Discussion:
OT: W32.Blaster.Worm virus alert
Keith S.
2003-08-13 07:55:06 UTC
Folks,

I've noticed a huge increase in attempted TCP connections on port
135 in the last couple of days. It appears that they are from
hosts infected with the W32.Blaster.Worm virus (see
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html).
Hosts on NTL broadband (presumably dummies without a firewall) seem
particularly badly hit.

If you aren't running up to date virus protection, please do so NOW!

- Keith
Jason
2003-08-13 08:06:55 UTC
Post by Keith S.
If you aren't running up to date virus protection, please do so NOW!
Can't I just snigger to myself instead?

Jason
--
http://www.scuba-addict.co.uk/ for Australian trip reports including
New South Wales, Queensland, Victoria and Western Australia
Keith Lawrence
2003-08-13 08:53:32 UTC
Post by Keith S.
I've noticed a huge increase in attempted TCP connections on port
135 in the last couple of days. It appears that they are from
hosts infected with the W32.Blaster.Worm virus (see
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html).
Hosts on NTL broadband (presumably dummies without a firewall) seem
particularly badly hit.
If you aren't running up to date virus protection, please do so NOW!
Ditto. I'm being 'hit' roughly once every two minutes, they filled up my
firewall log this morning! Like Jason I just tend to smirk, anybody without
adequate firewall/virus protection deserves everything that they get :-)

Keith L
Keith S.
2003-08-13 09:11:03 UTC
Post by Keith Lawrence
Ditto. I'm being 'hit' roughly once every two minutes, they filled up my
firewall log this morning! Like Jason I just tend to smirk, anybody without
adequate firewall/virus protection deserves everything that they get :-)
I don't think it's a smirking matter though, as it's my network
bandwidth being eaten up by the idiots who already have the virus trying
to send me a zillion tcp packets on port 135.

- Keith
CAS
2003-08-13 15:53:36 UTC
Post by Keith S.
Post by Keith Lawrence
Ditto. I'm being 'hit' roughly once every two minutes, they filled up my
firewall log this morning! Like Jason I just tend to smirk, anybody without
adequate firewall/virus protection deserves everything that they get :-)
I don't think it's a smirking matter though, as it's my network
bandwidth being eaten up by the idiots who already have the virus trying
to send me a zillion tcp packets on port 135.
- Keith
Keith/Anyone,

Do you know if it only hits port 135?

My machine at home is almost certainly vulnerable and I don't fancy getting
walloped when I'm online tonight patching it up!

Cheers

CAS

--
Temperature @ Stoney? Been 2 Stoney?
Find it... Log it...
http://stoneytemps.port5.com/
Keith Lawrence
2003-08-13 16:04:40 UTC
Post by CAS
Keith/Anyone,
Do you know if it only hits port 135?
Nope, when infected it uses others. The port 135 probe is it looking for
other machines that it could possibly infect.
Post by CAS
My machine at home is almost certainly vulnerable and I don't fancy getting
walloped when I'm online tonight patching it up!
See http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html for
full details, there's ways around it.

Alan H - the only real cure I can see for your situation is to put the
network admins up against the wall AND SHOOT THEM!

Keith L
rich
2003-08-13 16:11:15 UTC
Post by Keith Lawrence
Post by CAS
Keith/Anyone,
Do you know if it only hits port 135?
Nope, when infected it uses others. The port 135 probe is it looking for
other machines that it could possibly infect.
Post by CAS
My machine at home is almost certainly vulnerable and I don't fancy getting
walloped when I'm online tonight patching it up!
See http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html for
full details, there's ways around it.
Alan H - the only real cure I can see for your situation is to put the
network admins up against the wall AND SHOOT THEM!
Keith... that's a little unfair... at least let them patch all the
machines first :D
D***@yahoo.com
2003-08-13 16:42:47 UTC
Post by Keith S.
Post by Keith S.
Post by Keith Lawrence
Ditto. I'm being 'hit' roughly once every two minutes, they filled up my
firewall log this morning! Like Jason I just tend to smirk, anybody without
adequate firewall/virus protection deserves everything that they get :-)
I don't think it's a smirking matter though, as it's my network
bandwidth being eaten up by the idiots who already have the virus trying
to send me a zillion tcp packets on port 135.
- Keith
Keith/Anyone,
Do you know if it only hits port 135?
My machine at home is almost certainly vulnerable and I don't fancy getting
walloped when I'm online tonight patching it up!
Cheers
CAS
I've just switched live monitoring on and I'm
getting hit about every 30 sec

However my network speeds down 33k3 bps
(that's an average a couple of the readings could be beaten by an
acoustic coupler)

not bad for a 600kbps link!

