[personal profile] doc_strange
Wormity worm.
The LoveSAN/MSBlaster worm is actually rather a dull one. One vector, and pretty trundled together.

https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf
http://www3.ca.com/virusinfo/virus.aspx?ID=36265
http://www.datafellows.com/v-descs/msblast.shtml
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547
http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
http://www.sophos.com/virusinfo/analyses/w32blastera.html
http://xforce.iss.net/xforce/alerts/id/150
http://vil.nai.com/vil/content/v_100547.htm
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=40369&sind=0

Just about on schedule, if you consider that the folks I work with said, "Get all servers patched by the 3rd, and all laptops by or around the 6th, and the desktops by the 11th."

Everyone saw this coming.

Still, it is spreading fairly far. Indeed, the news reports are not based on the real number of infections out there (would your employer run to CNN and yell, "Yeah, we wurz warned, but we dinna listen, and now we hozered!"? Didn't think so).

In reality, I've heard from large financial and insurance companies with just a couple dozen hozed laptops or remote user systems, while also hearing from a large manufacturing company of hundreds (and going rapidly up) of affected hosts. One company said it was just not a big deal; after all they "only" had 400 or so affected hosts.

One division of one company I know seemed to become suddenly, wildly infected (the network guru noticed when his virus protection software told him it had blocked the worm exe from running -- meaning he was vulnerable, and that close to being hozed). They started talking about cutting their corporate WAN connection to prevent infecting the rest of the company. Then they sheepishly admitted their patching might be a little behind... despite THREE WEEKS of warning... and two weeks of the corporate core performing upgrades on *20,000* hosts.

"Well it would have been disruptive to business." Yeah. Corporate core's 20,000 host upgrade was totally painless, you betcha!

Anyhow, they're living with their risk assessment results now.

(no subject)

Date: 2003-08-13 01:20 pm (UTC)
From: [personal profile] liana
So what is your opinion on Symantec's FixBlast worm removal tool?

(no subject)

Date: 2003-08-13 08:33 pm (UTC)
From: [identity profile] docstrange.livejournal.com
Hmm! I haven't used it, but I'd be pretty confident it works (this worm is pretty easy to clear off).

FixBlast is a little hyper-focused on the one worm and its variants. Most people don't know what they have, per se... so the best freebie is McAfee's Stinger. It's not as hyper-fast to add in variants as a one-off like the Symantec FixBlast, but I'd recommend it for most users who may not be sure what they've got on there.

http://vil.nai.com/vil/stinger/

Page generated Aug. 9th, 2025 05:55 am