Security Basics mailing list archives

RE: Purging Blaster.worm


From: "Alexander Suhovey" <asuhovey () mtu-net ru>
Date: Sat, 16 Aug 2003 00:49:40 +0400

As for a Windows 2000 domain, you can use a startup script, which executes
with local system rights.

Btw, hfnetchk is not the only tool that can help. You can check for the
existence of a particular file, the date/size/version of files, or for registry
paths that should be changed by the worm or the security patch using OS shell
commands or vbs.
Or you can use the MS03-026 Scanning Tool as part of a script. Here is the
link:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=C8F04C6C-B71B-4992-91F1-AAA785E709DA
Assuming that this script should be run only once on each host, maybe it
will be a better idea to make a script to use administrative
shares/remote reg. and run it manually from support host. At least you
will have centralized report already. Though this will probably not work
for already infected and thus unstable systems.

And one last thing: the story does not end when you get rid of Blaster :) So
I would suggest you think about some sort of Patch Management System. MS
Software Update Services plus MBSA/hfnetchk/"your favorite scanner here"
may be an example of an easy (though limited in features) way to manage
critical patches.
It's free (afaik) and easy to implement and manage.
http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp

Al.


-----Original Message-----
From: Meidinger Chris [mailto:chris.meidinger () badenit de]
Sent: Friday, August 15, 2003 4:14 PM
To: 'Todd'; security-basics () securityfocus com
Subject: RE: Purging Blaster.worm

Remember that in an NT domain your login script runs with user rights.

I don't believe that would be enough to apply a hotfix, but correct me,
someone.

badenIT GmbH
System Support

Chris Meidinger
Tullastrasse 70
79108 Freiburg


-----Original Message-----
From: Todd [mailto:tod () megachump com]
Sent: Thursday, August 14, 2003 7:49 PM
To: security-basics () securityfocus com
Subject: Re: Purging Blaster.worm


Does anyone have an NT login script they've used to run the update and
Symantec worm fix?

I've considered putting together something that will first run HfNetChk; IF
"* WINDOWS 2000 SP4\nInformation\nAll necessary hotfixes have been applied"
does not exist, then run the update and wormfix.

Any suggestions?

--
Todd
tod () megachump com

