September 25, 2018, 04:03:43 AM

Author Topic: blaster worm  (Read 7345 times)

0 Members and 1 Guest are viewing this topic.

Offline Metgod

  • the deranged hacker
  • Administrator
  • Forum Hero
  • *****
  • Posts: 1116
  • Country:
  • Gender: Male
blaster worm
« on: August 12, 2003, 04:50:54 PM »
I'll admit it..I left port 135 open.. why ? because I was doing something.. so yes I got hit by the blaster worm.

Firstly, it scans a huge amount of IPs and checks if the system has a vulnerable RPC service. If so it downloads the file, and then adds an entry into the registry so it starts up upon boot up.

The file name is msblast.exe - it is actually visible in the process list, so you can kill it and then restart the RPC service (assuming it crashed it like it did for me).

Then you need to remove the entry from the registry (look up the value, I'm too tired to bother with it but it's a common tree in the registry). Then get rid of msblast.exe so it's never ran again.

You should also get the patch from Microsoft.com IMMEDIATELY and apply it ASAP.

You then should, as I should have but did not, filter port 135.. or any rpc port for that matter.


Oh how I was mad when I found this out. It has hit businesses too.. so home and office. now why am I putting it in rant ? well.. because the coding of it was SHIT POOR..

it's bad enough people write intrusive code.. but damnit, if you want to put code in someone elses system, at least make it stable you idiotic coder. Not only would it not piss as many people off (well not as badlY) but it'd also make it more hidden.

I wish the writers of this shit a horrible, slow, painful, bloody, torturous death.


Met.

P.S. If anyone needs help with removing this, by all means, let me know. I'd be willing to help out.


"My Terminal is my Soul"

Offline Uneek

  • Administrator
  • Seasoned Poster
  • *****
  • Posts: 306
  • Country:
  • Gender: Male
    • HFX International Org.
Re:blaster worm
« Reply #1 on: August 18, 2003, 12:44:03 AM »
There is a tool on Symantec's site that removes the worm from your system... as an added note, first thing to do is disconnect the system from the network or dialup to prevent spread and also to make the system a little more stable for the fix, otherwise it'll continually reboot the system.

The key in the registry to remove is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and the value is "windows auto update"="msblast.exe"

The worm is also included in a couple of other file names besides msblast.exe, but I forgot what they were...
*** Sleep: A completely inadequate substitute for caffeine. ***
01010010010101000100011001001101

Offline Metgod

  • the deranged hacker
  • Administrator
  • Forum Hero
  • *****
  • Posts: 1116
  • Country:
  • Gender: Male
Re:blaster worm
« Reply #2 on: August 18, 2003, 01:39:13 PM »
yeah.. well I got rid of it before the tool was out..

doesn't matter though.. I didn't really 'care' about having my box as dmz.. I have a reason for it so oh well.

and yes that's the key in the registry

and yes it's always good to disconnect it from the network indeed. That goes without saying (I hope).

as far as msblast.exe, well.. I don't doubt it being other names.. that's usually the case. But primary one is msblast.exe I guess.. point is: if you see a program that shouldn't be there..


kind of a vague reply and I'm tired as hell... so I'll stop now.

Met.
"My Terminal is my Soul"

deadcpu

  • Guest
Re:blaster worm
« Reply #3 on: August 21, 2003, 03:40:34 AM »
hello all..
as much as this worm has kicked my ass.. no sleep, every client calling (except the unix ones) M$ creates jobs.. in a strange sort of way. M$'s faults are geeks gain

just my observation


Offline Tazinator

  • BOFH
  • Administrator
  • Forum Hero
  • *****
  • Posts: 524
  • Country: us
  • Kermit 0wnz j00!
    • https://keybase.io/portabletaz
Re:blaster worm
« Reply #4 on: September 07, 2003, 11:27:22 PM »
True. True. Gotta love the Welchia one also. Hehe. Too bad the creator didnt think the code through too well though. Damn thing floods the network with ICMP traffic and slows everything down. It killed our Firewall (Netscreen) last Friday because for some odd reason one of the infected machines thought it was an M$ box.

Rumor has it the Blaster had a small part in the blackout a little bit ago back east. They're claiming it slowed down the network so much so that it made the backup systems slow in coming online and all.
"A well known hacker is a good hacker, an unknown hacker is a great hacker..."

I don't care what your parents told you, you aren't special.

Offline wilnix

  • mv user /dev/null
  • Administrator
  • Forum Hero
  • *****
  • Posts: 690
  • Country:
  • Gender: Male
  • You're not the fastest packet in the subnet...
    • Wilnix - The NetAdmin's Resource
Re:blaster worm
« Reply #5 on: September 25, 2003, 06:27:31 PM »
Getting rid of M$ security problems:
how about getting rid of those dynamic link libraries for a start, then the executables, then start from there... ;)

Wilnix
alt email address: wilnix@hackphreak.org

Offline Uneek

  • Administrator
  • Seasoned Poster
  • *****
  • Posts: 306
  • Country:
  • Gender: Male
    • HFX International Org.
Re:blaster worm
« Reply #6 on: September 29, 2003, 03:52:13 PM »
I just love the way that even though we were patched and protected at the firewall level against MSBlaster and Welchia, we still got the fucked up residual effects coming from other LANS on our backbone. Our DNS took a shit on one instance trying to keep up with all the requests generated from infected machines on adjoining LANS (where I wish I could have bitch slapped their so called Admins for not taking the proper precautions), not to mention the DoS condition we recieved at our border gateway from all the damn ICMP traffic. Spent 2 days tracking IP's of infected machines causing me problems and calling the admins of those machines to inform them that they needed to take care of this problem ASAP. Idiots! Another day working in ACL's to block all that traffic on certain routers around our WAN. Gotta love the way MS works RPC, huh?  :-\  >:(
*** Sleep: A completely inadequate substitute for caffeine. ***
01010010010101000100011001001101

Offline wilnix

  • mv user /dev/null
  • Administrator
  • Forum Hero
  • *****
  • Posts: 690
  • Country:
  • Gender: Male
  • You're not the fastest packet in the subnet...
    • Wilnix - The NetAdmin's Resource
Re:blaster worm
« Reply #7 on: November 04, 2003, 12:30:20 AM »
The purple boxes [Sun] sound better every day....

Wilnix
alt email address: wilnix@hackphreak.org