New worm attacking NT-based PCs on the net: firewall and patch

Just for those who may need to know. Now more than a demo exploit, it looks like an actual worm is in the wild and propagating today through the internet via vulnerable PCs. It attacks port 135 and uses an RPC/DCOM vulnerability (buffer overflow) to get inside unprotected (unfirewalled and unpatched) NT-based PCs and then propagates from there.

MS provided a patch on July 16, but there are indications that this new worm may be using another DCOM vulnerability for which MS has not yet provided a patch. This exploit affects NT 4, W2K, XP and Win Server 2003 systems. The best thing to do, at the very least, is to run a firewall (software or NAT router) to block port 135 to the internet, since it's suspected that the MS patch may not be effective for the current exploit.

The MS update patch can be found via this page: http://www.microsoft.com/security/security_bulletins/ms03-026.asp but again, this may not be enough, and blocking port 135 to the net should be effective.

I just mention this since some people don't have any firewalling of their PCs (no router with firewalling capabilities or software firewall). Reports on this new worm as it propagates are being posted on various security news sites and forums today. So raise your shields, or get one if you don't already have one. ZA Free, one choice out of several other free firewall apps, is here: http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

More info from SANS on this latest worm: http://isc.sans.org/diary.html?date=200-08-11

(And please, no flaming on MS. Not that I necessarily disagree, but it gets tiresome. It's like complaining about death and taxes. It's really old news that the "most secure OS and Server OS to date" ain't.)

Reply #1
F-Secure AV has info on this new worm. http://www.datafellows.com/v-descs/msblast.shtml
Reply #3
Yea, we have several machines internally affected. Blech.
Reply #4
http://grc.com/default.htm Open the link and click on the 'probe=135' link to see if your port is open or closed.
Reply #5
My NT servers are secure and updated.

Another update to be aware of is "Flaw in Windows Function Could Allow Denial of Service (823803)". This prevents access to the server by remote means. Please note that installing this update disables RAS! After installing 823803 it took me a couple of hours to figure out why RAS wouldn't run; uninstalling the update cured the problem.
Reply #6
Thanks for that link, yrag. I am good to go.
Reply #7
You're more than welcome.

/me hopes everyone is good to go
Reply #8
Another news article, from CNET: http://news.com.com/2100-1002_3-5062364.html?tag=fd_top

McAfee apparently has a virus def for it now (perhaps had generic detection before): http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547 I'd imagine their online scanner would have it too?
Reply #9
Aargh... I'm clean, but a friend rang with the problem, so I had to walk him through it all by remote. A pain in the arse, really.
Reply #10
Makes you want to reach out and touch someone >
Reply #11
/me hits his computers with large stick

Dang it! All mine got infected; good excuse to format my main system though, since it really needs it. This thing is a pain. I think I'm gonna be doing a round of the neighborhood since I'm the only one in at least a mile radius to know what's going on 0_o
Reply #12
Well heck, I guess if you are not running a registry monitor that intercepts every modification and demands you either allow or disallow it, you've got a good chance of being hit with it.

Must suck, "total rebuild" of the OS and applications, ack!
Reply #13
The easiest way to see if you have it is to run Task Manager and see if Msblast.exe is running in Processes. If it is, kill it and do the song and dance with the registry.


Guess I should have supplied the edits to the registry:
Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start > Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Run
In the right panel, locate and delete the entry:
"windows auto update" = MSBLAST.EXE
Close Registry Editor. Restart the system.
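As an added example that is not part of this thread, here is a read-only PowerShell triage script covering the first post's advice (block TCP/135 inbound) and the cleanup described in this reply (the Msblast.exe process and the "windows auto update" Run entry). It assumes a Windows host with the NetSecurity module (Windows 8 / Server 2012 or later, run elevated), so it would not run on the NT 4, W2K or XP machines the thread is about; it changes nothing and only reports what it finds.

```powershell
# Added triage script, not from the thread. Read-only: every finding is returned for an
# operator to act on. Assumes Windows PowerShell 5.1+ with the NetSecurity module, run elevated.

function Test-MsBlastIndicators {
    $findings = @()

    # 1. Reply #13: the worm runs as Msblast.exe
    $proc = Get-Process -Name 'msblast' -ErrorAction SilentlyContinue
    if ($proc) {
        $findings += "msblast.exe is running (PID $($proc.Id -join ', '))"
    }

    # 2. Reply #13: persistence via HKLM\...\Run, value "windows auto update" = MSBLAST.EXE
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and ($run.PSObject.Properties.Name -contains 'windows auto update')) {
        $findings += "Run entry 'windows auto update' = '$($run.'windows auto update')'"
    }

    # 3. First post: block TCP/135 from the Internet. The RPC endpoint mapper always listens
    #    on 135, so the real question is whether the host firewall lets inbound 135 through:
    #    an enabled inbound Allow rule that covers 135 ('Any' and 'RPCEPMap' both do), or a
    #    profile that is switched off or allows inbound traffic by default.
    $allow135 = Get-NetFirewallPortFilter -PolicyStore ActiveStore |
        Where-Object {
            $lp = "$($_.LocalPort)"
            $_.Protocol -eq 'TCP' -and ($lp -in 'Any', 'RPCEPMap' -or $lp -match '\b135\b')
        } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    foreach ($rule in $allow135) {
        $findings += "Inbound allow rule covering TCP/135: $($rule.DisplayName) [$($rule.Profile)]"
    }
    $openProfiles = Get-NetFirewallProfile |
        Where-Object { $_.Enabled -eq 'False' -or $_.DefaultInboundAction -eq 'Allow' }
    foreach ($p in $openProfiles) {
        $findings += "Firewall profile '$($p.Name)' is off or allows inbound by default"
    }

    return $findings
}

$result = Test-MsBlastIndicators
if ($result.Count -eq 0) { 'No MSBlast indicators found and TCP/135 is not open inbound.' }
else { $result }
```

An allow rule for 135 is expected on a domain-joined host (the RPC endpoint mapper rule), so a finding from check 3 on the Domain profile is a prompt to verify the Public profile rather than an infection indicator.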
Reply #14
A friend of mine got this, didn't know what was going on and reformatted his machine, which he had completely rebuilt last week.

Yay for my brand spanking new router with built-in firewall. And I think I have disabled RPC anyhow.

IPlural: what kind of registry monitor are you running then?
Reply #15
yarg, it never crossed my mind to get into cleaning it out. I do know that I laughed my butt off over that *total system rebuild* on the one link. You know they did not go into manually cleaning the system up and restoring the DCOM configuration to the original because of the depth involved if someone has not done something like it before.

------------------------------------

FYI: for those who do not really understand net security, these are some simpler things you can do to protect your system. There are many more things you can/could do, but that would take some typing extrema.

Also, to prevent this from happening in the first place:

Lavasoft's Ad-aware comes with Ad-Watch 3, which plays a part in watching registry modifications, as do many different active registry monitors. Before any changes to the registry play games, install one.

RegHance is a very good registry editor, which is also a Lavasoft product.

Registry First Aid is a good one for backing up the registry, with protection from anything messing with the backups.

GFI has a freeware version of its LAN monitor/security scanner and patch monitor.

Norton Internet Security is one of the better active firewalls on the software side and also comes with Norton AntiVirus, which is also an active memory scanner running as a background process.

There are loads more apps that help keep this kind of crap from happening, but you have to use them and not turn them off while online, or they make no difference.

Broadband users should have a NAT gateway/router at least between their cable/DSL modem and their computer. A software firewall is still a must, because when you're on the web, newsgroup downloads, web downloads, cookies, malware, scripts and web browsers will kill your system sooner or later.

If someone else uses the system, create an administrative account in your firewall software and in user accounts; otherwise you do not know when little Billy is going to turn it off so he can visit the Disney web or download something.

Good luck to everyone and I hope if you haven't been nicked by this, you won't!
Reply #16
This worm is expected to unleash itself this weekend. If you cannot get through to the MS update site (and it will get more difficult as time goes on, and in fact will probably go offline completely on Saturday since this site is the target of the worm), here is a back door to the file. Download the file (it will save to your hard drive) for your OS and then install: http://www.microsoft.com/security/incident/blast.asp
Reply #17
Someone may have posted this already. This is the tool I am using at work to fix infected machines. It's called FixBlast.exe

http://securityresponse.symantec.com/avcenter/FixBlast.exe

When its run is completed you get a prompt to click on a link that takes you to the page with the patches for the various OSes.
It's very easy to use and does a good job. You don't have to be a Norton customer to use it either, like my company, which uses Command Anti-Virus (I hate it).

Here's the page: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html