[Dshield] Road Runner is looking out for it's customers for c hange

Brenden Walker BKWalker at DRBSystems.com
Thu Aug 14 13:14:25 GMT 2003

Well, that would explain why I didn't see any hits on 135 during this storm.
But it wouldn't explain why I continue to get hits on 137 on a daily basis..
If they blocked 135-139 like they said, I wouldn't get these.

Odd indeed.

> -----Original Message-----
> From: R Shady [mailto:RShady at stny.rr.com] 
> Sent: Wednesday, August 13, 2003 7:02 PM
> To: Dshield
> Subject: [Dshield] Road Runner is looking out for it's 
> customers for change
> I haven't had any port scans for 135 since Road Runner
> blocked ports 135-139.
> Blaster Worm/Virus (W32.Blaster.Worm / W32/Lovsan.worm) 
> According to Symantec, a worm called the W32.Blaster.Worm, 
> also known as 
> W32/Lovsan.worm was discovered on 8/11/03. It will cause 
> systems running 
> Windows 2000 or Windows XP to crash, prevent Internet access and 
> compromise the security settings by opening a hidden remote cmd.exe 
> shell. This worm will attempt to download and run a file named 
> "Msblast.exe." It will then block access to TCP port 4444 at the 
> firewall level, and then block the following ports, if they 
> do not use 
> TCP Port 135, "DCOM RPC" or UDP Port 69, "TFTP." The worm will also 
> attempt to perform a Denial of Service (DoS) on 
> windowsupdate.com. This 
> is an attempt to prevent you from applying a patch on your computer 
> against the DCOM RPC vulnerability.
> To prevent this worm from spreading, Road Runner has blocked ports 
> 135-139 and port 145, both inbound and outbound on each router. This 
> will not only stop the spread of the virus on our network and protect 
> you, but it will also disable the ability for you to use File 
> and Print 
> Sharing between computers outside of your home network (i.e. 
> beyond your 
> modem). It may also disable your ability to log into Exchange e-mail 
> servers without using VPN or another secure connection method.
> What You Can Do To Prevent Infection
> To prevent infection from this worm, go to 
> http://windowsupdate.microsoft.com and install the latest critical 
> updates. For more information on the vulnerability that this worm 
> exploits, and to find out which Symantec products can help alleviate 
> risks from this vulnerability, go to 
> http://securityresponse.symantec.com/avcenter/security/Content

If You Have Been Infected

You must stop the Trojan process by performing the following:

As soon as your computer boots up, press the Control, Alt, and Delete
buttons at the same time. This should open your Task Manager window. Click
the Processes tab. Double-click the Image Name column header to
alphabetically sort the processes. Scroll through the list and look for a
file called msblast.exe. Click to highlight the file and then click the End
Process button at the 
bottom of the window.
Close the Task Manager window.
Open your browser and go to 

Follow the instructions for obtaining and running Symantec's 
W32.Blaster.Worm Removal Tool.
Then, after running the tool, go to http://windowsupdate.microsoft.com 
and update your Windows operating system with the latest patches to 
prevent you from being infected again.

list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:

More information about the list mailing list