Topic: Blaster Patch & Fix (Read 241 times)
Mark C
CH.com Alumnus New Board Hall of Famer
Onward through the fog.
Posts: 2660
Blaster Patch & Fix
« on: Aug 13th, 2003, 8:38pm »
When I got to work today 4 out of 5 of our PCs had MS Blaster.32 and our network of 4000 PCs and 2000 laptops is currently toast, so I have gotten adept at removing it. Microsoft's update site is swamped but I have managed to get the patch and the fix here. Run the MS patch first, re-boot, then run the fix and re-boot. Not too hard to do. If you do not have the worm the report at the end of the scan will summarize it. Not a very creative worm, it just takes advantage of MS holes. Only the NT kernel is affected so if you have Win95 or Win98 you are not affected. I have personally used these two programs several times so far and they are safe, digitally signed by MS and Symantec.

Happy Surfing!

Mark

The patch here is for MS2000. Hit MS Blaster Info for other OSes. The removal tool will work on all OS
« Last Edit: Aug 14th, 2003, 11:31am by Mark C »
TomM
New Board Hall of Famer
Posts: 2006
Re: Blaster Patch & Fix
« Reply #1 on: Aug 14th, 2003, 7:29am »
on Aug 13th, 2003, 8:38pm, Mark C wrote:
Only the NT kernel is affected so if you have Win95 or Win98 you are not affected.

This means if you have WinNT, Win XP, Win2000, or WinServer2003 use the patch designated for your OS. Otherwise you do not have a security leak. That is what this worm is doing, going through a 'hole' if you will, in the architecture of the operating system.

TomM

Here's more from the Symantec site:
____________________

When W32.Blaster.Worm is executed, it does the following:

1. Creates a Mutex named "BILLY." If the mutex exists, the worm will exit.

2. Adds the value:
   "windows auto update"="msblast.exe"
   to the registry key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   so that the worm runs when you start Windows.

3. Calculates a random IP address, A.B.C.0, where A, B, and C are random values between 0 and 255.
   NOTE: 40% of the time, if C > 20, a random value less than 20 will be subtracted from C.

4. Once the IP address is calculated, the worm will attempt to find and exploit a computer on the local subnet, based on A.B.C.0. The worm will then count up from 0, attempting to find and exploit other computers, based on the new IP.

5. Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability.
   NOTES:
   This means the local subnet will become saturated with port 135 requests.
   Due to the random nature of how the worm constructs the exploit data, this may cause computers to crash if it sends incorrect data.
   While W32.Blaster.Worm cannot spread to Windows NT or Windows 2003, unpatched computers running these operating systems may crash as the result of attempts by the worm to exploit them.

6. Creates a hidden Cmd.exe remote shell that will listen on TCP port 4444, allowing an attacker to issue remote commands on the infected system.

7. Listens on UDP port 69. When the worm receives a request from a computer it was able to connect to using the DCOM RPC exploit, it will send that computer Msblast.exe and tell it to execute the worm.

8. If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on Windows Update. The worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.

The worm contains the following text, which is never displayed:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
"Everyone should believe in something. I believe I'll go fishing." --Thoreau--
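
Added example, not part of any poster's message or of the Symantec text: a detection sketch that looks for the network behaviour described in the quoted write-up (a count-up sweep on TCP 135, then TCP 4444 and UDP 69 traffic between the same pair of hosts). The flow-record format, the addresses, the SCAN_RUN threshold and the assumption that the TCP 4444 connection comes from the sweeping host are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address

SCAN_RUN = 10  # assumed threshold: consecutive addresses probed on tcp/135

def longest_run(addrs):
    """Length of the longest run of numerically consecutive addresses."""
    nums = sorted({int(ip_address(a)) for a in addrs})
    best = cur = 1 if nums else 0
    for prev, nxt in zip(nums, nums[1:]):
        cur = cur + 1 if nxt == prev + 1 else 1
        best = max(best, cur)
    return best

def analyse(flows):
    """flows: lines of 'src dst proto dport'. Returns (scanners, likely_infected)."""
    probes = defaultdict(set)  # src -> destinations contacted on tcp/135
    shell, tftp = set(), set()  # (src, dst) pairs seen on tcp/4444 and udp/69
    for line in flows:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        src, dst, proto, dport = parts
        key = (proto.lower(), dport)
        if key == ("tcp", "135"):
            probes[src].add(dst)
        elif key == ("tcp", "4444"):
            shell.add((src, dst))
        elif key == ("udp", "69"):
            tftp.add((src, dst))
    # Counting up through a subnet shows as a long run of consecutive targets.
    scanners = {s for s, d in probes.items() if longest_run(d) >= SCAN_RUN}
    # Probed host that got a 4444 connection from the scanner and then sent
    # a udp/69 request back to it: treat as likely newly infected.
    infected = {d for s in scanners for d in probes[s]
                if (s, d) in shell and (d, s) in tftp}
    return scanners, infected

def sample_flows():
    """Constructed records, not a real capture."""
    flows = [f"10.1.4.23 172.16.9.{i} tcp 135" for i in range(20)]
    flows += ["10.1.4.23 172.16.9.7 tcp 4444", "172.16.9.7 10.1.4.23 udp 69"]
    # Benign host: two RPC servers, no sweep; plus one malformed line.
    flows += ["10.1.4.50 10.1.0.5 tcp 135", "10.1.4.50 10.1.0.9 tcp 135", "bad line"]
    return flows

if __name__ == "__main__":
    print(analyse(sample_flows()))
```

On the constructed sample, 10.1.4.23 is reported as the sweeping host and 172.16.9.7 as likely infected, while the host that only talks to two RPC servers is ignored.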
jminmilwaukee
New Board Old Timer
Posts: 384
Re: Blaster Patch & Fix
« Reply #2 on: Aug 14th, 2003, 8:30am »
Still no infection on my 5000 node network. Looks like the weeks of preparation and the 16 hour days are paying off! We are actually shutting down network ports to all systems that did not heed our warning and are still vuln. Not a nice tack in a level one trauma hospital but considering the scale of this thing it is prudent. I can not believe how many universities and government offices have been shut down by this!?! The warning went out a good three weeks ago. Oh well, live and learn I guess. Thanks for providing the link as many are scrambling at this point and cannot access good ol microsoft!

jmin
badfly
New Board Veteran
No matter where you are, thats where you're at!
Posts: 141
Re: Blaster Patch & Fix
« Reply #3 on: Aug 14th, 2003, 8:56am »
Thanx for the links guys
for (int i=0;i<infinity;i++) {Shout("Get this BEAST off my back !!!");}