Latest internet worm

Mikej
Posted on Wednesday, August 13, 2003 - 05:04 pm:

Got this in email from my ISP and thought it was worth sharing:

quote:


Date: Wed, 13 Aug 2003 16:35:59 -0400
From: CoreComm Support <support@core.com>
To: support@core.com
Subject: IMPORTANT SECURITY NOTICE TO OUR USERS

Dear Valued CoreComm Internet Customer,

IMPORTANT SECURITY NOTICE TO OUR USERS

On Monday, August 11, 2003 a new worm virus was discovered by Antivirus Companies. This worm, known as Blaster, is known to attack Microsoft Windows operating systems and can crash your computer and even slow your Internet connections.

Blaster targets computers running the most popular Windows systems including all versions of Windows NT, Windows 2000, Windows XP, and Windows Server 2003. Once the computer is infected, the worm will attempt to infiltrate and infect other computers by using a normal Internet connection. This process has allowed the worm to spread worldwide in a very short period of time.

Is Your Computer Already Infected?
It is possible that the worm has already infected your computer if you notice sluggish performance, crashing or if you have received the following text:
"This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM"

Followed by a message box that states:
"Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly"

How to Protect Your Computer:
This worm is able to infect and utilize systems through security vulnerabilities discussed in Microsoft Security Bulletins MS03-010 and MS03-026. Please visit both links below and make certain to patch your system for these two vulnerabilities. The security patches will secure your system and prevent the reboots. They will not remove the virus from your computer. See section "How to remove the virus:" for removal instructions after both patches below have been installed:

MS03-010: http://www.microsoft.com/technet/security/bulletin/MS03-010.asp
MS03-026: http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

*Because of the virus, it may be impossible to stay connected to the Internet long enough to obtain the patch or removal tool before the computer reboots. Follow these steps if this is the case:

a. Do one of the following:
Windows 2000: Right-click the My Computer icon on the Windows desktop and then click Manage. The Computer Management window opens.
Windows XP: Click the Start button, right-click the My Computer icon, click Manage. The Computer Management window opens.

b. In the left pane, double-click Services and Applications and then select Services. A list of services appears.

c. In the right pane, locate the Remote Procedure Call (RPC) service.
IMPORTANT: There is also a service named Remote Procedure Call (RPC) Locator. Do not confuse the two.

d. Right-click the Remote Procedure Call (RPC) service and click Properties.

e. Click the Recovery tab.

f. Using the drop-down lists, change First failure, Second failure, and Subsequent failures to "Restart the Service."

g. Click Apply and then OK.
IMPORTANT: Make sure that you change these settings back after you have installed the security patches and have removed the virus.

If you receive the error message “Setup could not verify the integrity of the file Update.inf. Make sure the Cryptographic service is running on this computer” then please visit the following website for information on how to resolve this behavior:

http://support.microsoft.com/default.aspx?scid=kb;en-us;822798

How to remove the virus:
A removal tool for this virus, with instructions, can be found at:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Additional information on this virus can be found at:
http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.html

Further information regarding the Microsoft vulnerability and this virus can be found at:
http://www.cnn.com/2003/TECH/internet/08/12/windows.worm/index.html
http://securityresponse.symantec.com/avcenter/security/Content/8205.html
http://isc.sans.org/diary.html?date=2003-08-11
http://www.cert.org/advisories/CA-2003-19.html
http://www.datafellows.com/v-descs/msblast.shtml

Protecting Your Computer From Viruses
Protect yourself and your computer from emailed virus attacks with CoreComm Defender. CoreComm Defender automatically scans all your incoming e-mail for viruses then notifies you and the sender should a virus be detected. All infected e-mails are quarantined and deleted ensuring you the best protection for your computer. In addition, CoreComm Defender monitors all major virus detection services and automatically updates the virus filters so you don’t have to. You can add CoreComm Defender to your account for just $2 a month. Call 1-877-CORECOMM to find out more.

You can also scan your computer for Worms, Malware, Trojans and Virii for free at:
http://housecall.antivirus.com
http://security.symantec.com/default.asp


*The worm is known by a number of names depending on the virus scanning program you use:
* W32.Blaster.Worm [Symantec]
* W32/Lovsan.worm [McAfee]
* Win32.Poza [CA]
* Lovsan [F-Secure]
* WORM_MSBLAST.A [Trend]
* W32/Blaster-A [Sophos]
* W32/Blaster [Panda].

*IMPORTANT*:
You are installing these Microsoft provided patches and the Symantec Blaster removal tool at your own risk. CoreComm is not responsible for any problems or data loss associated with installing them nor does CoreComm support these items.



Thank You,

CoreComm
Support@core.com



Josh_
Posted on Wednesday, August 13, 2003 - 05:18 pm:

Yup, hit http://windowsupdate.microsoft.com occasionally to stay updated if you run Windoze.
(I believe they removed Win95 support and maybe Win98 pre-SE from windowsupdate)

'Course the downside is they occasionally release patches that do more harm than good.

Viros
Posted on Wednesday, August 13, 2003 - 05:20 pm:

Thanks for sharing... That virus hit about 10 computers here at work, and my laptop at home. I will try to delete it once I get home.

Bluzm2
Posted on Wednesday, August 13, 2003 - 05:33 pm:

We got hammered pretty good here also.
Lots more than 10 PC's unfortunately.
Long day yesterday, I'm actually going to get out of here on time today.

Sometimes being a network guy sucks.
It's even worse when you do networks and intrusion detection/firewalls.

Been a rough week.

Darthane
Posted on Wednesday, August 13, 2003 - 05:56 pm:

I got nailed with this one a couple days ago. Out of sheer frustration I simply reformatted...and contracted it AGAIN the very second my computer booted up (curse my cable modem). A second format gave me enough time on the internet to successfully d/l all the required patches and such. I wish I could understand why people do shit like this. Are their lives THAT pathetic that this is all they can think of to do with their free time? (rhetorical question)

M2me
Posted on Wednesday, August 13, 2003 - 08:09 pm:

We didn't get hit at all at work. I think my dad got it though. I've downloaded the removal tool from Symantec and the patch from Microsoft so I'll put them on a CD and take it over to my parents'.

Brad,

Don't you use a firewall? I've got a SonicWall firewall at work and I'm using NAT. We didn't get hit at all. I did apply the patch awhile ago on the Win2K web servers that have public IP addresses. I'm not sure if the patch helped or the firewall blocked it since the only thing open on the firewall is what is needed. Port 80 for http for example. But I know that most of the workstations did not have the patch and none were affected. I'm going around now and just making sure the workstations are up to date. The trouble is, you have to be logged in as Administrator to do that.

Bluzm2
Posted on Wednesday, August 13, 2003 - 08:41 pm:

John,
We use 2 seriously industrial grade FW's for our dual T3 internet links. Both are big Nokia units running Checkpoint.
We have 6 or so others scattered about the network for various functions.
We have over 10,000 PC's on our network and probably 400 or so servers.
After a bit of forensics today, it looks like someone got infected at home from a cable/dsl connection, then VPNed into work. The bastards didn't have a router at home like is required.
That started the ball rolling.
Most servers and PC's were current on fixes but some at a few plants were not.
Guess where we got hit.....
We had to put outbound filters at the plant routers to block port 135 so the cootie wouldn't spread, then onsite staff got in and cleaned up.

Pretty much had it knocked by noon today.
Now have to do a post mortem and fix a couple of holes.
I've got a lot to do tomorrow if I want to take Friday off....

Brad
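
An added example, not part of the post above or of any tooling mentioned in the thread: one way to pick out hosts spreading a worm over port 135 from firewall or router logs is to flag internal sources that reach many distinct destinations on TCP/135 within a short window. The log layout, addresses, thresholds and function names are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed log layout (an assumption, not any vendor's real format).
LINE_RE = re.compile(r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                     r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+) ACTION=\S+$")

def find_port135_scanners(lines, window_seconds=60, min_targets=5):
    """Map each source to its peak count of distinct TCP/135 destinations
    inside any sliding window, keeping only peaks >= min_targets."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "TCP" or m["dpt"] != "135":
            continue  # skip malformed lines and unrelated traffic
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        events[m["src"]].append((ts, m["dst"]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        window, seen, peak = deque(), Counter(), 0
        for ts, dst in evs:
            window.append((ts, dst))
            seen[dst] += 1
            # Drop events that have aged out of the window.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _, old = window.popleft()
                seen[old] -= 1
                if not seen[old]:
                    del seen[old]
            peak = max(peak, len(seen))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

def sample_log():
    """Constructed sample: sweeping host, normal RPC client, slow client, noise."""
    fmt = "2003-08-12T09:{}:{:02d} SRC={} DST={} PROTO=TCP DPT={} ACTION={}"
    sweep = [fmt.format(14, i, "10.20.1.15", f"10.20.2.{i + 1}", 135, "DENY")
             for i in range(6)]
    normal = [fmt.format(10 + i, 0, "10.20.1.40", "10.20.0.5", 135, "ALLOW")
              for i in range(3)]
    slow = [fmt.format(10 + 5 * i, 0, "10.20.1.77", f"10.20.3.{i + 1}", 135, "ALLOW")
            for i in range(5)]
    web = [fmt.format(14, 2, "10.20.1.15", "192.0.2.10", 80, "ALLOW")]
    return sweep + normal + slow + web + ["garbled line"]

if __name__ == "__main__":
    print(find_port135_scanners(sample_log()))
```

Counting distinct destinations rather than raw connections keeps a client that talks repeatedly to one RPC server from being flagged; widening the window catches slower sweeps at the cost of more false positives.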

Chainsaw
Posted on Wednesday, August 13, 2003 - 08:51 pm:

Damn! If I would get rid of this damn Macintosh, I could get some of these love notes to Bill Gates!

Ray_maines
Posted on Friday, August 15, 2003 - 07:22 am:

Don't be so smug. The only reason Macs don't get more virus attacks is that there aren't enough of them to attract virus writers. You’re running under the radar, so to speak. That’s good for you I suppose, but it’s not a reason to feel smug.

Mikej
Posted on Friday, August 15, 2003 - 08:48 am:

Oh man could you imagine what would happen if the viral folks started targeting Apple folks? I don't have a Mac so I don't know if Symantec or Norton or others even support them much. If Apple had won the war instead of IBM/MS/DOS then the game would be different, the same but different.

Anybody want to buy a Basis 108 Apple clone? I think I still have access to one out west in a storage shed.