Date: 2003-08-12 06:40 am (UTC)
I've been hit with MSBlast twice in the last hour. larryalton has more information on this new Windows worm here. (Thanks to melpomenes_mask for the tip.)

Date: 2003-08-12 06:43 am (UTC)
Oh, I know. I've installed it at home. ;) I just hadn't run it here at work - forgetfulness, I suppose, and I have installed it now - and I hadn't run across the worm itself before this morning.

Date: 2003-08-12 07:14 am (UTC)
Weird turn of phrase. Guaranteed, as in backed by a financial organisation? Or guaranteed, as in Most Windows People Don't Run Windows Update? The first makes a better conspiracy theory.

Date: 2003-08-13 02:48 am (UTC)
I'm somewhat inclined to agree with the second of the two in the workplace, since I have found that most people sort of assume that keeping pcs updated is the Administrator's - capitalised, as his apparent deity status deserves - job (unless they're either PhDs and therefore obsessive work-avoidance engineers, or in a very small company). Where of course irl the Administrator, except in large companies, has never got around to installing any sort of centralised update scheme, and therefore spends a good day or two running around and fixing pcs. If yesterday was any indication. But YMMV.
And as for residential users I'm still getting NIMDA (and the odd mutant Code Red v2) from residential people (bredbandsbolaget.se I am pointing at you!!!) Since my CDWriter install reboot last Sunday:
grep /var/log/apache/access_log -e 'c+dir' | wc -l
439
grep /var/log/apache/access_log -e 'default.ida?XXXXX' | wc -l
170
xxx.xxx.xxx.xxx - - [12/Aug/2003:08:40:43 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX... HTTP/1.0" 404 276
So not everybody patches. Ever. Code Red has been dead for years... Microsoft may provide the update mechanism but the world doesn't seem to want to use it; the existence of a two (three?) year old operational worm implies that any bug that uses recent vulnerabilities would seem to be guaranteed to find an unsuspecting audience out there somewhere :-/
And on the topic of irrelevant log files, let me add:
xxx.xxx.xxx.xxx - - [09/Aug/2003:06:01:23 +0200] "\xe3H" 501 -
xxx.xxx.xxx.xxx - - [09/Aug/2003:06:01:36 +0200] "\xe3F" 501 -
Or
GET ./HASH=av3ryl0ngh4sh
This had me worried for a while, but then I discovered that eDonkey apparently shares on port 80. And the HASH is winmx. Grr.

Date: 2003-08-12 07:04 am (UTC)
Okay, so this may be the ONLY joy of having Win95 on my machine at home. But I gotta take what I can get, neh?

Date: 2003-08-12 11:46 am (UTC)
It gave me HELL last night, since i ended up getting XP on this Dell i run at home. but.....i managed to track down a page with a patch small enough for me to download before the ominous countdown began--and now i'm running. Before that, oh gods, i was ready to chew iron and spit nails again, it was so frustrating! Particularly when you're stuck on a dialup connection instead of broadband >_<

Date: 2003-08-13 02:09 am (UTC)
Just in case anybody finds themselves fighting with it:
When you get a countdown, you can stop it by: open up start > run and type in "shutdown.exe -a" (minus the quotes)
You can also stop the shutdown by going into Computer Manager -> Services and Applications -> Services and changing the Recovery settings for Remote Procedure Call (RPC) from "Restart the Computer" to "Restart the Service". Or so I am informed...
also, running the inbuilt Windows XP firewall will stop you getting the pc shutdown commands (which you can do by going into Connect To -> Show all connections and then right clicking on the connection you use, choosing 'Properties', then the 'Advanced' tab and enabling windows internet connection firewall).
The best way we found was 1. unplug the machine, 2. stop the msblast program (you can corrupt it so windows won't run it again by searching for msblast.exe, opening it in notepad, typing random characters into the binary and saving over it :-), and 3. enable firewall. Then go back online and download the patch from microsoft and the official worm removal thingy off symantec (http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html).
It's a good thing to patch this vulnerability anyway btw because anybody who uses irc is likely to pick up backdoor.irc.Cirebot and others (http://www.symantec.com/avcenter/venc/data/backdoor.irc.cirebot.html). Best to play with a virus scanner... also best to buy yourself one of those pointless looking little hardware firewalls if you're not entirely confident with the options.
Incidentally, I am told that opening this worm in notepad lets you see the author's signature: "I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!"
And finally, I didn't get it - windows update, you see. All of my friend's university office did, however.
Of course, on a more thoughtful note, letting windows update run does tend to unpredictably screw up my visual wossname dot net -- but even though I'm unproductive, at least I'm not in the ranks of the 952 poor buggers whose computers have scanned mine since yesterday morning :-P
*sigh*

Date: 2004-01-07 10:18 am (UTC)
the way i tell people to abort a shutdown (which doesn't require admin privs) is simply Start(key, faster) -> Run (R key, faster), notepad, smack some keys and when notepad gets the terminate signal, it will prompt to save. click cancel.
/shrug/
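The 2003-08-13 02:48 comment above counts worm probes by grepping the Apache access log for two signatures. As an added example (not code from the thread), here is a small Python classifier that parses Apache common-log lines and tallies hits and distinct source hosts per signature, using the two patterns that comment greps for plus the two kinds of non-worm noise it mentions; the sample log lines and the 10.0.0.x hosts are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Apache "common" log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\d+|-)$')

# The two worm signatures the comment greps for, plus the two kinds of non-worm
# noise it mentions. grep's default (BRE) syntax treats '+' as a literal, so
# 'c+dir' works on the command line; Python's re needs it escaped as 'c\+dir'.
SIGNATURES = [
    ("Code Red", re.compile(r"^GET /default\.ida\?X+")),  # .ida overflow probe
    ("Nimda", re.compile(r"c\+dir")),                     # cmd.exe /c dir probe
    ("P2P noise", re.compile(r"^GET \./HASH=")),          # eDonkey/WinMX on port 80
    ("binary junk", re.compile(r"\\x[0-9a-fA-F]{2}")),    # non-HTTP bytes, logged escaped
]

# Constructed sample lines in the same shape as the thread's excerpts; hosts are made up.
SAMPLE_LOG = r'''
10.0.0.1 - - [12/Aug/2003:08:40:43 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
10.0.0.2 - - [12/Aug/2003:08:41:10 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
10.0.0.2 - - [12/Aug/2003:08:41:11 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.3 - - [09/Aug/2003:06:01:23 +0200] "\xe3H" 501 -
10.0.0.4 - - [10/Aug/2003:12:00:00 +0200] "GET ./HASH=av3ryl0ngh4sh" 404 -
10.0.0.5 - - [10/Aug/2003:12:00:01 +0200] "GET /index.html HTTP/1.1" 200 1532
this line is not in log format
'''

def classify(request):
    """Label one request string, or None when it looks like ordinary traffic."""
    for label, pattern in SIGNATURES:
        if pattern.search(request):
            return label
    return None

def summarise(lines):
    """Count hits and distinct source hosts per label; also count unparsable lines."""
    hits, hosts, unparsed = Counter(), defaultdict(set), 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        host, _when, request, _status, _size = m.groups()
        label = classify(request)
        if label:
            hits[label] += 1
            hosts[label].add(host)
    return {label: (n, len(hosts[label])) for label, n in hits.items()}, unparsed

if __name__ == "__main__":
    summary, bad = summarise(SAMPLE_LOG.strip().splitlines())
    for label, (n, distinct) in sorted(summary.items()):
        print(f"{label:12s} {n:4d} hit(s) from {distinct} host(s)")
    print(f"{bad} unparsable line(s)")
```

Distinct hosts per signature is the number that matters for the "952 computers scanned mine" kind of tally; raw hit counts mostly measure how persistent each infected machine is.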