This Blog has moved to http://www.falsepositives.com/

False Positives Adventures in Technology, SciFi and Culture from Toronto

Thursday, August 14, 2003

Get ready for More MSBlast worm

After crashing or slowing down the networks and computers of many organizations (large and small), new variants of the Blaster worm have already been reported. Since Microsoft had issued an alert July 16 about the vulnerability that Blaster exploits, they (at least the larger orgs) have no one to blame but themselves for a) not testing the patch, b) not deploying the patch, c) running an MS OS on a net-facing system, and d) not running Linux/Unix on their net-facing systems.

Zone Alarm seems to have handled things okay. All laptops and PCs (corporate or personal) should be running something like this as well as anti-virus systems.

Meanwhile, many people (who should know better) trying to figure out what RPC stands for (the worm exploits an RPC DCOM hole in Windows) are doing a Google search on 'RPC' and driving up the traffic to the XML-RPC site (in order to explain to their PHBs?). (RPC = Remote Procedure Call.)


Here's what TechWeb News says about correcting the problem:

Advice For Prevention, Cleansing Of MSBlast Worm
By Gregg Keizer, TechWeb News

Experts from all quarters are offering advice on ways to prevent MSBlast worm infection, and how to remove it if it gains a foothold.

Vulnerable Windows systems, which include those running Windows NT 4.0, 2000, XP, and Server 2003, should be patched immediately, Microsoft urged on the home page of its Web site. The patch can be obtained here.

The Redmond, Wash.-based developer also provided a link to instructions on how to set up Windows XP's Internet Connection Firewall to prevent the worm from spreading to users' PCs, as well as a toll-free number that users can call (866-727-2338) for help removing the worm from infected systems.

The CERT Coordination Center posted advice that included recommendations for enterprises to block and/or monitor a slew of ports, including TCP and UDP ports 135, UDP port 69, and TCP port 4444.

Anti-virus vendors have updated their definition files to take MSBlast into account, and urge their users to update their anti-virus software immediately.

Several have also made available removal tools to cleanse infected systems, or placed step-by-step instructions for manually removing MSBlast on their Web sites.

Symantec, for example, offered an automated removal tool on its site that users can download for free. F-Secure provided a similar tool for downloading, as well as a separate text document that contains instructions on its use.

Internet Security Systems did not provide a hands-off cleanser, but did offer instructions for removing MSBlast manually. They can be found on ISS' web site toward the end of this document. It requires editing of the Windows Registry.
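
The following Python is an added example, not taken from the TechWeb article or from CERT. It applies the port list in the CERT advice to firewall logs, reporting watched-port traffic that was allowed through and sources that reach several distinct hosts on one watched port. The log format, sample lines, addresses and the fan-out threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Protocol/port pairs named in the CERT advice quoted above.
WATCHED = {("TCP", 135), ("UDP", 135), ("UDP", 69), ("TCP", 4444)}

# Constructed log format and sample data (assumptions, not a real product's output):
#   <timestamp> <ALLOW|DENY> <TCP|UDP> <src_ip>:<port> -> <dst_ip>:<port>
LINE_RE = re.compile(
    r"^(\S+)\s+(ALLOW|DENY)\s+(TCP|UDP)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)$")
SAMPLE_LOG = """\
2003-08-14T09:12:01 DENY TCP 10.0.0.23:1045 -> 192.0.2.17:135
2003-08-14T09:12:01 DENY TCP 10.0.0.23:1046 -> 192.0.2.18:135
2003-08-14T09:12:02 DENY TCP 10.0.0.23:1047 -> 192.0.2.19:135
2003-08-14T09:12:03 ALLOW TCP 10.0.0.23:1048 -> 10.0.0.40:4444
2003-08-14T09:12:04 ALLOW UDP 10.0.0.40:1030 -> 10.0.0.23:69
2003-08-14T09:13:10 ALLOW TCP 10.0.0.51:2210 -> 198.51.100.5:80
2003-08-14T09:13:11 ALLOW UDP 10.0.0.51:2211 -> 198.51.100.9:4444
2003-08-14T09:13:12 ALLOW TCP 10.0.0.52:2300 -> 10.0.0.9:135
garbled line that should be skipped
"""

def parse(log_text):
    """Yield (action, proto, src, dst, dport) for records on watched ports."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a well-formed record
        _, action, proto, src, _, dst, dport = m.groups()
        if (proto, int(dport)) in WATCHED:  # protocol matters: UDP 4444 is not listed
            yield action, proto, src, dst, int(dport)

def unblocked(log_text):
    """Watched-port traffic the firewall let through: gaps in the block rules."""
    return [(proto, dport, src, dst)
            for action, proto, src, dst, dport in parse(log_text)
            if action == "ALLOW"]

def fanout_sources(log_text, threshold=3):
    """Sources reaching >= threshold distinct hosts on one watched port."""
    seen = defaultdict(set)
    for _, proto, src, dst, dport in parse(log_text):
        seen[(src, proto, dport)].add(dst)
    return sorted({src for (src, _, _), dsts in seen.items()
                   if len(dsts) >= threshold})

if __name__ == "__main__":
    print(unblocked(SAMPLE_LOG), fanout_sources(SAMPLE_LOG))
```

Hosts returned by `fanout_sources` are candidates for the removal tools mentioned above; entries from `unblocked` point at firewall rules that still pass the listed ports.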


