That’s the patch. Notice in my instructions that I posted a link at the end. That’s the same file that your “IT boy” (does that put us in the same league as a cabana boy or a pool boy? :)) put on CD for you.
Well, you never had to yank all of the cables. Or even most of them. Hell, you might not have to yank any. If you have dialup access, just don’t connect. If, however, you have an always-on high-speed Internet connection, you’ll need to pull the wire that provides it or disable the connection.
Start the computer like you normally would. Like I said above, just make sure you’re not connected to the Internet at the time, or your computer will reboot.
Since you already have the patch on CD, you won’t have to worry about going to download it. That’s a good thing. It means you can ignore steps 1, 2, and 3, on my explanation of Anthracite’s step 6. Does that make sense? No? Okay, well then just skip this part:
These steps would have allowed you to use your Internet connection to download the patch without the computer rebooting in the middle of your download. Since you now have the file on a CD, you can ignore these steps.
To run the patch, just go to Windows Explorer, click “D:” (or whatever letter your CD-ROM is) and run the EXE file.
“Install or update your antivirus signature software” is just a nerdy way of saying “make sure your antivirus software is up-to-date and will catch the newest viruses.” The worm removal tool does automatically what you’ll be doing manually when you delete the affected files. In other words, if you just follow the instructions, you won’t need it.
Not from this worm, no, but it’s worth noting that if you had been running firewall software, you’d have never been infected, even if your computer wasn’t updated. I’d recommend that you download some firewall software. Essentially, what this does is prevents other computers on the Internet from “talking” to your computer unless you initiate the “conversation” yourself.
ZoneAlarm and Outpost Firewall are two good software firewall programs. Both have a free version you can download, and a Pro version with more features. I get by with the free version of Outpost just fine.
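A small model of the "only if you start the conversation" behaviour described in this reply, as an added example (not code from the thread, and not from ZoneAlarm or Outpost): an outbound connection the PC opens, such as to Windows Update, creates a flow entry so the replies are let back in, while an unsolicited inbound SYN to TCP/135 has no flow entry and is dropped. The addresses, ports and the `Packet`/`StatefulFirewall` names are constructed for illustration.

```python
"""Toy stateful packet filter (added example, not from the thread)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = LAN -> Internet, "in" = Internet -> LAN
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


class StatefulFirewall:
    """Allows traffic only for flows an inside host initiated."""

    def __init__(self):
        # Flow table keyed from the inside host's point of view:
        # (inside_ip, inside_port, outside_ip, outside_port)
        self.flows = set()

    def handle(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if pkt.syn and not pkt.ack:
                self.flows.add(key)        # inside host starts a conversation
                return "ALLOW"
            return "ALLOW" if key in self.flows else "DROP"
        # Inbound: flip the tuple so it matches the inside host's view.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.flows:
            return "ALLOW"                 # reply to something we started
        return "DROP"                      # unsolicited, e.g. a worm probing 135


def demo() -> list:
    """Constructed traffic: Windows Update fetch vs. an unsolicited probe."""
    fw = StatefulFirewall()
    pc = "192.168.1.5"          # constructed LAN address
    wu_ip = "192.0.2.10"        # constructed stand-in for windowsupdate.com
    scanner = "203.0.113.7"     # constructed Internet host probing RPC
    return [
        fw.handle(Packet("out", pc, 3000, wu_ip, 80, syn=True)),            # ALLOW
        fw.handle(Packet("in", wu_ip, 80, pc, 3000, syn=True, ack=True)),   # ALLOW
        fw.handle(Packet("out", pc, 3000, wu_ip, 80, ack=True)),            # ALLOW
        fw.handle(Packet("in", scanner, 1234, pc, 135, syn=True)),          # DROP
    ]


if __name__ == "__main__":
    print(demo())
```

This is also the answer to the "how does the firewall tell Windows Update apart from the worm" question: it does not inspect the content at all, it only remembers which side opened the connection.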
First, running Windows ME, is there any reason at all I would have to do anything at all?? (i.e. regarding the current worm in question wise*ss)
Second, if this worm infects through the same vulnerability that allows MS automatic updates through, and if (as I believe I’ve read here) a Linksys router provides a firewall which effectively protects against this worm, how does the firewall differentiate between MS updates and the worm?
I’ve been getting about 40 hits/hr for the last couple of days. That’s an average of one every 1.7 minutes. It only takes a few seconds to get a virus, whether computer or biological.
Lots of concern about the resources used in the DOS attack out there.
The DoS traffic has the following characteristics:

- It is a SYN flood on port 80 of windowsupdate.com.
- The DoS packet has no payload: it’s a simple SYN packet to port 80 with an IP and TCP header, but no TCP payload.
- It tries to send 50 RPC packets and 50 HTTP packets every second (there’s a sleep() in the code to cause this).
- Each packet is 40 bytes in length.
- Some fixed characteristics of the TCP and IP headers are:
  - IP identification = 256
  - Time to Live = 128
  - Source IP address = a.b.x.y, where a.b are from the host IP and x.y are random. In some cases a.b are random.
  - Destination IP address = DNS resolution of “windowsupdate.com”
  - TCP source port is between 1000 and 1999
  - TCP destination port = 80
  - TCP sequence number always has the two low bytes set to 0; the 2 high bytes are random.
  - TCP window size = 16384
Some common approaches and questions
Internal dns-spoofing of windowsupdate.com to a special ip-address.
Good idea. This will alert you to infected machines if you have a ‘listening server’ catching the syn flood.
However, alternatively using 127.0.0.1 can be effective or if you have it FAIL resolution, the worm will never send the packet.
However even if you remap it to 127.0.0.1, you may see lots of RSTs on your network (Windows may send RSTs from 127.0.0.1 to the spoofed addresses)
If your DNS server allows, remapping to the illegal IP 0.0.0.0 should do the trick.
This would be the best option (the Pakistani govt. did this with infopak.gov.pk and Yaha).
Configuration of anti-spoofing-rules on routers if not already implemented
This will prevent 99% of packets leaving the network. Using uRPF or egress ACLs will be highly effective
Question: What is the exact technical behavior of the worm after the 16th of August?

If the current month is after August, or if the current date is after the 15th, the worm will attempt to perform a Denial of Service (DoS) on Windows Update. The worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.

However, the attempt to perform the DoS will succeed only if one of the following conditions is true:

- The worm is running on a Windows XP computer.
- The worm is running on a Windows 2000 computer that has not been rebooted since it was infected.
- The worm is running on a Windows 2000 computer that has been rebooted since it was infected and the currently logged in user is Administrator.

The worm creates packets with /16 spoofed IP addresses (based on the IP of the infected machine) and sends packets out in a relatively tight loop (every 20ms + time to generate the packet and send it; this is negligible).

Question: What special functions are included in the worm’s code (e.g. using 127.0.0.1 as source address for a SYN flood against your own network if windowsupdate.com resolves as 127.0.0.1)?

If windowsupdate.com resolves to 127.0.0.1 it will attempt to send a SYN to the localhost over and over again. This can cause some resource utilization on the infected host – but it is infected already, so it probably doesn’t matter. It will not hit the network.

Question: Does the bandwidth usage for the flood depend on the machine’s power?

Do you mean if it is a more powerful machine, does it use more of its own bandwidth for any DoS attack? Or do you mean if it is a more powerful machine, will it generate more traffic and consume more network bandwidth? Think the key thing here is the speed of the connection that the machine has, not the speed of the CPU. No (unless the machine is like an old old old 286 or something). It sends out packets at 20ms intervals, which is easily enough handled by any standard system.

Question: When is the DDoS triggered (after reboot or when the day switches)?

The worm checks the date trigger when it is EXECUTED. After it is executed and already running it does not check the time. Thus, if one REBOOTS after the 15th, it will begin the DoS. Or if one becomes infected after the 15th, it will perform the DoS. Or if one kills the process and re-runs the executable after the 15th, it will perform the DoS.

Question: What special measures does Symantec suggest regarding W32.Blaster and its variants to protect the network infrastructure from saturation with SYN storms?

- Redirecting windowsupdate.com to 127.0.0.1.
- Using uRPF or appropriate egress filtering.
- Filter port 135 on the firewall; stop logging dropped packets on that port.
- Filter packets on port 80 to windowsupdate.com.
- Spoof protection (SEF does this by default).

It would be preferable if filtering was done by routers where possible, rather than the firewall.

Question: What problems can emerge, e.g. on the firewall’s state tables?

If they have a ton of infected hosts the state tables could become overwhelmed. However, a properly configured router (using uRPF) or redirecting windowsupdate.com can potentially resolve this issue.
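The packet characteristics, the egress-filtering advice and the date trigger quoted above, put together as an added detection example (this is not code from the thread or from Symantec): a parser for a bare 40-byte IPv4+TCP header, a fingerprint check for the fixed header values listed (IP ID 256, TTL 128, source port 1000–1999, destination port 80, low two sequence bytes zero, window 16384, SYN only, no payload), a uRPF/egress-ACL style source check, and the month/day trigger condition. The packet builder, the addresses (192.0.2.50 standing in for windowsupdate.com, 10.20.0.0/16 as the infected site) and the zeroed checksums are constructed for the example.

```python
"""Blaster-style SYN flood fingerprint + egress check (added example)."""
import ipaddress
import struct
from datetime import date

IP_FMT = "!BBHHHBBH4s4s"      # 20-byte IPv4 header, no options
TCP_FMT = "!HHIIBBHHH"        # 20-byte TCP header, no options


def build_ipv4_tcp_syn(src_ip, dst_ip, sport, dport, seq,
                       ip_id=0, ttl=64, window=65535) -> bytes:
    """Constructed test packet: headers only, checksums left as 0."""
    ip_hdr = struct.pack(IP_FMT, 0x45, 0, 40, ip_id, 0, ttl, 6, 0,
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    tcp_hdr = struct.pack(TCP_FMT, sport, dport, seq, 0, 5 << 4, 0x02,
                          window, 0, 0)
    return ip_hdr + tcp_hdr


def parse(packet: bytes) -> dict:
    """Pull the IPv4/TCP fields the fingerprint needs out of raw bytes."""
    if len(packet) < 40:
        raise ValueError("too short for IPv4 + TCP headers")
    (vihl, _tos, total_len, ip_id, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IP_FMT, packet[:20])
    ihl = (vihl & 0x0F) * 4
    (sport, dport, seq, _ack, off, flags, window,
     _tcsum, _urg) = struct.unpack(TCP_FMT, packet[ihl:ihl + 20])
    data_off = (off >> 4) * 4
    return {
        "src": str(ipaddress.ip_address(src)), "dst": str(ipaddress.ip_address(dst)),
        "ip_id": ip_id, "ttl": ttl, "proto": proto, "total_len": total_len,
        "sport": sport, "dport": dport, "seq": seq, "flags": flags,
        "window": window, "payload": packet[ihl + data_off:total_len],
    }


def looks_like_blaster_syn(p: dict) -> bool:
    """All fixed header values quoted in the FAQ must match at once."""
    return (p["proto"] == 6 and p["total_len"] == 40 and p["payload"] == b""
            and p["flags"] == 0x02                       # SYN only
            and p["ip_id"] == 256 and p["ttl"] == 128
            and p["dport"] == 80 and 1000 <= p["sport"] <= 1999
            and p["seq"] & 0xFFFF == 0                   # low two bytes zero
            and p["window"] == 16384)


def egress_allowed(src_ip: str, site_prefix: str) -> bool:
    """uRPF / egress-ACL rule: only our own prefix may leave the border."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(site_prefix)


def dos_trigger_active(d: date) -> bool:
    """Trigger condition as quoted: month after August, or day after the 15th."""
    return d.month > 8 or d.day > 15


def demo() -> dict:
    host = "10.20.30.40"          # constructed infected host
    spoofed = "10.20.201.7"       # a.b kept from the host, x.y random
    target = "192.0.2.50"         # constructed stand-in for windowsupdate.com
    worm = build_ipv4_tcp_syn(spoofed, target, 1423, 80, 0xABCD0000,
                              ip_id=256, ttl=128, window=16384)
    benign = build_ipv4_tcp_syn(host, target, 3456, 80, 0x12345678)
    return {
        "worm_match": looks_like_blaster_syn(parse(worm)),
        "benign_match": looks_like_blaster_syn(parse(benign)),
        "blocked_by_24": not egress_allowed(spoofed, "10.20.30.0/24"),
        "blocked_by_16": not egress_allowed(spoofed, "10.20.0.0/16"),
        "dos_aug16": dos_trigger_active(date(2003, 8, 16)),
        "dos_aug11": dos_trigger_active(date(2003, 8, 11)),
    }


if __name__ == "__main__":
    print(demo())
```

The two egress results make the caveat explicit: because the worm keeps the infected host's own a.b octets, a /24 egress rule drops the spoofed packets, but a site whose allowed prefix is the whole /16 will pass them, which is why the FAQ also recommends redirecting windowsupdate.com and filtering port 80 to it rather than relying on anti-spoofing alone.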
Background: I scanned the system using McAfee and came up empty. I have also installed Zone Alarm. Windows Update automatically brought up the security patch for the RPC vulnerability and I installed it on 8/13. It shows up in my “Installation History” as Security Update for Windows XP (823980).
Now, today Windows Update brings up another patch for what seems to be the same vulnerability. It is titled “MS03-026: Security Update for Windows XP (823980)”. In addition, Windows Update has also brought up an update to XP Service Pack 1 and an update titled “816093: Security Update Microsoft Virtual Machine (Microsoft VM)”. In total, 3 new updates.
I recalled having installed SP-1 when it first came out. I looked at “Installation History” and it has the SP-1 installation as Failed. I right-click on “My Computer” and view “Properties”. I don’t see SP-1 listed under “System”. I am a little worried. I had read on the Microsoft webpage that the patch for RPC vulnerability was meant to be installed on XP with SP-1. I guess that maybe since SP-1 actually wasn’t installed, the patch installation didn’t go through and hence Windows Update is alerting me.
(a lot of programs in the Control Panel are named “Windows XP Hotfix (SP1)” — so I am really confused about the installation status of SP-1 on my m/c)
Now, I decide to install SP-1 and then the key security patch along with the Virtual Machine security update. But, the installation is not working. The download appears to start and quickly ends with a window which says : Update Failed - Go back to “Review and Install” etc. I also try and install the critical security update separately. Same error repeats. I check the Update log and it has entries such as:
“Library download error. Will retry. (Error 0x80072EFD)”
and
“Downloading file http://download.windowsupdate.com/msdownload/update/v3-19990518/cabpool/WindowsXP-KB823980-x86-ENU_1d296adab6699e66210e5a350236381.exe, skipping remaining files for this Item (Error 0x80072EFD)”
etc etc
What IS going on? Can anyone help? How do I successfully install SP-1 and the critical security patch? In the meantime, can I do anything to keep myself safe over and above enabling the firewall option bundled with XP and installing Zone Alarm and McAfee?
Keep trying. The Windows XP servers have been hit hard this last weekend. I have run into similar errors trying to run updates and tons of failed updates this weekend. They are just that busy. Plus, I don’t think the D.O.S. attacks helped the situation much.
Worst Case/Best Case Scenarios
**Worst Case:**
If your windows updates failed at some point you may be completely out of luck. Backup your data. From my limited scope… SP-1 was an all or nothing patch. The 5+ hours you may spend trying to remove traces of SP-1 and reinstalling it are not worth the 1.5 hours for backup and reload.
If it is listed in “Installation History” but not in “System Properties” it is not a good sign. Check msinfo32: click on Start/Run, type in “msinfo32” and click “OK”. Highlight “System Summary”. You should have “Version” listed here. If SP-1 is not listed there then it is not installed or not installed “completely”.
If you had run/installed your updates and THEN ran system restore to a prior date (before updates) you may have caused this.
There is a fix for this somewhere deep in Microsoft’s Knowledge Base. I looked for it but couldn’t seem to find it. I do have a link for it at work and will check.
**Best Case Scenario:**
You win the lottery and throw a huge Dopefest for all members. You fly every board member to a lush resort on a tropical island for the largest Doper Orgy to date.
Or… you try to install the patches again and they all install. If you have ZoneAlarm installed and configured you should be safe.
I checked the System Summary. It lists OS Version as “5.1.2600 Build 2600”. I assume then that SP-1 installation isn’t complete? Actually, the “Installation History” also lists the SP-1 update as “Failed”.
My question then is: Can I try installing SP-1 again from scratch? Any potential problems by doing this? Precautions? As I wrote, the Express Installation through the web isn’t working as I keep getting an update error message. So, is it OK to try the network installation? I have the SP-1 file downloaded to my disk.
Yeah, with SP-1 installed it should read: “5.1.2600 Service Pack 1 Build 2600”. Since it was listed as “failed” you may already have problems… but I wouldn’t worry about it. It depends on if it failed on its download or its install. Most likely failed on its download.
Go ahead and install the update from the disk. You shouldn’t have any problems. That should prove the “MS Updates is too busy” theory.
If you have critical work on your system, make sure you back up those files. You never know.