This is topic New Virus alert in forum Old Archives at The Letterville BullBoard.


To visit this topic, use this URL:
http://www.letterville.com/ubb/ultimatebb.php/topic/13/14758.html

Posted by Steve Burke (Member # 2674) on :
 
Hey all,

Just to give you who haven't heard - UPDATE YOUR VIRUS SCANNING SOFTWARE! I got hit last night by the MSBLAST.EXE worm, and it was a bugger to get rid of it. I was lazy and hadn't updated my scan files for 12 days and the virus came out 12 days ago...doh!! Most of the major companies have had an update out for 2 or 3 days now, and everyone I talk to is getting hammered by this bug...
 
Posted by PKing (Member # 337) on :
 
Thanks (I guess) Steve
Does this mean that when I turn on my puter and go to letterhead.com I will get this virus?
Or are you speaking of some sort of non business functions like electronic mail?
 
Posted by TJ Duvall (Member # 3133) on :
 
Basically what I have heard (and this might be completely wrong) is that it travels along the internet from computer to computer somehow. I don't think it does any damage but it is supposed to attack a Microsoft site on August 16th. There is a patch that you can download to get rid of it. That's all I really know; maybe someone can clear it up better.
 
Posted by Curtis hammond (Member # 2170) on :
 
It is a bad one

It will shut down your machine and make it difficult to get it started again.
Best way to avoid it is go to MS and get the patches for the OS you use.
It attacks any WIN NT XP machine thru port 135 from outside. So, if you are on broadband and do not have a router, you better get one fast. This is just the start of port attacks on NT software (XP). If you have a router between your machine and internet you likely will be protected if you close all ports that you do not need to have open.
You only have 64,0000 of them available..
Go to:
http://www.cert.org/advisories
and look up the blaster worm. It has several other names too.

However if you get it.. there is a fix available

download.nai.com/products/mcafee-avert/stinger.exe

norton may have this fix too.. have not looked yet..

good luck.. and this is another reason I really like to run my win98se..
 
Posted by old paint (Member # 549) on :
 
I was just there at Microsoft security....and tried to d/l patch. But there is such a run on it right now it was slower than my old 9600 bps modem...I'll try later after midnight....should be easier to d/l.
 
Posted by Bill Cosharek (Member # 1274) on :
 
Just downloaded the latest virus definitions from Norton, dated 8-11-03, & the "msblast" isn't on the list. Since I'm running w98se, should I be concerned? Did a search & found no info as to whether it's a real virus or a hoax.
(didn't try the links referred to above & if I don't have to I probably won't)

It's been over 2 hours since I posted. Is it ok to edit? Now it's on the front page when logged on to juno, an article at Nytimes (I think), explaining this virus. A link to microsoft technet has list of affected systems which are all newer than ME. Lists ME as not infected but doesn't list lower versions. Is that good or bad?

[ August 12, 2003, 08:13 PM: Message edited by: Bill Cosharek ]
 
Posted by Curtis hammond (Member # 2170) on :
 
Win 98 has no worries over this one

As I posted above. Only NT based machines (NT, win 2k, & XP, and 2003 server) are vulnerable.
Win 98 SE does not use RCP stuff..(MS Network Messenger)

M$ has a patch ready and is available. The ones being attacked are the ones who did not do an update last week.

Also M$ is under attack. This worm is a denial of services attack on M$. Their site address is temporarily set to 0,0,0,0 for protection. So you may not be able to get in to get the patch.

It's officially called w32.blaster or lovsan..

[ August 12, 2003, 08:28 PM: Message edited by: Curtis hammond ]
 
Posted by Si Allen (Member # 420) on :
 
HEY!!! I'm running Win98SE and was greeted this morning by a Norton window saying that it had caught it and that it was in Quarantine! Did it mutate to attack Win98SE?

[Confused]
 
Posted by goddinfla (Member # 1502) on :
 
It got me through my DSL. I'm ok using dialup. I'm downloading a patch right now. Every time I reconnect the DSL line it shuts down the computer and restarts over and over and over.
 
Posted by Curtis hammond (Member # 2170) on :
 
You may have been probed, Si, but not infected. It needs RCP services used in NT products..

No worries, unless you use NT services.. [Smile]
 
Posted by goddinfla (Member # 1502) on :
 
Found this "cure" on another board.

Step 1
Disconnect from the web ENTIRELY. This is to prevent re-infection until the system is clean.

Step 2
There are 2 steps to remove the virus, you have to accomplish both to completely remove the virus from your system.

#1 Go to the Task Manager (Ctrl-Alt-Delete), go to PROCESSES. Under the processes option, you will find a process named MSBLAST.EXE. End the process by highlighting MSBLAST.EXE and hitting End Process in the lower right corner. Now you can easily delete the MSBLAST executable. You can find it by searching on the C: Drive for MSBLAST.exe or you can go to C:\WINDOWS\SYSTEM32 and delete MSBLAST.exe from there.

NOW

#2 Go to <START>, then <RUN> and type MSCONFIG in the run line. Click OK. This will bring up the system configuration utility. Go to the Startup Tab, where you will find MSBLAST.EXE running. Uncheck the box next to "MSBLAST.EXE" and click ok. It will then ask to restart the machine, which you want to do.

OK then. Go to Microsoft.com and update the new patch. You will see what I mean when you get there.

Tried it, haven't checked if it fixed it. Will check after downloading patches.
 
Posted by Don Coplen (Member # 127) on :
 
Does this thing affect Macs? I've never had a virus...knock on wood.
 
Posted by Henry Barker (Member # 174) on :
 
I don't think you have anything to worry about. I have been on holiday, and my annual renewal came up last month, and I didn't fix it until yesterday, but for me it was too late. I got MSblast, but went straight in to Symantec's website, downloaded the fixtool and it says everything is OK. After you have downloaded the fix it directs you to Microsoft, and the download for the patch.

So having been there and come out the other side OK, I wouldn't worry too much.

I will in future update my Norton AV when it runs out and not wait a couple of weeks though [Smile]
 
Posted by Steve Burke (Member # 2674) on :
 
I finally got the download that night from Microsoft- OP, it took me 2 hours for a 36 MB file (that update plus 26 other ones, most related to security issues)!!!...so yeah I guess a lot of people were frantically trying to download the same thing!!


Pat - I don't know where I got it. My wife was checking a bunch of job search websites, so I suspect it got in then. I don't know a lot about how long it takes them to activate, or how they get sucked in. I was playing an online game when it first started shutting me down, so maybe the game server was giving it to everyone logged in? Some of the more software-savvy guys can probably say where it's getting in.

Apparently it also runs a command that tries to prevent you logging onto Microsoft's update web page (clever bugger, eh?). The update will totally fix it. As for my config files, I didn't change that, but a website told me to go into my registry and delete the reference there. Also, it tries to stop your computer from recognizing good info coming in from bad, opening you up to further attacks.

Don- evidently Macs are immune from these nefarious attacks. They all take advantage of some loophole in Windows (quite a few of them judging by the 27 updates I installed). Macs don't have the same type of vulnerability.
 
Posted by Curtis hammond (Member # 2170) on :
 
You get this type of attack thru an open port. In this case port #135. Whenever you operate Windows there are 64,000 ports open to the world through the internet so your computer can perform certain functions. You must close all unused ports.


To stop these attacks you will need a firewall such as Zone Alarm and get a router between you and the internet. Zone Alarm closes the ports and the router makes you invisible to the net.

Once you install Zone Alarm you will be shocked to see just how much traffic there is probing your machine when you are online.

This is just the beginning of this type of attack. A firewall and router is your protection before the attack gets to you... the Anti Virus is to protect you after the attack enters your machine.
 
Posted by Santo (Member # 411) on :
 
Open your task manager and look through your processes, if you have the Blaster worm, it will be seen as "msblaster.exe."
 
Posted by W. R. Pickett (Member # 3842) on :
 
Let's hear it for MACS! (and DOWN WITH Bill Gates too!)
 
Posted by Arthur Vanson (Member # 2855) on :
 
Yeah! Macs and Betamax and Sabre-tooth-tigers and all the other things on the wrong branch of the evolutionary tree. [Smile]
 
Posted by Linda Silver Eagle (Member # 274) on :
 
Dear Valued Clients,

ALERT! On Friday August 1, many of our customers started receiving email with an
attachment that contains the worm virus "W32.Mimail.A". These emails typically
say "your account" in the subject line and read as follows,

****************Virus Email Text*********************
Hello there,

I would like to inform you about important information regarding your
email address. This email address will be expiring.
Please read attachment for details.

*********************END*****************************

This is obviously a trick. There is nothing wrong with your email address and
Email addresses do not expire!

Please update your Virus Protection software and also update your Windows
operating system with Windows Update at the Microsoft website. The new virus
attacks a vulnerability in all Windows operating systems.

**************************************************


Dear Charter Customer:
As you may have heard on the news, many Internet users are experiencing problems with their computers shutting down abruptly. This is not a problem with Charter Pipeline service. It is the result of a computer vulnerability and is being experienced by computer users around the world. It is due to a computer worm that scans computers checking to see if port 135 is open. If so, the worm takes advantage of the computer and shuts it down.

If your computer has not been infected, you should go to one of the web sites shown below to update your anti-virus software or install a patch to prevent infection.

Here is a Microsoft bulletin regarding this vulnerability:

http://www.microsoft.com/security/security_bulletins/ms03-026.asp

Here is an update from Symantec:

http://www.sarc.com/avcenter/security/Content/8205.html

Here is an update from McAfee:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547

If your computer becomes infected and gets shut down, you will need to follow these steps (you may want to print them for future reference):


Unplug modem.
Restart computer.
Go to Start / Search / For Files and Folders.
Confirm that Look in is set for C: drive.
Search for files and folders named: "MSBLAST.exe"
When computer finds the msblast file(s), right click on the file names and delete all copies of the file.
Shut down the machine.
Plug the modem back in.
Restart the machine.
Go directly to one of the web sites above and install the patch and/or update.
Please do not reply to this email. It is for informational purposes only.
Sincerely,

Charter Communications

These are two letters I received from my domain host and ISP on the subject.

Thought maybe it would help a bit.

[Big Grin]
 
Posted by Dave Johnson (Member # 2535) on :
 
I just checked my last update of Norton (8-11-03 rev. 19). It has the mblaster.exe definition listed as W32.Blaster.Worm.
 
Posted by Dave Grundy (Member # 103) on :
 
Got it...downloaded the patch...downloaded the removal program from Norton..ran the patch..ran the removal program...1 hr later I no longer am infected.

Pretty easy fix, in my view.
 
Posted by goddinfla (Member # 1502) on :
 
Unplugged my DSL and logged on by dialup. Went to symantec.com and downloaded the removal. Ran it and then it sent me to microsoft.com for the patch. Hooked the DSL back up, works great.
 
Posted by david drane (Member # 507) on :
 
So does it or doesn't it affect "Windows '98".??
 
Posted by Dave Grundy (Member # 103) on :
 
Doesn't affect Win 95/98/98SE.
 
Posted by Curtis hammond (Member # 2170) on :
 
As I posted above, this variant will not infect win 98 because you do not use RCP services.

However, there is a mutant variation coming back around that will attack win98 machines. It has a different name.

This is just the beginning of port style attacks. There is much discussion on certain "security" boards about the newest ways to attack M$ operating systems.

Your protection is the following..
Firewall (Zone Alarm free).. Closes your access ports, and alerts you to ask if you want to allow something that tries to access the net.
Router.. Stealths your machine from the net
Anti virus.. protects if something does get thru..
 
Posted by Bill Modzel (Member # 22) on :
 
Life happens....

http://www.macdailynews.com/comments.php?id=P1573_0_1_0

and the Mac answers....
 
Posted by Curtis hammond (Member # 2170) on :
 
Another variant, already,,,,,

The new variety uses the name TEEKIDS.EXE instead of MSBLAST.EXE, different code compression, and different signatures in the body of the worm.
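
Added example, not part of any post in this thread: the manual checks described above (Task Manager process list, startup entries, port 135) applied in Python to saved output of `tasklist`, `netstat -an` and `reg query` on the Run key. The executable names and the port come from the posts; the sample output and the registry value names `ExampleUpdater` and `AVTray` are constructed for illustration.

```python
import re

# Names and port come from the thread; all sample output below is constructed,
# including the made-up registry value names "ExampleUpdater" and "AVTray".
WORM_IMAGES = {"msblast.exe", "teekids.exe"}
RPC_PORT = "135"

SAMPLE_TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
svchost.exe                  872 Console                 0      3,912 K
msblast.exe                 1484 Console                 0      1,208 K
"""
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
"""
SAMPLE_RUN_KEY = """\
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    ExampleUpdater    REG_SZ    msblast.exe
    AVTray    REG_SZ    C:\\Program Files\\ExampleAV\\tray.exe
"""

def worm_processes(tasklist_text):
    """(image, pid) pairs from `tasklist` output that match a worm name."""
    rows = (re.match(r"(\S.*?)\s+(\d+)\s+\S", l) for l in tasklist_text.splitlines())
    return [(m.group(1), int(m.group(2))) for m in rows
            if m and m.group(1).lower() in WORM_IMAGES]

def exposed_rpc_listeners(netstat_text):
    """Local addresses from `netstat -an` listening on TCP 135 off loopback."""
    hits = []
    for fields in map(str.split, netstat_text.splitlines()):
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            host, _, port = fields[1].rpartition(":")
            if port == RPC_PORT and not host.startswith("127."):
                hits.append(fields[1])
    return hits

def worm_startup_entries(reg_text):
    """Run-key value names (from `reg query`) whose data starts a worm image."""
    hits = []
    for line in reg_text.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_(?:SZ|EXPAND_SZ)\s+(.*)", line)
        if m and WORM_IMAGES & set(re.findall(r'[^\\\s"]+\.exe', m.group(2).lower())):
            hits.append(m.group(1))
    return hits
```

A machine that returns empty lists for all three checks can still be unpatched; the port check only shows whether the service is reachable on a non-loopback address.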
 
Posted by AdrienneMorgan (Member # 1046) on :
 
I guess there is some merit to be still using Win98.....

Also, I no longer use an email account like Incredimail or Outlook Express...I use a remote email account like Hotmail or MSN....I'm assuming this will keep me from getting a virus (unless I download something to my computer right?)

A:)

Stay clean, and use protection!!
 
Posted by Curtis hammond (Member # 2170) on :
 
Yes, not using Outlook or Outlook Express is a great way to avoid email virii.. Lots of virii are done thru email and exploit M$'s lack of security. Outlook has some features that allow virii to come through..
 

