Clusterheadaches.com Message Board (http://www.clusterheadaches.com/cgi-bin/yabb/YaBB.cgi)
New Message Board Archives >> Jul-Sep 2003 >> Blaster Patch & Fix
(Message started by: Mark C on Aug 13th, 2003, 8:38pm)

Title: Blaster Patch & Fix
Post by Mark C on Aug 13th, 2003, 8:38pm
When I got to work today 4 out of 5 of our PCs had MS Blaster.32 and our network of 4000 PCs and 2000 laptops is currently toast so I have gotten adept at removing it. Microsoft's update site is swamped but I have managed to get the patch (http://drfeller.com/Mark/patch.exe) and the fix (http://drfeller.com/Mark/FixBlast.exe) here. Run the MS patch first, re-boot, then run the fix and re-boot. Not too hard to do. If you do not have the worm the report at the end of the scan will summarize it. Not a very creative worm, it just takes advantage of MS holes.
Only the NT kernel is affected so if you have Win95 or Win98 you are not affected.

I have personally used these two programs several times so far and they are safe, digitally signed by MS and Symantec.


Happy Surfing!
Mark

The patch here is for MS2000. Hit MS Blaster Info (http://www.microsoft.com/security/incident/blast.asp) for other OSs. The removal tool will work on all OSs.

Title: Re: Blaster Patch & Fix
Post by TomM on Aug 14th, 2003, 7:29am

on 08/13/03 at 20:38:03, Mark C wrote:
Only the NT kernel is affected so if you have Win95 or Win98 you are not affected.

This means if you have WinNT, Win XP, Win2000, or WinServer2003 use the patch designated for your OS. Otherwise you do not have a security leak. That is what this worm is doing, going through a 'hole' if you will, in the architecture of the operating system.
TomM 8)
Here's more from the Symantec site:
____________________

When W32.Blaster.Worm is executed, it does the following:

1. Creates a Mutex named "BILLY." If the mutex exists, the worm will exit.
2. Adds the value:
   "windows auto update"="msblast.exe"
   to the registry key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   so that the worm runs when you start Windows.
3. Calculates a random IP address, A.B.C.0, where A, B, and C are random values between 0 and 255.
   NOTE: 40% of the time, if C > 20, a random value less than 20 will be subtracted from C.
   Once the IP address is calculated, the worm will attempt to find and exploit a computer on the local subnet, based on A.B.C.0. The worm will then count up from 0, attempting to find and exploit other computers, based on the new IP.
4. Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability.
   NOTES:
   - This means the local subnet will become saturated with port 135 requests.
   - Due to the random nature of how the worm constructs the exploit data, this may cause computers to crash if it sends incorrect data.
   - While W32.Blaster.Worm cannot spread to Windows NT or Windows 2003, unpatched computers running these operating systems may crash as the result of attempts by the worm to exploit them.
5. Creates a hidden Cmd.exe remote shell that will listen on TCP port 4444, allowing an attacker to issue remote commands on the infected system.
6. Listens on UDP port 69. When the worm receives a request from a computer it was able to connect to using the DCOM RPC exploit, it will send that computer Msblast.exe and tell it to execute the worm.
7. If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on Windows Update. The worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.
8. The worm contains the following text, which is never displayed:
   I just want to say LOVE YOU SAN!!
   billy gates why do you make this possible ? Stop making money and fix your software!!
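The Symantec write-up quoted above describes a traffic pattern a network team can hunt for: one host probing a /24 on TCP/135 host by host, then TCP/4444 shell connections and UDP/69 fetches of Msblast.exe. The detector below is an added example, not part of the thread or of Symantec's material; the log format ("src dst proto dport"), the sample lines and the SWEEP_MIN threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample firewall log, "<src> <dst> <proto> <dport>" (not real traffic)
SAMPLE_LOG = """\
10.1.2.50 192.168.7.1 tcp 135
10.1.2.50 192.168.7.2 tcp 135
10.1.2.50 192.168.7.3 tcp 135
10.1.2.50 192.168.7.4 tcp 135
10.1.2.50 192.168.7.5 tcp 135
10.1.2.50 192.168.7.3 tcp 4444
192.168.7.3 10.1.2.50 udp 69
10.1.2.77 10.1.9.20 tcp 135
"""
SWEEP_MIN = 5  # consecutive /24 hosts probed on TCP/135 before flagging (tuning assumption)

def parse(log):
    for line in log.splitlines():
        src, dst, proto, dport = line.split()
        yield src, dst, proto, int(dport)

def is_sequential(octets):
    """True when the last octets form an unbroken ascending run (the worm counts up)."""
    s = sorted(octets)
    return s == list(range(s[0], s[0] + len(s)))

def blaster_suspects(log, sweep_min=SWEEP_MIN):
    """Return {src: [reasons]} for hosts whose traffic matches the worm's behaviour."""
    sweeps = defaultdict(lambda: defaultdict(set))  # src -> /24 prefix -> last octets
    shell, served_tftp = set(), set()
    for src, dst, proto, dport in parse(log):
        if proto == "tcp" and dport == 135:          # DCOM RPC probe
            prefix, last = dst.rsplit(".", 1)
            sweeps[src][prefix].add(int(last))
        elif proto == "tcp" and dport == 4444:       # client of the hidden cmd.exe shell
            shell.add(src)
        elif proto == "udp" and dport == 69:         # dst is the host handing out msblast.exe
            served_tftp.add(dst)
    findings = {}
    for src in set(sweeps) | shell | served_tftp:
        reasons = [f"sequential tcp/135 sweep of {p}.0/24 ({len(o)} hosts)"
                   for p, o in sweeps.get(src, {}).items()
                   if len(o) >= sweep_min and is_sequential(o)]
        if src in shell:
            reasons.append("connected to tcp/4444 remote shell")
        if src in served_tftp:
            reasons.append("served a udp/69 (tftp) fetch")
        if reasons:
            findings[src] = reasons
    return findings
```

A single TCP/135 connection (10.1.2.77 in the sample) is normal RPC traffic and is not flagged; only the combination of a sequential sweep with the follow-up ports is.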


Title: Re: Blaster Patch & Fix
Post by jminmilwaukee on Aug 14th, 2003, 8:30am
Still no infection on my 5000 node network. Looks like the weeks of preparation and the 16 hour days are paying off!

We are actually shutting down network ports to all systems that did not heed our warning and are still vuln.
Not a nice tack in a level one trauma hospital but considering the scale of this thing it is prudent.

I can not believe how many universities and government offices have been shut down by this!?! The warning went out a good three weeks ago.

Oh well, live and learn I guess. Thanks for providing the link as many are scrambling at this point and cannot access good ol microsoft!

jmin

Title: Re: Blaster Patch & Fix
Post by badfly on Aug 14th, 2003, 8:56am
Thanx for the links guys :)



Clusterheadaches.com Message Board » Powered by YaBB 1 Gold - SP 1.3.1!
YaBB © 2000-2003. All Rights Reserved.