[unisog] MSBlast and McAfee AV

Juvinall Peter Stanley psjuvina at exchange.cob.ilstu.edu
Tue Aug 12 16:16:08 GMT 2003

We have several infections here - from what I've seen, if the system
is infected, it will give you the option to delete the file, but won't
clean it.  Fixblast.exe is available from Symantec and does quite well:


Some things I've noticed here:

 - The worm removes a lot of the ability to view different metrics on
the computer.  I couldn't go into add/remove programs while the worm was
on the machine to check the status of what hotfixes are on the machine

 - Many users are commenting that network drives are not available.
While not a surefire indicator, if someone complains that they can't
see a file on a server, the worm could have gotten to their machine

Where we got stuck was that I made a concerted effort to get all
faculty/staff machines updated a couple of weeks ago.  I pushed out
Windows Update via a GPO and thought that took care of it.  Many of the
machines had a lower service pack on them and the GPO does not update
the service pack, just relevant hotfixes.  The patch in question needs
at least SP2 on Windows 2000 in order to work, if it's not there it
won't install.  Some machines didn't have that and those were the ones
that got attacked.


Pete Juvinall
Systems Administrator
College of Business - Illinois State University
psjuvin at ilstu.edu

-----Original Message-----
From: Anderson Johnston [mailto:andy at umbc.edu] 
Sent: Tuesday, August 12, 2003 8:14 AM
To: unisog at sans.org
Subject: [unisog] MSBlast and McAfee AV

Anybody else using McAfee out there?  Update 4284 is supposed to detect
MSBlast and we can't seem to get it to do so.

						- andy

** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
