Date: Wed, 13 Aug 2003 11:10:44 -0300
From: Dexter J <lamealameadingdongnopsamlamelame.org>
Subject: Re: OT - Windows port 135 virus alert


Salutations: Yeah - everyone is seeing that from their mobile staff.. The worm attaches silently, then runs its range based on DHCP settings found on the infected machine (i.e.: 123.123.123.000 through 999) - then activates later.. The sales staffer booting is actually not a threat NOW as his/her machine is booting instead of silently torpedoing targets around the LAN.. You would be well advised to bring all your machines in - patch them and run a complete system scan on them all given you are an ISP.. Moreover - if you are running VPN - you will also need to get everyone who logs in to do the same on their home machines..

The problem is that it is an svchost-based worm and thusly it has free range around all network ports regardless of settings on any individual machine.. It morphs, and while port 135 is the main entry point - once it's in the works - it's not the only one and it probes out on all. I think we can safely expect several variations on this theme in the coming months as well, given that even if everyone patches the buffer overflow exploit at the heart of this problem - the problem of open dynamic RPC services on W32 systems will have now caught the attention of the brighter crackers out there..

I would suggest you are going to have to spend some time on the 'wetware' end at your shop.. and sadly - the patch load will very probably start their own much less fatal system error messages depending on how your farm is set up.. I've worked my thin server prototype here so I don't need a firewall - but I'm still looking for a native W2K OS control point that would allow me to close or redirect the ports without loading up the CPU with a software firewall and supporting transactions.. W32 allows you to control outbound ports directly - I'm not sure why they haven't provided the facility to control inbound natively in the network config.. Perhaps they have - and I can't find it outlined in such a way that it leaves the system stable..

I am concerned that the overhead of dealing with a really solid worm breach on RPC port(s) could well trigger an effective DoS on the CPU/LAN if the worm really gets a foothold inside.. Which this one could well be able to do in short order, given that a lot of places locked down at SP3 some time ago given the weirdness surrounding IE6 and SP4.. I don't know who put this one out - but hats off - they should have called it: "Dottie - a vicious life sucking b**ch from which there is no escape" - like from the movie Armageddon.. :/ ..

CNN is reporting no e-mail based versions - I think they are wrong - it should read: "no e-mail based versions - as yet".. I just got a 550 security alert from my mailserver here running Norton.. .. standing by for the obligatory linux vs W2K flaming.. :) ..

-- 
J Dexter - webmaster - http://www.dexterdyne.org/
all tunes - no cookies no subscription no weather no ads no news no phone in - RealAudio 8+ Required - all the Time
Radio Free Dexterdyne Top Tune o'be-do-da-day
Colin James - Cadillac Baby http://www.dexterdyne.org/888/066.RAM

MeatballTurbo wrote:
> 
> In article <3F38231E.D0126C52nopsamlamelame.org>,
> lamealameadingdongnopsamlamelame.org says...
> > Salutations:
> > 
> > port 135 Virus Alert XP W2K W23K and IIS (again)
> > 
> > http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.html
> > 
> > This one could be a real hippo brothers and sisters - time to update your
> > virus definitions and I'm afraid right now.. arrggg.. :/ ..
> > 
> 
> Yeah, heard about this yesterday. Checked my system over. Seemed cool.
> Got a mail from sysadmins this morning that we should all patch anyway.
> 
> Ran the patch.
> Then heard some real moaning and whinging going on from the sales office.
> 
> One of the sales guys was screaming about his pc being "F*&ked, and
> rebooting itself every time he goes on the network". Guess who didn't
> read his morning security mail.
> 
> Thing is, we should all be on a private IP range, and be behind our very
> own very solid ISP standard firewall with very fascist rules and logging
> (we are an ISP).
> -- 
> The poster formerly known as Skodapilot.
> http://www.bouncing-czechs.com
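The post above describes the worm sweeping a whole address range on port 135 from each infected host, which is the one behaviour an ISP in MeatballTurbo's position can pick out of its firewall logs: a single source touching many distinct neighbours on TCP/135 in a short span. The following is an added detection example written for this page, not code from either poster. The log line layout (`<date> <time> <src> -> <dst> <proto>/<dport> <action>`) and the sample lines are constructed for the example and do not follow any particular firewall's format; the threshold of five distinct hosts is an assumed starting point, not a figure from the post.

```python
import re
from collections import defaultdict

# Assumed, generic log line layout (constructed for this example, not a
# vendor format):  <date> <time> <src_ip> -> <dst_ip> <proto>/<dport> <action>
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) (?P<proto>tcp|udp)/(?P<dport>\d+) "
    r"(?P<action>\w+)$"
)

# Constructed sample: 10.0.5.23 walks its /24 on TCP/135 (one target twice),
# 10.0.5.40 makes a single ordinary RPC connection, the rest is unrelated
# traffic, and the last line is deliberately malformed to show it is skipped.
SAMPLE_LOG = """\
2003-08-13 11:00:01 10.0.5.23 -> 10.0.5.1 tcp/135 deny
2003-08-13 11:00:01 10.0.5.23 -> 10.0.5.2 tcp/135 deny
2003-08-13 11:00:01 10.0.5.23 -> 10.0.5.3 tcp/135 deny
2003-08-13 11:00:02 10.0.5.23 -> 10.0.5.4 tcp/135 allow
2003-08-13 11:00:02 10.0.5.23 -> 10.0.5.5 tcp/135 deny
2003-08-13 11:00:02 10.0.5.23 -> 10.0.5.6 tcp/135 deny
2003-08-13 11:00:02 10.0.5.23 -> 10.0.5.4 tcp/135 allow
2003-08-13 11:00:03 10.0.5.40 -> 10.0.5.50 tcp/135 allow
2003-08-13 11:00:03 10.0.5.41 -> 10.0.5.60 tcp/80 allow
2003-08-13 11:00:03 10.0.5.42 -> 10.0.5.61 udp/53 allow
this line is not in the expected format and is skipped
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_sweepers(lines, port=135, threshold=5):
    """Map each source that contacted at least `threshold` distinct hosts on
    tcp/`port` to the sorted list of destinations it touched.

    Repeated probes of the same destination count once, and both denied and
    allowed attempts count: a scanner keeps probing whatever the answer, so
    the spread of destinations is the signal, not the verdict on each packet.
    """
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; skip rather than abort the whole scan
        if rec["proto"] == "tcp" and int(rec["dport"]) == port:
            targets[rec["src"]].add(rec["dst"])
    return {
        src: sorted(dsts, key=lambda ip: tuple(int(o) for o in ip.split(".")))
        for src, dsts in targets.items()
        if len(dsts) >= threshold
    }


def main():
    hits = find_sweepers(SAMPLE_LOG.splitlines())
    for src, dsts in hits.items():
        print(f"{src} probed tcp/135 on {len(dsts)} hosts: {dsts[0]} .. {dsts[-1]}")


if __name__ == "__main__":
    main()
```

Run against real logs, the `deny` lines from a perimeter rule set like the one MeatballTurbo describes are the cheap place to start, since an unpatched scanner inside a private range will hit blocked addresses far more often than live ones; lowering `threshold` trades missed slow scanners for more noise from hosts that legitimately talk RPC to a handful of servers.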


The content on this site may not be republished without permission. Copyright © 1988-2019 - The Saab Network - saabnet.com.