WORM from MS Update Site


RJ

In the past few weeks, after completing a fresh install on
a new PC and, after the customer's requests, doing all the
critical updates from the MS UPDATE site, we have on 3
separate occasions got the MBLAST worm installed.
This was checked and verified, as NO other applications were
installed, no email address or accounts installed, just
the O/S (WinXP-Pro) and Microsoft Critical Updates.

This morning I had an associate from the West Coast phone
me and he has now encountered the same exact problem.

I am not sure if somebody is monitoring connections to the
MS UPDATE site and using a BNC connection and placing the
worm virus on pc when connecting to the MS UPDATE site or
what. BUT, this needs to be looked at immediately.

Jupiter Jones [MVP]

RJ;
You are not getting the Blaster worm from Windows Update.
That is similar to "I used the phone from home and called McDonalds,
my house caught fire while I was on the phone. Who do I call at
McDonalds to prevent this from happening again?"
You may be at Windows Update when the worm gets to your computer but
Microsoft did not deliver the worm.

Once you are connected to the internet, the computer is not limited to
the single site you are surfing.
In fact your computer can be doing other things.
As well, other computers can be searching for your computer and
infecting the computer with Blaster.
You need to have a properly configured firewall.

******************************
DISCONNECT the subject computer from any network IMMEDIATELY.

If necessary to stop the reboot process:
Start/Run
Type "shutdown -a" ENTER

Install or enable a firewall IMMEDIATELY, before connecting to the
internet:
http://support.microsoft.com/?kbid=283673

VERY IMPORTANT to follow ALL steps, closing ports or installing the
patch is NOT enough.
Download the patch and regedit referenced in the article below.
You may need to do this at an uninfected computer and burn to CD or
save on floppies.
Each file is small enough to fit on a floppy.

Follow this to clean and protect your computer:
http://www.kellys-korner-xp.com/xp_qr.htm#rpc

After this is resolved prevent similar occurrences by installing ALL
Critical Updates from Windows Update.
Keep antivirus up to date and run at least weekly.
Install or enable a firewall.

See also:
http://support.microsoft.com/?kbid=826955
http://www.microsoft.com/security/incident/blast.asp
 

randwulf57

RJ:
Did you have a firewall enabled while downloading the updates? If not, you
may want to do some research on this worm, especially in regards to its
method of infection.
randwulf57
 

jlenhart

You know what, now you've got me thinking. I did a fresh
install from a formatted c drive and wound up with the
blaster. I never get viruses. If that blaster comes as
an attachment I didn't get it from email because I have
not opened any attachments. You may have something here.
 

Jupiter Jones [MVP]

Not at all.
Blaster comes to your unprotected computer, you do not get Blaster by
surfing a site.
If you are connected to the internet, dial-up, DSL, cable etc, whether
you are surfing or not, do not have the appropriate patches and do not
have a firewall, you stand a good chance of getting Blaster or others.
You need to forget the idea that the only ways of getting a virus or
worm are Email or visiting bad sites.
Blaster can and does come to unprotected computers.

To protect the safety and security of your computer:
Install or enable a firewall IMMEDIATELY, before connecting to the
internet:
http://support.microsoft.com/?kbid=283673

Install ALL Critical Updates IMMEDIATELY.
Start/All Programs/Windows Update

Install an antivirus application
Update it weekly
Run it at least weekly

Also see:
http://www.microsoft.com/security/protect/default.asp
http://www.microsoft.com/security/home/
http://www.microsoft.com/technet/tr...l=/technet/columns/security/5min/5min-105.asp
 

Roger Abell

Any unpatched system connected to the network
and accepting traffic on its network interface will
by just sitting there become infected by blaster and
its successors in almost no time whatsoever.
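
Added example, not part of any post in this thread: one way to see what "accepting traffic on its network interface" means on a given machine. The Python below parses Windows `netstat -an` output and lists the TCP listeners bound to non-loopback addresses, which are the services other hosts can reach when no firewall sits in front of them. The sample output, the addresses in it and the `safe_to_connect` helper are constructed for illustration.

```python
import re

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      203.0.113.10:80        ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# A TCP row in LISTENING state: local address, local port, foreign address, state.
LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")


def exposed_listeners(netstat_text):
    """Return (address, port) pairs for TCP listeners bound to non-loopback addresses."""
    found = set()
    for line in netstat_text.splitlines():
        match = LISTEN_ROW.match(line)
        if not match:
            continue  # headers, UDP rows, established connections
        addr, port = match.group(1), int(match.group(2))
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback only: not reachable from other machines
        found.add((addr, port))
    return sorted(found, key=lambda pair: (pair[1], pair[0]))


def safe_to_connect(netstat_text, firewall_enabled):
    """Hypothetical policy check: connect only with a firewall on or nothing exposed."""
    return firewall_enabled or not exposed_listeners(netstat_text)


if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_NETSTAT):
        print(f"reachable from the network: TCP {addr}:{port}")
    print("safe without firewall:", safe_to_connect(SAMPLE_NETSTAT, False))
```

Run against real `netstat -an` output captured before the machine is plugged in, an empty result or an enabled firewall is the condition the replies in this thread ask for.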
 

Bruce Chambers

Greetings --

You're not getting the worm from the Microsoft site.

If you connected the PC to the Internet without having first
installed the KB824146 Hotfix, without having first installed an
antivirus application with current virus definition files, and before
enabling a firewall, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the worm.

W32.Blaster.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp


Bruce Chambers

--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
 

Lloyd Hayes

I am not a big Microsoft fan, but my system is updated
automatically. I use Norton Firewall and virus protection.
The firewall reports regular attacks on my system. I'm
surprised when I log onto the Internet when I don't see
an attack.

But I have never gotten Blaster or any other worm.
(But on the other hand, my regular browser is Netscape....)

Lloyd Hayes
 
