They're heeeeee-eeeeeeere!
Aug. 12th, 2003 10:10 pm
Wormity worm.
The LoveSAN/MSBlaster worm is actually rather a dull one. One vector, and pretty trundled together.
https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf
http://www3.ca.com/virusinfo/virus.aspx?ID=36265
http://www.datafellows.com/v-descs/msblast.shtml
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547
http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
http://www.sophos.com/virusinfo/analyses/w32blastera.html
http://xforce.iss.net/xforce/alerts/id/150
http://vil.nai.com/vil/content/v_100547.htm
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=40369&sind=0
Just about on schedule, if you consider that the folks I work with said, "Get all servers patched by the 3rd, and all laptops by or around the 6th, and the desktops by the 11th."
Everyone saw this coming.
Still, it is spreading fairly far. Indeed, the news reports are not based on the real number of infections out there (would your employer run to CNN and yell, "Yeah, we wurz warned, but we dinna listen, and now we hozered!"? Didn't think so).
In reality, I've heard from large financial and insurance firms with just a couple dozen hozed laptops or remote user systems, while also hearing from a large manufacturing company of hundreds (and going rapidly up) of affected hosts. One company said it was just not a big deal; after all they "only" had 400 or so affected hosts.
One division of one company I know seemed to become suddenly, wildly infected (the network guru noticed when his virus protection software told him it had blocked the worm exe from running -- meaning he was vulnerable, and that close to being hozed). They started talking about cutting their corporate WAN connection to prevent infecting the rest of the company. Then they sheepishly admitted their patching might be a little behind... despite THREE WEEKS of warning... and two weeks of the corporate core performing upgrades on *20,000* hosts.
"Well it would have been disruptive to business." Yeah. Corporate core's 20,000 host upgrade was totally painless, you betcha!
Anyhow, they're living with their risk assessment results now.
(no subject)
Date: 2003-08-13 01:20 pm (UTC)

(no subject)
Date: 2003-08-13 08:33 pm (UTC)
FixBlast is a little hyper-focused on the one worm and its variants. Most people don't know what they have, per se... so the best freebie is McAfee's Stinger. It's not as hyper-fast to add in variants as a one-off like the Symantec FixBlast, but I'd recommend it for most users who may not be sure what they've got on there.
http://vil.nai.com/vil/stinger/