Yet Another Bulletin Board

Welcome, Guest. Please Login or Register.
Nov 26th, 2024, 7:28pm

Home Home Help Help Search Search Members Members Member Map Member Map Login Login Register Register
Clusterheadaches.com Message Board « Blaster Patch & Fix »


   Clusterheadaches.com Message Board
   New Message Board Archives
   2003 Posts
(Moderator: DJ)
   Blaster Patch & Fix
« Previous topic | Next topic »
Pages: 1  Reply Reply Notify of replies Notify of replies Send Topic Send Topic Print Print
   Author  Topic: Blaster Patch & Fix  (Read 241 times)
Mark C
CH.com Alumnus
New Board Hall of Famer
USA 
*****




Onward through the fog.

   
Email

Gender: male
Posts: 2660
Blaster Patch & Fix
« on: Aug 13th, 2003, 8:38pm »
Quote Quote Modify Modify

When I got to work today 4 out of 5 of our PC's had MS Blaster.32 and our network of 4000 pc's and 2000 laptops is currently toast so I have gotten adept at removing it. Microsoft's update site is swamped but I have managed to get the patch and the fix here. Run the MS patch first, re-boot, then run the fix and re-boot. Not too hard to do. If you do not have the worm the report at the end of the scan will summarize it. Not a very creative worm, it just takes advantage of MS holes.
Only the NT kernel is affected so if you have Win95 or Win98 you are not affected.  
 
I have personally used these two programs several times so far and they are safe, digitally signed by MS and Symantec.
 
 
Happy Surfing!
Mark
 
The patch here is for MS2000. Hit MS Blaster Info for other OS's. The removal tool will work on all OS
« Last Edit: Aug 14th, 2003, 11:31am by Mark C » IP Logged


Click The Flag
TomM
New Board Hall of Famer
USA 
*****






   
WWW Email

Gender: male
Posts: 2006
Re: Blaster Patch & Fix
« Reply #1 on: Aug 14th, 2003, 7:29am »
Quote Quote Modify Modify

on Aug 13th, 2003, 8:38pm, Mark C wrote:
Only the NT kernel is affected so if you have Win95 or Win98 you are not affected.

This means if you have WinNT, Win XP, Win2000, or WinServer2003 use the patch designated for your OS. Otherswise you do not have a security leak. That is what this worm is doing, going through a 'hole' if you will, in the architecture of the operating system.
TomM Cool
Here's more from the Symantec site:  
____________________  
 
When W32.Blaster.Worm is executed, it does the following:  
Creates a Mutex named "BILLY." If the mutex exists, the worm will exit.  
Adds the value:  
"windows auto update"="msblast.exe"  
to the registry key:  
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  
so that the worm runs when you start Windows.  
Calculates a random IP address, A.B.C.0, where A, B, and C are random values  
between 0 and 255.  
NOTE: 40% of the time, if C > 20, a random value less than 20 will be  
subtracted from C.  
Once the IP address is calculated, the worm will attempt to find and exploit a  
computer on the local subnet, based on A.B.C.0. The worm will then count up  
from 0, attempting to find and exploit other computers, based on the new IP.  
Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability.  
NOTES:  
This means the local subnet will become saturated with port 135 requests.  
Due to the random nature of how the worm constructs the exploit data, this may  
cause computers to crash if it sends incorrect data.  
While W32.Blaster.Worm cannot spread to Windows NT or Windows 2003, unpatched  
computers running these operating systems may crash as the result of attempts  
by the worm to exploit them.  
Creates a hidden Cmd.exe remote shell that will listen on TCP port 4444,  
allowing an attacker to issue remote commands on the infected system.  
Listens on UDP port 69. When the worm receives a request from a computer it was  
able to connect to using the DCOM RPC exploit, it will send that computer  
Msblast.exe and tell it to execute the worm.  
If the current month is after August, or if the current date is after the 15th,  
the worm will perform a DoS on Windows Update. The worm will activate the DoS  
attack on the 16th of this month, and continue until the end of the year.  
The worm contains the following text, which is never displayed:  
I just want to say LOVE YOU SAN!!  
billy gates why do you make this possible ? Stop making money and fix your  
software!!  
 
IP Logged

"Everyone should believe in something. I believe I'll go fishing."
--Thoreau--
jminmilwaukee
New Board Old Timer

****





   


Gender: male
Posts: 384
Re: Blaster Patch & Fix
« Reply #2 on: Aug 14th, 2003, 8:30am »
Quote Quote Modify Modify

Still no infection on my 5000 node network. Looks like the weeks of preperation and the 16 hour days are paying off!
 
We are actually shutting down netowork ports to all systems that did not heed our warning and are still vuln.
Not a nice tack in a level one trauma hospital but considering the scale of this thing it is prudent.
 
I can not believe how many universities and goverment offices have been shut down by this!?! The warning went out a good three weeks ago.
 
Oh well, live and learn I guess. Thanks for providing the link as many are scrambling at this point and cannot access good ol microsoft!
 
jmin
IP Logged
badfly
New Board Veteran
New_Zealand 
***



No matter where you are, thats where you're at!

   
Email

Gender: male
Posts: 141
Re: Blaster Patch & Fix
« Reply #3 on: Aug 14th, 2003, 8:56am »
Quote Quote Modify Modify

Thanx for the links guys Smiley
IP Logged

for (int i=0;i<infinity;i++)
{Shout("Get this BEAST off my back !!!");}
Pages: 1  Reply Reply Notify of replies Notify of replies Send Topic Send Topic Print Print

« Previous topic | Next topic »


Clusterheadaches.com Message Board » Powered by YaBB 1 Gold - SP 1.3.1!
YaBB © 2000-2003. All Rights Reserved.


©1998-2010 Web Vision Enterprises All rights reserved. All information on this site is protected by international copyright laws. You may not re-distribute any information from this site without written permission from Web Vision Enterprises and the webmaster of this site. Violators will be prosecuted.
You may view our privacy policy and financial disclosure statement here

test rss