Pantek Library

RE: What the heck is this msblast.exe

From: Rich Logan <ral(at)stokeslaw.com>
Date: Tue Aug 12 2003 - 14:19:39 EDT


I haven't had the (dis)pleasure of fixing one of these machines; doing the <CTRL>+<ALT>+<DEL> and ending Task doesn't buy you any additional time? I know that is what is recommended by Symantec....

Rich Logan
IS Manager
Stokes Lawrence, P.S.
(206) 892-2154

-----Original Message-----

From: James Montgomery [mailto:jmont007@earmyu.com]
Sent: Tuesday, August 12, 2003 10:10 AM
To: focus-ms@securityfocus.com

I have noticed that there has been a problem with end users and their ability to "snuff" the worm. Many of my remote users cannot stay connected to the internet long enough to download the patch or the msblast.exe fix. Approximate up time is 2 minutes once connected to the internet. Users receive "System is shutting down because of remote procedure service termination unexpected"

Has anyone else had this problem? And if so, is there an alternative to physically making a disk to distribute to end users?

I suspect this will be a problem for many, as most of us are just worried about our key systems and servers.

Thank you,

   James

-----Original Message-----

From: Michael LaSalvia [mailto:mike@genxweb.net]
Sent: Monday, August 11, 2003 3:47 PM
To: Lee_Fisher@NAI.com; morris_minchu@iwon.com; focus-ms@securityfocus.com
Subject: RE: What the heck is this msblast.exe

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

The msblast.exe is the dcom worm that was just released earlier today. Been seeing this in my IDS logs all day.

-----Original Message-----
From: Lee_Fisher@NAI.com [mailto:Lee_Fisher@NAI.com]
Sent: Monday, August 11, 2003 6:27 PM
To: morris_minchu@iwon.com; focus-ms@securityfocus.com
Subject: RE: What the heck is this msblast.exe

From your description I would imagine it to be the Blaster (We called it W32/Lovsan.worm)

Many posts on forums - We list it as a Medium On Watch alert - other AV orgs have a similar classification.

http://vil.nai.com/vil/content/v_100547.htm

Lee Fisher
Solutions Architect
McAfee Product Management

-----Original Message-----
From: Minchu Mo
To: focus-ms@securityfocus.com
Sent: 11/08/03 15:00
Subject: What the heck is this msblast.exe

The code resides in c:\winnt\system32.

It somehow changed my registry and pretends to be Window autoupdate in \Localsystem\software\microsoft\window\run, so it can run when I boot the machine. Now it is sending out packets to random(?) IPs' endpoint port

----------------------------------------------------------------------
Your network firewall and IDS products do not prevent Web application attacks - the most common form of online exploitation - resulting in Web defacement, data theft, sabotage and fraud. KaVaDo is the only company that provides a complete suite of Web application security products. Download a FREE whitepaper on "Security Policy Automation for Web Applications": http://www.securityfocus.com/Kavado-focus-ms
----------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPzgc6XAnVb+gRdsVEQIxfQCeKC1utno1oDrWrvmKpHTCKM+cIQUAn1+x wcaDQq8UvNrA/O6KTmT8yqUc
=pqjM
-----END PGP SIGNATURE-----


Received on Tue Aug 12 14:27:46 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:35 EDT

