[Dshield] Re: Possible variant of Blaster/Nachi/Welchia? (more)

Al Reust areust at comcast.net
Sat Sep 27 16:21:55 GMT 2003

Hello Alan

My First thing would let the boss know that I am shutting off Time Services 
for a short period of time within the network. Right now you have a small 
brush fire and the computers on the network should be able to keep track of 
their own time. So if you can turn that port completely Off, you then have 
a small number of machines to deal with. If you allow it to continue the 
you will have a forest fire.

Yes that goes against the grain about maintaining integrity of the network 
services. "They" use legitimate services against us. Then we have to adjust 
tactics to bring network services back to a normal state as quickly as 
possible. Containment!

You could also use the registry editor to connect to the affected machines 
and browse to HKEY_LOCAL_Machine \ Software \ Microsoft \  Windows \ Run
Remove the turd.
Depending on the W32 version, Check \ RunOnce, \ RunOnceEX Keys

Yes NT 4.0 and Win9.x uses a slightly different Key \ Windows NT  (if 
memory serves)

Then using the Resource Kit
shutdown \\badcomputer /R /T:10 /C

Then Monitor as the machine comes back up.

If you really wanted to be Brutal create a script in  your "netlogin" 
directory and add the key to the \RUN portion


cd \%SysteRoot%\system32
copy \\loginserver\netlogin\shutdown.exe
shutdown \\%Computername% /R T:45 "You have a computer that is causing 
Network Problems, Please contact the Help Desk and Identify you Name and 
Location. Someone will come to help correct the Problem." /C

So until that is removed from the registry it puts them in a 45 second loop.

Then back to education about Virus Signatures etc. Owners of the infected 
machine(s) should have special education.


Users are stupid - the higher the education level of the user, the more stupid.

At 06:07 AM 9/27/2003 -0400, you wrote:
>On Fri, 2003-09-26 at 14:08, Steven D. Smith wrote:
> > 
> >    Unlike W32.Sobig.E at mm, Sobig.F will not open the following ports to 
> listen for incoming UDP
> >    datagrams, as was previously 
> reported.
> >          995/udp 
> >          996/udp 
> >          997/udp 
> >          998/udp 
> >          999/udp 
> > 
> > 
> >    Network administrators should do the 
> following:
> >          Block outbound traffic on port 
> 8998/udp.
> >          Monitor NTP requests (port 123/udp), as these could be coming 
> from infected computers.
> >          (The frequency of such checks for an infected computer should 
> be once per hour.)
>I suppose I'm late getting in the game, but for those of us keeping
>score, is there a list somewhere of ports net admins should be blocking?
>I thought I had them covered, but people keep mentioning some higher UDP
>ports that I'm not so sure about, and I know that I don't know which
>ones have been compromised.
>While I'm at it, let me assume someone compromised a port that's been in
>use by something legit. I can't very well close that port without
>shutting off access to the legit service, so how can I protect the
>network in those instances?
>Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com
>Seeking an IT Mgmt/Network Admin position in the Tampa Bay Region
>If you would like to discuss an opportunity with me, please e-mail.
>list mailing list
>list at dshield.org
>To change your subscription options (or unsubscribe), see: 

More information about the list mailing list