HFX Forum

General Discussion => Rants and Raves => Topic started by: Metgod on August 12, 2003, 04:50:54 PM

Title: blaster worm
Post by: Metgod on August 12, 2003, 04:50:54 PM
I'll admit it.. I left port 135 open.. why? because I was doing something.. so yes I got hit by the blaster worm.

Firstly, it scans a huge amount of IPs and checks if the system has a vulnerable RPC service. If so it downloads the file, and then adds an entry into the registry so it starts up upon boot up.

The file name is msblast.exe - it is actually visible in the process list, so you can kill it and then restart the RPC service (assuming it crashed it like it did for me).

Then you need to remove the entry from the registry (look up the value, I'm too tired to bother with it but it's a common tree in the registry). Then get rid of msblast.exe so it's never run again.

You should also get the patch from Microsoft.com IMMEDIATELY and apply it ASAP.

You then should, as I should have but did not, filter port 135.. or any rpc port for that matter.


Oh how I was mad when I found this out. It has hit businesses too.. so home and office. now why am I putting it in rant? well.. because the coding of it was SHIT POOR..

it's bad enough people write intrusive code.. but damnit, if you want to put code in someone else's system, at least make it stable you idiotic coder. Not only would it not piss as many people off (well not as badly) but it'd also make it more hidden.

I wish the writers of this shit a horrible, slow, painful, bloody, torturous death.


Met.

P.S. If anyone needs help with removing this, by all means, let me know. I'd be willing to help out.


Title: Re:blaster worm
Post by: Uneek on August 18, 2003, 12:44:03 AM
There is a tool on Symantec's site that removes the worm from your system... as an added note, first thing to do is disconnect the system from the network or dialup to prevent spread and also to make the system a little more stable for the fix, otherwise it'll continually reboot the system.

The key in the registry to remove is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the value is "windows auto update"="msblast.exe"

The worm is also included in a couple of other file names besides msblast.exe, but I forgot what they were...
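The cleanup the two posts above describe (kill the process, drop the Run value, delete the file, filter TCP/135) as a host check script. This is an added example, not something from the thread or from Symantec's tool; it assumes an elevated PowerShell 5.1+ session, that the dropped file sits in System32 (the thread does not say where it lives), and a made-up `-Remove` switch that turns the report into a cleanup.

```powershell
# Added example: check a Windows host for the Blaster indicators named in the thread.
# Run without -Remove to report only; -Remove (assumed switch name) cleans up.
param([switch]$Remove)

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valName  = 'windows auto update'   # Run value name quoted in the thread
$fileName = 'msblast.exe'           # primary file name quoted in the thread
$found    = $false

# 1. Running process (visible in the process list, as the first post notes)
$proc = Get-Process -Name 'msblast' -ErrorAction SilentlyContinue
if ($proc) {
    $found = $true
    Write-Host "Process running: PID $($proc.Id -join ', ')"
    if ($Remove) { $proc | Stop-Process -Force }
}

# 2. Autorun value under the Run key
$val = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).$valName
if ($val -and $val -match [regex]::Escape($fileName)) {
    $found = $true
    Write-Host "Run value present: '$valName' = '$val'"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $valName }
}

# 3. File on disk (System32 location is an assumption of this example)
$file = Join-Path $env:SystemRoot "System32\$fileName"
if (Test-Path $file) {
    $found = $true
    Write-Host "File present: $file"
    if ($Remove) { Remove-Item -Path $file -Force }   # after the process is stopped
}

# 4. Filter inbound TCP/135 (RPC endpoint mapper) at the host firewall
$ruleName = 'Block inbound TCP 135 (RPC endpoint mapper)'
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    Write-Host "No host firewall rule blocking inbound TCP/135"
    if ($Remove) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort 135 -Action Block | Out-Null
    }
}

if (-not $found) { Write-Host "No Blaster indicators found; apply the MS patch regardless." }
```

Blocking TCP/135 host-wide breaks RPC for domain members (logon, Group Policy, remote management), so the firewall step matches the thread's advice for an exposed DMZ box, while on a managed network the filter belongs at the perimeter.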
Title: Re:blaster worm
Post by: Metgod on August 18, 2003, 01:39:13 PM
yeah.. well I got rid of it before the tool was out..

doesn't matter though.. I didn't really 'care' about having my box as dmz.. I have a reason for it so oh well.

and yes that's the key in the registry

and yes it's always good to disconnect it from the network indeed. That goes without saying (I hope).

as far as msblast.exe, well.. I don't doubt it being other names.. that's usually the case. But the primary one is msblast.exe I guess.. point is: if you see a program that shouldn't be there..


kind of a vague reply and I'm tired as hell... so I'll stop now.

Met.
Title: Re:blaster worm
Post by: deadcpu on August 21, 2003, 03:40:34 AM
hello all..
as much as this worm has kicked my ass.. no sleep, every client calling (except the unix ones) M$ creates jobs.. in a strange sort of way. M$'s faults are geeks' gain

just my observation

Title: Re:blaster worm
Post by: Tazinator on September 07, 2003, 11:27:22 PM
True. True. Gotta love the Welchia one also. Hehe. Too bad the creator didn't think the code through too well though. Damn thing floods the network with ICMP traffic and slows everything down. It killed our Firewall (Netscreen) last Friday because for some odd reason one of the infected machines thought it was an M$ box.

Rumor has it the Blaster had a small part in the blackout a little bit ago back east. They're claiming it slowed down the network so much so that it made the backup systems slow in coming online and all.
Title: Re:blaster worm
Post by: wilnix on September 25, 2003, 06:27:31 PM
Getting rid of M$ security problems:
how about getting rid of those dynamic link libraries for a start, then the executables, then start from there... ;)

Wilnix
Title: Re:blaster worm
Post by: Uneek on September 29, 2003, 03:52:13 PM
I just love the way that even though we were patched and protected at the firewall level against MSBlaster and Welchia, we still got the fucked up residual effects coming from other LANs on our backbone. Our DNS took a shit on one instance trying to keep up with all the requests generated from infected machines on adjoining LANs (where I wish I could have bitch slapped their so called Admins for not taking the proper precautions), not to mention the DoS condition we received at our border gateway from all the damn ICMP traffic. Spent 2 days tracking IPs of infected machines causing me problems and calling the admins of those machines to inform them that they needed to take care of this problem ASAP. Idiots! Another day working in ACLs to block all that traffic on certain routers around our WAN. Gotta love the way MS works RPC, huh?  :-\  >:(
Title: Re:blaster worm
Post by: wilnix on November 04, 2003, 12:30:20 AM
The purple boxes [Sun] sound better every day....

Wilnix