Security Basics mailing list archives
RE: Purging Blaster.worm
From: Meidinger Chris <chris.meidinger () badenit de>
Date: Wed, 20 Aug 2003 10:16:38 +0100
Never take a worm from the wild and put it in a trusted network unless you are prepared to analyze it by hand byte-for-byte. You have no way of knowing that the creator was truly 'altruistic'.

Referring to David Gillett's post, it sounds like the worm leaves a backdoor on port 707. So (this is conjecture) it sounds like it is essentially fixing the problem after infection to secure the backdoor access for its creator.

not a good idea to use :p

badenIT GmbH
System Support
Chris Meidinger
Tullastrasse 70
79108 Freiburg

-----Original Message-----
From: Alfred.Diggs () STIS com [mailto:Alfred.Diggs () STIS com]
Sent: Tuesday, August 19, 2003 9:09 PM
To: meritt_james () bah com; secmail () patchsupplier dyndns org; security-basics () securityfocus com
Subject: RE: Purging Blaster.worm

I have two networks here, a test and production. Currently both networks are dealing with the virus assault. I would like to test this new variant on my test network but I don't know where to obtain it from. So can anyone tell me where to start looking.

Thanks
Alfred

-----Original Message-----
From: Meritt James [mailto:meritt_james () bah com]
Sent: Tuesday, August 19, 2003 9:12 AM
To: Stuart; security-basics () securityfocus com
Subject: Re: Purging Blaster.worm

Which has not stopped someone from trying:

"New 'Good' Worm Attempts To Repair Security On Infected Systems"

A new worm takes a different twist by trying to repair systems infected by Blaster and patch the vulnerability it exploits, antivirus vendors said Monday. The worm, called Nachi or MSBlast.D, tries to delete Blaster from some infected systems and install patches, according to Trend Micro. Last week's Blaster worm, also called MSBlast and Lovsan, infected hundreds of thousands of systems by exploiting a Remote Procedure Call (RPC) flaw in Microsoft Windows.
................................................................
Full article at http://www.internetweek.com/security02/showArticle.jhtml?articleID=13100535

Meritt James wrote:

Yes, it is possible. No, it is not legal to do so. It has been done with another. The one who did it is in jail for that reason. Modifying systems which belong to someone else, no matter your reasons, is a no-no.

Jim

Stuart wrote:

Hi,

Is it not possible to create another worm or modify this worm to actually patch the machines? :)

Looking at the Symantec removal tool there is a silent mode.. A few days back I was on the Microsoft site and I also saw an option for a non-interaction install for the RPC patch but looking through the site now I cannot find it :(

The "fixing worm" could scan for 2 hours then purge itself?

Just a thought

Stu

-----Original Message-----
From: Andreas Rothlauf [mailto:security () bitgui de]
Sent: 13 August 2003 21:25
To: security-basics () securityfocus com
Subject: Re: Purging Blaster.worm

Hi,

JG> Has anyone successfully purged the MSBlaster worm. There is a tool out
JG> there that can do it but is it reliable?

Symantec has made a tool available:
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

A friend told me that it works.

greetZ //AndY
--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566
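Chris's point about Nachi is a detection question for a defender: if the "good" worm really does leave a listener behind, the place to look is the host's open sockets. The script below is an added example written for this archive page, not code from any poster, Symantec or Microsoft. It parses Windows `netstat -an` output and flags TCP listeners on ports the thread gives a reason to check: 707, which is only Chris's conjecture about Nachi in the thread and is not verified here, and 135, the RPC endpoint mapper that the Blaster RPC flaw is reached through (135 is normally open on Windows, so the flag is a reminder to confirm the patch, not an indicator of infection). The netstat lines and the watchlist reasons are constructed for the example.

```python
"""Flag watchlisted TCP listeners in Windows `netstat -an` output.

Added example for the Blaster/Nachi thread; not code from any poster.
Port 707 comes from the thread's conjecture about Nachi and is not
independently verified here. The sample netstat text is constructed.
"""
import re
from typing import Dict, List, Tuple

# Ports the thread gives a defender a reason to look at (assumed watchlist).
# 707: listener Chris suspects Nachi leaves behind (conjecture in the thread).
# 135: RPC endpoint mapper that Blaster's RPC exploit targets; normally open on
#      Windows, so a hit means "confirm the RPC patch", not "infected".
WATCHLIST: Dict[int, str] = {
    707: "possible Nachi/MSBlast.D backdoor listener (thread conjecture)",
    135: "RPC endpoint mapper exposed; confirm the RPC/DCOM patch is applied",
}

# Constructed sample of `netstat -an` output on a Windows host (not captured data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:707            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1062      192.168.1.5:135        ESTABLISHED
  UDP    0.0.0.0:69             *:*
"""

# One socket line: proto, local addr:port, foreign addr:port, optional state (UDP has none).
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<addr>\S+):(?P<port>\d+)\s+"
    r"(?P<remote>\S+)(?:\s+(?P<state>\S+))?\s*$"
)


def parse_netstat(text: str) -> List[Tuple[str, str, int, str]]:
    """Return (proto, local_addr, local_port, state) for each socket line; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header or blank line
        rows.append((m["proto"], m["addr"], int(m["port"]), m["state"] or ""))
    return rows


def find_watchlisted_listeners(text: str, watchlist: Dict[int, str] = WATCHLIST) -> List[Tuple[int, str, str]]:
    """Return sorted (port, local_addr, reason) for TCP sockets in LISTENING state on watchlisted ports.

    Only the *local* port is checked, so an outbound connection to a remote
    port 135 (as in the ESTABLISHED sample line) is not reported.
    """
    hits = []
    for proto, addr, port, state in parse_netstat(text):
        if proto == "TCP" and state == "LISTENING" and port in watchlist:
            hits.append((port, addr, watchlist[port]))
    return sorted(hits)


if __name__ == "__main__":
    # Stand-alone use: paste real `netstat -an` output in place of SAMPLE_NETSTAT.
    for port, addr, reason in find_watchlisted_listeners(SAMPLE_NETSTAT):
        print(f"TCP {addr}:{port} LISTENING -> {reason}")
```

On a real host the output of `netstat -an` would replace the constructed sample; a hit on 707 is only a lead to follow up with a process listing and antivirus scan, since the thread itself treats the port as conjecture.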
Current thread:
- RE: Purging Blaster.worm, (continued)
- RE: Purging Blaster.worm Jay Woody (Aug 14)
- RE: Purging Blaster.worm Jay Woody (Aug 14)
- RE: Purging Blaster.worm Bob Walker (Aug 14)
- Re: Purging Blaster.worm Ken Jacobs (Aug 14)
- RE: Purging Blaster.worm David Gillett (Aug 16)
- RE: Purging Blaster.worm Meidinger Chris (Aug 15)
- RE: Purging Blaster.worm Vachon, Scott (Aug 15)
- RE: Purging Blaster.worm Jay Woody (Aug 16)
- RE: Purging Blaster.worm Meidinger Chris (Aug 18)
- RE: Purging Blaster.worm Alfred . Diggs (Aug 19)
- RE: Purging Blaster.worm Meidinger Chris (Aug 20)