Joined: Aug 2003
Posts: 73
C
CyBot Offline OP
Babel fish
Uh, as some of you may know, some of Microsoft's programs are affected by a worm. The programs affected are:
Microsoft Windows NT® 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server™ 2003

W32.Blaster.Worm is a worm that exploits and disconnects you within 60 seconds. There's a little timer or something; when the timer pops up on you, press Ctrl + Alt + Del and close msblast.exe

More Info:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp


The blue monkey is out of its barrel...
Joined: Jan 2003
Posts: 3,012
Hoopy frood
Latest updates and patches fix this. It's a month old, and any who are being affected are due to their own lack of updating.

People, please don't wait for the little icon on the bottom right to say "You have an update". Please check the update website (Start Menu>>Program List>>"Windows Update") and make sure you have the latest patches.


-KingTomato
Joined: Dec 2002
Posts: 2,985
Hoopy frood
Kingtomato is quite correct here, I've had the patches for a few weeks now. I also download updated virus signatures each day. It's not a case of Windows users being stuffed around anyway as dangerous files existed well before Windows was even conceived. People will write virii for anything that is popular because it gives the best effect.

Joined: Aug 2003
Posts: 73
C
CyBot Offline OP
Babel fish
I don't know about you, but there have been lots of cases reported today, 12-8-03. So...go get the patch and stuff everyone, also sorry about the name of the post, but I needed something catchy and it does make sense :tongue:


The blue monkey is out of its barrel...
Joined: Dec 2002
Posts: 2,985
Hoopy frood
That's because too many people have the "It won't happen to me so I'm not having anti-virus software or Windows updates" attitude. For the reasons I outlined above I have nothing to fear from the latest curses. (Mimail worm or the Poza/Blaster worm)

Joined: Jan 2003
Posts: 3,012
Hoopy frood
Yea, I also used to be your average teenager where you aren't cool unless you can crack computers, so I know several security sites. These sites have not only the notice, but proof of concept (the very reason I don't post these sites) code. So, chances are none of this is new to me >:D

Again, just run Windows Update, and make sure you're all updated and you should be fine.

Additionally, if you are familiar with your router, you may block ports 135, 139, 142, 145, 4444, and I forget the others. The 135/139 is NetBIOS (Exploited Port); the others (except 4444) are other services that are exploited, and the 4444 is like a console login to the remote computer where the user can execute a "download" command and execution command.

If anyone is familiar with the Cisco routers, it works just like the router stacks, in that it references itself with a tftp site for updated versions. Just be careful >:D

Additionally if you have xp, you may try the following

1. Open control panel (Start>>Control Panel)
2. Switch to "classic view" (top left of window)
3. Open Network Connections
4. Right click your active connection (non faded icon) and select properties.
5. Click "Internet Protocol (TCP\IP)" from the list box, and click the properties button
6. Click the Advanced button on the bottom left of the General Tab
7. Select WINS tab at top of the new window.
8. At the bottom, you'll notice the "NetBIOS setting" box. Make sure to disable NetBIOS over TCP\IP.
9. Click Okay (x3) and restart. You should then be more secure as far as allowing (Internet) access to your computer on port 135/139


-KingTomato
Joined: Dec 2002
Posts: 2,985
Hoopy frood
I've also blocked port 69, this worm listens on that port for connection possibilities.

Joined: May 2003
Posts: 2,265
P
Hoopy frood
i just enabled the built-in XP firewall which stopped it downloading msblast.exe and allowed me to scan to remove the files
kt: windows update keeps saying there's an error :frown:

Last edited by pheonix; 12/08/03 12:07 PM.

new username: tidy_trax
Joined: Dec 2002
Posts: 2,985
Hoopy frood
The worm is able to DDoS the Windows Update server so I would say this is why it's not reachable at the moment. This is why it pays to beat the morons who make these things at their own game and get the updates and patches when Microsoft release them and not wait weeks and months later when they are actually needed. I personally believe that few people have learned any lessons from the Slammer debacle.

Joined: Dec 2002
Posts: 3,127
P
Hoopy frood
Microsoft has published information about this vulnerability in Microsoft Security Bulletin MS03-026 (url already posted)
don't forget registry entries

some affected machines are not able to stay connected to the network long enough to download patches from Microsoft, Trendmicro and CERT have info to help

KT: what i read so far (but i still have to catch up on current info to wade thru):
* 69/UDP
* 135/TCP
* 135/UDP
* 139/TCP
* 139/UDP
* 445/TCP
* 445/UDP
* 4444/TCP
* 593

All this is helpful to know, but better that anyone wanting the most current and accurate info and help to deal with this check out the sites that specialize in security. Which should have been already done, as was pointed out. Amazing how many ppl who should know better don't, lol


ParaBrat @#mIRCAide DALnet
Joined: May 2003
Posts: 2,265
P
Hoopy frood
i scanned, it found 1 infected file (msblast.exe), i deleted windows auto update="msblast.exe" in registry (or something along those lines), i turned off restore points, but i definitely have the infection somewhere because as soon as i turn off my firewall msblast.exe gets downloaded :mad:


new username: tidy_trax
Joined: Dec 2002
Posts: 3,127
P
Hoopy frood
i haven't looked into this yet:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
Trendmicro also has help

block the ports mentioned elsewhere too

i assume you mean the blahblah \Run\windows auto update with a value of msblast.exe is what you removed?

Honestly, far better you go to those that specialize in this for help rather than be asking here


ParaBrat @#mIRCAide DALnet
Joined: May 2003
Posts: 2,265
P
Hoopy frood
i think i'll just keep my firewall on until i get a better antivirus.


new username: tidy_trax
Joined: Dec 2002
Posts: 2,809
C
Hoopy frood
It's probably a good idea to keep your firewall on regardless of how good your virus scanner is.

Joined: Dec 2002
Posts: 3,127
P
Hoopy frood
i certainly agree with codemastr. Altho, no disrespect intended, but considering how many trojans you tell us you get, perhaps you might want to consider modifying your online activities.


ParaBrat @#mIRCAide DALnet
Joined: May 2003
Posts: 2,265
P
Hoopy frood
i have done, which is why i was shocked to find that worm...


new username: tidy_trax
Joined: Jan 2003
Posts: 3,012
Hoopy frood
In addition, Gibson, of Gibson Research, always does an excellent job on Windows security, and provides patches at no additional cost. His website can be found at: http://grc.com/default.htm

He also offers a free port scan that is used to test firewalls/routers for security. It probes the ports and notifies you if they are open, closed, or stealth.


-KingTomato