Re: Blasting Blaster.Worm (aka LovSan Virus)

From: Lloyd Taylor (ltaylorat_private)
Date: Tue Aug 12 2003 - 20:51:36 PDT


    Check the clock on the affected user's computer.  If it's set in the future,
    the worm may well have triggered, thinking that August 16th was already 
    here.
    
    Also check for other malware.  Since 135 was open, it's quite likely that
    the computer is vulnerable to other sploits.
    
    As previously suggested in this forum, please read the Symantec 
    analysis at https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf.
    
    To inhibit propagation of the worm to/from your network, block the 
    following ports at (at least) all of your border routers (in/out),
    and preferably (to inhibit infection within your network) on your
    interior routers as well:
    
     * Close port 135/tcp (and if possible 135-139, 445 and 593)
     * Monitor TCP Port 4444 and UDP Port 69 (tftp) which are used by the worm
       for activity related to this worm.
    
    More details are available from the CERT advisory at:
    
    	http://www.cert.org/advisories/CA-2003-19.html
    
    --Lloyd Taylor
      VP Technology & Operations
      Keynote Systems
    
    On Tue, 12 Aug 2003, Alavan wrote:
    
    > Date: Tue, 12 Aug 2003 12:40:43 -0700
    > From: Alavan <alavanat_private>
    > To: incidentsat_private
    > Subject: Blasting Blaster.Worm (aka LovSan Virus)
    > 
    > All,
    > 
    > We're a small ISP providing T-1 access to residents of apartment 
    > communities. Several of our communities have been hit hard by this recent 
    > worm. Trying to identify who's infected is difficult. We've tried logging 
    > UDP, TCP and IP in general, but there's nothing telling getting logged. 
    > Reports indicate that the Virus will try a DDOS on Microsoft's Windows 
    > Update site on 8/16/03, but we saw 1500 small packets per second leaving a 
    > site and couldn't log them via the Cisco router using the above method. I 
    > assumed they were destined for MS. After the flood stopped (some unknown 
    > reason), we traced the flood to a customer using usage stats on our 
    > switches throughout the property.
    > 
    > Turns out that the customer was infected with Blaster.Worm (lovsan). So, it 
    > sure seems that it's doing more than initially indicated.
    > 
    > Does anyone know exactly what protocol is being used by this 
    > "msblaster.exe" or this other shell program created? Any easy way to sniff 
    > and log via our Cisco router?
    > 
    > Any advice would help. We've currently got another property with 1352 
    > packets/second leaving a T-1 serial interface that's only at 128/255, or 
    > half-used. We never see that kind of pps.
    > 
    > Thanks in advance.
    > 
    > Alavan
    > 
    > 
    > 
    
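    Alavan asks how to pick the infected hosts out of router logs, and Lloyd's reply names the ports that matter (135/tcp, 4444/tcp, 69/udp). The script below is an added example, not code from either poster: it assumes the router has been configured to log hits on those ports (Cisco IOS ACL entries with the `log` keyword emit `%SEC-6-IPACCESSLOGP` lines of the shape shown) and ranks sources by how many distinct destinations they touched on 135/tcp, since one RPC connection is normal on a Windows LAN but a sweep across many hosts is the worm. Hits on 4444/tcp and 69/udp are reported on their own because ordinary workstation traffic does not use them. The log lines, addresses and the `SAMPLE_LOG` / `classify` names are constructed for this illustration.

```python
import re
from collections import defaultdict

# (protocol, destination port) pairs named in the reply above: 135/tcp is
# the RPC port the worm exploits, 4444/tcp the shell it opens on the victim,
# 69/udp the tftp pull of the worm binary back from the infecting host.
WATCHED = {("tcp", 135), ("tcp", 4444), ("udp", 69)}

# Constructed sample of Cisco IOS ACL log lines (%SEC-6-IPACCESSLOGP style,
# as produced by an access-list entry carrying the `log` keyword). Addresses
# and timestamps are made up; one unrelated syslog line is included so the
# parser's skipping behaviour is exercised.
SAMPLE_LOG = """\
Aug 12 19:02:11: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.5.17(1044) -> 10.20.7.3(135), 1 packet
Aug 12 19:02:11: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.5.17(1045) -> 10.20.7.4(135), 1 packet
Aug 12 19:02:12: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.5.17(1046) -> 10.20.7.5(135), 1 packet
Aug 12 19:02:12: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.5.17(1047) -> 10.20.7.6(135), 1 packet
Aug 12 19:02:40: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.9.2(1030) -> 10.20.9.40(135), 1 packet
Aug 12 19:02:41: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.5.17(1050) -> 10.20.7.5(4444), 1 packet
Aug 12 19:02:42: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.20.7.5(1032) -> 10.20.5.17(69), 1 packet
Aug 12 19:03:00: %SYS-5-CONFIG_I: Configured from console by admin on vty0
Aug 12 19:03:05: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.20.9.2(1031) -> 10.20.9.41(80), 3 packets
"""

LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list \S+ (?:denied|permitted) (?P<proto>tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse(lines):
    """Yield one record per ACL log line; lines of any other shape are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield {
                "proto": m.group("proto"),
                "src": m.group("src"),
                "dst": m.group("dst"),
                "dport": int(m.group("dport")),
                "count": int(m.group("count")),
            }


def classify(lines, scan_threshold=3):
    """Group watched-port hits by source address.

    A source is reported as a likely scanner when it touched 135/tcp on at
    least scan_threshold distinct destinations. Any hit on 4444/tcp or 69/udp
    is reported regardless of volume, with the peer address, so the pair of
    infecting host and fresh victim can be read straight off the output.
    """
    targets_135 = defaultdict(set)
    payload_hits = defaultdict(list)
    for rec in parse(lines):
        key = (rec["proto"], rec["dport"])
        if key not in WATCHED:
            continue
        if key == ("tcp", 135):
            targets_135[rec["src"]].add(rec["dst"])
        else:
            payload_hits[rec["src"]].append((rec["proto"], rec["dport"], rec["dst"]))

    report = {}
    for src, dsts in targets_135.items():
        if len(dsts) >= scan_threshold:
            report.setdefault(src, {})["scan_targets"] = len(dsts)
    for src, hits in payload_hits.items():
        report.setdefault(src, {})["payload_hits"] = hits
    return report


if __name__ == "__main__":
    for src, info in sorted(classify(SAMPLE_LOG.splitlines()).items()):
        print(src, info)
```

    Run against a real log, the `scan_threshold` is the knob to tune: a source hitting dozens of sequential addresses on 135/tcp inside a few seconds is the pattern to act on, and a source that also appears in another host's `payload_hits` on 69/udp is the one handing out the binary.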
    



    This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 22:57:25 PDT