Security Basics mailing list archives

RE: Purging Blaster.worm

From: Alfred.Diggs () STIS com
Date: Tue, 19 Aug 2003 15:08:35 -0400



I have to networks here, a test and production. currently both netwoks are
dealing with the virus assult. I would like to test this new variant on my
test network but i dont know where to obtain it from. So can anyone tell me
where to start looking.

Thanks

Alfred

-----Original Message-----
From: Meritt James [mailto:meritt_james () bah com]
Sent: Tuesday, August 19, 2003 9:12 AM
To: Stuart; security-basics () securityfocus com
Subject: Re: Purging Blaster.worm


Which has not stopped someone from trying:

"New 'Good' Worm Attempts To Repair Security On Infected Systems" 

A new worm takes a different twist by trying to repair systems infected
by Blaster and patch the vulnerability it exploits, antivirus vendors
said Monday. 

The worm, called Nachi or MSBlast.D, tries to delete Blaster from some
infected systems and install patches, according to Trend Micro. Last
week's Blaster worm, also called MSBlast and Lovsan, infected hundreds
of thousands of systems  by exploiting a Remote Procedure Call (RPC)
flaw  in Microsoft Windows.
................................................................

Full article at
http://www.internetweek.com/security02/showArticle.jhtml?articleID=13100535
Meritt James wrote:


Yes, it is possible.  No, it is not legal to do so.

It has been done with another.  The one who did it is on jail for that
reason.  Modifying systems which belong to someone else, no matter your
reasons, is a no-no.

Jim

Stuart wrote:



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Is it not possible to create another worm or modify this worm to
actually patch the machines? :)
Looking at the Symantec removal tool there is a silent mode.. A few
days back I was on the Microsoft site and I also saw an option for a
non interaction install for the RPC patch but looking through the
site now I cannot find it :(
The "fixing worm" could scan for 2 hours then purge itself?

Just a thought

Stu

- -----Original Message-----
From: Andreas Rothlauf [mailto:security () bitgui de]
Sent: 13 August 2003 21:25
To: security-basics () securityfocus com
Subject: Re: Purging Blaster.worm

Hi,

JG>  Has anyone successfully purged the MSBlaster worm. There is a
tool out
JG> there that can do it but is it reliable?

Symantec has made a tool available:
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.to
ol.html

A friend told me that it works.

greetZ //AndY

- ----------------------------------------------------------------------
- -----
- ----------------------------------------------------------------------
- ------

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQIVAwUBPzq4K5MRMj30dWmZAQIOCBAAy73WqYpzZSyjKb530Gefx+cJ3vhV73RN
aiFGkEtN+zaGio14/TWNNgFEDpY3DxNtbQF5GPAtw7OBV61qTsg9NOOxAJioyZV/
qftWulRdv9P7AmJ96c50ge9Gb5bVb2u6w0xIgS8pk5ButD5/z5QOOQ4mK0BRboyP
Du4EdphbMQNd6DI1cdWnQV6tX++jtMh2BnUwFSIj7WTwXIpUg4/H9PzJ/TZYx5Ro
swymEnfAusWUFWCljBG0PwTdNqFwmy4LWaCHJEIH/2MJ8ZdMlvUza6nX79yn12j6
OmavfnW0uUEX5bp3w4qF9C1b/6C7ajRlzBmqX4gG5iY28fGC+BlPAJgwhndbsJaz
id9Za7LhaErG5r3gpJiPL+Xv6nv7PCwBM0p+WhX19d1Z3JUIfmbCHekifLydmwm6
bYnG5tK9oH2K3IgzmM9m5oZYOD4sf/gUrqEGI0oK5md393xdfqv/ce/mS+VvShEk
59yuldmgV6pG8Yg5FF+bKI2lf1f35J4iWRknHEa114i3+PveJgSOtMdR71h7Rrnk
8j829JAtN66Z8Ndf14U2mtMmKlIIkoiq6lnc5kvq5tjKjJFTODlR70VPWfT/fu7+
C+MZulc55R2ZBp4cDe0ZriNtv9rEqWykQfc2GgIxTYvYYK1M3/861cnsoPCHudVS
37cjHXHGHds=
=eKYz
-----END PGP SIGNATURE-----

---------------------------------------------------------------------------

----------------------------------------------------------------------------


--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566

---------------------------------------------------------------------------

----------------------------------------------------------------------------

-- 
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566

---------------------------------------------------------------------------
----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

RE: Purging Blaster.worm, (continued)
- RE: Purging Blaster.worm Parolini, Walter A REV:EX (Aug 13)
- RE: Purging Blaster.worm Jay Woody (Aug 14)
- RE: Purging Blaster.worm Jay Woody (Aug 14)
- RE: Purging Blaster.worm Bob Walker (Aug 14)
- Re: Purging Blaster.worm Ken Jacobs (Aug 14)
  - RE: Purging Blaster.worm David Gillett (Aug 16)
- RE: Purging Blaster.worm Meidinger Chris (Aug 15)
- RE: Purging Blaster.worm Vachon, Scott (Aug 15)
- RE: Purging Blaster.worm Jay Woody (Aug 16)
- RE: Purging Blaster.worm Meidinger Chris (Aug 18)
- RE: Purging Blaster.worm Alfred . Diggs (Aug 19)
- RE: Purging Blaster.worm Meidinger Chris (Aug 20)