Cable Forum

Merged: W32 Blaster Virus (https://www.cableforum.uk/board/showthread.php?t=1826)

basa 14-08-2003 13:41

Quote:

Originally posted by trebor
the worm has the ability to execute any command on the pc
how about a quick format that wouldn't do your data much good.
as it is the worm is coded to just issue the shutdown command
but it could get a lot worse.
also the port hits on 135 are not getting any less I'm up to 157 today so there is still a lot of unpatched PCs out there

The worm is not supposed to harm your PC but it is unstable and often terminates an important system process when you are online, this is why infected PCs restart after a couple of minutes online.

It is designed to send copies of itself to a range of IP addresses, starting in the same range as your own. If your IP address started with 81 for example, it would attempt to distribute itself around other people whose IP addresses also start with 81.

If it cannot send itself it basically crashes, which is why you see your PC restart. By this time though it has probably sent itself many times.

duncant403 14-08-2003 13:50

Quote:

Originally posted by basa
If it cannot send itself it basically crashes, which is why you see your PC restart. By this time though it has probably sent itself many times.
Sort of true. The worm contains the exploit code for both Win2K systems and WinXP systems - the two exploits are different. The worm (being incredibly badly written) has no way of working out whether the system it is running on is Win2K or WinXP and so runs one of the exploit codes randomly (I gather it's 60% XP code and 40% 2K code). If it runs the wrong code for your version of Windows, this causes a crash that results in the shutdown.

The worry is that a new variant of the worm will get written that does check the version of Windows you're running and so only run the correct exploit. This way you won't get the shutdowns - and so won't be aware you've got it...

distortal 14-08-2003 14:03

http://msblast.cjb.net has received over a hundred visitors today despite not being promoted - it somehow found its way into Google et al within 24 hours.

I've updated the page with links to AV and FW sites, and mirrored the MS patches in case WindowsUpdate goes down under the weight of panicking users - hope NTL don't mind :)

basa 14-08-2003 14:09

Quote:

Originally posted by duncant403
<snip>The worry is that a new variant of the worm will get written that does check the version of Windows you're running and so only run the correct exploit. This way you won't get the shutdowns - and so won't be aware you've got it...
But you will be able to download the patch no problem !! :D :D

(Unless that gets blocked .. :eek: which would be a worry !)

Anyway, why should I worry, I'm using 98SE :D :D

basa 14-08-2003 14:16

Quote:

Originally posted by distortal
http://msblast.cjb.net has received over a hundred visitors today despite not being promoted - it somehow found its way into Google et al within 24 hours.

I've updated the page with links to AV and FW sites, and mirrored the MS patches in case WindowsUpdate goes down under the weight of panicking users - hope NTL don't mind :)

You could also add links to Avast! AV (free and a good record) and Sygate FW (also free and v good) ;) ;)

distortal 14-08-2003 14:17

Quote:

Originally posted by basa
You could also add links to Avast! AV (free and a good record) and Sygate FW (also free and v good) ;) ;)
Thanks - will add those shortly.
Edit: done.

SMHarman 14-08-2003 15:03

Quote:

Originally posted by trebor
the worm has the ability to execute any command on the pc
how about a quick format that wouldn't do your data much good.
as it is the worm is coded to just issue the shutdown command
but it could get a lot worse.
also the port hits on 135 are not getting any less I'm up to 157 today so there is still a lot of unpatched PCs out there

I had 1600 in my ZA log from Tuesday and Wednesday, with it not looking like it was dropping off.

My PC is set to auto run windows update and had patched itself on 20 July. Cool.
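An added example, not part of any post in this thread: a way to tally the blocked port 135 probes that posters are counting in their firewall logs, and to check how many come from addresses sharing the first octet of your own IP, as described earlier in the thread. The log layout, the sample lines and the function names are constructed for illustration and are not ZoneAlarm's actual format.

```python
from collections import Counter

# Constructed sample log: date,time,action,proto,src_ip:port,dst_ip:port
# Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2003-08-12,09:14:02,BLOCK,TCP,192.0.2.77:3412,192.0.2.10:135
2003-08-12,09:14:09,BLOCK,TCP,192.0.2.201:1190,192.0.2.10:135
2003-08-12,11:40:51,BLOCK,UDP,198.51.100.5:1026,192.0.2.10:137
2003-08-13,02:03:37,BLOCK,TCP,203.0.113.9:4021,192.0.2.10:135
2003-08-13,02:05:10,BLOCK,TCP,192.0.2.77:3499,192.0.2.10:135
2003-08-13,08:22:45,ALLOW,TCP,192.0.2.10:1055,198.51.100.80:80
this line is malformed
"""

def split_endpoint(endpoint):
    """Split 'ip:port' into (ip, int(port)); raises ValueError if malformed."""
    ip, _, port = endpoint.rpartition(":")
    return ip, int(port)

def summarise_port135(log_text, local_ip):
    """Count blocked inbound TCP/135 probes per day and by source locality."""
    local_octet = local_ip.split(".")[0]
    per_day = Counter()
    sources = set()
    same_octet = 0
    for line in log_text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 6:
            continue  # skip lines that do not match the assumed layout
        date, _time, action, proto, src, dst = fields
        try:
            src_ip, _ = split_endpoint(src)
            dst_ip, dst_port = split_endpoint(dst)
        except ValueError:
            continue
        # Only blocked inbound TCP connections to our own port 135 count.
        if (action, proto, dst_ip, dst_port) != ("BLOCK", "TCP", local_ip, 135):
            continue
        per_day[date] += 1
        sources.add(src_ip)
        if src_ip.split(".")[0] == local_octet:
            same_octet += 1
    return {"total": sum(per_day.values()), "per_day": dict(per_day),
            "unique_sources": len(sources), "same_first_octet": same_octet}

if __name__ == "__main__":
    print(summarise_port135(SAMPLE_LOG, "192.0.2.10"))
```

A per-day count that stays flat or rises, as the posters report, indicates that infected machines are still scanning.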

BenH 14-08-2003 18:56

Quote:

Originally posted by basa
The worm is not supposed to harm your PC but it is unstable and often terminates an important system process when you are online, this is why infected PCs restart after a couple of minutes online.

It is designed to send copies of itself to a range of IP addresses, starting in the same range as your own. If your IP address started with 81 for example, it would attempt to distribute itself around other people whose IP addresses also start with 81.

If it cannot send itself it basically crashes, which is why you see your PC restart. By this time though it has probably sent itself many times.

The actual payload of the worm isn't intended to do serious damage to your pc, rather it appears to be gearing up for a DDOS attack against windowsupdate on the 16th. However given the publicity surrounding MS Blaster, it appears that it has already happened by users updating :D

For those of you still without protection, try the technet site which has been distributing the patch for over a month, while windowsupdate was crippling the acrobat plugin for IE because of a highly theoretical exploit, oddly enough just as M$ own pdf plugin goes into late beta.

Regards,

Ben

BenH 14-08-2003 18:58

Quote:

Originally posted by distortal
http://msblast.cjb.net has received over a hundred visitors today despite not being promoted - it somehow found its way into Google et al within 24 hours.

I've updated the page with links to AV and FW sites, and mirrored the MS patches in case WindowsUpdate goes down under the weight of panicking users - hope NTL don't mind :)

I could always /. it for you. It'll be a good test of NTL's servers :devsmoke:

Regards,

Ben

distortal 14-08-2003 20:09

Quote:

Originally posted by BenH
I could always /. it for you. It'll be a good test of NTL's servers :devsmoke:

Regards,

Ben

Don't you dare! :) The single page is on my own server, not NTL, but SlashDot... oh man. I don't want the poor box to melt :)

homealone 14-08-2003 20:30

Quote:

Originally posted by danielf
Doing that right now. Sounds good.

Cheers,

Daniel

Hi danielf - how did it go with LogViewer?

- I only got it recently & have, so far, found it invaluable for following the traffic trying to probe my ports during the - continuing - blaster worm phenomenon. :)

:notopic: and 'cos it shows outbound stuff as well, you can see the connects when you do a normal port 80, as well - quite interesting when browsing forums ;)

BenH 14-08-2003 20:41

Quote:

Originally posted by distortal
Don't you dare! :) The single page is on my own server, not NTL, but SlashDot... oh man. I don't want the poor box to melt :)
A friend of mine was /.ed a few months back. We had to drag him out of the remnants of his server :D

danielf 14-08-2003 21:07

Quote:

Originally posted by homealone
Hi danielf - how did it go with LogViewer?

- I only got it recently & have, so far, found it invaluable for following the traffic trying to probe my ports during the - continuing - blaster worm phenomenon. :)

:notopic: and 'cos it shows outbound stuff as well, you can see the connects when you do a normal port 80, as well - quite interesting when browsing forums ;)

I tried it and liked it, but am back to the linksys logviewer again (which also shows outbound traffic). I think I prefer the simplicity of the linksys one (I haven't really decided on one yet).

Oh, and it wasn't working earlier as I did a clean install of Zonealarm, and forgot to add the router ip to the trusted zone...

But thanks for your help;)

homealone 14-08-2003 21:24

Quote:

Originally posted by danielf
I tried it and liked it, but am back to the linksys logviewer again (which also shows outbound traffic). I think I prefer the simplicity of the linksys one (I haven't really decided on one yet).

Oh, and it wasn't working earlier as I did a clean install of Zonealarm, and forgot to add the router ip to the trusted zone...

But thanks for your help;)

thanks, just saying what works for me - & thank you for sharing your thoughts too:)

distortal 15-08-2003 07:55

Morning!

I see the worm still going round - any predictions on how long it's going to survive? :)

BlastBack v1.10 is available and now finds and kills W32.Blaster.Worm on your machine from both HD and RAM with continuous background scans.

Here's the usual page.

Direct link to BlastBack.

