MSBlast worm alert (originally called Billy)
Looks like a worm based on the recent Windows RPC exploit is slowly infecting the Windows hosts on the net. In the past hour there has been a lot of traffic and random machine reboots (even of machines that are not connected directly to the net but sit inside a LAN; a sure sign of a worm).
If you are a sysadmin, please block ports 135/139/445 and 4444 (the worm executes commands remotely via this port) at your router. If your Windows machine is rebooting every minute or so, unplug it from the network, search for msblast.exe and delete that file.
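As an added example (not part of the original post), a small Python script that flags hosts whose connection pattern matches the propagation path described above: RPC connections on 135/139/445 fanned out across several hosts, followed by contact on 4444, the port the post says the worm uses for remote commands. The log line format, the sample lines and the fan-out threshold are constructed assumptions for this example.

```python
import re
from collections import defaultdict

RPC_PORTS = {135, 139, 445}   # ports the post says to block at the router
CMD_PORT = 4444               # port the worm uses to execute commands remotely

# Constructed firewall log lines for this example, not captured traffic.
SAMPLE_LOG = """\
2003-08-11 14:02:11 src=10.0.0.5 dst=10.0.0.17 dport=135 proto=tcp
2003-08-11 14:02:11 src=10.0.0.5 dst=10.0.0.18 dport=135 proto=tcp
2003-08-11 14:02:12 src=10.0.0.5 dst=10.0.0.19 dport=135 proto=tcp
2003-08-11 14:02:13 src=10.0.0.5 dst=10.0.0.17 dport=4444 proto=tcp
2003-08-11 14:02:14 src=10.0.0.9 dst=10.0.0.3 dport=445 proto=tcp
2003-08-11 14:02:15 src=10.0.0.9 dst=10.0.0.3 dport=139 proto=tcp
2003-08-11 14:02:16 src=10.0.0.12 dst=192.0.2.8 dport=80 proto=tcp
"""

# Assumed log format: "... src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")

def parse_line(line):
    """Return (src, dst, dport, proto) or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, dport, proto = m.groups()
    return src, dst, int(dport), proto

def find_suspect_hosts(log_text, fanout_threshold=3):
    """Map each suspicious source to its reasons: RPC-port connections to
    at least `fanout_threshold` distinct hosts (scanning), or any 4444 use."""
    rpc_targets = defaultdict(set)   # src -> distinct hosts hit on 135/139/445
    cmd_targets = defaultdict(set)   # src -> hosts hit on 4444
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != "tcp":
            continue
        src, dst, dport, _ = rec
        if dport in RPC_PORTS:
            rpc_targets[src].add(dst)
        elif dport == CMD_PORT:
            cmd_targets[src].add(dst)
    suspects = defaultdict(list)
    for src, dsts in rpc_targets.items():
        if len(dsts) >= fanout_threshold:
            suspects[src].append(f"RPC fan-out to {len(dsts)} hosts")
    for src, dsts in cmd_targets.items():
        suspects[src].append(f"port {CMD_PORT} contact with {len(dsts)} host(s)")
    return dict(suspects)
```

Running `find_suspect_hosts(SAMPLE_LOG)` on the constructed lines flags only 10.0.0.5; the host touching a single neighbour on 445 and 139 stays below the fan-out threshold.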
Billy Blaster worm updates
I’ve set up this page for more updates on this. Won’t be updating about this in my blog.
I am still in the process of fixing my laptop from this RPC bullshit. I’m damn lucky to have another computer. I’m just about to put the microsoft patch on a 3.5 floppy to transfer it to the laptop. Grrr, this has taken hours of my time today to figure out what was up.
Also, thanks for the tip for which file to delete. I’m back online with the laptop! Serious appreciation!
Glad to know the information came of some use.
As the worm started to spread, the number of mails I was getting started increasing exponentially too. Anyway this is a badly written worm and it made everyone patch up their systems before the killer one came out.
I still seem to have a slight problem. I installed the MS patch and erased msblast.exe once, but later tonight it was there again. There also seems to be a file in C:\Windows\SYSTEM32 called msblast (no suffix) that doesn’t seem to want to be erased. Is there a way I can eliminate this?
I don’t work on Windows, so I don’t know too well. Perhaps this should help ya: http://www.cert.org/advisories/CA-2003-20.html
Technically, the exploit isn’t recent. It’s only recently been discovered (and it has also been discovered it affects every version of Windows except ME). Just a little nit-pickiness (I run RedHat Linux 9.0 myself ;)).
Right. This is an exploit which is about a month old. But since this affects all Windows machines, a (well designed) worm can cause havoc. Though this one was badly designed, I’m sure a worm could have been written which could have done more damage than Slammer.
In a way it’s good this thing came out. Most of the people are applying the patches 🙂
A relatively oldish one – but yes, it seems to be an epidemic in the last couple of days…
I am pissed that this is such a shabby job. I want to see something which does the winduhs equivalent of rm -rf /* 😉
Well, the worm runs tftp in DOS. I’m sure it can be made to do
c:> del *.*
😉
I had realized the problem and deleted the file, but good to know I did the right thing… guess it was time for me to set up virus checking and a firewall, huh?
THANKS for the post!
I deleted the file and still have the problem. Damn it.
deltree! del *.* wouldn’t do anything.
Use this program to fix the machine
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
Thanks for the link. Norton was my first stop after I posted that comment. I appreciate the help. 🙂
Hahah! So all of us who have been bitching about the pain of ME for three years now find it’s worth something after all…
:p
Month old? lol Yeah right. It exists in EVERY copy of Windows except ME, which makes the exploit more than a month old. Think of the date when Win95 was released to the time this exploit was “found”. That’s a hella lot of time.
It just hasn’t been exploited until the past month when it was independently discovered. The fact that M$ released a patch in a day says a lot for how long they knew the exploit existed.
The flaw was discovered about a month ago, and this is one of the many flaws that have been discovered over the years.
I know there are zillions more, but it’s about people knowing them and exploiting them. Hardcore hackers know all the holes, but they don’t publish them or write mass worms.
It was discovered independently a month ago. I have no doubts M$ knew about it earlier. If not, they are entirely incompetent.
True, true hackers DON’T write virii and worms; they are clever programmers. Virii and worms are the work of script kiddies with nothing better to do.
You’ve been Rediffed. Not quite like being Slashdotted, but you’ve been Rediffed all the same.
wah
Did not realise it all. And I was wondering why people were pinging me in email. I haven’t updated the page in 2 days. Now all the sites have info about it. When I caught the worm in the first 5 min, mine was the only site which had any info at all about the existence of the worm. In fact that’s why I created the page.
Anyway happy to see it was rediffed 🙂
I got slashdotted a couple of months ago and you won’t believe the size of my access log 🙂