[AccessD]OT martin's problem

William Hindman wdhindman at bellsouth.net
Mon Aug 11 21:23:36 CDT 2003


...more ...msblast.exe is the destructive package the worm downloads once
you're infected ...you can get rid of msblast and the worm itself is not
affected ...and may download msblast again ...you apparently need to block
outbound on port 69 :(

"From the reports so far, if you block outbound requests to any IP
address where the destination port is 69, you should be able to block
any attempt to get the actual worm component. Suggestions are that after
the initial connection from attacker, the victim then does a TFTP call
to known IP addresses (which are being blocked as we speak, but there's
some doubt as to whether or not the list is static or dynamic.) If it
reaches one of these TFTP servers, it will then download the component
which does the replication and attacking.

One report says that an XP Pro system had its RPC crash, then the system
rebooted, then due to a run key under WindowsUpdate, it started the
MSBLAST.EXE tool (that was, presumably, brought in via TFTP.) That
executable started launching attacks."

William Hindman
So, then, to every man his chance -- to every man, regardless of his birth,
his shining golden opportunity -- to every man his right to live, to work,
to be himself, to become whatever his manhood and his vision can combine to
make him -- this, seeker, is the promise of America.
-- Thomas Wolfe



----- Original Message ----- 
From: "Stuart McLachlan" <stuart at lexacorp.com.pg>
To: "Access Developers discussion and problem solving"
<accessd at databaseadvisors.com>
Sent: Monday, August 11, 2003 8:07 PM
Subject: Re: [AccessD]OT martin's problem


> On 11 Aug 2003 at 19:52, Susan Harkins wrote:
>
> > Internet Virus Alert: Central Command Warns Of New RPC
> > Computer Worm Named Worm/Lovsan.A
> >
> >
> >
> > http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_faqid=506
> >
> >
> > ========I'll be looking for more info on how to get rid of this -- info
> > talks as though msblast.exe is the virus file and I've got it. :( Not sure
> > where I got it from though if that's the case -- the wording is a bit
>
> Are you firewalled? If not, it snuck into your system using the
> "Buffer Overrun In RPC Interface Could Allow Code Execution "
> exploit.
>
> See http://support.microsoft.com/?kbid=823980
>
>
> > ambiguous and I'm not positive that msblast.exe isn't a valid file.
> >
> Doubt if it is a valid file.  There's none on my W2k system.
>
> > If anyone finds more info on how to get rid of this sucker, let me know
> > please.
> >
>
>
> Looks like it's just a case of deleting the reg key:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> "windows auto update"="msblast.exe"
>
> and the MSBLAST.EXE file.
>
>
> -- 
> Lexacorp Ltd
> http://www.lexacorp.com.pg
> Information Technology Consultancy, Software Development,System
> Support.
>
>
>
>
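As an added example (not part of the original messages), the two indicators mentioned in this thread, outbound traffic to destination port 69 and the "windows auto update"="msblast.exe" Run value, checked in Python over constructed sample data. The log layout (a `#Fields:` header followed by space-separated records), the function names, and all addresses are assumptions for illustration.

```python
import re

# Constructed firewall log sample: a "#Fields:" header, then one record per line.
# Addresses are private/documentation ranges, not values from the thread.
SAMPLE_FW_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size
2003-08-11 20:01:12 ALLOW TCP 192.168.1.20 203.0.113.5 1045 80 -
2003-08-11 20:03:40 ALLOW UDP 192.168.1.20 198.51.100.7 1051 69 -
2003-08-11 20:03:41 DROP UDP 192.168.1.31 198.51.100.7 1060 69 -
2003-08-11 20:04:02 ALLOW UDP 192.168.1.20 192.168.1.1 1052 53 -
"""

# Constructed .reg export text; "SomeTool" is a made-up benign entry.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"="msblast.exe"
"SomeTool"="C:\\Program Files\\SomeTool\\tool.exe"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def outbound_port_69(log_text):
    """Return (src, dst, action) for each record with destination port 69 (TFTP)."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names come from the header
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            if rec.get("dst-port") == "69":
                hits.append((rec["src-ip"], rec["dst-ip"], rec["action"]))
    return hits

def run_key_hits(reg_text, needle="msblast.exe"):
    """Return value names under the Run key whose data mentions `needle`."""
    in_run, hits = False, []
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):               # section header: track current key
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_run:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m and needle in m.group(2).lower():
                hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    print(outbound_port_69(SAMPLE_FW_LOG))
    print(run_key_hits(SAMPLE_REG))
```

A DROP record on port 69 means the outbound block worked, but the source host still tried the fetch and should be checked for the Run value and the file.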



