[Dshield] Road Runner is looking out for it's customers for change

Craig Shaw CraigS at caamb.mb.ca
Thu Aug 14 16:37:11 GMT 2003


I did.

Craig Shaw
Systems Administrator
CAA Manitoba
(204) 262-6035
craigs at caamanitoba.com


-----Original Message-----
From: Peter Stendahl-Juvonen [mailto:peter.stendahl-juvonen at welho.com] 
Sent: 14-Aug-03 10:38
To: 'General DShield Discussion List'
Subject: RE: [Dshield] Road Runner is looking out for it's customers for change


Brenden, Craig, et al.

Take it Craig meant to type (?):

|| 
|| Maybe it was "135,139" not "135-139" :)
|| 

instead of.

|| 
|| Maybe it was "137,139" not "137-139" :)
|| 


Guess ports should read in the original context as follows:

||| 
||| To prevent this worm from spreading, Road Runner has blocked ports
||| 135, 139 and port 445, both inbound and outbound on each router. This

instead of ref (further below):

||| 
||| To prevent this worm from spreading, Road Runner has blocked ports
||| 135-139 and port 145, both inbound and outbound on each router. This

Typo, typo, hurry, hurry...


-Pete

      "It's not what you look at that matters, it's what you see."
        Henry David Thoreau (1817 - 1862) US essayist, poet.


list-bounces at dshield.org <mailto:list-bounces at dshield.org> wrote on
Thursday, August 14, 2003 5:51 PM: on behalf of: Brenden Walker
[BKWalker at drbsystems.com]


| Must have been, I'm still getting my usual small flurry of port 137
| hits... 
| 
| 
|| -----Original Message-----
|| From: Craig Shaw [mailto:CraigS at caamb.mb.ca]
|| Sent: Thursday, August 14, 2003 10:11 AM
|| To: 'General DShield Discussion List'
|| Subject: RE: [Dshield] Road Runner is looking out for it's customers
|| for change
|| 
|| 
|| Maybe it was "137,139" not "137-139" :)
|| 
|| Craig Shaw
|| Systems Administrator
|| CAA Manitoba
|| (204) 262-6035
|| craigs at caamanitoba.com
|| 
|| 
|| -----Original Message-----
|| From: Brenden Walker [mailto:BKWalker at DRBSystems.com]
|| Sent: 14-Aug-03 08:14
|| To: 'General DShield Discussion List'
|| Subject: RE: [Dshield] Road Runner is looking out for it's customers
|| for change
|| 
|| Well, that would explain why I didn't see any hits on 135
|| during this storm. But it wouldn't explain why I continue to
|| get hits on 137 on a daily basis.. If they blocked 135-139
|| like they said, I wouldn't get these.
|| 
|| Odd indeed.
|| 
||| -----Original Message-----
||| From: R Shady [mailto:RShady at stny.rr.com]
||| Sent: Wednesday, August 13, 2003 7:02 PM
||| To: Dshield
||| Subject: [Dshield] Road Runner is looking out for it's customers
||| for change 
||| 
||| 
||| I haven't had any port scans for 135 since Road Runner blocked
||| ports 135-139. 
||| 
||| Blaster Worm/Virus (W32.Blaster.Worm / W32/Lovsan.worm)
||| According to Symantec, a worm called the W32.Blaster.Worm, also
||| known as W32/Lovsan.worm was discovered on 8/11/03. It will cause
||| systems running Windows 2000 or Windows XP to crash, prevent
||| Internet access and compromise the security settings by opening a
||| hidden remote cmd.exe shell. This worm will attempt to download and
||| run a file named "Msblast.exe." It will then block access to TCP
||| port 4444 at the firewall level, and then block the following
||| ports, if they do not use TCP Port 135, "DCOM RPC" or UDP Port 69,
||| "TFTP." The worm will also attempt to perform a Denial of Service
||| (DoS) on windowsupdate.com. This
||| is an attempt to prevent you from applying a patch on your computer
||| against the DCOM RPC vulnerability.
||| 
||| To prevent this worm from spreading, Road Runner has blocked ports
||| 135-139 and port 145, both inbound and outbound on each router. This
||| will not only stop the spread of the virus on our network and
||| protect you, but it will also disable the ability for you to use
||| File and Print Sharing between computers outside of your home
||| network (i.e. beyond your modem). It may also disable your ability
||| to log into Exchange e-mail servers without using VPN or another
||| secure connection method. 
||| 
||| 
||| What You Can Do To Prevent Infection
||| 
||| To prevent infection from this worm, go to
||| http://windowsupdate.microsoft.com and install the latest critical
||| updates. For more information on the vulnerability that this worm
||| exploits, and to find out which Symantec products can help alleviate
||| risks from this vulnerability, go to
||| http://securityresponse.symantec.com/avcenter/security/Content/8205.html.
|| 
|| 
|| If You Have Been Infected
|| 
|| You must stop the Trojan process by performing the following:
|| 
|| As soon as your computer boots up, press the Control, Alt, and Delete
|| buttons at the same time. This should open your Task Manager window.
|| Click the Processes tab. Double-click the Image Name column header to
|| alphabetically sort the processes. Scroll through the list and look
|| for a file called msblast.exe. Click to highlight the file and then
|| click the End Process button at the
|| bottom of the window.
|| Close the Task Manager window.
|| Open your browser and go to
|| http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html.
| 
| Follow the instructions for obtaining and running Symantec's
| W32.Blaster.Worm Removal Tool.
| Then, after running the tool, go to http://windowsupdate.microsoft.com
| and update your Windows operating system with the latest patches to
| prevent you from being infected again.
| 
| 
| 
| 
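
Added example, not part of the original thread or written by any of its participants: a small Python check of the reasoning above, expanding each candidate reading of the ISP's block list ("135-139" versus "135,139") and comparing it with the destination ports still seen in a firewall log. The log format, addresses and hit counts are constructed for illustration.

```python
from collections import Counter

# Constructed sample firewall log: date time proto src -> dst (not real data).
SAMPLE_LOG = """\
2003-08-14 09:02:11 UDP 192.0.2.10:1027 -> 198.51.100.5:137
2003-08-14 09:17:43 UDP 192.0.2.44:137 -> 198.51.100.5:137
2003-08-14 10:05:02 TCP 203.0.113.7:3321 -> 198.51.100.5:80
2003-08-14 10:41:59 UDP 192.0.2.91:1030 -> 198.51.100.5:137
2003-08-14 11:12:30 UDP 203.0.113.20:4102 -> 198.51.100.5:1434
"""

def parse_port_spec(spec):
    """Expand a spec such as '135-139,445' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port range: %r" % part)
        ports.update(range(lo, hi + 1))
    return ports

def inbound_hits(log_text):
    """Count hits per destination port; malformed lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[4] != "->":
            continue
        try:
            counts[int(fields[5].rsplit(":", 1)[1])] += 1
        except (IndexError, ValueError):
            continue
    return counts

def leaks(spec, log_text):
    """Ports the spec says are blocked upstream that still show hits."""
    blocked = parse_port_spec(spec)
    return {p: n for p, n in sorted(inbound_hits(log_text).items()) if p in blocked}

def consistent_specs(candidates, log_text):
    """Candidate block lists that the observed hits do not contradict."""
    return [s for s in candidates if not leaks(s, log_text)]

if __name__ == "__main__":
    for spec in ("135-139,445", "135,139,445", "137,139,445"):
        print(spec, "->", leaks(spec, SAMPLE_LOG) or "no contradiction")
```

A hit on a port contradicts a claimed inbound block; the absence of hits does not prove the port is blocked, only that nothing in the log disagrees.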