Merged: W32 Blaster Virus
Old 14-08-2003, 13:41   #181
basa
Inactive
 
Join Date: Jun 2003
Location: S Manchester
Age: 77
Posts: 1,766
Quote:
Originally posted by trebor
the worm has the ability to execute any command on the pc
how about a quick format that wouldn't do your data much good.
as it is the worm is coded to just issue the shutdown command
but it could get a lot worse.
also the port hits on 135 are not getting any less I'm up to 157 today so there is still a lot of unpatched PCs out there
The worm is not supposed to harm your PC but it is unstable and often terminates an important system process when you are online, this is why infected PCs restart after a couple of minutes online.

It is designed to send copies of itself to a range of IP addresses, starting in the same range as your own. If your IP address started with 81 for example, it would attempt to distribute itself around other people whose IP addresses also start with 81.

If it cannot send itself it basically crashes, which is why you see your PC restart. By this time though it has probably sent itself many times.
Old 14-08-2003, 13:50   #182
duncant403
Inactive
 
Join Date: Jun 2003
Location: Leeds
Posts: 96
Quote:
Originally posted by basa
If it cannot send itself it basically crashes, which is why you see your PC restart. By this time though it has probably sent itself many times.
Sort of true. The worm contains the exploit code for both Win2K systems and WinXP systems - the two exploits are different. The worm (being incredibly badly written) has no way of working out whether the system it is running on is Win2K or WinXP and so runs one of the exploit codes randomly (I gather it's 60% XP code and 40% 2K code). If it runs the wrong code for your version of Windows, this causes a crash that results in the shutdown.

The worry is that a new variant of the worm will get written that does check the version of Windows you're running and so only run the correct exploit. This way you won't get the shutdowns - and so won't be aware you've got it...
Old 14-08-2003, 14:03   #183
distortal
Inactive
 
Join Date: Jun 2003
Posts: 48
http://msblast.cjb.net has received over a hundred visitors today despite not being promoted - it somehow found its way into Google et al within 24 hours.

I've updated the page with links to AV and FW sites, and mirrored the MS patches in case WindowsUpdate goes down under the weight of panicking users - hope NTL don't mind
Old 14-08-2003, 14:09   #184
basa
Inactive
 
Join Date: Jun 2003
Location: S Manchester
Age: 77
Posts: 1,766
Quote:
Originally posted by duncant403
<snip>The worry is that a new variant of the worm will get written that does check the version of Windows you're running and so only run the correct exploit. This way you won't get the shutdowns - and so won't be aware you've got it...
But you will be able to download the patch no problem !!

(Unless that gets blocked .. which would be a worry !)

Anyway, why should I worry, I'm using 98SE
Old 14-08-2003, 14:16   #185
basa
Inactive
 
Join Date: Jun 2003
Location: S Manchester
Age: 77
Posts: 1,766
Quote:
Originally posted by distortal
http://msblast.cjb.net has received over a hundred visitors today despite not being promoted - it somehow found its way into Google et al within 24 hours.

I've updated the page with links to AV and FW sites, and mirrored the MS patches in case WindowsUpdate goes down under the weight of panicking users - hope NTL don't mind
You could also add links to Avast! AV (free and a good record) and Sygate FW (also free and v good)
Old 14-08-2003, 14:17   #186
distortal
Inactive
 
Join Date: Jun 2003
Posts: 48
Quote:
Originally posted by basa
You could also add links to Avast! AV (free and a good record) and Sygate FW (also free and v good)
Thanks - will add those shortly.
Edit: done.
Old 14-08-2003, 15:03   #187
SMHarman
Inactive
 
Join Date: Jun 2003
Services: Cablevision
Posts: 8,305
Quote:
Originally posted by trebor
the worm has the ability to execute any command on the pc
how about a quick format that wouldn't do your data much good.
as it is the worm is coded to just issue the shutdown command
but it could get a lot worse.
also the port hits on 135 are not getting any less I'm up to 157 today so there is still a lot of unpatched PCs out there
I had 1600 in my ZA log from Tuesday and Wednesday, with it not looking like it was dropping off.

My PC is set to auto run windows update and had patched itself on 20 July. Cool.
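The port 135 hit counts quoted in the posts above can be pulled out of a firewall log with a short script. This is an added example, not part of any member's post: the log line format, the addresses and the function name `summarise_probes` are constructed for illustration and are not ZoneAlarm's or Linksys's own format. It also counts how many probes share the first octet of the local address, matching the propagation pattern described earlier in the thread.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample in a made-up line format (not ZoneAlarm's or Linksys's own).
SAMPLE_LOG = """\
2003-08-12 09:14:02 BLOCK IN TCP 81.98.14.7:3312 -> 81.102.33.9:135
2003-08-12 09:14:09 BLOCK IN TCP 81.98.14.7:3313 -> 81.102.33.9:135
2003-08-12 10:02:41 BLOCK IN TCP 81.77.201.5:1190 -> 81.102.33.9:135
2003-08-12 11:30:00 ALLOW OUT TCP 81.102.33.9:1045 -> 192.0.2.10:80
2003-08-13 08:01:17 BLOCK IN TCP 203.0.113.44:4021 -> 81.102.33.9:135
2003-08-13 08:05:55 BLOCK IN UDP 81.98.14.7:137 -> 81.102.33.9:137
2003-08-13 12:44:30 BLOCK IN TCP 81.55.6.90:2788 -> 81.102.33.9:135
truncated or unparseable line
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} \w+ (?P<dir>IN|OUT) "
    r"(?P<proto>\w+) (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$"
)

def summarise_probes(log_text, local_ip, port=135):
    """Tally inbound TCP hits on `port` per day and per source address."""
    local_octet = ip_address(local_ip).packed[0]
    per_day, per_source, same_octet = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dir"] != "IN" or m["proto"] != "TCP":
            continue  # skip malformed lines, outbound traffic, non-TCP
        if int(m["dport"]) != port:
            continue
        try:
            src = ip_address(m["src"])
        except ValueError:
            continue  # e.g. an octet above 255
        per_day[m["date"]] += 1
        per_source[str(src)] += 1
        # The thread describes the worm scanning addresses near its own,
        # so probes sharing our first octet are the expected majority.
        same_octet += src.packed[0] == local_octet
    return {
        "total": sum(per_day.values()),
        "per_day": dict(per_day),
        "same_first_octet": same_octet,
        "top_sources": per_source.most_common(3),
    }

if __name__ == "__main__":
    print(summarise_probes(SAMPLE_LOG, "81.102.33.9"))
```

A source that keeps reappearing in `top_sources` over several days is most likely a still-unpatched machine on a nearby range.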
Old 14-08-2003, 18:56   #188
BenH
Inactive
 
Join Date: Jul 2003
Location: South Manchester
Posts: 74
Quote:
Originally posted by basa
The worm is not supposed to harm your PC but it is unstable and often terminates an important system process when you are online, this is why infected PCs restart after a couple of minutes online.

It is designed to send copies of itself to a range of IP addresses, starting in the same range as your own. If your IP address started with 81 for example, it would attempt to distribute itself around other people whose IP addresses also start with 81.

If it cannot send itself it basically crashes, which is why you see your PC restart. By this time though it has probably sent itself many times.
The actual payload of the worm isn't intended to do serious damage to your pc, rather it appears to be gearing up for a DDOS attack against windowsupdate on the 16th. However given the publicity surrounding MS Blaster, it appears that it has already happened by users updating.

For those of you still without protection, try the technet site which has been distributing the patch for over a month, while windowsupdate was crippling the acrobat plugin for IE because of a highly theoretical exploit, oddly enough just as M$ own pdf plugin goes into late beta.

Regards,

Ben
Old 14-08-2003, 18:58   #189
BenH
Inactive
 
Join Date: Jul 2003
Location: South Manchester
Posts: 74
Quote:
Originally posted by distortal
http://msblast.cjb.net has received over a hundred visitors today despite not being promoted - it somehow found its way into Google et al within 24 hours.

I've updated the page with links to AV and FW sites, and mirrored the MS patches in case WindowsUpdate goes down under the weight of panicking users - hope NTL don't mind
I could always /. it for you. It'll be a good test of NTL's servers

Regards,

Ben
Old 14-08-2003, 20:09   #190
distortal
Inactive
 
Join Date: Jun 2003
Posts: 48
Quote:
Originally posted by BenH
I could always /. it for you. It'll be a good test of NTL's servers

Regards,

Ben
Don't you dare! The single page is on my own server, not NTL, but SlashDot... oh man. I don't want the poor box to melt
Old 14-08-2003, 20:30   #191
homealone
Guest
 
Posts: n/a
Quote:
Originally posted by danielf
Doing that right now. Sounds good.

Cheers,

Daniel
Hi danielf - how did it go with LogViewer?

- I only got it recently & have, so far, found it invaluable for following the traffic trying to probe my ports during the - continuing - blaster worm phenomenon.

and 'cos it shows outbound stuff as well, you can see the connects when you do a normal port 80, as well - quite interesting when browsing forums
Old 14-08-2003, 20:41   #192
BenH
Inactive
 
Join Date: Jul 2003
Location: South Manchester
Posts: 74
Quote:
Originally posted by distortal
Don't you dare! The single page is on my own server, not NTL, but SlashDot... oh man. I don't want the poor box to melt
A friend of mine was /.ed a few months back. We had to drag him out of the remnants of his server
Old 14-08-2003, 21:07   #193
danielf
cf.mega poser
 
Join Date: Jun 2003
Posts: 16,687
Quote:
Originally posted by homealone
Hi danielf - how did it go with LogViewer?

- I only got it recently & have, so far, found it invaluable for following the traffic trying to probe my ports during the - continuing - blaster worm phenomenon.

and 'cos it shows outbound stuff as well, you can see the connects when you do a normal port 80, as well - quite interesting when browsing forums
I tried it and liked it, but am back to the linksys logviewer again (which also shows outbound traffic). I think I prefer the simplicity of the linksys one (I haven't really decided on one yet).

Oh, and it wasn't working earlier as I did a clean install of ZoneAlarm, and forgot to add the router IP to the trusted zone...

But thanks for your help
__________________
Remember kids: We are blessed with a listening, caring government.
Old 14-08-2003, 21:24   #194
homealone
Guest
 
Posts: n/a
Quote:
Originally posted by danielf
I tried it and liked it, but am back to the linksys logviewer again (which also shows outbound traffic). I think I prefer the simplicity of the linksys one (I haven't really decided on one yet).

Oh, and it wasn't working earlier as I did a clean install of ZoneAlarm, and forgot to add the router IP to the trusted zone...

But thanks for your help
thanks, just saying what works for me - & thank you for sharing your thoughts too
Old 15-08-2003, 07:55   #195
distortal
Inactive
 
Join Date: Jun 2003
Posts: 48
Morning!

I see the worm still going round - any predictions on how long it's going to survive?

BlastBack v1.10 is available and now finds and kills W32.Blaster.Worm on your machine from both HD and RAM with continuous background scans.

Here's the usual page.

Direct link to BlastBack.
All times are GMT.
All Posts and Content are © Cable Forum