CriticalDance Forum

There's a new kid on the Virus block - w.32 Blaster, which was discovered on 11th August.

Here is the background information:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

and here is the removal tool infprmation:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

I had this today and don't know how I picked it up. The symptom is a message box :

*****************

System Shutdown

blah blah Initiated by NT Authority\System

Message

Windows must restart because the RPC service terminated unexpectedly

*****************

This happens between a few seconds and 5 minutes of connecting to the Internet. There is also an MS patch to close off the attack route. In my tired and emotional state I did not run the MS patch initially and I think I was reinfected.

Anyway it seems to be OK now. The UK Dell phone line had a recorded message on this theme this morning so I suspect I was not alone.

Make sure you're up to date with your virus software - yesterday morning's release is out of date!

<small>[ 12 August 2003, 10:31 AM: Message edited by: Stuart Sweeney ]</small>

A Cable Modem/DSL Router (with built-in firewall) can prevent this virus. I suggest you get one, even if you have only 1 computer attached to your cable modem or DSL router.

Je viens de détruire manuellement ce virus. (j'aurais dû mettre le patch Windows il y a quelques semaines. Cela aurait évité de l'attraper.)

1) j'ai éxécuté le "Manual Removal Instructions" en 4 étapes :
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547

2) puis, j'ai installé le Patch de Microsoft : (utile pour réparer la faille de Windows)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

<small>[ 13 August 2003, 03:09 PM: Message edited by: * jerome * ]</small>

Juste avant la réparation (j’ai fait une petite manipulation):

Avant qu'il me redémarre systématiquement mon ordinateur toutes les minutes, je suis allé dans les « services » de XP (panneau de configuration/outils d'administration) puis en sélectionnant le service "RPC". En modifiant, l'option « redémarrer » à la première défaillance, j’ai sélectionné l’option « ne rien faire ». J'ai empêché qu'il redémarre automatiquement mon ordinateur une nouvelle fois. J'ai pu alors détruire le virus en lisant les informations des sites ci-dessus et remettre le service « RPC » comme il était.

<small>[ 13 August 2003, 03:30 PM: Message edited by: * jerome * ]</small>

Windows users, here's a way to protect yourself:

1. Run Internet Explorer.

2. Click on "Tools" and then on "Windows Update".

3. When you get the "Welcome to Windows Update" screen, click on "Scan for updates".

4. Install any "critical" or "security" updates it recommends.

NOTE: KEEPING YOUR VERSION OF WINDOWS UPDATED, WHILE IMPORTANT, DOES NOT PRECLUDE THE NEED FOR VIRUS PROTECTION SOFTWARE SUCH AS THAT PRODUCED BY MACAFEE, SYMANTEC, OR GRISOFT.COM.

Thanks Salzberg. You know what bothers me the most about viruses. To design a computer virus must take a considerable amount of creative energy and talent, and i think it is such a shame that it is wasted on deliberately hurting people. How in the world do these peole justify themselves. What a lack of character.

Matthew, while I'm certainly no psychologist, I'm certainly Jung at heart and so I'm not at all a-Freud to offer my opinions....

I suspect that these folks feel powerless and underappreciated. This is their way of being in control.

There's one other thing you can do to protect yourself and limit the spread of viruses.

Many viruses (although not the worms we've heard of so much over the past few weeks) replicate themselves by emailing themselves to everyone in the user's Microsoft Outlook addressbook. The easy and obvious way to prevent this is...don't use Outlook or Outlook Express.

Also, I can assure you that the viruses are not originating from the criticaldance.com mail server. If you receive an infected file purportedly from someone at criticaldance.com, it is probably being sent instead from an infected Outlook or Outlook Express addressbook residing on a third party's PC.

It works like this: joeperson@mail.com has an address book that contains the following addresses: sallyfriend@yahoo.com and admin@criticaldance.com. The virus looks up the addresses and sends an email to sallyfriend@yahoo.com "signed" by admin@criticaldance.com or vice-versa. In the latter case, sallyfriend@yahoo.com may get a response from the criticaldance.com telling her she sent admin@criticaldance.com a virus even though she didn't even turn on her PC.

For example, a virus purportedly sent out by me turned out to have come from "NOKU (dt217-16.vemis.ee [212.47.217.16])" instead, which is not even in the same country as the criticaldance.com server.

The criticaldance.com server is protected from infiltration. Unfortunately, there are many others that are not.

<small>[ 24 August 2003, 05:42 PM: Message edited by: Azlan ]</small>

After some investigation, it looks the bulk of the viruses are coming from vemis.ee mail server (IP = 212.47.217.16). We are sending a message to the postmaster there. In the meantime, the criticaldance.com mail server will not accept any messages from vemis.ee or the IP 212.47.217.16.