Security Basics mailing list archives

RE: Purging Blaster.worm


From: "Bob Walker" <bobwalker8 () comcast net>
Date: Thu, 14 Aug 2003 00:47:18 -0500

We've had a crush of systems coming in the last 2 days in our small
store/shop, and yes, the Symantec removal tool works great.  I think the
key is booting the system up in safe mode, running the removal tool,
then rebooting and connecting directly to http://symantec.com and
following the link there on the left side of the page to
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html.
That will have a link directly to Microsoft's patch for this worm,
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp.
Download the patch, install it, and the
system is back out the door.  I've personally done about 15-20 of these
repairs over the last 2 days.  Hasn't left much time for motherboard
replacements, OS reloads, etc., but it's been easy money :-)

I've seen some speculation here about possible reinfection between the
short time you're connected to the web after running the removal tool
but before the patch is installed.  That hasn't been my experience here
at all, but the fact that we're running a broadband connection behind a
pretty good firewall has probably mitigated that possibility
considerably.  This infection doesn't seem to be able to get past a
properly configured firewall, with ports 4400 and 135 locked down, which
could be why it's been so widespread, eh? ;-)  What does that tell us?

Regards,
Bob

-----Original Message-----
From: Jose Guevarra [mailto:jose () iquest ucsb edu] 
Sent: Tuesday, August 12, 2003 7:07 PM
To: security-basics () securityfocus com
Subject: Purging Blaster.worm


Hi,

Has anyone successfully purged the MSBlaster worm? There is a tool out
there that can do it, but is it reliable?

thanx,

============

