PC Review



How is Blaster caught?

 
 
Martin C.E.
Guest
Posts: n/a
 
      14th Aug 2003
How is the Blaster worm caught?

I looked at http://vil.nai.com/vil/content/v_100547.htm
but I was no wiser.

A worm to me is something which propagates by email. But some tech
support guy I spoke to said that Blaster propagated just by the user
visiting a web page.

Can anyone advise me on the true way Blaster is caught.
 
 
 
 
 
Tetsuo
Guest
Posts: n/a
 
      14th Aug 2003

"Martin C.E." <(E-Mail Removed)> wrote in message
news:93D7B98B2AAFF835A@130.133.1.4...
> How is the Blaster worm caught?
>
> I looked at http://vil.nai.com/vil/content/v_100547.htm
> but I was no wiser.
>
> A worm to me is something which propagates by email. But some tech
> support guy I spoke to said that Blaster propagated just by the user
> visiting a web page.
>
> Can anyone advise me on the true way Blaster is caught.


It catches you, AFAIK..

--
Tetsuo


 
 
Ian.H [dS]
Guest
Posts: n/a
 
      14th Aug 2003
On Thu, 14 Aug 2003 18:14:22 +0100 in
<message-id:93D7B98B2AAFF835A@130.133.1.4>
"Martin C.E." <(E-Mail Removed)> wrote:

> How is the Blaster worm caught?
>
> I looked at http://vil.nai.com/vil/content/v_100547.htm
> but I was no wiser.
>
> A worm to me is something which propagates by email.



Someone has seriously misinformed you =)


> But some tech
> support guy I spoke to said that Blaster propagated just by the user
> visiting a web page.



Your tech support guy needs shooting too!


>
> Can anyone advise me on the true way Blaster is caught.



Why does this post scream "I still haven't patched my box"? =\

It exploits the RPC DCOM process.. and as stated, it catches you!



Regards,

Ian

--
Ian.H [Design & Development]
digiServ Network - Web solutions
www.digiserv.net | irc.digiserv.net | forum.digiserv.net
Programming, Web design, development & hosting.
 
 
Tim H.
Guest
Posts: n/a
 
      14th Aug 2003

"Martin C.E." <(E-Mail Removed)> wrote in message
news:93D7B98B2AAFF835A@130.133.1.4...
> How is the Blaster worm caught?
>
> I looked at http://vil.nai.com/vil/content/v_100547.htm
> but I was no wiser.
>
> A worm to me is something which propagates by email. But some tech
> support guy I spoke to said that Blaster propagated just by the user
> visiting a web page.


I hope he wasn't Tech. Support for a major anti-virus company!

As someone else said, it catches you. If your system is unpatched, another
PC on the network infected with the virus will scan random IP addresses
looking for its next victim. If your system happens to be unpatched and
responds to DCOM RPC requests, it'll send its packet to effectively change
the operation of DCOM RPC to serve another function: listen for remote
connections.

When this remote connection comes in, it essentially commands your PC to
download and run a file. From there it continues (scanning, infecting,
executing).

-Tim

>
> Can anyone advise me on the true way Blaster is caught.



 
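The scanning behaviour described in the post above is visible from the network side. As an added example (not part of the original thread), this Python code flags hosts that contact many distinct addresses on TCP port 135, the DCOM RPC endpoint-mapper port Blaster targeted. The log format, addresses, window and threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \w+ (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
RPC_PORT = 135                   # DCOM RPC endpoint mapper (TCP)
WINDOW = timedelta(seconds=10)   # assumed tuning values
THRESHOLD = 5


def find_rpc_scanners(log_text, window=WINDOW, threshold=THRESHOLD):
    """Map each source IP to the most distinct hosts it contacted on 135/tcp
    inside any one window, keeping only sources that reach the threshold."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "TCP" or int(m["dport"]) != RPC_PORT:
            continue
        events[m["src"]].append((datetime.fromisoformat(m["ts"]), m["dst"]))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        best = start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, len({dst for _, dst in hits[start:end + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged


def _line(clock, src, dst, dport):
    return f"2003-08-14T18:{clock} ALLOW TCP {src}:1045 -> {dst}:{dport}"


# Constructed sample traffic (documentation and private address ranges).
SAMPLE_LOG = "\n".join(
    [_line(f"00:0{i}", "10.0.0.23", f"192.0.2.{10 + i}", 135) for i in range(6)]  # sweep
    + [_line(f"00:0{i}", "10.0.0.40", "10.0.0.5", 135) for i in range(6)]  # one server
    + [_line(f"00:0{i}", "10.0.0.51", f"198.51.100.{i}", 80) for i in range(6)]  # web
    + [_line(f"0{i}:00", "10.0.0.60", f"203.0.113.{i}", 135) for i in range(6)]  # slow
)

if __name__ == "__main__":
    print(find_rpc_scanners(SAMPLE_LOG))
```

Only the host sweeping six addresses in a few seconds is reported; repeated RPC to a single server, web traffic and widely spaced connections stay below the threshold.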
 
null@zilch.com
Guest
Posts: n/a
 
      14th Aug 2003
On Thu, 14 Aug 2003 18:14:22 +0100, "Martin C.E."
<(E-Mail Removed)> wrote:

>How is the Blaster worm caught?
>
>I looked at http://vil.nai.com/vil/content/v_100547.htm
>but I was no wiser.


That description has your answer.

>A worm to me is something which propagates by email.


No. Not just email.

>But some tech
>support guy I spoke to said that Blaster propagated just by the user
>visiting a web page.


The support guy is wrong.

>Can anyone advise me on the true way Blaster is caught.


You have the answer in your post. You need more descriptions? Google
them up.

Art
http://www.epix.net/~artnpeg
 
 
kurt wismer
Guest
Posts: n/a
 
      14th Aug 2003
Martin C.E. wrote:

> How is the Blaster worm caught?


computer A executes the worm... the worm sends specially crafted
traffic to computer B to exploit a buffer overrun vulnerability in the
DCOM RPC interface on computer B in order to execute a command shell (a
dos window) to launch an ftp utility to download the worm and then
execute the worm on computer B... at this point you can think of
computer B as being computer A...

> I looked at http://vil.nai.com/vil/content/v_100547.htm
> but I was no wiser.


well it looks like all the info is there...

> A worm to me is something which propagates by email. But some tech
> support guy I spoke to said that Blaster propagated just by the user
> visiting a web page.


i would suggest you don't listen to virus information from this person
again...

--
"hungry people don't stay hungry for long
they get hope from fire and smoke as the weak grow strong
hungry people don't stay hungry for long
they get hope from fire and smoke as they reach for the dawn"

 
 
elio
Guest
Posts: n/a
 
      14th Aug 2003
>
> Can anyone advise me on the true way Blaster is caught.


Look at this url
http://www.trendmicro.com/vinfo/viru...LAST.A&VSect=T
(one of the best descriptions, IMHO)
The author of blaster worm says the truth:
"billy gates why do you make this possible ?
Stop making money and fix your software!!"


 
 
Sheldon
Guest
Posts: n/a
 
      15th Aug 2003
> As someone else said, it catches you. If your system is unpatched, another
> PC on the network infected with the virus will scan random IP addresses
> looking for its next victim...


So, if the PC is scanning for IP addresses, and if your broadband connection
is running through a router, the virus will only see the router and your
computer won't be affected? (That's a question.)

Thanks.

Sheldon
(E-Mail Removed)


 
 
Robert R Kircher, Jr.
Guest
Posts: n/a
 
      15th Aug 2003


"Sheldon" <(E-Mail Removed)> wrote in message
news:2hV_a.146494$Ho3.17823@sccrnsc03...
> > As someone else said, it catches you. If your system is unpatched, another
> > PC on the network infected with the virus will scan random IP addresses
> > looking for its next victim...
>
> So, if the PC is scanning for IP addresses, and if your broadband connection
> is running through a router, the virus will only see the router and your
> computer won't be affected? (That's a question.)



This is correct unless your router is configured to forward the offending
ports to a PC within your network.

It is best to go ahead and patch your PCs.

--

Rob


 
 
Sheldon
Guest
Posts: n/a
 
      15th Aug 2003
As I said in a previous post, none of my clients with a router called me,
but I am patching computers as I go. Also, the only time I open access is
when an IT person I'm working with needs to get through, and then we always
close it when finished.

BTW, you might want to check out my FYI post. First official word from
Microsoft to its partners.

Thanks for the info.

Sheldon
(E-Mail Removed)


"Leythos" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> In article <2hV_a.146494$Ho3.17823@sccrnsc03>, (E-Mail Removed)
> says...
> > > As someone else said, it catches you. If your system is unpatched, another
> > > PC on the network infected with the virus will scan random IP addresses
> > > looking for its next victim...
> >
> > So, if the PC is scanning for IP addresses, and if your broadband connection
> > is running through a router, the virus will only see the router and your
> > computer won't be affected? (That's a question.)
>
> If the router is blocking direct access to your computers behind it,
> then you can't get it through direct connection to the internet. Routers
> block unsolicited INBOUND, so you should be safe.
>
> --
> --
> (E-Mail Removed)
> (Remove 999 to reply to me)




 