
Re: Blasting Blaster.Worm (aka LovSan Virus)

From: Lloyd Taylor <ltaylor(at)keynote.com>
Date: Tue Aug 12 2003 - 23:51:36 EDT


Check the clock on the affected user's computer. If it's set in the future, the worm may well have triggered, thinking that August 16th was already here.

Also check for other malware. Since 135 was open, it's quite likely that the computer is vulnerable to other sploits.

As previously suggested in this forum, please read the Symantec analysis at https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf.

To inhibit propagation of the worm to/from your network, block the following ports at (at least) all of your border routers (in/out), and preferably (to inhibit infection within your network) on your interior routers as well:

  • Close port 135/tcp (and if possible 135-139, 445 and 593)
  • Monitor TCP Port 4444 and UDP Port 69 (tftp) which are used by the worm for activity related to this worm.

More details are available from the CERT advisory at:

        http://www.cert.org/advisories/CA-2003-19.html

--Lloyd Taylor
  VP Technology & Operations
  Keynote Systems

On Tue, 12 Aug 2003, Alavan wrote:


> Date: Tue, 12 Aug 2003 12:40:43 -0700
> From: Alavan <alavan@pangeatech.com>
> To: incidents@securityfocus.com
> Subject: Blasting Blaster.Worm (aka LovSan Virus)
>
> All,
>
> We're a small ISP providing T-1 access to residents of apartment

-- 



---------------------------------------------------------------------------
----------------------------------------------------------------------------
Received on Wed Aug 13 02:03:12 2003
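
A defender-side triage of border flow records for the ports named in the message above, added here as an example and not part of the original post. The record format, the 10.0.0.0/8 internal range, the fan-out threshold and all sample flows are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Ports named in the message above: (protocol, destination port) -> label.
WATCH = {("tcp", 4444): "tcp/4444", ("udp", 69): "udp/69 (tftp)"}
BLOCKED_TCP = {135, 136, 137, 138, 139, 445, 593}  # "135-139, 445 and 593"
FANOUT_THRESHOLD = 3  # assumption: distinct 135/tcp peers before a host is flagged

# Constructed sample flow records: "time src dst proto dport" (documentation addresses).
SAMPLE_FLOWS = """\
2003-08-12T12:00:01 10.1.1.20 192.0.2.11 tcp 135
2003-08-12T12:00:01 10.1.1.20 192.0.2.12 tcp 135
2003-08-12T12:00:02 10.1.1.20 192.0.2.13 tcp 135
2003-08-12T12:00:03 10.1.1.20 192.0.2.13 tcp 4444
2003-08-12T12:00:04 192.0.2.13 10.1.1.20 udp 69
2003-08-12T12:00:09 10.1.1.30 10.1.1.31 tcp 445
2003-08-12T12:00:12 10.1.1.40 198.51.100.7 tcp 80
2003-08-12T12:00:15 203.0.113.9 10.1.1.50 tcp 135
"""

def parse_flow(line):
    """Split one record into (src, dst, proto, dport); raises ValueError if malformed."""
    _, src, dst, proto, dport = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport)

def triage(lines, internal="10.0.0.0/8"):
    """Return {internal host: sorted list of reasons it deserves a closer look}."""
    net = ipaddress.ip_network(internal)
    reasons, rpc_peers = defaultdict(set), defaultdict(set)
    for line in filter(str.strip, lines):
        src, dst, proto, dport = parse_flow(line)
        host = src if src in net else dst if dst in net else None
        if host is None:
            continue
        if (proto, dport) in WATCH:
            reasons[host].add(WATCH[(proto, dport)])
        if proto == "tcp" and dport == 135 and src in net:
            rpc_peers[src].add(dst)
        # Traffic on a to-be-blocked port with exactly one internal endpoint.
        if proto == "tcp" and dport in BLOCKED_TCP and (src in net) != (dst in net):
            reasons[host].add(f"tcp/{dport} crossed the border")
    for host, peers in rpc_peers.items():
        if len(peers) >= FANOUT_THRESHOLD:
            reasons[host].add(f"135/tcp to {len(peers)} distinct hosts")
    return {str(h): sorted(r) for h, r in reasons.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_FLOWS.splitlines()))
```

Hosts that appear in the result are candidates for the clock and malware checks suggested in the message; internal-only traffic and unrelated ports produce no entry.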

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:16 EDT

