Focus on Microsoft
RE: What the heck is this msblast.exe Aug 12 2003 06:19PM
Rich Logan (ral stokeslaw com) (1 replies)
I haven't had the (dis)pleasure of fixing one of these machines; doing
the <CTRL>+<ALT>+<DEL> and ending Task doesn't buy you any additional
time? I know that is what is recommended by Symantec....

Rich Logan
IS Manager
Stokes Lawrence, P.S.
(206) 892-2154

-----Original Message-----
From: James Montgomery [mailto:jmont007 (at) earmyu (dot) com [email concealed]]
Sent: Tuesday, August 12, 2003 10:10 AM
To: focus-ms (at) securityfocus (dot) com [email concealed]

I have noticed that there has been a problem with end users and their
ability to "snuff" the worm. Many of my remote users cannot stay
connected to the internet long enough to download the patch or the
msblast.exe fix. Approximate up time is 2 minutes once connected to the
internet. Users receive "System is shutting down because of remote
procedure service termination unexpected"

Has anyone else had this problem? And if so is there an alternative to
physically making a disk to distribute to end users?

I suspect this will be a problem for many, as most of us are just
worried about our key systems and servers.

Thank you,
James

-----Original Message-----
From: Michael LaSalvia [mailto:mike (at) genxweb (dot) net [email concealed]]
Sent: Monday, August 11, 2003 3:47 PM
To: Lee_Fisher (at) NAI (dot) com [email concealed]; morris_minchu (at) iwon (dot) com [email concealed];
focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: What the heck is this msblast.exe

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

The msblast.exe is the dcom worm that was just released earlier today.
Been seeing this in my IDS logs all day.

- -----Original Message-----
From: Lee_Fisher (at) NAI (dot) com [email concealed] [mailto:Lee_Fisher (at) NAI (dot) com [email concealed]]
Sent: Monday, August 11, 2003 6:27 PM
To: morris_minchu (at) iwon (dot) com [email concealed]; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: RE: What the heck is this msblast.exe

- From your description I would imagine it to be the Blaster ( We called
it W32/Lovsan.worm )

Many posts on forums - We list it as a Medium On Watch alert - other AV
orgs have a similar classification.

http://vil.nai.com/vil/content/v_100547.htm

Lee Fisher
Solutions Architect
McAfee Product Management

- -----Original Message-----
From: Minchu Mo
To: focus-ms (at) securityfocus (dot) com [email concealed]
Sent: 11/08/03 15:00
Subject: What the heck is this msblast.exe

The code resides in c:\winnt\system32.

It somehow changes my registry and pretends to be Window autoupdate in
\Localsystem\software\microsoft\window\run, so it can run when I boot
the machine. Now it is sending out packets to random(?) IP's endpoint port


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPzgc6XAnVb+gRdsVEQIxfQCeKC1utno1oDrWrvmKpHTCKM+cIQUAn1+x
wcaDQq8UvNrA/O6KTmT8yqUc
=pqjM
-----END PGP SIGNATURE-----

Re: What the heck is this msblast.exe Aug 12 2003 09:42PM
Charley Hamilton (chamilto uci edu) (1 replies)
Re: What the heck is this msblast.exe Aug 14 2003 01:07AM
Shalla (shalla667 comcast net)







 
