msblast.exe on W2K

knurpsl

Hi!

Today I noticed an msblast executable that listens on port 1308
whenever I connect to the net. Checking with openport
I find that there are at least 13 processes running.
The file msblast.exe is in %systemroot%\winnt\system32\
and is dated 11/08/03.

Did I catch a virus/trojan or whatever?
I can't really believe it is a system file since it is that new.

Typed msblast into a couple of search engines so far and did not find any
results.

Please advise!

Klaus
 
Devast8or, work

knurpsl said:
> Hi!
>
> Today I noticed an msblast executable that listens on port 1308
> whenever I connect to the net. Checking with openport
> I find that there are at least 13 processes running.
> The file msblast.exe is in %systemroot%\winnt\system32\
> and is dated 11/08/03.
>
> Did I catch a virus/trojan or whatever?
> I can't really believe it is a system file since it is that new.
>
> Typed msblast into a couple of search engines so far and did not find any
> results.
>
> Please advise!
>
> Klaus

This is what you have:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Here's a remover:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

And here's a patch for WinBlows:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

Devast8or
 
Forceshield

I just got the exact same thing today. For some reason, my computer kept
turning off when I was turning off so I came to this newsgroup. I looked
through my files and lo and behold! The frickin msblast file was there.
Thanks to the other guys for the links, I'm downloading them now.
 
Ian.H [dS]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Whilst lounging around on Tue, 12 Aug 2003 23:02:02 +1000,
> I just got the exact same thing today. For some reason, my
> computer kept turning off when I was turning off so I came to this
> newsgroup. I looked through my files and lo and behold! The
> frickin msblast file was there. Thanks to the other guys for the
> links, I'm downloading them now.


See, this is the problem!

The patch has been available since July!! And only now, when people
find themselves compromised and helping contribute to the mass
spread of this worm, do they decide to engage their brain and think
(or rather, be told) "oh! I'll go grab them patches now".


> "The frickin msblast file was there."


You make it sound like it's someone else's fault. Why didn't _YOU_ put
some preventative measures in place? Don't hint blame on others or
try and pass the buck for your own stupidity.



Regards,

Ian

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPzjo+2fqtj251CDhEQI09gCg4sopHvyqg6W3IBBaIcZMqX0+8igAoONf
Ok8UYG48OLT58HxGqyUwoxGY
=7+yy
-----END PGP SIGNATURE-----
 
Michael Cecil

> See, this is the problem!
>
> The patch has been available since July!!

And it's been on WindowsUpdate that long too. Not like you had to
hunt down the knowledgebase article to find the patch.

Too many people take the AAA mindset about maintaining their PCs,
except they don't realize that when their PC "gets a flat" that
they'll be infecting others, or sending out their credit card info, or
whatever.
 
Ronald ALPIAR

Symantec provide a clever tool to kill the virus. However, they warn users
to temporarily switch 'System Restore' off whilst killing the beastie.

They provide several links to documentation on how to switch 'System Restore'
off and on again in Windows XP.

Sadly all the links bounce back with 'Page Unobtainable'.

Any suggestions (especially from Symantec) received with gratitude :)
 
FromTheRafters

Forceshield said:
> Although I did not intend to sound like I'm blaming anybody for this, I was
> a bit of an idiot for not preventing this from happening. But I've learnt
> my lesson from this little experience. I'll be downloading all the
> Microsoft security patches that automatically come up while I'm on the net
> from now on.

Unfortunately, this has its downside too. Microsoft's patches
can be as bad as their other software. Still, I think it is better
to patch the critical ones.
> BTW, while downloading the patch, the virus struck again (even though I had
> cleaned it once with that Symantec cleaner) and I had to download it all
> again. Scary little bugger, isn't it?

Since it affects exploited machines, it is the vulnerability that needs
to be addressed first. They have some pointers on how to (and what
to) block until you are patched.
 
Ian.H [dS]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Whilst lounging around on Tue, 12 Aug 2003 11:17:05 -0400,
> Microsoft's patches
> can be as bad as their other software. Still, I think it is better
> to patch the critical ones.


Ultimate critical patch for your windoze OS:


<URL:http://freebsd.org/>


8)



Regards,

Ian

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPzkGJ2fqtj251CDhEQK2lwCgwcCSp7/YovzWf83Dg8hDmO4IxpoAn0zh
xwZGfo/CX2+lGk6rpAuh3M3n
=G/70
-----END PGP SIGNATURE-----
 
Jeffrey A. Setaro

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Whilst lounging around on Tue, 12 Aug 2003 11:17:05 -0400,
>
> Ultimate critical patch for your windoze OS:
>
> <URL:http://freebsd.org/>

Uh-huh... I can see it now... A typical Windows user switches to
FreeBSD, gets seriously owned, and complains nobody told me running as
root was a bad thing.

It's not the OS, it's the idiots using/administering the OS that are the
problem. How many network aware worms have we seen in the past few
years? How many of the "usual suspects" have taken even the most basic
mitigation steps?

Instead of blasting Microsoft at every opportunity (even in jest) let's
turn our attention to all the chronically clueless, stupid,
careless, nitwit users and administrators who still haven't gotten the
@#$%^&* hint!

--
Cheers-

Jeff Setaro
http://people.mags.net/jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99 New RSA: 0xA19EBD34
 
Ian.H [dS]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Whilst lounging around on Tue, 12 Aug 2003 12:04:26 -0400, Jeffrey A.
> Uh-huh... I can see it now... A typical Windows user switches to
> FreeBSD, gets seriously owned, and complains nobody told me running
> as root was a bad thing.


lol.. but, while it's probably the case, it's only the same as
running a windoze box as admin.. unfortunately, this never seems to
be frowned upon by as many.

> It's not the OS, it's the idiots using/administering the OS that
> are the problem.


Not always.

Yes, ultimately, it's down to the user to keep their box sorted;
however, if M$ actually made an effort to produce code that's
actually _usable_ and not beta shit, then people wouldn't have to
spend half of their online life trawling through M$' site for
patches.

Doesn't matter how light you are.. dance on soaked tissue, and you
will fall through.

> How many network aware worms have we seen in the past few
> years? How many of the "usual suspects" have taken even the most
> basic mitigation steps?


Agreed, it shouldn't happen, at least not in the masses that it does,
but it's a bit of give and take I think. The user _SHOULD_ keep their
box patched.. but M$ _SHOULD_ release properly tested, publicly
stable / secure / usable code.

> Instead of blasting Microsoft at every opportunity (even in jest)
> let's turn our attention to all the chronically clueless, stupid,
> careless, nitwit users and administrators who still haven't gotten
> the @#$%^&* hint!


Heh.. can't really comment on this from a non-biased opinion.. I
_HATE_ M$ and its software.. but currently, need to run apps that
require it =)



Regards,

Ian

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPzkSBGfqtj251CDhEQKhcwCgoj6t/7BnPUQpnLOjqc8o8WqSuLIAoJRg
pSrijIJvxQJ/zQS28XqUf8Rc
=z2pw
-----END PGP SIGNATURE-----
 
Dark vader

Forceshield said:
> Although I did not intend to sound like I'm blaming anybody for this, I was
> a bit of an idiot for not preventing this from happening. But I've learnt
> my lesson from this little experience. I'll be downloading all the
> Microsoft security patches that automatically come up while I'm on the net
> from now on.

speaking as a regular idiot who doesn't live in outer space, I do that
without fail and I still got the worm.
 
me

Gabriele said:
> On that special day, Ian.H [dS] said...
> > Ultimate critical patch for your windoze OS:
> >
> > <URL:http://freebsd.org/>
>
> Nonono. First _patch_ the hole *in* FreeBSD. I found that in a PC mag
> just today:
> Advisory: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-011.txt
>
> Valid for *all* versions of BSD.
>
> Gabriele Neukam

Howdy -- can't find it!?

--J
Replies to: jNpolak(at)Ojuno(dot)Tcom
 
me

Gabriele said:
> On that special day, Ian.H [dS] said...
> > Ultimate critical patch for your windoze OS:
> >
> > <URL:http://freebsd.org/>
>
> Nonono. First _patch_ the hole *in* FreeBSD. I found that in a PC mag
> just today:
> Advisory: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-011.txt
>
> Valid for *all* versions of BSD.
>
> Gabriele Neukam

Never mind -- found it at (wrap):
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2003-011.txt.asc

--J
Replies to: jNpolak(at)Ojuno(dot)Tcom
 
GSV Three Minds in a Can

from the said:
> What if the vulnerability had been exploited prior to that date? If
> people would disable all unneeded services, outbreaks like this one
> would be minimal.

Or just get a firewall, or drop in at a 'shields up' type website and
discover whether they actually have any obvious loopholes. Maybe we can
get 'running an unprotected computer on a public network' added to the
list of felonies??
 
YK

GSV said:
> Or just get a firewall, or drop in at a 'shields up' type website and
> discover whether they actually have any obvious loopholes. Maybe we
> can get 'running an unprotected computer on a public network' added
> to the list of felonies??

ShieldsUp!! is being hammered by testers lately. :) Maybe a few people
have awoken and sniffed their coffee! Luckily my ISP blocks the incoming
13x ports and 445 so I have not seen any probes in my Kerio firewall.
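As an added illustration (not code from any post in this thread), the Python script below checks for the two indicators the thread discusses: the msblast.exe file under system32 that knurpsl reported in the first post, and the "13x ports and 445" that FromTheRafters and YK say should be blocked at the firewall or ISP until the MS03-026 patch is applied. The port set and file name are taken from those posts; the netstat output and the system32 directory listing embedded in the script are constructed sample data, and on a real host you would feed it the output of `netstat -an` and a listing of the system32 directory instead.

```python
"""Triage helper for the two indicators discussed in this thread (added example).

1. knurpsl's first post: an msblast.exe in the system32 directory and a
   process listening on a port it has no business listening on.
2. FromTheRafters and YK: block the 13x ports and 445 at the firewall or
   ISP until the MS03-026 patch is applied.

The netstat output and the directory listing below are constructed sample
input; nothing here was captured from a real machine.
"""
import re

# Ports the thread says should be filtered until the host is patched
# (the "13x ports and 445" from YK's post).
BLOCK_PORTS = {135, 136, 137, 138, 139, 445}
# File name knurpsl reported under system32.
SUSPECT_FILES = {"msblast.exe"}

# Matches one data line of Windows 'netstat -an': proto, local addr:port,
# foreign addr, and (TCP only) the state column.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)")


def parse_netstat(text):
    """Return (proto, local_port, state) for every socket line in the output."""
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, _local, port, _foreign, state = m.groups()
            sockets.append((proto, int(port), state))
    return sockets


def exposed_ports(sockets):
    """Sockets in BLOCK_PORTS that accept traffic: listening TCP or any bound UDP."""
    found = set()
    for proto, port, state in sockets:
        if port in BLOCK_PORTS and (proto == "UDP" or state == "LISTENING"):
            found.add((proto, port))
    return sorted(found)


def suspect_files(listing):
    """Case-insensitive lookup of known-bad names in a system32 directory listing."""
    return sorted(name for name in listing if name.lower() in SUSPECT_FILES)


def triage(netstat_text, system32_listing):
    """Combine both indicators into a single verdict for the operator."""
    files = suspect_files(system32_listing)
    exposed = exposed_ports(parse_netstat(netstat_text))
    if files:
        verdict = "infected"   # clean with the vendor tool, then patch MS03-026
    elif exposed:
        verdict = "exposed"    # block the ports at the firewall until patched
    else:
        verdict = "clean"      # neither indicator from the thread is present
    return {"verdict": verdict, "files": files, "exposed": exposed}


# Constructed sample input (not a real capture): RPC, SMB and NetBIOS
# listeners plus the unusual high port from the first post.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1308      0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1035      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""
SAMPLE_SYSTEM32 = ["kernel32.dll", "MSBLAST.EXE", "ntoskrnl.exe"]

if __name__ == "__main__":
    report = triage(SAMPLE_NETSTAT, SAMPLE_SYSTEM32)
    print(report["verdict"], report["files"], report["exposed"])
```

The file check is the decisive one: a host that still has the file is already compromised and removal comes before anything else, which is why the verdict prefers "infected" over "exposed". The port check is only meaningful from outside the host's own firewall; a listener on 135 or 445 that the ISP or a perimeter filter already drops is exactly the situation YK describes.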
 
GSV Three Minds in a Can

Bitstring <[email protected]>, from the wonderful person YK said:
> ShieldsUp!! is being hammered by testers lately. :) Maybe a few people
> have awoken and sniffed their coffee!

Yes, but remember 'there's (a new) one born every minute'. Or these
days, probably every 30 seconds.
 
Lee Higdon

Conor said:
> Yes you did catch it. Why? Because you're an idiot who didn't apply the
> patch available from Windows Update since July 16th.
Conor, a little diplomacy goes a long way ;).
 