Posted: 2003-08-11 08:31pm
by phongn
There's no need to yell.

Posted: 2003-08-11 09:40pm
by Rye
phongn wrote:
Rye wrote:Where the fuck does it come from originally? It comes back if you delete it. It's located in windows/system32 iirc, and has an accompanying .pn file. There's also a weird file called "wowpost.exe" in system. It didn't say it was made by Microsoft so I deleted that too.
It's a worm that automatically replicates itself.

WOWPOST is an ASPI driver. If you experience things like CD burning or ripping applications failing, figure out a way to get it back in.
Nuts! I'll ask people on MSN if they have it :|[/dumbass]

Posted: 2003-08-11 10:39pm
by phongn
You also need to match publisher and version numbers, you can't just mix and match them.

Posted: 2003-08-11 10:55pm
by lukexcom
phongn wrote:There's no need to yell.
Hehe, just thought it would add character to my post, maybe make it a bit more dramatic, eh? :)

Posted: 2003-08-11 10:55pm
by Alan Bolte
Yeah, I just had to deal with that. Fuckers. Did you guys see the newspost on Penny Arcade? Funny shit.

Posted: 2003-08-11 11:21pm
by lukexcom
Lol! Good shit they posted. :lol:

Well, the stuff I posted about earlier up in this thread worked for me, so my comp had a total downtime of maybe 15 minutes. I wonder if Something Awful will feature a column related to this worm/virus thing.

Posted: 2003-08-11 11:33pm
by lukexcom
Removal instructions for the W32.Blaster.Worm:
http://securityresponse.symantec.com/av ... assessment

Do what they say and you'll be fine.

Posted: 2003-08-12 12:21am
by Axis Kast
I have Zone Alarm up and running. That should keep me covered, no?

Posted: 2003-08-12 12:24am
by MKSheppard
http://securityresponse.symantec.com/av ... .worm.html

W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. It will attempt to download and run the file Msblast.exe.

You should block access to TCP port 4444 at the firewall level, and block the following ports, if they do not use the applications listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

The worm also attempts to perform a Denial of Service on windowsupdate.com. This is an attempt to disable your ability to patch your computer against the DCOM RPC vulnerability.
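As an added, defender-side example (not from the thread or from Symantec): correlating the three stages described above in firewall logs, so that a successful infection (accepted TCP 135, accepted TCP 4444, then a TFTP fetch on UDP 69 back to the same source) is separated from probes the firewall already dropped. The log line format and the sample lines are constructed for this example.

```python
# Added example (not from the thread): correlate the Blaster footprint the
# Symantec excerpt describes: inbound TCP 135 (DCOM RPC exploit), inbound
# TCP 4444 (the shell the worm opens), then the victim pulling msblast.exe
# over TFTP (UDP 69) from the same attacker.  Log format is constructed.
from collections import defaultdict

# Constructed sample lines: time action proto src:port -> dst:port
SAMPLE_LOG = """\
12:00:01 ACCEPT TCP 10.0.0.7:3321 -> 192.168.1.5:135
12:00:02 ACCEPT TCP 10.0.0.7:3322 -> 192.168.1.5:4444
12:00:03 ACCEPT UDP 192.168.1.5:1040 -> 10.0.0.7:69
12:00:05 ACCEPT TCP 10.0.0.9:4455 -> 192.168.1.5:80
12:00:06 DROP TCP 10.0.0.12:3300 -> 192.168.1.5:135
"""

def parse_line(line):
    """Return (action, proto, src_ip, src_port, dst_ip, dst_port) or None."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    _time, action, proto, src, _arrow, dst = parts
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return action, proto, src_ip, int(src_port), dst_ip, int(dst_port)

def find_blaster_sequences(log_text):
    """Return (hits, blocked_probes).  hits are (attacker, victim) pairs with
    all three stages on ACCEPTed traffic; blocked_probes are dropped 135
    connections, i.e. the firewall doing its job."""
    stages = defaultdict(set)   # (attacker, victim) -> stages seen
    blocked_probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action, proto, src_ip, _sp, dst_ip, dst_port = rec
        if action != "ACCEPT":
            if proto == "TCP" and dst_port == 135:
                blocked_probes.append((src_ip, dst_ip))
            continue
        if proto == "TCP" and dst_port == 135:
            stages[(src_ip, dst_ip)].add("rpc")
        elif proto == "TCP" and dst_port == 4444:
            stages[(src_ip, dst_ip)].add("shell")
        elif proto == "UDP" and dst_port == 69:
            # TFTP flows victim -> attacker, so key it as (attacker, victim)
            stages[(dst_ip, src_ip)].add("tftp")
    hits = sorted(p for p, s in stages.items() if {"rpc", "shell", "tftp"} <= s)
    return hits, blocked_probes
```

A host that shows up in `hits` needs the full removal procedure plus the patch; one that only appears in `blocked_probes` was saved by the firewall but should still be patched before it is exposed.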

Posted: 2003-08-12 12:25am
by Pu-239
Axis Kast wrote:I have Zone Alarm up and running. That should keep me covered, no?
:roll:
READ THE DAMN THREAD!

Posted: 2003-08-12 12:28am
by Pu-239
lukexcom wrote:HERE is the SOURCE to ALL of our problems:
http://www.msnbc.com/news/951168.asp?0dm=B12PT
At least they used proper terminology. My local NBC station called it a "virus" :roll:

Posted: 2003-08-12 12:35am
by phongn
Axis Kast wrote:I have Zone Alarm up and running. That should keep me covered, no?
Axis, read the entire thread. You must have your machine patched and your firewall properly configured in order to block this attack.

Posted: 2003-08-12 12:36am
by phongn
MKSheppard wrote:The worm also attempts to perform a Denial of Service on windowsupdate.com. This is an attempt to disable your ability to patch your computer against the DCOM RPC vulnerability.
The first DDOS attack will not occur until the 16th, but it would be good to fix your box first.

Posted: 2003-08-12 12:46am
by Axis Kast
Can anybody tell me how to use Zone Alarm to do what needs to be done?

Posted: 2003-08-12 10:06am
by Keevan_Colton
I got hit by this the other day....my little brother fucked up the firewall while I was away and I came home to a slowly dying computer.....

Fortunately it's all better now.....
:D

Posted: 2003-08-12 02:00pm
by Vendetta
Be aware that running the removal tool does not guarantee that you won't see this again.

For best practice removal:

1. Disconnect from internet - you won't get RPC errors when not connected.
2. Go to My Computer -> Manage - Services - RPC - Recovery and set all three fields at the top to 'take no action'. This stops the reboots.
3. Turn off System Restore (if using XP)
4. Download and install security patch 823980
5. Run the removal tool.
6. Reverse steps 2 & 3.

Earlier today the infection rate was so high that a vulnerable system could be infected within 30 seconds of connecting to the internet

Posted: 2003-08-12 02:12pm
by phongn
You shouldn't need to install System Restore, IIRC. It recognizes new patches as legitimate.

Posted: 2003-08-12 03:05pm
by Vendetta
You disable it because if the computer has made a system checkpoint (or other restore point) whilst infected, it will considerately back up the virus for you as well.

Returning to that restore point will re-infect.

Disabling System Restore in Windows XP will delete all the restore points it's created, circumventing this problem.

Turning System Restore off is good practice when dealing with any virus infection.

(All you need to do is go to System Properties -> System Restore, and click Turn off system restore for all drives)

Posted: 2003-08-12 03:21pm
by Einhander Sn0m4n
Umm guys, I have Kerio running, and I automatically set it to block 135, 137, 138, and 139.

I forgot to apply the patch.

Result: Nothing. It couldn't hit me. And my ping to my favorite Quake servers isn't sky-high either. Thanks Kerio. :D

Posted: 2003-08-12 04:49pm
by Axis Kast
Where do I get the patch? And how do I configure Zone Alarm to defend my computer?

Posted: 2003-08-12 04:57pm
by phongn
Alas, not many people here use ZoneAlarm, but Windows Networking should be blocked if you don't use it (I'm assuming you're at home and on a standalone computer).

The patch is available from Windows Update.

Posted: 2003-08-12 05:06pm
by Vendetta
The patch is from Microsoft.

You can't configure port blocking on bog-standard ZoneAlarm, you can only use the default configuration for what type of packet is allowed to communicate to what port. (which basically only includes HTTP to port 80, and mail/news protocols to the respective ports)

This is overridden if the packet is part of an active communication session with a program that's secured as a server program on your system.

Posted: 2003-08-12 05:11pm
by Axis Kast
I got a bunch of critical updates last night. I should be all right then?

Posted: 2003-08-12 05:36pm
by Crayz9000
Axis Kast wrote:I got a bunch of critical updates last night. I should be all right then?
Until the next bug comes out into the open, supposedly.

Posted: 2003-08-12 06:12pm
by Axis Kast
What's the risk of infection by BLAST?