
[cobalt-security] RE: Lovsan Worm



In addition to the measures: (you could download the removal tool from
Symantec as it's a whole lot simpler)

1.  As soon as you get into windows, go to task manager and end process
on msblast.exe

2.  Run regedit and remove the key,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update" = msblast.exe

3.  Search for msblast.exe on the system drive and delete any copy that
is found.

4.  Disconnect any connection to the internet or to the network.

5.  Reboot the computer.

You need to download the Windows update (only affects W2k, XP, Win2003) from
MS (see bulletin MS03-026) before running the above.

Does not affect Linux, Mac, OS/2 (really!:), UNIX according to Symantec so
not a prob at all for RAQs

Jon Grey Davies

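The five steps above are manual. As an added example (not from the list post, nor Symantec's or Panda's tooling), the following PowerShell function audits a host for the same three indicators the steps act on (the running process, the Run value, copies of the file on the system drive) and reports rather than removes. It assumes PowerShell 5.1 or later run with administrative rights; the function name is mine.

```powershell
# Added example, not from the mailing-list post. Read-only audit for the
# Lovsan/Blaster indicators named in the thread: the msblast.exe process,
# the "windows auto update" value under HKLM\...\CurrentVersion\Run, and
# copies of msblast.exe on the system drive. Assumes PowerShell 5.1+ run
# as Administrator. It changes nothing; removal stays a deliberate step.
function Test-LovsanIndicators {
    [CmdletBinding()]
    param(
        [string]$ProcessName = 'msblast',
        [string]$FileName    = 'msblast.exe',
        [string]$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        [string]$RunValue    = 'windows auto update'
    )

    $findings = @()

    # Step 1 of the procedure: is msblast.exe currently running?
    $procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
    foreach ($p in $procs) {
        $findings += "Process running: PID $($p.Id) ($($p.Path))"
    }

    # Step 2: the persistence value the worm adds under the Run key.
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties[$RunValue]) {
        $findings += "Run value '$RunValue' = $($run.$RunValue)"
    }

    # Step 3: any copy of the file on the system drive (the worm drops into
    # %SystemRoot%\system32, but the thread says to search the whole drive).
    $hits = Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -File `
        -Filter $FileName -ErrorAction SilentlyContinue
    foreach ($h in $hits) {
        $findings += "File present: $($h.FullName) ($($h.Length) bytes)"
    }

    [pscustomobject]@{
        Host       = $env:COMPUTERNAME
        Indicators = $findings.Count
        Findings   = $findings
    }
}

# Example invocation: a non-zero Indicators count means the manual
# steps (and the MS03-026 update) still need to be applied on this host.
Test-LovsanIndicators | Format-List
```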
-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx] On Behalf Of
cobalt-security-request@xxxxxxxxxxxxxxx
Sent: 12 August 2003 20:00
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: cobalt-security digest, Vol 1 #1244 - 10 msgs

Send cobalt-security mailing list submissions to
	cobalt-security@xxxxxxxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
	http://list.cobalt.com/mailman/listinfo/cobalt-security
or, via email, send a message with subject or body 'help' to
	cobalt-security-request@xxxxxxxxxxxxxxx

You can reach the person managing the list at
	cobalt-security-admin@xxxxxxxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of cobalt-security digest..."


Today's Topics:

   1. test for echo (Jaana Jarve)
   2. W32/Lovsan.worm Attacking Port 135 (Rex Gaylord)
   3. RE: W32/Lovsan.worm Attacking Port 135 (Graeme Fowler)
   4. W32/Lovsan.worm Attacking Port 135 (Rex Gaylord)
   5. Re: test for echo (David Black)
   6. Re: W32/Lovsan.worm Attacking Port 135 (Jaana Jarve)
   7. Re: test for echo (Robbert Hamburg (HaVa Web- & Procesdesign))
   8. RE: test for echo (Bob Noordam)
   9. php upload_tmp_dir & sanity (Jaana Jarve)
  10. Re: test for echo (Greg Boehnlein)

--__--__--

Message: 1
Date: Tue, 12 Aug 2003 20:07:32 +0300 (EEST)
From: Jaana Jarve <netcat@xxxxxxxxx>
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: [cobalt-security] test for echo
Reply-To: cobalt-security@xxxxxxxxxxxxxxx


hi..

is this list still working?
half a month of nothing makes one wonder.

rgds,
netcat


--__--__--

Message: 2
Date: Tue, 12 Aug 2003 10:21:53 -0700
From: "Rex Gaylord" <rex@xxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: [cobalt-security] W32/Lovsan.worm Attacking Port 135
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

Is anybody else getting attacks on Port 135 that is related to this new
virus and do you know if we are vulnerable.  It looks like it only
infects windows machines to me so far?

Thanks, Rex Gaylord
============================
A NEW VIRUS HAS BEEN DETECTED, NAMED W32/Lovsan.worm

Symptoms of Infection:

- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
- Error messages about the RPC service failing (causes system to reboot)


This worm spreads by exploiting a recent vulnerability in Microsoft
Windows. The worm scans random ranges of IP addresses on port 135.

A definition file will be sent to me from our virus lab in about 2
hours.  Please go to ftp://65.3.178.52 at around 5:15pm PDT.  After
downloading it, extract it to a folder, such as PANDA, and then update
from the program with the update source pointing to the folder you
extracted the signature file to.

In the meantime, here is a manual solution for it in case you already got
infected:

1.  As soon as you get into windows, go to task manager and end process
on msblast.exe

2.  Run regedit and remove the key,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update" = msblast.exe

3.  Search for msblast.exe on the system drive and delete any copy that
is found.

4.  Disconnect any connection to the internet or to the network.

5.  Reboot the computer.

 

Steve Demogines, Director
Panda Software Technical Support
sdemo@xxxxxxxxxxxxxxxxx
818-543-6901 

This e-mail message is virus free, having been scanned and cleaned by
Panda Software, the leading international antivirus company declared
"The Undisputed Champ" by PC World Magazine! For more information, go
to: www.pandasoftware.com 

 

--__--__--

Message: 3
Subject: RE: [cobalt-security] W32/Lovsan.worm Attacking Port 135
Date: Tue, 12 Aug 2003 18:44:55 +0100
From: "Graeme Fowler" <graeme.fowler@xxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

On 12 August 2003 18:22, Rex Gaylord wrote:
> Is anybody else getting attacks on Port 135 that is related to this
> new virus and do you know if we are vulnerable.  It looks like it only
> infects windows machines to me so far?

1. Yes
2. No [see below]
3. Indeed, it is another worm exploiting another vulnerability in the
underlying Windows subsystems (this time it's the RPC subsystem, crucial
to normal operation).

[note]
If you're running a publically-accessible Samba server (on a Qube, for
example), it _might_ cause a local service DoS if it manages to make the
daemon crash. It won't, however, exploit it since the hole is in
Windows, not Samba, code.

Graeme

--__--__--

Message: 4
From: "Rex Gaylord" <rgaylord@xxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Date: Mon, 11 Aug 2003 16:07:24 -0700
Organization: CCC/America
Subject: [cobalt-security] W32/Lovsan.worm Attacking Port 135
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

Is anybody else getting attacks on Port 135 that is related to this new
virus and do you know if we are vulnerable.  It looks like it only infects
windows machines to me so far?

Thanks, Rex Gaylord
============================
A NEW VIRUS HAS BEEN DETECTED, NAMED W32/Lovsan.worm

Symptoms of Infection:

- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
- Error messages about the RPC service failing (causes system to reboot)

This worm spreads by exploiting a recent vulnerability in Microsoft Windows.
The worm scans random ranges of IP addresses on port 135.

A definition file will be sent to me from our virus lab in about 2 hours.
Please go to ftp://65.3.178.52 at around 5:15pm PDT.  After downloading it,
extract it to a folder, such as PANDA, and then update from the program with
the update source pointing to the folder you extracted the signature file
to.

In the meantime, here is a manual solution for it in case you already got
infected:

1.  As soon as you get into windows, go to task manager and end process on
msblast.exe

2.  Run regedit and remove the key,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update" = msblast.exe

3.  Search for msblast.exe on the system drive and delete any copy that is
found.

4.  Disconnect any connection to the internet or to the network.

5.  Reboot the computer.

 

Steve Demogines, Director
Panda Software Technical Support
sdemo@xxxxxxxxxxxxxxxxx
818-543-6901 



--__--__--

Message: 5
From: "David Black" <DavidBlack@xxxxxxxxxxxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: Re: [cobalt-security] test for echo
Date: Tue, 12 Aug 2003 12:25:41 -0500
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

Echo... from Houston, TX.

--
David Black, Web Developer
http://SiteDesignAndHosting.com
Professional Web Design, Hosting,
Programming, Animation and more!


----- Original Message ----- 
From: "Jaana Jarve" <netcat@xxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Tuesday, August 12, 2003 12:07 PM
Subject: [cobalt-security] test for echo


> 
> hi..
> 
> is this list still working?
> half a month of nothing makes one wonder.
> 
> rgds,
> netcat
> 
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
> 

--__--__--

Message: 6
Date: Tue, 12 Aug 2003 20:42:22 +0300 (EEST)
From: Jaana Jarve <netcat@xxxxxxxxx>
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] W32/Lovsan.worm Attacking Port 135
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

On Tue, 12 Aug 2003, Rex Gaylord wrote:

> Is anybody else getting attacks on Port 135

yes.

> virus and do you know if we are vulnerable.

no

> It looks like it only infects windows machines

yes, see below

> This worm spreads by exploiting a recent vulnerability in Microsoft
> Windows.



rgds,
netcat



--__--__--

Message: 7
From: "Robbert Hamburg \(HaVa Web- & Procesdesign\)" <user@xxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: Re: [cobalt-security] test for echo
Date: Tue, 12 Aug 2003 20:11:33 +0200
Reply-To: cobalt-security@xxxxxxxxxxxxxxx


----- Original Message ----- 
From: "David Black" <DavidBlack@xxxxxxxxxxxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Tuesday, August 12, 2003 7:25 PM
Subject: Re: [cobalt-security] test for echo


> Echo... from Houston, TX.
> 
> 

Echo from Amsterdam, NL

--__--__--

Message: 8
From: "Bob Noordam" <bno@xxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Subject: RE: [cobalt-security] test for echo
Date: Tue, 12 Aug 2003 20:12:30 +0200
Reply-To: cobalt-security@xxxxxxxxxxxxxxx


> 
> hi..
> 
> is this list still working?
> half a month of nothing makes one wonder.
> 


ping ? pong !

--__--__--

Message: 9
Date: Tue, 12 Aug 2003 21:18:34 +0300 (EEST)
From: Jaana Jarve <netcat@xxxxxxxxx>
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: [cobalt-security] php upload_tmp_dir & sanity
Reply-To: cobalt-security@xxxxxxxxxxxxxxx



i'd be interested to know where raq4 owners keep their upload_tmp_dir
these days.

it was recently brought to my attention that the uploaded files don't
get the proper site gid after being moved under site directories.
since system default is to use /tmp (symlinked to /home/tmp) the group
would be root.
this doesn't look especially sane to me. besides obvious security
concerns, users could upload to their hearts desire without it ever
affecting their quota.

other opinions? it looks to me the best bet is to set ./tmp in php.ini.
does that have any negative sides to it?

rgds,
netcat


--__--__--

Message: 10
Date: Tue, 12 Aug 2003 14:36:08 -0400 (EDT)
From: Greg Boehnlein <damin@xxxxxxxx>
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] test for echo
Reply-To: cobalt-security@xxxxxxxxxxxxxxx

On Tue, 12 Aug 2003, David Black wrote:

> Echo... from Houston, TX.
> 
> --
> David Black, Web Developer
> http://SiteDesignAndHosting.com
> Professional Web Design, Hosting,
> Programming, Animation and more!

Ping response from Cleveland, Ohio.
 
> ----- Original Message ----- 
> From: "Jaana Jarve" <netcat@xxxxxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Sent: Tuesday, August 12, 2003 12:07 PM
> Subject: [cobalt-security] test for echo
> 
> 
> > 
> > hi..
> > 
> > is this list still working?
> > half a month of nothing makes one wonder.
> > 
> > rgds,
> > netcat
> > 
> > _______________________________________________
> > cobalt-security mailing list
> > cobalt-security@xxxxxxxxxxxxxxx
> > http://list.cobalt.com/mailman/listinfo/cobalt-security
> > 
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
> 

-- 
    Vice President of N2Net, a New Age Consulting Service, Inc. Company
         http://www.n2net.net Where everything clicks into place!
                             KP-216-121-ST





--__--__--

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security


End of cobalt-security Digest