[Dshield] Road Runner is looking out for its customers for a change

R Shady RShady at stny.rr.com
Wed Aug 13 23:01:41 GMT 2003

I haven't had any port scans for 135 since Road Runner
blocked ports 135-139.

Blaster Worm/Virus (W32.Blaster.Worm / W32/Lovsan.worm)
According to Symantec, a worm called the W32.Blaster.Worm, also known as 
W32/Lovsan.worm was discovered on 8/11/03. It will cause systems running 
Windows 2000 or Windows XP to crash, prevent Internet access and 
compromise the security settings by opening a hidden remote cmd.exe 
shell. This worm will attempt to download and run a file named 
"Msblast.exe." It will then block access to TCP port 4444 at the 
firewall level, and then block the following ports, if they do not use 
TCP Port 135, "DCOM RPC" or UDP Port 69, "TFTP." The worm will also 
attempt to perform a Denial of Service (DoS) on windowsupdate.com. This 
is an attempt to prevent you from applying a patch on your computer 
against the DCOM RPC vulnerability.

To prevent this worm from spreading, Road Runner has blocked ports 
135-139 and port 145, both inbound and outbound on each router. This 
will not only stop the spread of the virus on our network and protect 
you, but it will also disable the ability for you to use File and Print 
Sharing between computers outside of your home network (i.e. beyond your 
modem). It may also disable your ability to log into Exchange e-mail 
servers without using VPN or another secure connection method.

What You Can Do To Prevent Infection

To prevent infection from this worm, go to 
http://windowsupdate.microsoft.com and install the latest critical 
updates. For more information on the vulnerability that this worm 
exploits, and to find out which Symantec products can help alleviate 
risks from this vulnerability, go to 

If You Have Been Infected

You must stop the Trojan process by performing the following:

1. As soon as your computer boots up, press the Control, Alt, and Delete buttons at the same time. This should open your Task Manager window.
2. Click the Processes tab.
3. Double-click the Image Name column header to alphabetically sort the processes.
4. Scroll through the list and look for a file called msblast.exe.
5. Click to highlight the file and then click the End Process button at the bottom of the window.
6. Close the Task Manager window.
7. Open your browser and go to
8. Follow the instructions for obtaining and running Symantec's W32.Blaster.Worm Removal Tool.
9. Then, after running the tool, go to http://windowsupdate.microsoft.com and update your Windows operating system with the latest patches to prevent you from being infected again.
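
Added example, not part of the original post or the Road Runner notice: one way to check a firewall log for the drop in probes described above, by counting inbound hits per day on the ports the notice says were blocked (135-139 and 145). The iptables-style log format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Ports the notice says Road Runner blocked: 135-139 and 145.
BLOCKED_PORTS = set(range(135, 140)) | {145}

# Constructed sample lines in iptables LOG style (assumed format).
# Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Aug 11 09:14:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=3312 DPT=135
Aug 11 09:14:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=4120 DPT=135
Aug 11 17:02:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=192.0.2.10 PROTO=TCP SPT=1190 DPT=139
Aug 12 03:51:27 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=3377 DPT=135
Aug 12 08:20:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.4 DST=192.0.2.10 PROTO=TCP SPT=2201 DPT=80
Aug 13 10:05:59 fw kernel: IN=eth0 OUT= SRC=203.0.113.8 DST=192.0.2.10 PROTO=TCP SPT=2950 DPT=22
this line is malformed and must be skipped
"""

# Matches inbound packets only: IN= must name an interface.
LINE_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d{1,2}) \S+ \S+ kernel: .*?IN=(?P<iface>\S+) .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

def _hits(log_text, ports):
    """Yield (day, source, port) for each inbound hit on a watched port."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group("dpt")) in ports:
            yield m.group("day"), m.group("src"), int(m.group("dpt"))

def probes_per_day(log_text, ports=BLOCKED_PORTS):
    """Count inbound hits on the watched ports, keyed by log day."""
    return dict(Counter(day for day, _, _ in _hits(log_text, ports)))

def sources_by_port(log_text, ports=BLOCKED_PORTS):
    """Map each probed port to the set of source addresses seen hitting it."""
    seen = defaultdict(set)
    for _, src, port in _hits(log_text, ports):
        seen[port].add(src)
    return dict(seen)

if __name__ == "__main__":
    for day, count in probes_per_day(SAMPLE_LOG).items():
        print(f"{day}: {count} probe(s) on blocked ports")
    for port, sources in sorted(sources_by_port(SAMPLE_LOG).items()):
        print(f"port {port}: {', '.join(sorted(sources))}")
```

A day that has log entries but does not appear in the per-day counts saw no inbound probes on those ports, which is the pattern to expect once upstream filtering is in place.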
