Maria (CTW Moderators) - Posted August 12, 2003
There seems to be a virus going around with NTL but it seems to be getting around with other ISPs. An attachment is being sent to mail clients and when opened it reboots your system into safe mode. This should work for dial up and broadband customers as follows -
- Make sure the machine has no active connection (with BB remove the CATV cable preferably).
- When the machine has started open up task manager (via CTRL + ALT + Delete).
- Click on Process, and find Msblast.exe.
- Highlight the file and click 'end process' at the bottom right.
- Say 'Yes' to the warning.
- Do a find files (or search) for Msblast.exe. Windows should find at least 2 instances of the file. Delete all of them.
- Restart the machine (again making sure that there is no net connection).
This should allow you to get the firewall enabled on XP machines. This is by no means a total fix and won't work for everyone, but it may help so give it a go!
ClubTheWorld.com's OFFICIAL Events Reviewer
Scream (CTW Members) - Posted August 12, 2003
IT'S NOT A VIRUS!!!!!!!!!!!!!!!!!!!!!!!!!! it's a worm as i said last night, it's obvious by the behaviour it has taken. It's how it was able to spread so fast. Which was strange as it spread like wildfire. Worms and viruses are different. check it out here http://news.bbc.co.uk/1/hi/technology/3143625.stm
Spunkmonkey (CTW Members) - Posted August 12, 2003
still a pain in the arse all the same, whether it's a worm or a virus though, no?!
Maria (CTW Moderators) - Posted August 12, 2003
Scream said: IT'S NOT A VIRUS!!!!!!!!!!!!!!!!!!!!!!!!!! it's a worm as i said last night, it's obvious by the behaviour it has taken. It's how it was able to spread so fast. Which was strange as it spread like wildfire. Worms and viruses are different. check it out here http://news.bbc.co.uk/1/hi/technology/3143625.stm
Aaah yes - my mistake - it is a worm indeed. I came home from work just now to find that my pc had rebooted itself.
Scream - don't spose you know why I can't access my task manager? When I try and bring it up it says "Task manager has been disabled by the administrator". Well I am the admin and I ain't touched it! I can't for the life of me root the problem out (windowsxp home btw)
Maria (CTW Moderators) - Posted August 12, 2003
If anyone else gets the same problemo - you can download a "Patch" which will restore your service. here.
Phil rr (CTW Members) - Posted August 12, 2003 (edited)
it's a windows exploit (vulnerability) which works by sending badly formed packets of data to ur machine. it sends MORE data to ur machine than windows is expecting, and the 100110101 contents of the extra bit can be cleverly written to form commands, which are then executed by your own machine.
this form of exploit is extremely common and MS issue patches by the day to fix the different ways it can be exploited by (nasty) ppl in the know. it so happens that someone obviously was quick in finding a way to [censored] up ppl's machines when they found out how to use the exploit. (the exploit and patch was found/released 6 weeks ago)
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp (probably what Maria posted, and it's in my msn username) has the fix for this.
it's set to 'trigger' some sort of flood on august 16th, so fix urself by then.
Edited August 12, 2003 by Phil_raa
Maria (CTW Moderators) - Posted August 12, 2003
This worm / exploit affected NTL only last night at 7pm. What other ISPs is it affecting?
Phil rr (CTW Members) - Posted August 12, 2003 (edited)
it will exploit anyone at all. (xp/2000 machines)
http://isc.sans.org/diary.html?date=2003-08-11
u get 'attacked' on port 135 - this is the port, that if you don't forcefully close, will allow the other machine to request that u get sent msblast.exe, which is the lil proggy that sets up your registry entries and does the damage. after that it sets up other ports and does small dodgy things to ur system (see that link)
if in the first place u ensure that your port 135 is closed (by applying the patch, or by running a firewall program which closes all ports except the ones you configure it to pass), the 'attacking' computer won't be able to send the commands to your computer to start it happenin
ps: if i'm talking [censored], say. i think I'm accurate in saying this so far
Edited August 12, 2003 by Phil_raa
Maria (CTW Moderators) - Posted August 12, 2003
Nice one. I've just forwarded that into work - what they put up about it on our databases explains naf all really - so maybe they will put this up as it seems to be a bit more explanatory than what they described the problem was. Fannies. Cheers bud
Phil rr (CTW Members) - Posted August 12, 2003
this sort of area is one i wanna learn more about - ports n udp n tcp and other insane abbreviations.....
Lisa (CTW Promotors) - Posted August 12, 2003
don't mean to be totally dense like, but how do you know if you have this worm thing & how to deal with it etc?? I'm totally crap with pc's!!
Techno, Techno, Techno
Maria (CTW Moderators) - Posted August 12, 2003
I'm learning TCP/IP at the moment here at home. Bought a book about it a few weeks ago - only just getting into it. Funnily enough tho, I was learning about TFTP today - so that link pretty much made sense to moi.
Maria (CTW Moderators) - Posted August 12, 2003
miss_diddy said: don't mean to be totally dense like, but how do you know if you have this worm thing & how to deal with it etc?? I'm totally crap with pc's!!
Follow the microsoft link up there ^ if it happens on your compoota. Basically, it reboots your system into safe mode - but an alert will come up on your screen saying that your pc is about to shut down in such and such seconds.
Actually - I'm sure this happened to TomD the other night and he didn't realise it was a worm haha oooops
Phil rr (CTW Members) - Posted August 12, 2003 (edited)
it started happening to me on sunday evening and i was getting well suspicious....found the patch yesterday evening. thought a re install was coming up, and when win rebooted and told me some core system files had been replaced, i started HMMMMM'ing :\
then bunnykins told me she was getting it and i put up a post on anandtech.com forums about it and gots loads of replies
btw i think bunnykins still needs the patch cos on dialup she can't download b4 she reboots, can sum1 send her the patch more quickly than i can post it?
fank oo to mr happy for hangin on the fone wiv me
Edited August 12, 2003 by Phil_raa
Lisa (CTW Promotors) - Posted August 12, 2003
which link hon there is a few above!! & what do I do when i get there etc???