
RE: What the heck is this msblast.exe

From: Bruce Martins <BMartins(at)extend.COM>
Date: Tue Aug 12 2003 - 10:00:32 EDT


I agree; it's not the first nor the last time someone will create a worm that uses and exploits a known vulnerability. Most people should have learned their lesson with the SQL Slammer worm, but apparently not. Whether or not AV vendors give it a medium or high risk level should not matter, and I am sure a lot of people have a false sense of security because they use a firewall. I am sure that everyone agrees that it was only a matter of time before someone would use this exploit, considering how many systems it would affect and knowing the havoc SQL Slammer created. But again, the patch has been out for almost a month now, and the AV vendors have done a great job in getting the info out there as soon as it was available.

Bruce Martins
Systems Administrator
EXTEND>>MEDIA
190 Liberty Street
Toronto, Ontario
Canada
M6K 3L5


e: bmartins@extend.com
t: (416) 535-4222 ext. 2307
f: (416) 535-1201

http://www.extend.com

-----Original Message-----

From: Rod Trent [mailto:rodtrent@yahoo.com]
Sent: Monday, August 11, 2003 7:17 PM
To: Lee_Fisher@NAI.com; morris_minchu@iwon.com; focus-ms@securityfocus.com

This is the worm experts have been waiting for. There's been a week or two build-up prior to this occurrence. Now, that the worm has reared its head, it should be critical to apply MS03-026.

I really don't even see this as an anti-virus vendor issue. Kudos that the anti-virus vendors post the information, because a lot of companies look there first, but it should be important to get systems patched correctly, with the proper security patches. So, instead of listing a worm in a "virus assessment" and giving it a 'medium' label, maybe we should all pull together and make sure the public knows it's critical that the proper patches be applied -- and doctor the messages accordingly.

-----Original Message-----

From: Lee_Fisher@NAI.com [mailto:Lee_Fisher@NAI.com]
Sent: Monday, August 11, 2003 6:54 PM
To: rodtrent@yahoo.com; morris_minchu@iwon.com; focus-ms@securityfocus.com
Subject: RE: What the heck is this msblast.exe

I agree that the vulnerability is critical, but this classification refers to the worm exploiting it.

Earlier exploits have not been as widespread as this worm is, and have been classified as low. We could not classify malware based on the risk assessment of the vulnerability alone - otherwise they would all be 'critical', and that is simply not accurate.


AVERT can and will change the risk assessment as and when required.

For more information about the AVERT RA, see:

http://www.avertlabs.com

Lee Fisher
Solutions Architect
McAfee Product Management

-----Original Message-----

From: Rod Trent
To: Fisher, Lee; morris_minchu@iwon.com; focus-ms@securityfocus.com
Sent: 11/08/03 15:44
Subject: RE: What the heck is this msblast.exe

Medium???? That's an irresponsible rating, considering that both MS and the Department of Homeland Security have listed the vulnerability as critical.

-----Original Message-----

From: Lee_Fisher@NAI.com [mailto:Lee_Fisher@NAI.com]
Sent: Monday, August 11, 2003 6:27 PM
To: morris_minchu@iwon.com; focus-ms@securityfocus.com
Subject: RE: What the heck is this msblast.exe

From your description I would imagine it to be the Blaster worm (we called it W32/Lovsan.worm).


Many posts on forums - We list it as a Medium On Watch alert - other AV orgs have a similar classification.

http://vil.nai.com/vil/content/v_100547.htm

Lee Fisher
Solutions Architect
McAfee Product Management

-----Original Message-----

From: Minchu Mo
To: focus-ms@securityfocus.com
Sent: 11/08/03 15:00
Subject: What the heck is this msblast.exe

The code resides in c:\winnt\system32.

It somehow changed my registry and pretends to be Windows autoupdate in \Localsystem\software\microsoft\window\run, so it can run when I boot the machine. Now it is sending out packets to random(?) IPs' endpoint port
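The scanning behaviour described in the post above (one host contacting many random IPs on the RPC endpoint port) is what a network defender can look for in firewall logs. The following is an added example, not code from the thread or from any vendor: it parses a constructed log format and flags sources that reach many distinct destinations on one port inside a short sliding window. TCP/135 as the port, the log format, and the window/threshold values are all assumptions; 135 is the RPC endpoint mapper port covered by MS03-026.

```python
# Added example: detect Blaster-style fan-out scanning in firewall logs.
# Assumptions: log format "<ISO time> <src> -> <dst>:<dport> <proto>",
# scanned port TCP/135, a 10-second window and a threshold of 5 distinct hosts.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")

# Constructed sample log: 10.0.0.5 scans six hosts on 135 in three seconds,
# 10.0.0.9 makes one ordinary RPC connection, and one line is malformed.
SAMPLE_LOG = """\
2003-08-11T15:00:01 10.0.0.5 -> 10.0.1.7:135 tcp
2003-08-11T15:00:01 10.0.0.5 -> 192.168.44.2:135 tcp
2003-08-11T15:00:02 10.0.0.5 -> 172.16.9.30:135 tcp
2003-08-11T15:00:02 10.0.0.5 -> 10.0.1.8:135 tcp
2003-08-11T15:00:03 10.0.0.5 -> 10.0.1.9:135 tcp
2003-08-11T15:00:03 10.0.0.5 -> 10.0.1.10:135 tcp
2003-08-11T15:00:03 10.0.0.5 -> 10.0.2.1:80 tcp
2003-08-11T15:00:04 10.0.0.9 -> 10.0.0.2:135 tcp
garbage line that does not parse
"""

def parse_line(line):
    """Return an event dict for a well-formed line, or None so it is skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, proto = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto.lower()}

def find_scanners(lines, port=135, window_s=10, threshold=5):
    """Map each source to the most distinct destinations it hit on `port`
    within any `window_s`-second window; keep sources at or above `threshold`."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] == port and ev["proto"] == "tcp":
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()          # oldest first so the window slides forward
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > timedelta(seconds=window_s):
                start += 1     # drop events that fell out of the window
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged
```

A flagged source is a candidate for isolation, patching with MS03-026, and a check of its Run key and system32 directory for the file named in the post.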



---

Your network firewall and IDS products do not prevent Web application attacks - the most common form of online exploitation- resulting in Web defacement, data theft, sabotage and fraud. KaVaDo is the only company that provides a complete suite of Web application security products.
Download a FREE whitepaper on "Security Policy Automation for Web Applications":http://www.securityfocus.com/Kavado-focus-ms

Received on Tue Aug 12 11:52:02 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:35 EDT
