HELP!!! BIG winXPO problem!!


  • #16
    Originally posted by Nowhere
    [...]And one reported (with some poor software firewall...) that just before shutdown someone connected to him in...not very usual way etc. (don't know exactly, svhost or something). This happened to him TWICE (and from the same host...)
    Makes you think something's not right with...something in win
    STFU - u are using the same software #$@@

    Btw - my theory explains why infected ppl are not getting rebooted while offline, and why not infected ppl are getting reboots.

    Btw2 - and it's svchost not svhost...


    And there's a second way of protection, use services.msc ('run' tab) to switch off any services with RPC in it (exactly one).
    Last edited by Guest; 11 August 2003, 16:04.



    • #17
      Had the same problem at work today.

      The hotfix from MS seems to have done the job. None of the systems have rebooted since running that patch...
      Core2 Duo E7500 2.93, Asus P5Q Pro Turbo, 4gig 1066 DDR2, 1gig Asus ENGTS250, SB X-Fi Gamer ,WD Caviar Black 1tb, Plextor PX-880SA, Dual Samsung 2494s



      • #18
        Originally posted by JohnnyBond
        STFU - u are using the same software #$@@

        ...
        Well, I've had it properly configured even when it wasn't yet much needed

        And I was prepared when it became needed...



        • #19
          Pure coincidence. You blocked everything you could. And svchost was the only thing I haven't blocked, because it's a system service. And it's not poorly configured, it's just not yet perfectly configured. My fault, I should have known that the RPC exploit is as old as hell is, but the virus is quite new.

          A smart fella wrote it - killing infected and not infected cpus



          • #20
            here's another link to the hotfix for Windows XP, since the worm seems to be trying to do a DDOS on windowsupdate.com



            (ONLY download it in case you can't get it from MS, and ONLY for Windows XP)



            • #21
              I feel all warm and fuzzy knowing that my Win98 SE system, even though it also has the DCOM/RPC stuff running, just laughs at the virus and ignores the evil voices it hears on port 135.

              Update, it would be laughing if the evilness ever even got to the modem, just found out Cox here in Wichita is filtering inbound port 135 anyway.
              Last edited by Jon P. Inghram; 11 August 2003, 18:30.



              • #22
                Originally posted by JohnnyBond
                Pure coincidence. You blocked everything you could. And svchost was the only thing I haven't blocked, because it's a system service. And it's not poorly configured, it's just not yet perfectly configured. My fault, I should have known that the RPC exploit is as old as hell is, but the virus is quite new.

                A smart fella wrote it - killing infected and not infected cpus
                Isn't this all about properly configuring firewall - leaving open only what's absolutely needed for software you're using? I did it, you didn't

                btw, anybody knows what happened at that date in the past? It is obvious that this thing has been waiting for some time...and it's possible that there's some symbolic connection after all (but that's just a possibility and...I'm curious about it)



                • #23
                  Tut Tut all these people who don't patch or run updated virus checker software.
                  Now I'll go home and find my machines have got it.

                  We've been badly caught at work which shouldn't have happened.
                  Chief Lemon Buyer no more Linux sucks but not as much
                  Weather nut and sad git.

                  My Weather Page



                  • #24
                    I had exactly the same problem. First of all I searched the msblast.exe and deleted it. The next step was to remove the registry entries (that avoids the auto start of this file [if it appears again]). Finally I installed the patch from MS.

                    To hell with this evil worm!
                    Last edited by Lambo-Fan; 12 August 2003, 04:39.
                    Asus H97 Pro Gamer| Intel i5 4690K| Noctua NH-U9B SE2 | Gigabyte GTX 1060 Windforce 3GB | Soundblaster ZxR | 8 GB Kingston HyperX Genesis DDR3 1600| LG 24 MP88HV-S
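
A check for the autostart entries mentioned in post #24, added here as an example (not code from any poster in this thread): it parses `reg query` output for a Run key and flags values whose command launches `msblast.exe`. The sample output, its value names and its paths are constructed for illustration.

```python
import re

# Constructed sample of `reg query` output for the machine-wide Run key.
# Value names and paths are made up; they are not taken from the thread.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    C:\Program Files\Example\tray.exe /min
    example updater    REG_SZ    msblast.exe
    ExampleQuoted    REG_EXPAND_SZ    "%SystemRoot%\system32\MSBLAST.EXE" -s
    NotTheWorm    REG_SZ    C:\tools\notmsblast.exe
"""

# <indent> value name <ws> REG_TYPE <ws> data; value names may contain spaces.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")


def references_image(data, image):
    """True if the command line runs a file named exactly `image` (case-insensitive).

    The name must start at the beginning of the data or after a path separator,
    quote or space, so 'notmsblast.exe' does not match 'msblast.exe'.
    """
    pattern = r'(?:^|[\\/"\s])' + re.escape(image) + r'(?=$|["\s])'
    return re.search(pattern, data, re.IGNORECASE) is not None


def find_autostart_refs(reg_output, image="msblast.exe"):
    """Return (key, value name, data) for every value whose command runs `image`."""
    hits, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()          # remember which key the values belong to
            continue
        m = VALUE_LINE.match(line)
        if m and references_image(m.group("data"), image):
            hits.append((key, m.group("name"), m.group("data")))
    return hits


if __name__ == "__main__":
    for key, name, data in find_autostart_refs(SAMPLE_REG_QUERY):
        print(f"{key}\n  value {name!r} launches: {data}")
```

Running the same check again after cleanup and patching shows whether the entry has reappeared, which is the case the post's "if it appears again" refers to.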



                    • #25
                      Story in Yahoo News

                      Another story in Yahoo

                      In South Korea, one of the world's most wired nations, Blaster was having limited impact, officials said, as technicians took steps to block vital Internet ports that prevented the worm's widespread movement.
                      Heh
                      Last edited by McRhea; 12 August 2003, 08:51.
                      McRhea



                      • #26
                        My firewall has blocked this worm, addressed to port 135, over 130 times today. Norton AV has also updated their definitions.
                        Brian (the devil incarnate)



                        • #27
                          My block count: 341, last day... Poland was hit really hard with it



                          • #28
                            South Korea... one of the most wired nations in the world...

                            Wired... with EXPLOSIVES.

                            Gpar_
                            The Internet - where men are men, women are men, and teenage girls are FBI agents!

                            I'm the least you could do
                            If only life were as easy as you
                            I'm the least you could do, oh yeah
                            If only life were as easy as you
                            I would still get screwed



                            • #29
                              Windoze update may fail because the registry has been altered.

                              Someone at work applied the win2k patch to an NT4 server. Ooops remote access to the machine no longer works.
                              Chief Lemon Buyer no more Linux sucks but not as much
                              Weather nut and sad git.

                              My Weather Page



                              • #30
                                Originally posted by GuchiGuh
                                I just received around 13 phonecalls concerning this topic. My university servers have been hit as well!!
                                Only 13? How about 203, with a load more not booked in.
                                Chief Lemon Buyer no more Linux sucks but not as much
                                Weather nut and sad git.

                                My Weather Page
