Author Topic: w32.blaster.worm  (Read 3536 times)

tylor2000

w32.blaster.worm
« on: August 12, 2003, 09:21:22 pm »
I found this on my computer. It is not really dangerous but annoying nonetheless. It affects only Windows operating systems. Just figured I would post it just in case.

Link:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

tylor

sayyouwould

w32.blaster.worm
« Reply #1 on: August 12, 2003, 09:25:11 pm »
Is that the link to the virus or the thing that prevents it? I saw it on the news and they said that Windows would fix whatever it ruined in your computer, but there have to be thousands infected; they probably won't. The wonders of technology.
I rely on my illusions to keep me warm at night

tylor2000

w32.blaster.worm
« Reply #2 on: August 12, 2003, 09:34:58 pm »
Quote from: "sayyouwould"
Is that the link to the virus or the thing that prevents it? I saw it on the news and they said that Windows would fix whatever it ruined in your computer, but there have to be thousands infected; they probably won't. The wonders of technology.


Yeah, right, like I'm going to purposely spread the virus.  And I'm not sure if it is the same virus that you are talking about.....I put the name for clearification(sp)

tylor

sayyouwould

w32.blaster.worm
« Reply #3 on: August 12, 2003, 09:55:07 pm »
Quote from: "tylor2000"
Quote from: "sayyouwould"
Is that the link to the virus or the thing that prevents it? I saw it on the news and they said that Windows would fix whatever it ruined in your computer, but there have to be thousands infected; they probably won't. The wonders of technology.


Yeah, right, like I'm going to purposely spread the virus.  And I'm not sure if it is the same virus that you are talking about.....I put the name for clearification(sp)

tylor



Well, some people are just crazy. You never know. And I get worried because my Norton expired like 3 months ago and now I don't click that many things. I think it is the virus that was on the news. I'll look it up and if I find anything on it I'll post it here.
I rely on my illusions to keep me warm at night

sayyouwould

w32.blaster.worm
« Reply #4 on: August 12, 2003, 09:58:27 pm »
NEW YORK — The latest Internet attack on Microsoft operating systems by rogue software disabled tens of thousands of computers worldwide Tuesday, though a fix had been available for nearly a month.

The virus-like worm, dubbed "LovSan" or "blaster," snarled corporate networks with an inundation of data packets and frustrated home computer users unversed in techie triage.

It forced Maryland's motor vehicle agency to close for the day and kicked Swedish Internet users offline as it spread, the worm triggering Windows computers to shut down and restart.

Security experts said the world was lucky this time because LovSan is comparatively mild and doesn't destroy files. They worry that a subsequent attack exploiting the same flaw -- one of the most severe to afflict Windows -- could be much more damaging.

"We think we're going to be dealing with it for quite some time," said Dan Ingevaldson, engineering manager at Internet Security Systems in Atlanta.

Although LovSan did not appear to do any permanent damage, Ingevaldson said instructions to do just that could easily be written into a worm that propagates in the same way.

On July 16, Microsoft posted on its Web site a free patch that prevents LovSan and similar infections. The underlying flaw affects nearly all versions of the software giant's flagship Windows operating system.

Notwithstanding high-profile alerts issued by Microsoft and the Department of Homeland Security, many businesses did not install the patches and scrambled Tuesday to shore up their computers.

Security experts say patches often stay on "to do" lists until outbreaks occur.

"You're looking at 70 new vulnerabilities every week," said Sharon Ruckman, senior director at the research lab for anti-virus vendor Symantec. "It's more than a full-time job trying to make sure you are up to date."

Microsoft spokesman Sean Sundwall acknowledged that the blame does not really lie with customers.

"Ultimately, it's a flaw in our software," he said.

The latest infection was dubbed "LovSan" because of a love note left on vulnerable computers: "I just want to say LOVE YOU SAN!"

Researchers also discovered another message hidden inside the infection that appeared to taunt Microsoft's chairman: "billy gates why do you make this possible? Stop making money and fix your software!"

Tracing its origins will be difficult because the worm left few clues, said Marc Maiffret, co-founder of eEye Digital Security. The worm appeared based on code released earlier by a Chinese research group that goes by Xfocus, Maiffret said.

Non-Microsoft systems were not vulnerable, though some may have had trouble connecting with Web sites, e-mail and other servers that run on Windows.

Symantec's probes detected more than 125,000 infected computers worldwide.

The worm exploits a flaw in Windows used to share data files across computer networks. It was first reported in the United States on Monday and spread across the globe as businesses opened Tuesday and workers logged on.

Additional U.S. computers were hit Tuesday, and Maryland's Motor Vehicle Administration shut all its offices at noon.

"There's no telephone service right now. There's no online service right now. There's no kiosk or express office service," spokeswoman Cheron Wicker said. "We are currently working on a fix and expect to be operational again in the morning."

In Sweden, Internet provider TeliaSonera said about 20,000 of its customers were affected after the infection clogged 40 servers handling Internet traffic.

Among companies affected in Germany was automaker BMW, said spokesman Eckhard Vannieck. He said the problems did not affect production.

Symantec, F-Secure and other anti-virus companies have free tools for removing the worm.

All Windows users, whether their computers were infected or not, were encouraged to obtain a fix from Microsoft's Web site. Anti-virus and firewall products should also be updated, security experts say.

Larger companies typically have firewalls that can stem attacks, but once a worm gets inside a firewall, unprotected computers are vulnerable.

Employees connecting from home or taking infected laptops to the office can allow the worm to easily penetrate a company's defenses, said Russ Cooper, a senior researcher at TruSecure.

But to expect home users to keep their systems current is unreasonable, said Bruce Schneier, chief technology officer with Counterpane Internet Security. He blames software developers for writing bad software that constantly needs "critical" patches.

"My mother will never install the patch until I come visit," he said. "I couldn't even call her and walk her through it. The industry is wrong to expect her to do it. The fact that she sends me e-mail is incredible enough."
I rely on my illusions to keep me warm at night

kaysha

w32.blaster.worm
« Reply #5 on: August 12, 2003, 10:04:05 pm »
Well, since everyone is posting on this, I thought I'd share what I know.

It is called the blaster worm, also termed MSBlast. It affects machines on the internet by spreading itself using TCP port 135. It uses the RPC daemon running on Windows machines, infects the machine, then starts probing other machines trying to infect others. Most of the large providers have blocked TCP135 inbound from the internet and if they're good they blocked outbound as well so if you get infected, you can't spread to other machines as well.

The CERT advisory is: http://www.cert.org/advisories/CA-2003-19.html

Virus Cleaner Information: http://www.trendmicro.com/download/tsc.asp and (What Tyler Said) http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Patch from MicroSquish: http://www.microsoft.com/security/incident/blast.asp

We have blocked all inbound and outbound TCP135 and are getting thousands of hits per minute. This seems to be more damaging than the SQL Slammer worm.

-katia
I <3 Nicole

We want the unicorns to live! - Vanessa Carlton
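
Added example, not part of the original thread: the post above describes infected machines probing other hosts on TCP port 135 and a site blocking that port in both directions. One way to turn the blocked outbound hits into a list of internal hosts that are likely infected; the log format, address ranges and threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed log format (hypothetical, not from the thread):
#   <timestamp> DENY TCP <src>:<sport> -> <dst>:<dport> dir=<in|out>
LINE_RE = re.compile(
    r"^\S+ DENY TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dir=(?P<dir>in|out)$"
)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range


def build_sample_log():
    """Constructed sample: one fan-out host, one benign host, unrelated noise."""
    ts = "2003-08-12T22:01:00"
    lines = [
        f"{ts} DENY TCP 10.0.5.23:{1040 + i} -> 198.51.100.{i}:135 dir=out"
        for i in range(1, 21)
    ]
    lines += [
        f"{ts} DENY TCP 10.0.7.9:2001 -> 192.0.2.10:135 dir=out",
        f"{ts} DENY TCP 10.0.7.9:2002 -> 192.0.2.10:135 dir=out",
        f"{ts} DENY TCP 203.0.113.77:3100 -> 10.0.5.1:135 dir=in",
        f"{ts} DENY TCP 10.0.8.4:4000 -> 198.51.100.9:445 dir=out",
        "truncated or malformed line",
    ]
    return "\n".join(lines)


def suspected_infected(log_text, min_targets=5):
    """Map internal IP -> number of distinct hosts it tried to reach on TCP/135."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dport"] != "135" or m["dir"] != "out":
            continue  # only blocked outbound TCP/135 is evidence of probing
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # skip lines with an unparsable source address
        if src in INTERNAL:
            targets[str(src)].add(m["dst"])
    return {ip: len(d) for ip, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for ip, count in sorted(suspected_infected(build_sample_log()).items()):
        print(f"{ip} probed {count} distinct hosts on TCP/135: isolate and patch")
```

Counting distinct destinations rather than raw hits keeps a single machine retrying one blocked server from being flagged alongside a host that is sweeping many addresses.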

GermanSusi

w32.blaster.worm
« Reply #6 on: August 13, 2003, 04:38:25 am »
I had this ***** worm :evil:

But now everything is OK  :)

Will

w32.blaster.worm
« Reply #7 on: August 13, 2003, 08:43:23 am »
I'm not affected because my mini-network is behind a firewall. Never mind that I only have two (patched) Windows machines in the house. The rest is Mac/Linux/BSD/IRIX/BeOS. :P

I still have to patch 260 machines at work. My boss doesn't want to force it down, the easy way.  :?

I'm scared that one of the administrators is going to bring in their infected laptop from home and screw us all over.
"Of all the things I've lost, I miss my mind the most." -Ozzy Osborne

Zebrakorn

w32.blaster.worm
« Reply #8 on: August 14, 2003, 10:18:39 am »
My network at work is all patched up and safe .. I sorted it today =)