The patch is not working at this time in our installations. Symantec just released a new worm, w32.blaster. It appears this is what we are seeing.

-----Original Message-----
From: Jerod Alexander [mailto:jerod@private]
Sent: Monday, August 11, 2003 2:19 PM
To: 'Jim Wood'
Subject: RE: CRIME WARNING FYI

Jim, this information is about a week and a half old, and the patch from Microsoft has been available for about a month. For technical information about this vulnerability and links to patches, go here:

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp

As a temporary defensive measure, we have disabled all traffic from the OIT-maintained portions of the network (i.e., everything but CEX) on port 135. This may cause some issues with Windows services on campus being accessed from off-campus and vice versa. This block will be removed once the crisis has passed.

For machines that are already compromised:

1) As an administrator, kill any instances of "msblast.exe" that may be running.
2) Delete %SystemRoot%\System32\msblast.exe (%SystemRoot% is your C:\WINNT or C:\WINDOWS directory).
3) In the registry, check the key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" for an entry called "windows auto update" set to "msblast.exe". Delete ONLY the entry containing "msblast.exe".
4) Patch IMMEDIATELY.

--Jerod

============================================
Jerod Alexander
Information Security Specialist
Information Security Team
Portland State University
-.-. .. .- .... --- .--. . ..-. ..- .-..
============================================

-----Original Message-----
From: owner-crime@private [mailto:owner-crime@private] On Behalf Of Jim Wood
Sent: Monday, August 11, 2003 2:09 PM
To: crime@private
Subject: CRIME WARNING FYI

We are seeing several customers' equipment with a security hole that has been exploited. Details on the hole are at the following:

http://securityresponse.symantec.com/avcenter/security/Content/8205.html

Customers that have been exploited get a window on their computer when connected to the internet that says the computer will be shut down in 1 minute, then the countdown begins. It is due to a failure in the RPC service. This exploit makes it so the user cannot access the internet; when they try, it repeats itself every time.

If you have any information on fixes, cases, or further damage, please email me immediately.

Thanks,
Jim Wood
jwood@private
MW Technology Group Inc
DBA: Zebra Computer Repair & Networking
360-736-7000

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.507 / Virus Database: 304 - Release Date: 8/4/2003

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.507 / Virus Database: 304 - Release Date: 8/4/2003
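
The four cleanup steps in Jerod Alexander's reply, as an added example that is not part of the original thread: a PowerShell audit of the three artifacts he lists, which reports by default and removes them only with the `-Remediate` switch. It assumes an elevated prompt on a current Windows host with PowerShell 3 or later; the `-Remediate` parameter name is hypothetical.

```powershell
# Added example: audit (and optionally clean) the msblast.exe artifacts
# named in the reply above. Report-only unless -Remediate is supplied.
param([switch]$Remediate)

$exeName = 'msblast.exe'
$exePath = Join-Path $env:SystemRoot "System32\$exeName"
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Step 1: running instances of msblast.exe
$procs = @(Get-Process -Name 'msblast' -ErrorAction SilentlyContinue)

# Step 2: the dropped file under %SystemRoot%\System32
$fileFound = Test-Path -LiteralPath $exePath

# Step 3: Run-key values whose data references msblast.exe.
# Select on the data, not the value name, so that ONLY the entry
# containing msblast.exe is touched and other autostart entries stay.
$runValues = @()
$key = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($data -match [regex]::Escape($exeName)) {
            $runValues += [pscustomobject]@{ Name = $name; Data = $data }
        }
    }
}

# One summary object per host, easy to collect and compare across machines
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    RunningPids   = ($procs | ForEach-Object Id) -join ','
    FilePresent   = $fileFound
    RunKeyEntries = ($runValues | ForEach-Object Name) -join ','
}

if ($Remediate) {
    # Order follows the reply: stop the process first so the file is not locked
    $procs | Stop-Process -Force
    if ($fileFound) { Remove-Item -LiteralPath $exePath -Force }
    foreach ($v in $runValues) {
        Remove-ItemProperty -LiteralPath $runKey -Name $v.Name
    }
    # Step 4 cannot be scripted here: the host is still vulnerable until patched
    Write-Warning 'Artifacts removed. Apply the MS03-026 patch immediately.'
}
```
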
This archive was generated by hypermail 2b30 : Mon Aug 11 2003 - 14:56:39 PDT