Security Basics mailing list archives

RE: Purging Blaster.worm


From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 19 Aug 2003 11:28:48 -0700

  Note that MSBlast.D apparently leaves port 707 open as a backdoor....

David Gillett
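A quick way to act on the tip above is to sweep the local subnet for hosts that answer on the backdoor port. The following is an added example, not code posted by anyone in this thread: it does a plain TCP connect to each suspect port and reports hosts that accept. TCP 707 is the port David names for MSBlast.D/Nachi; TCP 4444 (the shell the original Blaster left open) is an assumption added here, not something the thread states. A connect that succeeds is an indicator, not proof; confirm on the host before cleaning.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Ports to probe. 707 comes from the thread (MSBlast.D / Nachi backdoor);
# 4444 is an added assumption (the remote shell left by the original Blaster).
SUSPECT_PORTS = {
    707: "MSBlast.D / Nachi backdoor (per thread)",
    4444: "Blaster remote shell (assumed, not from thread)",
}


def tcp_port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes within timeout.

    A full three-way handshake is enough for this check; nothing is sent,
    so it is safe to run against a box you suspect is infected.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def scan_host(host, ports=SUSPECT_PORTS, timeout=1.0):
    """Return the sorted list of suspect ports that accept connections on host."""
    return sorted(p for p in ports if tcp_port_open(host, p, timeout))


def sweep(hosts, ports=SUSPECT_PORTS, timeout=1.0, workers=64):
    """Probe many hosts concurrently.

    Returns {host: [open suspect ports]} containing only hosts with at least
    one hit, so an empty dict means nothing answered.
    """
    results = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        opened = pool.map(lambda h: scan_host(h, ports, timeout), hosts)
        for host, open_ports in zip(hosts, opened):
            if open_ports:
                results[host] = open_ports
    return results


def describe(results, ports=SUSPECT_PORTS):
    """Render sweep() output as tab-separated report lines, one per hit."""
    lines = []
    for host in sorted(results):
        for port in results[host]:
            lines.append(f"{host}\tTCP/{port}\t{ports[port]}")
    return lines


if __name__ == "__main__":
    # Usage: python blaster_sweep.py 10.0.0.1 10.0.0.2 ...
    targets = sys.argv[1:] or ["127.0.0.1"]
    report = describe(sweep(targets))
    print("\n".join(report) if report else "no suspect ports open")
```

Run it from a clean machine against a list of addresses; any host listed for TCP/707 is a candidate for the Symantec removal tool and the RPC patch discussed below, and should stay off the network until both are done.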

-----Original Message-----
From: Meritt James [mailto:meritt_james () bah com]
Sent: August 19, 2003 06:12
To: Stuart; security-basics () securityfocus com
Subject: Re: Purging Blaster.worm


Which has not stopped someone from trying:

"New 'Good' Worm Attempts To Repair Security On Infected Systems"

A new worm takes a different twist by trying to repair systems infected
by Blaster and patch the vulnerability it exploits, antivirus vendors
said Monday.

The worm, called Nachi or MSBlast.D, tries to delete Blaster from some
infected systems and install patches, according to Trend Micro. Last
week's Blaster worm, also called MSBlast and Lovsan, infected hundreds
of thousands of systems by exploiting a Remote Procedure Call (RPC)
flaw in Microsoft Windows.
................................................................

Full article at
http://www.internetweek.com/security02/showArticle.jhtml?articleID=13100535

Meritt James wrote:

Yes, it is possible.  No, it is not legal to do so.

It has been done with another.  The one who did it is in jail for that
reason.  Modifying systems which belong to someone else, no matter your
reasons, is a no-no.

Jim

Stuart wrote:


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Is it not possible to create another worm or modify this worm to
actually patch the machines? :)
Looking at the Symantec removal tool there is a silent mode. A few
days back I was on the Microsoft site and I also saw an option for a
non-interactive install for the RPC patch, but looking through the
site now I cannot find it :(
The "fixing worm" could scan for 2 hours then purge itself?

Just a thought

Stu

- -----Original Message-----
From: Andreas Rothlauf [mailto:security () bitgui de]
Sent: 13 August 2003 21:25
To: security-basics () securityfocus com
Subject: Re: Purging Blaster.worm

Hi,

JG> Has anyone successfully purged the MSBlaster worm. There is a tool out
JG> there that can do it but is it reliable?

Symantec has made a tool available:

http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

A friend told me that it works.

greetZ //AndY


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
-----END PGP SIGNATURE-----



--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566

