RE: Virus Alert - W32.Blaster.Worm

From: Larson, Chris (CLarson@usaid.gov)
Date: Tue Aug 12 2003 - 13:40:09 GMT-3


There is another variant of this worm that came on the scene yesterday.
Maybe the name in your post is just different, but the variant reported
yesterday is msblast.exe.

Maybe this is the same worm, but it seems to be a new variant of the
previous worm and was announced on SANS. At any rate, I think the RPC patch
provided by Microsoft closes the hole for all of them; however, SANS suggests
that:
"Once you are infected, we highly recommend a complete rebuild of the site."
blah blah blah, these tools can not clean-up damage from other RPC DCOM
malware such as the recent sdbot irc bots. This method of cleaning your
system is _not_ recommended, but the URLs are presented below for
completeness.
<http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html>
<http://www3.ca.com/Files/VirusInformationAndPrevention/ClnPoza.zip>

I forget the reasons why. It was either explained on the SANS link or one of
the Microsoft links.

<http://isc.sans.org/diary.html?date=2003-08-11>

> -----Original Message-----
> From: John Smith [SMTP:c00per_omers1@yahoo.com]
> Sent: Tuesday, August 12, 2003 12:10 PM
> To: MADMAN; Snow, Tim
> Cc: 'ccielab@groupstudy.com'
> Subject: Re: Virus Alert - W32.Blaster.Worm
>
> I got hit with it as well. I was wondering what this msblaster.exe was
> doing in the taskmgr.... a Google search brought me to realize it was a
> worm.
>
> I updated Win 2K Pro to service pack 3, added the MS fix, then went to
> Symantec, got the latest virus sig file ( which started to tell me 30
> times I had the worm... ) and used their exe to fix the problem. They got
> rid of the worm, the msblaster.exe, fixed the registry settings.
>
> Now all I need to do is get my taskmgr working again, 'cause I can't see
> the buttons to change to view the utilization and can't shut it down
> without killing the taskmgr process (luckily the only screen available)
>
> MADMAN <dave@interprise.com> wrote:
> Yes I was fortunate enough to get paged yesterday evening regarding
> this. Here is some more info for those so inclined:
>
>
>
> Dave
>
>
> Snow, Tim wrote:
> > Anyone else going through the W32.Blaster.Worm?
> >
> >
> > http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
> >
> > Big pain in the ....
> >
> > Tim
> >
> >
> > Timothy Snow
> > CCIE #12042
> > EDS - Network Operations
> > MS 3B
> > 1075 W. Entrance Drive
> > Auburn Hills, MI 48326
> >
> > * phone: +01-248-754-7900
> > * mailto:timothy.snow@eds.com
> > pager: 888-351-4584
> > www.eds.com
> >
> >
> > _______________________________________________________________________
> > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> >
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
>
>
> --
> David Madland
> CCIE# 2016
> Sr. Network Engineer
> Qwest Communications
> 612-664-3367
>
> "Government can do something for the people only in proportion as it
> can do something to the people." -- Thomas Jefferson
>



This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:57 GMT-3