Still can't moan at NTL for this (yet)

Port 135's getting hit badly as is 1027

still at least I know the system works!

DaveA
Steve Parry
2003-08-13 12:28:02 UTC
Post by Keith S.
Folks,
I've noticed a huge increase in attempted TCP connections on port
135 in the last couple of days. It appears that they are from
hosts infected with the W32.Blaster.Worm virus (see
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html).
Hosts on NTL broadband (presumably dummies without a firewall) seem
particularly badly hit.
If you aren't running up to date virus protection, please do so NOW!
- Keith
http://www.europe.f-secure.com/v-descs/msblast.shtml

although the removal tool link is incorrect ... it should be

ftp://ftp.f-secure.com/anti-virus/tools/F-Lovsan.zip
--
Steve Parry

http://www.gwynfryn.co.uk

http://wrexhamseals.tripod.com
Alun Harford
2003-08-13 13:00:10 UTC
Post by Keith S.
Folks,
I've noticed a huge increase in attempted TCP connections on port
135 in the last couple of days. It appears that they are from
hosts infected with the W32.Blaster.Worm virus (see
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html).
Hosts on NTL broadband (presumably dummies without a firewall) seem
particularly badly hit.
If you aren't running up to date virus protection, please do so NOW!
Up to date anti-virus will usually not stop it. This is a problem with
windows. Download the patch.

If it tries to shut down your computer while you're using it click
start -> Run...
And type in: shutdown -a

I've been working for Notts Uni atm so I'm spending the day
disinfecting machines that some moron didn't bother to update

Alun Harford
Keith Lawrence
2003-08-13 14:07:40 UTC
Post by Alun Harford
I've been working for Notts Uni atm so I'm spending the day
disinfecting machines that some moron didn't bother to update
Seems to be leveling off a bit, there will probably be another big surge
this evening when the AOL type people connect - it's currently running at a
port probe every 20 seconds or so...

Keith L
Alun Harford
2003-08-13 14:49:35 UTC
Only affects Windows 98 XP and 2000. Glad I did not upgrade. My firewall and
virus protection catch the nasties. Mailwasher catches all the SPAM.
It affects WinNT, Win2000 and WinXP (not 95,98 or ME). Your anti-virus
probably wouldn't protect you - firewall needed (or have an updated
version of Windows - Microsoft released the RPC patch on the 16th July)

The funniest thing is that the sysadmins for the main network here
were too dumb to update their windows servers.
And there's no firewall (or security of any sort really).

I'm not saying where I work but there's almost certainly in excess of
50,000 machines here running affected windows systems.

I got in at 7:30 and realised that the servers were infected - that
made me laugh. I did feel sorry enough for them to go down there as
soon as anybody was in and say "over 100 machines in the building are
infected with a virus because you didn't update the server's software.
Pull the servers and the main hub and take the entire network offline
before you have a nightmare situation on your hands". You should've
seen their faces - if only I had my new digital camera with me...

Alun Harford
Not Me.
2003-08-14 00:48:36 UTC
Did I not mention that 'My firewall and virus protection catch the nasties'?
Post by Alun Harford
Only affects Windows 98 XP and 2000. Glad I did not upgrade. My firewall and
virus protection catch the nasties. Mailwasher catches all the SPAM.
It affects WinNT, Win2000 and WinXP (not 95,98 or ME). Your anti-virus
probably wouldn't protect you - firewall needed (or have an updated
version of Windows - Microsoft released the RPC patch on the 16th July)
The funniest thing is that the sysadmins for the main network here
were too dumb to update their windows servers.
And there's no firewall (or security of any sort really).
I'm not saying where I work but there's almost certainly in excess of
50,000 machines here running affected windows systems.
I got in at 7:30 and realised that the servers were infected - that
made me laugh. I did feel sorry enough for them to go down there as
soon as anybody was in and say "over 100 machines in the building are
infected with a virus because you didn't update the server's software.
Pull the servers and the main hub and take the entire network offline
before you have a nightmare situation on your hands". You should've
seen their faces - if only I had my new digital camera with me...
Alun Harford
Michael Forster
2003-08-14 04:23:53 UTC
"Not Me." <***@email.com> wrote in message news:***@corp.supernews.com...

Oh what fun, I was on to my ISP yesterday and my account manager said "be
careful about the MSBlaster worm I am infected at work and at home". Then I
reminded him that all my M$ machines are behind a Linux Firewall with port
351 Blocked. - So I am completely secure here - Shame about his PC though
:-)

Mike.
