Security Basics mailing list archives

Re: Purging Blaster.worm

From: "Meritt James" <meritt_james () bah com>
Date: Fri, 15 Aug 2003 13:26:46 -0400

Anyone who saw your worm on their machine and could identify where it
came from.

TheFueley wrote:


There's a user on Astalavista.net saying that he made a "counter-worm" to
nullify this w32.blaster.worm. says he coded it in VC++. i havent seent the
code myself, but have seen that others at the site that have, give it props.
Says it can block 4 of the 6 variants...or something like that. the whole
legality discussion went on there too. Personally i think its a good idea to
try and combat the thing, legal or not. who would really sue for trying to
block it? unless M$ created it. oh well
The Fueley

-----Original Message-----
From: Duston Sickler [mailto:dustons () charter net]
Sent: Wednesday, August 13, 2003 7:53 PM
To: Stuart; security-basics () securityfocus com
Subject: Re: Purging Blaster.worm

You would be stepping on a lot of toes by doing that.  Not to mention
breaking several laws.

This hack patch discussion has been had before.  The area sounds appealing
but when it comes down to who is responsible if the "Patch Worm" breaks my
"whatever" it starts to loose its luster.

Duston Sickler
CompTIA A+ Certified
"Cedo nulli."
----- Original Message -----
From: "Stuart" <secmail () patchsupplier dyndns org>
To: <security-basics () securityfocus com>
Sent: Wednesday, August 13, 2003 5:14 PM
Subject: RE: Purging Blaster.worm


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Is it not possible to create another worm or modify this worm to
actually patch the machines? :)
Looking at the Symantec removal tool there is a silent mode.. A few
days back I was on the Microsoft site and I also saw an option for a
non interaction install for the RPC patch but looking through the
site now I cannot find it :(
The "fixing worm" could scan for 2 hours then purge itself?

Just a thought

Stu

- -----Original Message-----
From: Andreas Rothlauf [mailto:security () bitgui de]
Sent: 13 August 2003 21:25
To: security-basics () securityfocus com
Subject: Re: Purging Blaster.worm

Hi,

JG>  Has anyone successfully purged the MSBlaster worm. There is a
tool out
JG> there that can do it but is it reliable?

Symantec has made a tool available:
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.to
ol.html

A friend told me that it works.

greetZ //AndY



- ----------------------------------------------------------------------
- -----
- ----------------------------------------------------------------------
- ------


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQIVAwUBPzq4K5MRMj30dWmZAQIOCBAAy73WqYpzZSyjKb530Gefx+cJ3vhV73RN
aiFGkEtN+zaGio14/TWNNgFEDpY3DxNtbQF5GPAtw7OBV61qTsg9NOOxAJioyZV/
qftWulRdv9P7AmJ96c50ge9Gb5bVb2u6w0xIgS8pk5ButD5/z5QOOQ4mK0BRboyP
Du4EdphbMQNd6DI1cdWnQV6tX++jtMh2BnUwFSIj7WTwXIpUg4/H9PzJ/TZYx5Ro
swymEnfAusWUFWCljBG0PwTdNqFwmy4LWaCHJEIH/2MJ8ZdMlvUza6nX79yn12j6
OmavfnW0uUEX5bp3w4qF9C1b/6C7ajRlzBmqX4gG5iY28fGC+BlPAJgwhndbsJaz
id9Za7LhaErG5r3gpJiPL+Xv6nv7PCwBM0p+WhX19d1Z3JUIfmbCHekifLydmwm6
bYnG5tK9oH2K3IgzmM9m5oZYOD4sf/gUrqEGI0oK5md393xdfqv/ce/mS+VvShEk
59yuldmgV6pG8Yg5FF+bKI2lf1f35J4iWRknHEa114i3+PveJgSOtMdR71h7Rrnk
8j829JAtN66Z8Ndf14U2mtMmKlIIkoiq6lnc5kvq5tjKjJFTODlR70VPWfT/fu7+
C+MZulc55R2ZBp4cDe0ZriNtv9rEqWykQfc2GgIxTYvYYK1M3/861cnsoPCHudVS
37cjHXHGHds=
=eKYz
-----END PGP SIGNATURE-----


--------------------------------------------------------------------------

--------------------------------------------------------------------------

--


---------------------------------------------------------------------------
----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------


-- 
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566

---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

Re: Purging Blaster.worm, (continued)
- - Re: Purging Blaster.worm Schneider Sebastian (Aug 13)
    - Re: Purging Blaster.worm Todd (Aug 14)
    - Re: Purging Blaster.worm Schneider Sebastian (Aug 14)
  - RE: Purging Blaster.worm Stuart (Aug 13)
    - RE: Purging Blaster.worm Andrew Hecox (Aug 14)
    - Re: Purging Blaster.worm Duston Sickler (Aug 14)
    - RE: Purging Blaster.worm Stuart (Aug 14)
    - Re: Purging Blaster.worm Todd (Aug 14)
    - RE: Purging Blaster.worm Alexander Suhovey (Aug 16)
    - RE: Purging Blaster.worm TheFueley (Aug 15)
    - Re: Purging Blaster.worm Meritt James (Aug 15)
    - RE: Purging Blaster.worm Stuart (Aug 16)
    - Re: Purging Blaster.worm Meritt James (Aug 14)
    - Re: Purging Blaster.worm Meritt James (Aug 19)
    - RE: Purging Blaster.worm David Gillett (Aug 19)
    - Ethics Question Mike Taylor (Aug 21)
    - Re: Ethics Question Adam Newhard (Aug 21)
    - Re: Ethics Question Suzanne Rodday (Aug 21)
    - Re: Ethics Question Sebastian Schneider (Aug 22)
    - Re: Ethics Question Michael Thornhill (Aug 21)
    - Re: Ethics Question Schneider Sebastian (Aug 21)

(Thread continues...)