
Subject: New windows security hole...


praxis22 ( ) posted Tue, 12 August 2003 at 5:36 AM · edited Fri, 13 September 2024 at 9:15 PM

Attached Link: http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp

Patch early, patch often, ladies and germs. Those of you with Windows Me and below are not affected.


c1rcle ( ) posted Tue, 12 August 2003 at 6:18 AM

Just because this one doesn't affect WinMe & lower doesn't mean those users can sit back. Keep patched & use AV & firewall software at all times when online whatever version of windows you use.


Dynamo ( ) posted Tue, 12 August 2003 at 7:09 AM

From what I have been able to discover the hole uses old NT code. It also affects Server 2003 as well. I would check the site to be sure.


x2000 ( ) posted Tue, 12 August 2003 at 7:55 AM

Attached Link: http://www.renderosity.com/messages.ez?ForumID=12377&Form.ShowMessage=1378432

Someone has already taken advantage of this hole.:( http://story.news.yahoo.com/news?tmpl=story&cid=569&ncid=578&e=8&u=/nm/20030812/tc_nm/tech_windows_worm_dc It even attacked me on dial-up!


JohnRender ( ) posted Tue, 12 August 2003 at 8:22 AM

Although this is excellent news and is a benefit to Windows users, why is this message in the Poser Forum? What does it have to do with Poser?


kbennett ( ) posted Tue, 12 August 2003 at 8:31 AM

This kind of info is important to all of us (Windows users), so an extra message in here is fine in my book.


Marque ( ) posted Tue, 12 August 2003 at 8:42 AM

I sure appreciate hearing about it! Thanks for the heads up. Marque


Spit ( ) posted Tue, 12 August 2003 at 8:51 AM

I checked and I have the patch installed. (823980) Got it with the automatic windows update. Please peoples, if you have XP don't disable the automatic updates. They'll save your behind.


Irish ( ) posted Tue, 12 August 2003 at 9:08 AM

Thanks Spit! I checked and I also have it from automatic update...wouldn't have known that though because I can never wade through all that bulletin jargon...I really don't know if I have XP 34 bit or 64??? where on earth would you find that out! Thank God for automatic updates! :) Irene


kuroyume0161 ( ) posted Tue, 12 August 2003 at 9:18 AM

Both my machines are patched. I hate automatic update as it sometimes tries to add updates that I know would screw up my system, so I have it set to notify before downloading and installing. A worm became active yesterday that's playing havoc with networks all over the place through the internet. My friend who works at Comcast called me yesterday and alerted me to the problem, but with no specifics. Just said to make sure that I'm up-to-date on the updates. He's still at work (all nighter). Curious Labs website is down. Kuroyume

C makes it easy to shoot yourself in the foot. C++ makes it harder, but when you do, you blow your whole leg off.

 -- Bjarne Stroustrup



PhilC ( ) posted Tue, 12 August 2003 at 9:34 AM

Does anyone know how this worm is delivered?



judith ( ) posted Tue, 12 August 2003 at 9:41 AM

Attached Link: http://msnbc-cnet.com.com/2100-1002_3-5062477.html?part=msnbc-cnet&tag=alert&form=feed&subj=cnetnew

From C-Net news: "The worm attacks Windows computers via a flaw in a component of the operating system that allows other computers to ask Windows systems to perform an action or service. Microsoft warned about the flaw July 16. The component, known as the remote procedure call (RPC) process, facilitates activities such as sharing files and allowing others to use a computer's printer. By sending too much data to the RPC process, an attacker can cause the system to grant full access to its resources. MSBlast installs the TFTP server and runs the program to download the MSBlast code to the compromised server. But the way the worm causes a compromised computer to download the file is very inefficient, Maiffret said. Moreover, although MSBlast can detect whether a machine is already infected, it has to compromise the machine again before it can check. Starting with a random Internet address, the worm sequentially scans for computers with the vulnerability. Because the scanning process is not completely random, the worm will likely cause a lot of excess traffic on the network. It also adds a registry key to ensure that the worm is restarted when the host computer is rebooted."

What we do in life, echoes in eternity.



x2000 ( ) posted Tue, 12 August 2003 at 10:00 AM

It turns out I was infected and didn't even know it! I patched XP as soon as the trouble started yesterday, but it was apparently too late. I updated Norton again this morning, ran it again, and there it was. Norton couldn't delete it, I had to go to Symantec and download a special removal tool. Seems to have worked, though I'm going to run Norton AGAIN just to make 100% sure. But again, since I patched everything seemed fine, but it was there and I didn't even know it. It was there. And I'm on dial-up for god's sake! I've always been good about protecting my machine and keeping up with updates, but from now on I'm going to be positively anal.;)


Redfern ( ) posted Tue, 12 August 2003 at 10:07 AM

DAMN! Looks like I caught the infernal thing! Odd thing is, if I leave my cable modem disconnected, the system will continue to run, but within 5 minutes of reconnecting the cable, I'll get the shutdown message. 60 seconds later, poof! What burns me is that I received my latest Norton files Thursday and my system ran its virus check the next day. Sincerely, Bill

Tempt the Hand of Fate and it'll give you the "finger"!


steveshanks ( ) posted Tue, 12 August 2003 at 10:14 AM

stung me too, damn thing, got it then the next day norton dloaded the latest files and told me i had it, bit late though, got the system cleaned and patched but i'm formatting anyway.....kinda lost my confidence with norton now :o(..Steve, on the laptop


c1rcle ( ) posted Tue, 12 August 2003 at 10:16 AM

Attached Link: Windows XP Home and Professional Service Configurations by Black Viper

another big reason to disable file & print sharing, check out the link for a list of services to shutdown. Also go to https://grc.com/x/ne.dll?bh0bkyd2 (Shields up) to check if your firewall is really shielding you from hackers attention.


judith ( ) posted Tue, 12 August 2003 at 10:32 AM

Symantec (http://www.symantec.com/) and Pandasoft (http://www.pandasoftware.com/download/utilities/) both have free cleaners out for those that are interested.....

What we do in life, echoes in eternity.



FishNose ( ) posted Tue, 12 August 2003 at 10:38 AM

My ADSL provider (Sweden's biggest phone co) got hit, hard. Almost all their servers went down, including customer services, so they couldn't even inform about it except thru media! All went down last night (17 hours ago). My router and HW firewall crashed, needed a factory reset. My SW firewall (PC-Cillin) recorded about 75 hits in a half hour when I connected using an old phone modem this morning... yuck. But I didn't get infected. It's worth having all that protection. The Blaster worm (this outbreak) hits XP and 2000 PCs thru ports 135 and 137. Close them down. And get the MS fix. Get it before the 16th. That is when all the world's infected PCs will hit the MS site (the whole point of the virus). Apparently each infected PC will poll the MS update site every 20 milliseconds, totally overloading it. It's going to be fun, (not). Hope MS is working on it! :] Fish
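The hit count FishNose describes can be read straight out of a firewall log. The Python below is an added example, not part of the original thread: it counts blocked inbound packets aimed at ports 135 and 137 per half hour and per source. The log layout, field names, addresses and sample lines are constructed assumptions, not the format of any particular product.

```python
from collections import Counter
from datetime import datetime

# Ports named in the post above as the ones Blaster traffic arrives on.
WATCHED_PORTS = {135, 137}

# Constructed sample in a space-separated "#Fields:" log style (assumed
# layout); addresses are documentation ranges, not real observations.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2003-08-12 09:01:10 DROP TCP 198.51.100.7 192.0.2.10 3312 135
2003-08-12 09:01:11 DROP TCP 198.51.100.7 192.0.2.10 3313 135
2003-08-12 09:04:52 DROP UDP 203.0.113.40 192.0.2.10 137 137
2003-08-12 09:12:03 OPEN TCP 192.0.2.10 203.0.113.80 1042 80
2003-08-12 09:29:59 DROP TCP 198.51.100.9 192.0.2.10 4021 135
2003-08-12 09:31:00 DROP TCP 198.51.100.7 192.0.2.10 3400 135
2003-08-12 09:40:15 DROP TCP 203.0.113.5 192.0.2.10 2210 445
this line is truncated
"""

def parse_log(text):
    """Yield one dict per well-formed record, keyed by the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed or truncated lines
        rec = dict(zip(fields, parts))
        try:
            stamp = rec["date"] + " " + rec["time"]
            rec["when"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            rec["dst-port"] = int(rec["dst-port"])
        except ValueError:
            continue  # unparseable timestamp or port
        yield rec

def blocked_probes(text, local_ip):
    """Dropped inbound packets aimed at the watched ports on local_ip."""
    return [r for r in parse_log(text)
            if r["action"] == "DROP" and r["dst-ip"] == local_ip
            and r["dst-port"] in WATCHED_PORTS]

def hits_per_half_hour(probes):
    """Count probes per 30-minute bucket, keyed by the bucket start time."""
    buckets = Counter()
    for r in probes:
        start = r["when"].replace(minute=0 if r["when"].minute < 30 else 30, second=0)
        buckets[start.strftime("%Y-%m-%d %H:%M")] += 1
    return dict(buckets)

def hits_per_source(probes):
    """Count probes per source address; repeat sources are likely infected hosts."""
    return Counter(r["src-ip"] for r in probes)
```
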


x2000 ( ) posted Tue, 12 August 2003 at 11:17 AM

Well, the removal program from Symantec did the trick, Norton came up clean this time. It's targeted at XP and 2000, so I guess there's no way x2000 was going to escape unscathed, huh?;)


ShadowRose ( ) posted Tue, 12 August 2003 at 11:25 AM

My company got hit yesterday with something like this.. it sucked, then the power went out and we all had to go home.


Irish ( ) posted Tue, 12 August 2003 at 12:19 PM

This may be a stupid question but, first off, I went to Shields Up! (thanks for that link - have certainly added it to my Favourites) and found I still have 3 ports open...what I would like to know is: 1. How do I close a Port? 2. If I close all ports, does this mean, automatic updates from both Norton and Windows can not get through? Thanks. :) Irene


Spit ( ) posted Tue, 12 August 2003 at 12:27 PM

Irish, you have XP. Enable the firewall.

Control Panel
Network Connections
Right-click your internet connection
Select Properties
Click the 'Advanced' tab
Put a checkmark next to "Internet Connection Firewall"

This is done for each network separately, so if you have more than one (I have a dialup connection and cable) do it for both. This will put you in Stealth mode and you'll be happy the next time you visit Shields Up! :)

No, it does NOT interfere with Norton or MS and autoupdates...those will still work fine.


praxis22 ( ) posted Tue, 12 August 2003 at 12:27 PM

I actually installed the patch, but it appears to have killed the interdrive NFS stuff that allows me to mount the UNIX system onto my PC, rolling back with the restore stuff in XP doesn't help. I doubt it will affect you, but beware it looks like it closes part of the DCOM protocol that other apps may rely on. later jb


c1rcle ( ) posted Tue, 12 August 2003 at 12:32 PM

Irish, having a firewall close those ports shouldn't stop Norton or Windows from updating, all the ports on my machine come up on shields up as stealth but I can still get the updates without any trouble. I did have problems with the XP firewall conflicting with Zonealarm but that's probably my fault so I shut it off. It seems like this new monster uses file & print sharing to start its dirty work so unless you really need it disabling it is a very good idea.


c1rcle ( ) posted Tue, 12 August 2003 at 12:34 PM

praxis, when I installed the patch in July I'm pretty sure there was a message attached saying it can't be uninstalled, but don't quote me on that as I'm not 100% sure.


Spit ( ) posted Tue, 12 August 2003 at 12:34 PM

Forgot to add that XP's firewall only blocks incoming, not outgoing. That's sufficient as long as you protect yourself from virii and trojans with Norton or something and check with Adaware or the like.


Spit ( ) posted Tue, 12 August 2003 at 12:35 PM

Irish, you have XP. Enable the firewall.

Control Panel
Network Connections
Right-click your internet connection
Select Properties
Click the 'Advanced' tab
Put a checkmark next to "Internet Connection Firewall"

This is done for each network separately, so if you have more than one (I have a dialup connection and cable) do it for both. This will put you in Stealth mode and you'll be happy the next time you visit Shields Up! :)

No, it does NOT interfere with Norton or MS and autoupdates...those will still work fine.


Spit ( ) posted Tue, 12 August 2003 at 12:35 PM

That's weird. I wrote message 27 before 26! LOL


RawArt ( ) posted Tue, 12 August 2003 at 12:45 PM

27 is also 22 so it is before :)


Spit ( ) posted Tue, 12 August 2003 at 12:53 PM

I think I hiccupped! Sorry about that. If XP's Firewall didn't interfere with Zone Alarm I'd be worried. Their functions overlap so stepping on each others toes would be normal I guess.


xoconostle ( ) posted Tue, 12 August 2003 at 1:07 PM

My mom's laptop got it, and she's on dial-up, only accesses the internet a few times a week. However, mom hasn't been the best about keeping her anti-virus updates. Her son has just written her a long e-mail advising of the wisdom of weekly A/V updates and firewall software. :-) As a far heavier 'net user, I think what may have helped this time is that I have both Windows and Norton set to automatically update. It's easy to forget to do so manually, and of course Norton and McAfee respond very quickly to reports of new threats. I suggest that my Renderosity compatriots set their A/V software to automatically update, especially if you're a download nut like me. I agree that this isn't fully on topic, and won't mind if the thread gets moved, but we in the Poser community are hugely reliant on the 'net for so much that it doesn't seem grossly off-topic.


Stormrage ( ) posted Tue, 12 August 2003 at 1:19 PM

I got this thing last week took forever for me to figure out how to get rid of it. I did find out that you really need to disable the port it attacks. Since i don't use that port anyway I did To see if that port is closed or hidden Grc read the article or scroll down to the bottom of the first table.


wheatpenny ( ) posted Tue, 12 August 2003 at 1:19 PM
Site Admin

My laptop got hit twice and my son's PC got it several times, (both are on dialup) but now I've got all 4 of my computers patched and updated. My main PC was spared because my daughter updated everything yesterday before it hit.




Jeff

Renderosity Senior Moderator

Hablo español

Ich spreche Deutsch

Je parle français

Mi parolas Esperanton. Ĉu vi?





SamTherapy ( ) posted Tue, 12 August 2003 at 2:07 PM

I didn't have the virus, but I do now have the updates. :)

Coppula eam se non posit acceptera jocularum.



rhiafaery ( ) posted Tue, 12 August 2003 at 2:08 PM

wipes some of the sweat off of her brow I already had the patch, plus when I went to ShieldsUP!, I apparently don't exist on the internet. LMAO. So that's a very good thing. I have Norton 2003, plus AdAware, plus Sygate Personal Firewall (which is free and REALLY GOOD, I highly recommend it) plus the normal XP firewall up. I'd rather be paranoid than reformatting. hehe


SamTherapy ( ) posted Tue, 12 August 2003 at 2:14 PM

"when I went to ShieldsUP!, I apparently don't exist on the internet. LMAO. So that's a very good thing." Me too. :)

Coppula eam se non posit acceptera jocularum.



praxis22 ( ) posted Tue, 12 August 2003 at 2:19 PM

Attached Link: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

http://slashdot.org/articles/03/08/12/1326237.shtml?tid=185&tid=190&tid=201 The one above is the link to the slashdot thread about the spread of the virus as well as some useful advice about how to get around some of the problems. The top link is for the removal tool. I say this because allegedly the patch doesn't work for all people, so "watch your back" later jb


praxis22 ( ) posted Tue, 12 August 2003 at 2:26 PM

Attached Link: http://www.securityfocus.com/archive/75/332694/2003-08-09/2003-08-15/0

This is the "my patch didn't work" link later jb


c1rcle ( ) posted Tue, 12 August 2003 at 2:30 PM

apparently this virus is set to go off again on August 16th & it's been using Microsoft's update pages to spread itself


FishNose ( ) posted Tue, 12 August 2003 at 2:47 PM

No c1rc, it's the other way round - it's programmed to hit the MS pages from all sides on the 16th. And every day after that. :] Fish


SWAMP ( ) posted Tue, 12 August 2003 at 3:20 PM

Yea..I got slammed with it yesterday. By chance I got the latest updates from Norton over the weekend...but it still wasn't detected. I found and deleted the msblast.exe, but as soon as I got online to get the patch...got it again (less than a min...with XP firewall on). So can't get the patch without getting online...and can't get online without getting the worm, and getting shutdown....talk about Catch22. Pulled out my old puter with Win98 (unaffected by msblast)...got online..got the patch, now up and running.....but I'm still going to reformat, just to be safe. BTW..none of my friends that use AOL got hurt by it for some reason. SWAMP


Khai-J-Bach ( ) posted Tue, 12 August 2003 at 3:44 PM

frakbats! I was hit by this.. and went through hoops trying to track down what on my system was going wrong... only just recovered from screwing up my network subsystem! LOL thanks for the heads up.. making sure I'm clear and updated now... Kai



A_ ( ) posted Tue, 12 August 2003 at 3:54 PM

I am SO not a technical person.... I was infected as well (currently I am not on my PC). I found the msblast.exe and deleted it, and also deleted it from the registry. Still no go, so I downloaded the removal tool, and obviously it couldn't scan because the computer kept shutting down. So I opened it in safe mode. Now it could scan. At the end of the scan it said that this worm was not on my computer. Ok, I restart the computer, and guess what - I got the same error and "system will shut down in one minute" or however it's phrased. Any ideas what I can do, other than reformat the computer?....


Mesh_Magick ( ) posted Tue, 12 August 2003 at 3:56 PM

security holes are built in so the government can check up on what you're doing, it's part of the homeland security act.


Dizzie ( ) posted Tue, 12 August 2003 at 4:01 PM

you guys keep saying, "I got it", but HOW did you get it?


x2000 ( ) posted Tue, 12 August 2003 at 4:01 PM

Did you get the patch, too? You have to install the patch whether you removed the virus or not, or else you just keep getting attacked (and infected). It's the attack that keeps causing your computer to restart, the patch should correct that. The worm itself doesn't seem to be doing anything yet that I could see, I didn't even realize I had it until Norton spotted it.


A_ ( ) posted Tue, 12 August 2003 at 4:06 PM

I just don't know how to get that patch and install it if my PC keeps shutting down. Where is the patch? The link in the first post of this thread? (like I said - I'm not much of a technical person) :)


x2000 ( ) posted Tue, 12 August 2003 at 4:09 PM

The worm attacks any vulnerable systems. Supposedly, the restarting thing meant that the attack was unsuccessful (and it will keep attacking over and over and make your computer restart over and over, which is crippling computers worldwide). Apparently, that's not true, even if your computer restarts, the worm still may have gotten through, it did on mine.


x2000 ( ) posted Tue, 12 August 2003 at 4:15 PM

Yep A_, the link in the first post has the download. As far as how to get it... My advice is to get someone to download the EXE for you and put it on disc so you can install it without accessing the internet. That's what I did, downloaded it on my old spare 98SE computer and put it on disc.


FishNose ( ) posted Tue, 12 August 2003 at 4:17 PM

Dizzie, one gets it straight off the web. Other infected PCs, any PC anywhere, go out and look for unprotected PCs to hit. If you don't have a firewall or a good antivirus app, you're at risk - every time you get onto the web. It doesn't come via Outlook, the usual path these days, neither does it need for a file to be opened. It uses a security breach in Win2000 that was discovered last month to go straight into your Windows system. Then your PC becomes one of those trying to spread to everyone else.... anyone else. Hundreds of thousands of machines including a helluva lot of servers have been hit all over the world. Whole corporations... Example: X takes his/her laptop home over the weekend. Gets on the web, drops into Rosity etc. While surfing, the PC gets hit. It just behaves a bit oddly, but nothing special. On Monday he/she takes the laptop back to work, connects it to the intranet there and (now inside the company firewall!!!) instantly the virus infects every XP or Win2K PC on the corporate intranet. Boom.... :] Fish


x2000 ( ) posted Tue, 12 August 2003 at 4:21 PM

"Gets on the web, drops into Rosity etc." Funny you should mention that, since this is where I was when I first got hit.:/

