[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <005901c36097$a239a1c0$7b5c1e41@valw2kpro01>
Date: Tue, 12 Aug 2003 01:04:46 -0500
From: "Arian J. Evans" <arian.evans@...foot.com>
To: "'akbara'" <tzu@...pstudios.com>, "'Gabe Arnold'" <f0x@...irrelsoup.net>
Cc: <full-disclosure@...ts.netsys.com>, <bugtraq@...urityfocus.com>,
<arian.evans@...hnetsecurity.com>
Subject: RE: what to do
et al,
# has she tried booting into safe mode ?
# then removing the msblast or what not program ?
If everyone hasn't seen it by now, the problem is endless
rebooting; we've seen it with a number of clients...good
luck updating before the system goes down again...
It's part of the offset the exploit uses and which OSes/events
it overwrites the proper part of the stack to exploit, and
which events it just crashes the OS...(the vast majority
of crashes we are seeing are XP, though some 2k server...)
Bottom line: the endless shutdown cycle is part of the story
of the worm, given the OS and how the worm hits it.
But there is a solution:
# cannot use Windows update because when the RPC is shutdown,
# SYSTEM automatically initiates a shutdown of the computer as
# you are all aware of. What is the best solution to keep data files
# intact while removing this worm?
The endless shutdowns are a result of getting banged on repeatedly
by this worm. Options:
NT 4.0: hmmm...probably disable RPC service...
Windows 2000: |Network|Local Area Connection (or whatever you
have named this)|Properties|Advanced|Options|>TCP/IP Filtering>
|Properties|x-enable TCP/IP filtering|
>Permit only on UDP and ICMP. Do not define.
>Permit only on TCP and define 80 and 443 (http and https).
Continue on to windowsupdate.microsoft.com and update w/out
further issue. Later, if you feel comfortable (or have the need),
relax your filter settings.
Windows XP: turn on the included firewall, found under the similar
options to above for 2k (sorry--I don't have an XP machine handy
or I'd list the exact steps...)
Good luck, Cheers,
Arian J. Evans
ps// if bugtraq cross-post is inappropriate, apology to admins
for having to remove. There's been a lack of OS-native controls
mitigation discussed on this issue...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists