HPE Community
BackOffice Products
1822025 Members
3405 Online
109639 Solutions
New Discussion юеВ

Re: Blaster worm

 
Tim Stouder
New Member

тАО10-17-2003 12:40 AM

тАО10-17-2003 12:40 AM

Blaster worm

I have all of my machines patched and cleaned. Whenever we setup a new machine with xp (before being patched) it gets the blaster worm. We are behind a cisco pix with all of the ports blocked. Any help on how to find the worm?
0 Kudos
6 REPLIES 6
Norman_21
Honored Contributor

тАО10-17-2003 01:18 AM

тАО10-17-2003 01:18 AM

Re: Blaster worm

When you setup WinXP, make sure it's not connected to the internet. Download the BlasterWorm patch as well as the removal tool and burn them into a CD.
Patch the WinXPs before you connect them to the internet, then you can carry on doing your work! Here is the link, it should take you to the patch as well in M$ site, there is a tool which you can download and run to scan the network for any unpatched Win2k PC, please take your time to read about it in the M$ site:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
"Attitudes are contagious, is yours worth catching"/ My first point was given by SEP on January 31, 2003
0 Kudos
Tim Stouder
New Member

тАО10-17-2003 01:22 AM

тАО10-17-2003 01:22 AM

Re: Blaster worm

The blaster is hiding somewhere in our network. All machines are patched. IS there a scanner to sniff the network to find the worm?
0 Kudos
Norman_21
Honored Contributor

тАО10-17-2003 01:39 AM

тАО10-17-2003 01:39 AM

Re: Blaster worm

My concern is to install a Server Anti-Virus and update the definition file and then roll out to all the clients, check the log file at the server side and it'll tell you which computer is infected, then go to that PC and remove the Virus, that's it!
The Anti-Virus is Norton Corp Edition 8.0 Server/Client software.
Make sure you enable the firewall if you have a stand alone PC.
Here is the BlasterWork FAQ from M$:
http://www.microsoft.com/security/incident/blast_faq.asp

http://www.microsoft.com/security/incident/blast.asp

if you found another way, please let us know what you did.
Good luck!
"Attitudes are contagious, is yours worth catching"/ My first point was given by SEP on January 31, 2003
0 Kudos
Ron Kinner
Honored Contributor

тАО10-17-2003 04:27 AM

тАО10-17-2003 04:27 AM

Re: Blaster worm

Microsoft provided a scanner to see if all PCs on a network were patched.

http://support.microsoft.com/default.aspx?scid=kb;en-us;827363

It's also very easy to spot one with a sniffer. There are several freeware/shareware sniffers around. www.snort.org offers a free intrusion detector program which doubles as a sniffer. It can be set up to detect suspicious activity and pin point the source.

Ron
0 Kudos
Ron Kinner
Honored Contributor

тАО10-17-2003 04:31 AM

тАО10-17-2003 04:31 AM

Re: Blaster worm

Another quick way to determine if there is a worm around is to run zone alarm from www.zonelabs.com. It will tell you everytime your PC gets pinged or hit with a 137 or 445 packet and the alarm tells you the source. Note that some versions of the worm fake the IP address so you may have to go by the MAC and trace it back through the switch network.

Ron
0 Kudos
Jon Finley
Honored Contributor

тАО10-17-2003 04:55 AM

тАО10-17-2003 04:55 AM

Re: Blaster worm

Add to Ron's ports with 707 (Natchi) and 4444.

Jon
"Do or do not. There is no try!" - Yoda
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.