[unisog] MSBlast and McAfee AV

Steven Lee sl8c at unix.mail.virginia.edu
Wed Aug 13 16:11:50 GMT 2003


The symptoms could mean the wrong Windows version exploit is being used
and/or the attack crashed the RPC service.  Apparently one exploit is
designed for XP and the other for 2000.  I've seen 2000 machines where
copy/paste and IE don't work and the computer gives RPC errors but there
are no strange applications listening on odd ports.

Steven Lee
IS Engineer
UVA Radiology

-----Original Message-----
From: Juvinall Peter Stanley [mailto:psjuvina at exchange.cob.ilstu.edu]
Sent: Tuesday, August 12, 2003 12:16 PM
To: unisog at sans.org
Subject: RE: [unisog] MSBlast and McAfee AV


We have several infections here - as far as what I've seen if the system
is infected, it will give you the option to delete the file, but won't
clean it.  Fixblast.exe is available from Symantec and does quite well:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Some things I've noticed here:

 - The worm removes a lot of the ability to view different metrics on
the computer.  I couldn't go into add/remove programs while the worm was
on the machine to check the status of what hotfixes are on the machine

 - Many users are commenting that network drives are not available.
While not a sure fire indicator, if someone complains that they can't
see a file on a server, the worm could have gotten to their machine


Where we got stuck was I made a concerted effort to get all
faculty/staff machines updated a couple of weeks ago.  I pushed out
Windows Update via a GPO and thought that took care of it.  Many of the
machines had a lower service pack on them and the GPO does not update
the service pack, just relevant hotfixes.  The patch in question needs
at least SP2 on Windows 2000 in order to work; if it's not there it
won't install.  Some machines didn't have that and those were the ones
that got attacked.

--pete

Pete Juvinall
Systems Administrator
College of Business - Illinois State University psjuvin at ilstu.edu
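The deployment gap Pete describes above (a GPO pushes the hotfix, but the hotfix refuses to install on Windows 2000 boxes below SP2, so those machines look "handled" until they get hit) is worth surfacing in an inventory report before the push, not after. The following is an added example, not code from this thread or from anyone posting in it: it parses a constructed inventory export and sorts each host into "patched", "pending", or "blocked-by-sp" so the service-pack stragglers are visible up front. The SP2 floor for Windows 2000 comes from Pete's message; the Windows XP floor, the hotfix identifier `KB-PLACEHOLDER`, and the CSV column layout are assumptions made for the example.

```python
"""Patch-readiness triage for a hotfix that has a service-pack prerequisite.

Added example for the unisog MSBlast thread, not the list's or any poster's code.
Models the failure mode in Pete's message: a GPO-driven Windows Update push only
installs the hotfix on machines already at the required service pack, so the
report must separate "patched", "not reached yet" and "cannot apply yet".
"""
import csv
import io
from dataclasses import dataclass, field

# Minimum service pack the hotfix needs, per OS.  Windows 2000 -> SP2 is from
# the thread; the Windows XP entry (RTM, i.e. SP0, is eligible) is an assumption.
SP_FLOOR = {"Windows 2000": 2, "Windows XP": 0}

# Placeholder: the thread never names the hotfix, so no real KB number is used.
HOTFIX_ID = "KB-PLACEHOLDER"


@dataclass
class Host:
    name: str
    os: str
    service_pack: int
    hotfixes: set = field(default_factory=set)


def parse_inventory(text):
    """Parse a constructed CSV export: host,os,sp,hotfixes (';'-separated)."""
    hosts = []
    for row in csv.DictReader(io.StringIO(text)):
        installed = {h.strip() for h in row["hotfixes"].split(";") if h.strip()}
        hosts.append(Host(row["host"], row["os"], int(row["sp"]), installed))
    return hosts


def classify(host, hotfix=HOTFIX_ID, floor=SP_FLOOR):
    """Return the deployment state of one host for the given hotfix."""
    if host.os not in floor:
        return "unsupported-os"          # not a target of this hotfix at all
    if hotfix in host.hotfixes:
        return "patched"
    if host.service_pack < floor[host.os]:
        return "blocked-by-sp"           # the GPO push will silently fail here
    return "pending"                     # eligible, just not reached yet


def triage(hosts, hotfix=HOTFIX_ID, floor=SP_FLOOR):
    """Group host names by deployment state; the blocked list is the action item."""
    report = {}
    for h in hosts:
        report.setdefault(classify(h, hotfix, floor), []).append(h.name)
    return report


# Constructed sample inventory; host names and service-pack levels are made up.
SAMPLE_CSV = """host,os,sp,hotfixes
rad-ws01,Windows 2000,4,KB-PLACEHOLDER;KB-OTHER
rad-ws02,Windows 2000,1,
rad-ws03,Windows 2000,3,KB-OTHER
cob-ws10,Windows XP,0,
lab-nt4,Windows NT 4.0,6,
"""

if __name__ == "__main__":
    for state, names in sorted(triage(parse_inventory(SAMPLE_CSV)).items()):
        print(f"{state:14s} {', '.join(names)}")
```

The useful output is the `blocked-by-sp` bucket: those are the hosts a hotfix-only push will never fix, so they need a service-pack upgrade (or isolation) first, while `pending` hosts are the ones the GPO can still reach.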



-----Original Message-----
From: Anderson Johnston [mailto:andy at umbc.edu]
Sent: Tuesday, August 12, 2003 8:14 AM
To: unisog at sans.org
Subject: [unisog] MSBlast and McAfee AV


Anybody else using McAfee out there?  Update 4284 is supposed to detect
MSBlast and we can't seem to get it to do so.

						- andy

------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
------------------------------------------------------------------------------
