Using NT/2k/XP/2k3? Now is a good time to patch.

[Destroy-Titus]

I have multi pcs, and I dont know what RPC is/does (well now I do :lol: ) I honestly do not care wether this worm destroys my pc or not, I have nothing here <_< all of this can be re-downloaded in 20 minutes, that worm would have to take down the internet in order for me to care B)

[Zedd]

In my opinion, NOTHING should by default be "on" in your OS when you install it, that communicate from the outside, especially one that accept input from the outside.

Agreed. There is no reason whatsoever that port 135 (netbios) should be world accessible by default. It boggles my mind why MS did that. :/

For the record, if you're using a firewall, blocking access to the following ports should keep ya safe:

* tcp/69 (used by the TFTP process)
* tcp/135 (used by RPC remote access)
* tcp/4444 (used by this worm to connect)

It's also recommended that you rename tftp.exe, which the worm uses to be downloaded.

Again, credit for the info to www.sophos.com.

http://sophos.com/support/disinfection/blastera.html

[kandrathe]

Ah, another willing victim. Just hope they don't choose your PC to be the local kiddie porn server. The bigger problems out on the NET these days are people such as yourself who don't care to secure their machines and so act as willing proxies to help spread spam and other garbage. You would be like those people who let their yard fill with weeds and becomes the source of weeds for the whole neighborhood.

[kandrathe]

A properly configured firewall offers no response at all to an attacker. It would appear as if no computer would hooked up to that IP address at all. If the PC('s) behind the firewall needed to offer services to the NET, then only those services would be visible from outside the firewall. When you have multiple devices that talk to one another on a LAN you need some type of protocol available for them to converse. Unfortunately, Microsoft has forever opted for a default configuration that is extremely open (assuming peer to peer, security free file and print sharing). If you shut off some of those services, some application and local services will also cease (like the ability to print). The upshot is that Microsoft's DCOM, RPC and most of their networking code is and has always been full of holes and they never fix it.

Then you have STUPID broadband ISP's like mine, who require that you use their machine name and be in workgroup "WORKGROUP" along with all 20,000 other subscribers. The day I got hooked up, I went to work and proceeded to hack into my home machine in less than two minutes. Then I did a port scan of pc's that were available for me to hack in that subnet. Over 2000. I picked up a firewall on the way home.

[kandrathe]

Ah, well. Not bitten by any worms yet, but why tempt fate? I'm doing the service pack dance tonight on all my boxes with MS OS's at home. What a royal pain! I just went out to Windows Update and found out I've got some 20 critical fixes to install, with about 4 single threaded. I can't wait until my 3 year old is a bit older, and he can take over the network admin duties. :D

I'm trying not to make him into a geek, but with parents like his he has little hope. Me a life long software engineer, and his mother a statistical demographer.

BTW, I got a grin today with the Nachi worm which goes out and attempts to apply MS service packs to repair the RPC based SANS worm exploit. Still evil, but a funny evil.

Edit: Excrement! 2.5 hours later and the W2K SP4 updater has left me BSOD after a half install with a reboot claiming my winsrv.dll is missing... All I can do is shake my head. Must now reinstall the OS and all the software on that box. If I could get most of this software for Linux I'd switch today.

[DeeBye]

BTW, I got a grin today with the Nachi worm which goes out and attempts to apply MS service packs to repair the RPC based SANS worm exploit. Still evil, but a funny evil.

Hehe, yeah :)

I had to laugh when I saw the NAI notice about this new worm.

From NAI:

This detection is for another virus that exploits the MS03-026 vulnerability.

The worm carries links to various patches for the MS03-026 vulnerability.

The worm attempts to download and install one of these patches on the victim machine.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

&nbsp;&nbsp; 1. Apply the MS03-026 patch.

Funny stuff, but I'm glad I patched my computer several weeks ago.

-DeeBye

[whyBish]

Hmmm....

I just went to a Microsoft TechEd in Auckland this week, and (now that I am an indoctrinated Microsoft zombie) it seems that there has been a large shift in focus at Microsoft towards security concerns. As they discussed the blaster worm they showed various things about their latest offerings that would have stopped this from happening, including (as mentioned multiple times in this thread) having things turned off by default...

Microsoft the omniscient? :P

[kandrathe]

Unfortunately, it might be too late for them. The growing tide of PO'd MS admins, MS developers, and IT management are starting to look at the alternatives. With products like StarOffice, some of the GUI Linux Shells like KDE, decent e-mail clients, you can really do away with MS, their exhorbitant prices and their licensing baggage.

See what the BSA and MS did to Ernie Ball...
Ernie Ball - Model For Open-Source Transition?

I've already ported my DB systems from MS on MS to Oracle on Linux this spring. The driver for me was that I intend on eventually porting my inhouse apps for client use over the internet. The only licensing option, other than named users was per processor. My systems use redundant arrays, so I was looking at ~$20,000 per processor x 2 (OS & DBMS). And in total I have 4 quads, or 16 processors for my system. We are a pretty successful small business, but ~ $640,000 just for system licenses is a little to hefty a price tag for our little company.

My recent fiasco at home migrating to W2K SP4 has left my primary home system more secure than its ever been(sic). It is unable to boot, and unable to repair, and unable to re-install without formatting the HD. I found a Linux tool, called Trinity, which you can download as an .ISO and burn to a CD. Then boot and recover any information you need from your corrupted system. After getting a BSOD 1/2 way thru the upgrade, my home system was in a state where the security hive was in an indeterminate state, there were no NT boot programs on the boot partition, and no one had the rights to change the boot partition.

Anyway, I'm going to continue to work on convincing some of the key user managers at my office, that it is time to begin the change. Really, how much is XP Office Professional? How much is StarOffice? What are the feature differences?

[Roland]

When you have OpenOffice (based off an open-source implementation of StarOffice) and SOT Office (based, IIRC, similarly off of OpenOffice)? Both are 100% free for anyone to use, and OpenOffice readily gets updated (SOT Office, which I have not yet used, gets updated seemingly once a year these days - i.e. 2002, 2003, etc.).

Why pay for something you can have for free, that's just as good? ;)

OpenOffice.org
SOT Office

[kandrathe]

You are right. I had forgotten about OpenOffice.