Warning : New Worm Out. Please Read


GTGuy06
08-12-2003, 03:44 PM
I don't know if you have heard about this new worm or not. But, it affects the following systems: Windows NT 4.0, Windows NT 4.0 Terminal Services Edition, Windows 2000, Windows XP & Windows Server 2003. It does NOT affect Windows ME. What this worm does is allow you to get on the net, but will kick you off.


This is the link to Microsoft's website for the patch:
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp

I'm posting this because 1) I have been personally affected and 2) I want to warn everybody, so this does not affect them.

FoCaL
08-12-2003, 04:06 PM
Good job posting so people are aware, but next time please get your details straight. Please also post a place to get rid of the worm if you have gotten it. This worm takes advantage of a hole in Microsoft, which you have closed, you have not gotten rid of the worm however. Please go to the link below to read more about the worm, and to DL the worm removal, and removal instructions.

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html


Also note that when you go to DL the patch from Microsoft, you should DL the 32-bit versions, NOT the 64.

SilviaDriver
08-12-2003, 05:34 PM
how does one go about getting this worm?

zero.counter
08-12-2003, 05:41 PM
Originally posted by SilviaDriver
how does one go about getting this worm?
Quoted from the WOAI.com website from San Antonio.
"The MSBlast worm has infected as many as 100,000 computers in the past 24 hours, but the program's spread has slowed, said security researchers on Tuesday.

The worm, dubbed Blaster but also known as LoveSan or MSBlaster, first emerged on Monday carrying a message for the Microsoft chairman: "Billy Gates why do you make this possible? Stop making money and fix your software!!"

Blaster targets the latest versions of the Windows software and experts predict home users will be the worst affected. The vast majority of the world's computers are equipped with one form or other of Windows software.

Microsoft urged computer users to visit WindowsUpdate.com to download the patch to protect their system.

"I anticipate that Blaster will have its biggest impact on the home user community as they are more laid back about keeping their anti-virus and patches up-to-date and may have insufficient firewalls in place," said Graham Cluley, a technology consultant at British-based Sophos Anti Virus.

Blaster is unusual in that it does not spread specifically via e-mail as it can travel through a normal Internet connection making any computer running unsecured versions of Windows software vulnerable.

Once Blaster infects a computer, it scans the Internet for other vulnerable machines to infiltrate.

In some cases the worm causes the computer to crash, but does not infect it, said Johannes Ullrich, chief technology officer at the Internet Storm Center at the SANS Institute in the United States.

"It's dangerous from the perspective that it can consume a lot of bandwidth," said Russ Cooper of TruSecure Corp. "Every compromised machine is constantly attacking."

Computer experts said the worm had been programmed to knock the security site offline on August 16.

Last month, Microsoft warned of the hole in its Windows system. After that, security experts warned it was only a matter of time before a worm appeared to exploit the vulnerability.

In January, a worm dubbed "Slammer" that exploited a hole in Microsoft SQL database software brought automatic teller machines in the United States to a standstill, paralyzed corporate networks worldwide and nearly shut down Web access to South Korea.

The worm is programmed to cause infected computers to send a flood of data to Microsoft's Windows Update service, starting Saturday morning. The denial-of-service attack could slow down, and even halt access to, the primary way Microsoft customers receive updates for their computers.

Microsoft said it was taking precautions to keep the site up and running. "We will do everything to ensure visiting the (security) Web site will be a safe and secure experience," the spokesman said.

The Update service suffered a different kind of denial-of-service attack on Tuesday as people rushed to patch their PCs. The increased volume slowed, or prevented, access to the service.

The worm's infection rate climbed throughout the day on Monday, but overnight the spread of the program dropped off, said Alfred Huger, senior director of engineering for security company Symantec. The reason for the slower spread is likely because of the poor programming of the worm, rather than a lack of vulnerable computers, he said.

"This is the best-case worm," Huger said. "This didn't turn out to be Slammer, which is good for us, but there is still all the variants" that are likely to crop up.

The worm, which security experts believe started spreading early Monday, scans for vulnerable computers so widely that an unpatched Windows XP computer on the Internet could be infected in as little as 25 minutes, according to Symantec studies.

The introduction of the MSBlast worm--also known as W32.Blaster and W32/LuvSan--ends nearly a month of speculation over when a programmer would commit the obvious crime of writing a worm to take advantage of a vulnerability in a widely used feature of Microsoft Windows.

The new worm pieces together code to exploit the most recent major flaw in Windows with publicly available tools, such as the Trivial File Transfer Protocol (TFTP) server.

MSBlast's first attack will last until the end of the year, security researchers said, adding that the coding of the worm will cause it to continue the attack in the latter half of each month for the first six months of 2004.

The worm still hasn't reached the levels of Code Red II, which infected more than 300,000 servers in 10 hours. However, the original Code Red spread very slowly until some online vandal modified the worm and fixed a critical flaw in how it spread. Symantec's Huger worries that someone might do the same with the MSBlast worm.

"This was written very poorly," Symantec's Huger said. "It's the children of Blaster that I fear now."

OldSklS13
08-12-2003, 06:58 PM
getting a dialog box that shuts down the whole system- over and over.


same thing happened to me:mad:

GTGuy06
08-12-2003, 08:05 PM
Originally posted by James
Yeah, What the [email protected]$%$!T%$ piece of doo-doo that thing is.
I was [email protected]^@^&$ up and down last night- kept on getting connection to my ISP and getting a dialog box that shuts down the whole system- over and over.
I feel violated, :D
Thought some Zilvia member hacked my computer and was laughing in the background:mad:

Thanks for the heads up!

Yeah, that's exactly what happened to me, get on the net and then the whole comp shuts down. It sucked.

When I originally posted this, I was funkin ****ed so that's why it doesn't give exact details. But the link I listed above, you can get the patch for it from there (you have to look a little), or if you have an antivirus program, you can go to their site.

mistaanime
08-12-2003, 08:23 PM
heh aiite thanx..I got this message from AOL too when I juss signed on. Best thing is probably have good firewall..
I have Norton Internet Security...hopefully this will stop the worm..:D :D :D

Rennen
08-12-2003, 10:14 PM
Another reason I'm glad I have a mac

http://www.hackerstickers.com/images/macospirate.gif

-Matt

zero.counter
08-12-2003, 10:23 PM
Originally posted by Rennen
Another reason I'm glad I have a mac

http://www.hackerstickers.com/images/macospirate.gif

-Matt
Yeah, and Linux! :)

FoCaL
08-13-2003, 09:45 AM
If you guys have trouble getting to Microsoft's site feel free to download those fixes from my website. Go to the link below and there's two links, one for 2000 and one for XP.


http://stats.omegaadmin.com

Maeda
08-13-2003, 02:22 PM
I have 3 Firewalls. 1 hard, 2 soft... and I STILL got this %@^@%^ BUG!!! Haven't seen the niceness of zilvia for the better part of 2 days... poo

s13silady
08-22-2003, 02:35 AM
hahaha... yes the infamous w32.blaster.worm... just got done disinfecting... www.symantec.com will provide excellent info on the worm and step by step instructions to getting rid of the bloodsucker...

when it hit me it got to the point that whenever i reformatted it would still be in my system.. so beware reformatting will not get rid of it...

oh and if your DLLHOST.EXE (all uppercase) is infected you have no choice but to leave it in your system but quarantined...it will make it so that your anti virus software will make the file access denied... so be careful on what you download...

-ryan