et al, # has she tried booting into safe mode ? # then removing the msblast or what not program ? If everyone hasn't seen it by now, the problem is endless rebooting; we've seen it with a number of clients...good luck updating before the system goes down again... It's part of the offset the exploit uses and which OSes/events it overwrites the proper part of the stack to exploit, and which events it just crashes the OS...(the vast majority of crashes we are seeing are XP, though some 2k server...) Bottom line: the endless shutdown cycle is part of the story of the worm, given the OS and how the worm hits it. But there is a solution: # cannot use Windows update because when the RPC is shutdown, # SYSTEM automatically initiates a shutdown of the computer as # you are all aware of. What is the best solution to keep data files # intact while removing this worm? The endless shutdowns are a result of getting banged on repeatedly by this worm. Options: NT 4.0: hmmm...probably disable RPC service... Windows 2000: |Network|Local Area Connection (or whatever you have named this)|Properties|Advanced|Options|>TCP/IP Filtering> |Properties|x-enable TCP/IP filtering| >Permit only on UDP and ICMP. Do not define. >Permit only on TCP and define 80 and 443 (http and https). Continue on to windowsupdate.microsoft.com and update w/out further issue. Later, if you feel comfortable (or have the need), relax your filter settings. Windows XP: turn on the included firewall, found under the similar options to above for 2k (sorry--I don't have an XP machine handy or I'd list the exact steps...) Good luck, Cheers, Arian J. Evans ps// if bugtraq cross-post is inappropriate, apology to admins for having to remove. There's been a lack of OS-native controls mitigation discussed on this issue... _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 00:14:24 PDT