Film-Tech Cinema Systems
Film-Tech Forum ARCHIVE


  

 
This topic comprises 2 pages: 1  2 
 
Author Topic: New worm going around -W32.Blaster.Worm
Michael Gonzalez
Jedi Master Film Handler

Posts: 790
From: Grand Island , NE USA
Registered: Sep 2000


posted 08-12-2003 01:11 PM
I hear that this worm has really been making the rounds lately despite the fact that a security patch has been available from Microsoft for over a month. I have my computer set up for automatic updates so I don't seem to have a problem with these, but if you caught the worm, here is how you can remove it:

Norton has a removal tool here

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Microsoft has a patch here (1-866-PC-Safety)

http://www.microsoft.com/security/security_bulletins/ms03-026.asp

Systems affected

The following operating systems are affected by this vulnerability:
• Windows NT 4.0 Workstation
• Windows NT 4.0 Server
• Windows 2000 Professional
• Windows 2000 Server
• Windows 2000 Advanced Server
• Windows XP Home
• Windows XP Professional

This security threat affects Windows 2000, NT, and XP and has recently been the subject of a security bulletin released by Microsoft. It is a vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

Solution: Customers should install the security patch immediately and consider installing a firewall. Customers with a firewall installed or who are running operating systems other than those listed above may see increased Internet traffic but will not be otherwise affected.

ADVANCED USERS:
You can temporarily get around the issue by doing the following:

1. Go to Administrative Tools > Services.
2. Double-click Remote Procedure Call.
3. Under the Recovery tab, set all failure reactions to "Take No Action" and set "Reset failure count after" to zero [0] days.

The affected port numbers you can block are:

tcp port 4444
tcp port 135
udp port 69


Adam Martin
I'm not even gonna point out the irony.

Posts: 3686
From: Dallas, TX
Registered: Nov 2000


posted 08-12-2003 04:34 PM
I found out about this one this past weekend when I took my desktop home from work and used it on dialup without a firewall. Switching the RPC termination to "no action" and turning on XP's dialup firewall as stated above remedied the problem until I could download the patch.


Matthew Bailey
Master Film Handler

Posts: 461
From: Port Arthur,TX
Registered: Sep 2000


posted 08-12-2003 05:57 PM
Once I tried to load the MS update & I had to use ctrl+alt+delete to interrupt it because it either stalled or hung during downloading.


Ken Layton
Phenomenal Film Handler

Posts: 1452
From: Olympia, Wash. USA
Registered: Sep 1999


posted 08-12-2003 06:04 PM
So, Windows 98 is not affected? That's what I have.


Richard Thomas
Film Handler

Posts: 11
From: Trinidad, CO
Registered: Aug 2003


posted 08-12-2003 06:05 PM
This is a bad deal. I have a firewall (Zone Alarm) and it is catching and blocking over 100 probes per hour just sitting there connected to the internet. If you have an open port and this thing finds it, you are likely to get infected. It is not like a worm that comes in an email requiring clicking; this baby just gets you if you are connected and things are just right. Nasty deal.


Tim Reed
Better Projection Pays

Posts: 5246
From: Northampton, PA
Registered: Sep 1999


posted 08-12-2003 07:27 PM
Welcome, Richard!


John Walsh
Film God

Posts: 2490
From: Connecticut, USA, Earth, Milky Way
Registered: Oct 1999


posted 08-12-2003 07:30 PM
I'm behind a Sonicwall firewall router/NAT, then ZoneAlarm. I wouldn't say I'm bulletproof, but doin' OK....


Joe Redifer
You need a beating today

Posts: 12859
From: Denver, Colorado
Registered: May 99


posted 08-12-2003 07:30 PM
To find out if you have this worm, you must go to the TASK MANAGER and see if something called "msblast." is running. If so, you have the worm.

Why don't I have the worm? I can never get this stuff and my ports are all wide open!

Is this the worm that gives Microsoft hell by attacking their website somehow? Also, Michael... the link to Microsoft above does not go straight to the patch. You have to click around everywhere and suddenly you are engulfed in many many different critical updates. Which one is it? Boy, Windows sure seems to have a lot of security updates quite frequently. Every single update to their OS is to resolve a vulnerability in security. Why does Microsoft program such crappy OS's with no beta testing, no debugging, and whatnot?

Mac OS is BETTER than Windows OS. Period.


Adam Martin
I'm not even gonna point out the irony.

Posts: 3686
From: Dallas, TX
Registered: Nov 2000


posted 08-12-2003 08:08 PM
This one apparently affects NT/2000/XP/2003 OS's.

The patch will not apply properly if the worm is present on your system. Download the removal tool from the Symantec link above and it will scan your system, remove the affected files, and ask you if you want to go to the Microsoft page and download the patch.


Mitchell Cope
Master Film Handler

Posts: 256
From: Overland Park, KS, United States
Registered: Jun 99


posted 08-12-2003 08:26 PM
According to McAfee,
quote:
"This worm spreads by exploiting a recent vulnerability in Microsoft Windows. The worm scans random ranges of IP addresses on TCP port 135. Discovered systems are targeted. Exploit code is sent to those systems, instructing them to download and execute the file MSBLAST.EXE from a remote system via TFTP."

If I'm interpreting this correctly, Microsoft may have recently added this vulnerability.

Indications of Infection:
* Presence of unusual TFTP files
* Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
* Error messages about the RPC service failing (causes system to reboot)

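The ports listed in the first post (TCP 135, TCP 4444, UDP 69) and the propagation sequence in the McAfee quote can be checked for in firewall logs. The following is an added example, not part of any poster's message: the log format, addresses and function names are constructed for illustration, and it assumes the TCP/4444 traffic runs between the probing host and the host it probed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not taken from the thread).
SAMPLE_LOG = """\
2003-08-12T18:05:01 SRC=192.0.2.10 DST=198.51.100.21 PROTO=TCP DPT=135
2003-08-12T18:05:01 SRC=192.0.2.10 DST=198.51.100.22 PROTO=TCP DPT=135
2003-08-12T18:05:02 SRC=192.0.2.10 DST=198.51.100.23 PROTO=TCP DPT=135
2003-08-12T18:05:03 SRC=192.0.2.10 DST=198.51.100.22 PROTO=TCP DPT=4444
2003-08-12T18:05:04 SRC=198.51.100.22 DST=192.0.2.10 PROTO=UDP DPT=69
2003-08-12T18:09:00 SRC=203.0.113.7 DST=198.51.100.21 PROTO=TCP DPT=80
2003-08-12T18:30:00 SRC=198.51.100.21 DST=203.0.113.7 PROTO=UDP DPT=69
"""
LINE_RE = re.compile(r"(\S+) SRC=(\S+) DST=(\S+) PROTO=(\w+) DPT=(\d+)")

def parse(log):
    """Yield (time, src, dst, proto, dport) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:
            ts, src, dst, proto, dpt = m.groups()
            yield datetime.fromisoformat(ts), src, dst, proto.upper(), int(dpt)

def find_scanners(events, min_targets=3):
    """Sources that probed TCP/135 on at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for _, src, dst, proto, dpt in events:
        if (proto, dpt) == ("TCP", 135):
            targets[src].add(dst)
    return sorted(s for s, d in targets.items() if len(d) >= min_targets)

def find_likely_infections(events, window=timedelta(minutes=5)):
    """Hosts probed on TCP/135 that then saw TCP/4444 traffic with the prober
    and sent UDP/69 (TFTP) to it, all within `window` of the latest probe."""
    probe, shell, hits = {}, set(), set()
    for ts, src, dst, proto, dpt in sorted(events):
        if (proto, dpt) == ("TCP", 135):
            probe[(src, dst)] = ts                    # key: (prober, target)
        elif (proto, dpt) == ("TCP", 4444):
            for pair in ((src, dst), (dst, src)):     # either direction
                if pair in probe and ts - probe[pair] <= window:
                    shell.add(pair)
        elif (proto, dpt) == ("UDP", 69):
            pair = (dst, src)                         # target fetches from prober
            if pair in shell and ts - probe[pair] <= window:
                hits.add(src)
    return sorted(hits)
```

A host returned by `find_scanners` is probing many machines on TCP 135; a host returned by `find_likely_infections` completed the full probe, 4444 and TFTP sequence and should be checked for msblast.exe.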

Paul G. Thompson
The Weenie Man

Posts: 4718
From: Mount Vernon WA USA
Registered: Nov 2000


posted 08-12-2003 10:36 PM
Now you know why I get so darned angry with the computers on DSL at the radio station. We have a simple peer-to-peer network and the computers are wide open for the probes that are inward bound. When a window pops up saying basically someone is trying to bust into the machine, the guys running the computers don't know what to do so they say "let it." [Embarrassed] [Mad] [Frown] [Roll Eyes]

To add insult to injury, they don't raise the firewall to block all traffic when they are done. They are idiots!!!!


Chris Hipp
Phenomenal Film Handler

Posts: 1462
From: Mesquite, Tx (east of Dallas)
Registered: Jul 2003


posted 08-13-2003 02:29 AM
I got this worm yesterday I think, or at least I started seeing symptoms of it. What would happen is after about 10 minutes of being online I would get an error saying SVC Host synce error or something and then I couldn't load Java on any websites.

I installed the patch and it fixed it. I run Win2000.


Adam Fraser
Master Film Handler

Posts: 499
From: Houghton Lake, MI, USA
Registered: Dec 2001


posted 08-13-2003 11:18 AM
I have a friend who is a computer tech and I visited him yesterday at his store. He was in the process of fixing 3 or 4 at the same time and had fixed 15-20 by 3 PM. They are loving it, kind of makes me wonder if computer repair people make up these worms so they can charge $50-100 each to fix them. [Cool]


Richard Thomas
Film Handler

Posts: 11
From: Trinidad, CO
Registered: Aug 2003


posted 08-13-2003 01:37 PM
Thanks for the kind welcome Tim! It is great to be here. [Big Grin]


Jack Ondracek
Film God

Posts: 2348
From: Port Orchard, WA, USA
Registered: Oct 2002


posted 08-13-2003 04:49 PM
Paul, don't you have some kind of router with a firewall after your DSL modem? You sure seem to get hit hard, & I'm wondering why your system has to be so open?????




All times are Central (GMT -6:00)

© 1999-2020 Film-Tech Cinema Systems, LLC. All rights reserved.