RE: [Full-Disclosure] Re: new msblaster on the loose?

From: Robert Ahnemann (rahnemann_at_affinity-mortgage.com)
Date: 08/14/03

    To: "Jay Woody" <jay_woody@tnb.com>, <list@dshield.org>, <full-disclosure@lists.netsys.com>, <david.vincent@mightyoaks.com>, <incidents@securityfocus.com>
    Date: Thu, 14 Aug 2003 11:19:12 -0500
    
    

    If it exploits the same vulnerability, won't it be LESS effective since many people have been hit and thus patched their systems? Wouldn't an effective blaster variant find a different loophole?

    -----Original Message-----
    From: Jay Woody [mailto:jay_woody@tnb.com]
    Sent: Thursday, August 14, 2003 10:12 AM
    To: list@dshield.org; full-disclosure@lists.netsys.com; david.vincent@mightyoaks.com; incidents@securityfocus.com
    Subject: [Full-Disclosure] Re: new msblaster on the loose?

    Guys, not to be weird, but wtf does this mean?

    >> And it says that's likely to mean a repeat of the outbreak we've seen during
    >> this week. The new variety of Lovesan exploits the same vulnerability.
    >>
    >> Kaspersky says that the number of infected systems is around the 300,000
    >> mark, and the new variety may double this number.
    >>
    >> "In the worst case, the world community can face a global Internet slow down
    >> and regional disruption... to the World Wide Web," said Eugene Kaspersky,
    >> head of the labs.

    If people got hit and they patched, then how will this be a repeat?
    How will the numbers DOUBLE?! "In the worst case . . . "? No, in the
    worst case, New Kids on the Block could start a reunion tour. Give me a
    break, the first one hit, surely a bunch of people patched (even some of
    the people that didn't beforehand are surely smart enough to realize the
    error of their way now right?!). So any future infection is bound to be
    less unless it has figured out a different way to exploit it (in which
    case it really isn't the same worm is it?) or figures out a way to scan
    IP addresses that the first one didn't. I don't see anything saying
    that this worm is any different than the first one in those cases, so
    sounds like FUD to me.

    JayW

    >>> David Vincent <david.vincent@mightyoaks.com> 08/13/03 12:23PM >>>
    anyone else seeing this?

    ---------------

    http://www.theinquirer.net/?article=11018

    New version of Blaster worm on the loose
    Already

    By INQUIRER staff: Wednesday 13 August 2003, 16:51
    KASPERSKY LABS claimed this afternoon that there's already a new version of
    the Blaster/Lovesan worm on the loose.

    And it says that's likely to mean a repeat of the outbreak we've seen during
    this week. The new variety of Lovesan exploits the same vulnerability.

    Kaspersky says that the number of infected systems is around the 300,000
    mark, and the new variety may double this number.

    "In the worst case, the world community can face a global Internet slow down
    and regional disruption... to the World Wide Web," said Eugene Kaspersky,
    head of the labs.

    The new variety uses the name TEEKIDS.EXE instead of MSBLAST.EXE, different
    code compression, and different signatures in the body of the worm.

    ---------------

    David Vincent CNA/MCSE
    Network Administrator

    www.mightyOaks.com
    david.vincent@mightyoaks.com

    MIGHTY OAKS WIRELESS SOLUTIONS INC.
    209-3347 Oak Street
    Victoria, B.C. Canada V8X 1R2
    Phone: 250.386.9398 Fax: 250.386.9399
    Pager: 250.380.4575 Cell: 250.884.3000

    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html