers may need to come down. All three threat metrics must be High.


boblandy
Premium
join:2002-05-06

reply to Buddel5
said by Buddel5:
Have there ever been any Cat-5 worms?
here's one you may recall that was only a cat2, but it claimed to be a cat5, as part of the attempted social engineering...

W32.Gruel@mm

"Message body:

Norton Security Response: has detected a new virus in the Internet. For this reason we made this tool attachement, to protect your computer from this serious virus. Due to the number of submissions received from customers, Symantec Security Response has upgraded this threat to a Category 5 (Maximum )"

over 10 years online! © 1999-2009 dslreports.com.