Tilted Forum Project Discussion Community


merkerguitars 08-12-2003 06:11 AM

Blaster Worm RPC patch
 
Here's a hotlink for you people for the patch to fix the vulnerability in Microsoft Windows NT® 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server™ 2003
Details:
Microsoft Security Bulletin MS03-026


Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
Originally posted: July 16, 2003

Revised: July 21, 2003

Summary
Who should read this bulletin: Users running Microsoft® Windows®

Impact of vulnerability: Run code of attacker’s choice

Maximum Severity Rating: Critical

Recommendation: Systems administrators should apply the patch immediately
LINK FOR DOWNLOAD

MSD 08-12-2003 06:40 AM

Oh, nice, when the school IT "experts" emailed it to us they said that it only affected 2000, not XP. Thanks for the heads-up

candyman 08-12-2003 07:34 AM

This worm is currently hitting my network pretty hard trying to find a hole. Luckily, all it is doing is eating up bandwidth (not my users' files and OSes).

TIO 08-12-2003 08:03 AM

I just had to whip out the crowbar and pry Blaster out of our network (~150 pooters, about half of them NT-200-XP). What a way to spend a birthday.

We got it out without too much damage, but it did take out one guy's OS on a bad shutdown. And it took down at least one local radio station. Has anyone heard if the Macy's billboard went down?
:p

What time did it strike you guys, out of curiosity? 30 pooters on our network died right on the dot of 11AM (local time).

candyman 08-12-2003 08:23 AM

It started here (Michigan) yesterday at about 2:00 EST. I was getting hit from Qwest IPs in Tenn. Pretty much all the traffic is spawning from 63.146.*.*

What a mess!

cliche 08-12-2003 08:37 AM

I was wondering why my firewall has been flagging up attempts to connect to 135 all day! I just put it on auto-deny and forgot about it. I think I'll turn back on the logging so I can warn friends etc...

Arc101 08-12-2003 08:58 AM

This got me yesterday, and yes it bloody well does affect XP. Anyway for more help and support (and to read people crying about how it affected them) click on below:
http://computing.net/hardware/wwwboard/forum/15396.html

Dragonlich 08-12-2003 09:59 AM

I saw the news mentioning it, and saw the reports online. To be honest, I had not seen any real evidence until just moments ago, when I checked my firewall logs - lots of 135s there.

If I'm not mistaken, I've been patched since the update was posted - my liveupdate keeps bugging me every time it's essential.

Speed_Gibson 08-12-2003 04:22 PM

no problems here - but I do have a 3com router as my primary firewall and kaspersky anti-hacker in stealth mode on the software side. (running winXP pro corporate w/o SP1)
looked at the anti-hacker logs and no activity shows up there at all.

Speed_Gibson 08-12-2003 04:26 PM

Quote:

Originally posted by Arc101
This got me yesterday, and yes it bloody well does affect XP. Anyway for more help and support (and to read people crying about how it affected them) click on below:
http://computing.net/hardware/wwwboard/forum/15396.html

after reading those posts it is more than a bit alarming - but not surprising - how many people are running without any kind of firewall. I would hate to have to rely on just a software option now after having both for several months.

Latch 08-12-2003 05:43 PM

Disrupted our whole uni. Classes got cancelled because no one could use the computers.

Then the damn thing hit res (the dorms).. I got about 5 calls in 20 minutes... and they just kept going.

juanvaldes 08-12-2003 06:38 PM

I bet a few admins just lost their jobs.

Mr.Deflok 08-12-2003 08:27 PM

Yesterday I got called out to five different locations having to heal up this worm problem, then once I was done with my clients a couple of friends called up to ask for my assistance.

Word of advice to you all, DOWNLOAD AND INSTALL THE PATCH NOW

If one techie (me) had to fix 7 instances of this problem in one day imagine how far stretched this problem really is.

p.s. the only positive thing to come of this mess is that yesterday I went to sleep a rich man.

Mr.Deflok 08-12-2003 08:33 PM

Oh and here's another link regarding the Worm and how to fix it.
http://www.techspot.com/vb/showthread.php?threadid=6651

YaWhateva 08-13-2003 01:10 AM

http://securityresponse.symantec.com...oval.tool.html

Yet another fix. That worm was a bitch.

Mr.Deflok 08-13-2003 02:54 AM

and another
http://www.freevideo.nu/rpc/

Reese 08-13-2003 04:07 PM

I just patched my mom's machine yesterday and today on my 98 machine I see 192 attempts to access port 135 in my firewall logs...

RoadRage 08-13-2003 07:57 PM

Hey Mods, can you put some tag on this thread so it stays near the top? People are going to be needing this info for quite a while.

Nooze2k 08-13-2003 08:36 PM

Man has this worm caused a lot of hell. The question I'm wondering about is do they have any idea who is responsible for it? From my personal experience, it's not like any virus I've ever seen, from an execution point of view anyways. I'm not trying to give the wrong impression or anything, but it's the most clever worm I've seen in a long time. Not real devastating to the home user (just annoying), but could cause havoc on servers and such... primarily WinXP/2000 servers..... hmmmm.... perhaps a disgruntled former MS employee? Sure, abusing Windows flaws is nothing new, but then shutting down RPC services, subsequently shutting down the PC as well. Ingenious, if not evil. I could see a hefty charge against the culprit if caught, but in this case I wouldn't be surprised if he was hired after it all settles. I'm just wondering how I got it after doing a fresh install and seconds after my first dialup connection to the 'net after the install..... makes you think....

Flippy 08-13-2003 09:35 PM

Quote:

Originally posted by Nooze2k
Man has this worm caused a lot of hell. The question I'm wondering about is do they have any idea who is responsible for it? From my personal experience, it's not like any virus I've ever seen, from an execution point of view anyways. I'm not trying to give the wrong impression or anything, but it's the most clever worm I've seen in a long time. Not real devastating to the home user (just annoying), but could cause havoc on servers and such... primarily WinXP/2000 servers..... hmmmm.... perhaps a disgruntled former MS employee? Sure, abusing Windows flaws is nothing new, but then shutting down RPC services, subsequently shutting down the PC as well. Ingenious, if not evil. I could see a hefty charge against the culprit if caught, but in this case I wouldn't be surprised if he was hired after it all settles. I'm just wondering how I got it after doing a fresh install and seconds after my first dialup connection to the 'net after the install..... makes you think....
While I agree the impact of this worm was *huge*, it wasn't really all that "clever..." Public information about the vulnerability this worm exploits was released on July 16, and public exploit code was released ~1.5 weeks after. The author of this worm just wrapped some self-spreading code around a plain vanilla public exploit code, and voila! Instant havoc ;)

This has happened before too, just not with such widespread vulnerabilities. Examples include Code Red, Nimda, and SQL Slammer.

Batman976 08-13-2003 11:01 PM

I'm running Windows 98... which patch do I need to install?

Mr.Deflok 08-14-2003 12:10 AM

Quote:

Originally posted by Batman976
I'm running Windows 98... which patch do I need to install?
Windows 98 users need not worry about the Worm, you're in the clear buddy! It's only us Win2k/XP users (and 2003...)

billege 08-14-2003 12:26 AM

I had the patch installed on both of our home network computers when the patch came out, a couple of months ago.

Behind the hardware and software firewall, everything is cool. This is one of those days where I'm glad I do as much as I understand to protect my network.

Whew.

Speed_Gibson 08-14-2003 01:53 AM

just checked my logs in kaspersky again and there have been ZERO hits on my ports in the past umpteenth weeks - I am assuming that my router and stealthed ports via software are the reason for that.

did look at my router logs before posting this and it did show "unauthorised HTTP access" on a few times in the week or so

Batman976 08-14-2003 09:56 AM

Ahh, sweet. Thanks for your help. None of the sites I found mentioned anything about '98... even in the unaffected software parts.

...I guess I just need to upgrade my computer one of these days.

Pragma 08-14-2003 02:23 PM

billege - the patch came out in July, not several months ago, but yea, I understand what you mean. I had it patched on all of my personal computers the day after the patch was out.

I heard a really interesting conspiracy theory today at work that some government agency (NSA? who knows) created and released the worm to get people to update, as everyone (Dep't Homeland Security, etc.) has been really worried about how this vulnerability hasn't been getting patched. Because if you'll notice, this worm (strangely enough) does nothing at all malicious, except bounce your computer.

I don't believe it, but it gives you something to think about.

juanvaldes 08-14-2003 03:42 PM

Pragma: apparently everyone infected is set to DOS windows update on Saturday.

Pragma 08-14-2003 04:38 PM

Amusing - when it first broke, they only "thought" it was set to DDoS WindowsUpdate. I guess I've been too busy working on other stuff at work to read updates.

I guess no "white hat" group would DDoS WindowsUpdate. So much for that conspiracy theory.

merkerguitars 08-14-2003 10:35 PM

******** UPDATE *******EASIEST WAY TO REMOVE**************

First Download this tool. Make sure you store it in a place where you can find it. http://securityresponse.symantec.com...r/FixBlast.exe this is the link to download the tool from. Don't run it or open it yet.

Next shut down your computer. Before the computer boots press the F8 button. Then select the safe mode option. When the computer is fully booted up run the utility. (The screen will look funky but don't worry about it, it's perfectly normal.)

Then, after the tool has removed all the files, download this patch and install it.

http://www.microsoft.com/technet/tre...n/MS03-026.asp here is the link for the patch...the download option is on the right hand side of the screen. Once you install that you should be virus free.

billege 08-15-2003 01:03 AM

I thought it was June, ahhh heck.

almostaugust 08-15-2003 01:35 AM

Glad it doesn't attack Windows 98, cause the worm window just appeared before.

Hanxter 08-15-2003 05:28 AM

http://tfproject.org/tfp/showthread.php?threadid=22022

Brewmaniac 08-15-2003 10:55 AM

Hell, I'm more of a novice, I checked and my auto-update on XP did download the patch, but I'm not using a firewall. Do I need to?
Is the firewall that comes with XP good enough? Is it easy to set up? Are there any drawbacks to firewalls?

Thanks all!

raeanna74 08-15-2003 01:32 PM

How long does this take to download over dialup? http://securityresponse.symantec.com...r/FixBlast.exe

A friend and client got the virus and I'm going to try to fix her computer tonight. She's tried to download the patch but it takes too long and is too big to get in time before the worm shuts down her windows. I'm hoping this file is smaller and takes less time. Is it possible to load this onto disk?
Any suggestions?

steveincolumbus 08-15-2003 05:31 PM

I guess everyone has seen MS's site where they have details how to remove this worm... http://www.microsoft.com/security/incident/blast.asp
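Several posts in this thread mention firewall logs filling with connection attempts to port 135 and traffic clustering in one address range (63.146.*.*). The following is an added example, not code from any poster or vendor, showing how such a log can be summarized by source network; the log layout, the function name `summarize_probes` and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample log, not real traffic; the "#Fields:" header plus
# space-separated records layout is an assumption for this example.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2003-08-12 11:00:01 DROP TCP 192.0.2.10 198.51.100.5 3021 135
2003-08-12 11:00:02 DROP TCP 192.0.2.77 198.51.100.5 3022 135
2003-08-12 11:00:02 DROP TCP 203.0.113.9 198.51.100.5 4410 135
2003-08-12 11:00:03 OPEN TCP 198.51.100.5 203.0.113.80 1055 80
2003-08-12 11:00:04 DROP UDP 192.0.2.10 198.51.100.5 1026 135
2003-08-12 11:00:05 DROP TCP 192.0.2.10 198.51.100.5 3023 135
2003-08-12 11:00:06 DROP TCP not-an-ip 198.51.100.5 3024 135
truncated line
"""

def summarize_probes(log_text, port=135, protocol="TCP", prefix_len=16):
    """Return (per_network, per_host, skipped) for attempts to `port`."""
    fields, per_net, per_host, skipped = [], Counter(), Counter(), 0
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()  # column names for later rows
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if not fields or len(parts) < len(fields):
            skipped += 1  # too short to map onto the declared columns
            continue
        rec = dict(zip(fields, parts))
        if rec.get("protocol", "").upper() != protocol or rec.get("dst-port") != str(port):
            continue
        try:
            src = ipaddress.ip_address(rec["src-ip"])
        except (KeyError, ValueError):
            skipped += 1  # missing or unparseable source address
            continue
        # Collapse each source to its enclosing network, e.g. a /16 like 63.146.*.*
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        per_net[str(net)] += 1
        per_host[str(src)] += 1
    return per_net, per_host, skipped

if __name__ == "__main__":
    nets, hosts, skipped = summarize_probes(SAMPLE_LOG)
    for net, count in nets.most_common():
        print(f"{net:<18} {count} attempts ({skipped} records skipped overall)")
```

Grouping by network rather than by single address makes a sweep from one provider's range stand out even when each host only knocks a few times.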


All times are GMT -8.