Lovesan / Blaster - aktuelle Informationen

#16 Nunjalso......es gibt wohl bereits Modifikationen des Wurms.
http://www.kaspersky.com/de/news.html?id=955630
__________
Durchsuchen --> Aussuchen --> Untersuchen

#17 For the most recent news about Blaster, it is very important that you visit the Security page: http://go.microsoft.com/?linkid=220821. You will also find tips for helping Friends, family, and colleagues.

In This Newsletter:
- Who Is Affected
- Impact of Attack
- Actions to Take
- Technical Details
- Recovery
- Related Knowledge Base
- Related Microsoft Security Bulletins
- Tips for Helping Friends, Family, and Colleagues

At 11:34 A.M. Pacific Time on August 11, Microsoft began investigating a worm reported by Microsoft Product Support Services (PSS). Several antivirus companies have responded and written tools to remove the Blaster worm.

Who Is Affected?
Users of the following products are affected:
- Microsoft® Windows NT® 4.0
- Microsoft Windows® 2000
- Microsoft Windows XP
- Microsoft Windows ServerT 2003

The worm was discovered August 11. Customers who had previously applied the security patch MS03-026 are protected.

To determine if the worm is present on your machine, see the technical details below.

Actions for Network Administrators
Managers of networked computers should read the Microsoft Product Support Services (PSS) Security Response Team alert for technical guidance: http://go.microsoft.com/?linkid=220822

Technical Details:
This worm scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability patched by MS03-026: http://go.microsoft.com/?linkid=220823
Once the Exploit code is sent to a system, it downloads and executes the file MSBLAST.EXE from a remote system via TFTP. Once run, the worm creates the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill

Symptoms of the virus: Some customers may not notice any symptoms at all. A typical symptom is the system reboots every few minutes without user input. Customers may also see:
- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory

To detect this virus, search for msblast.exe in the WINDOWS SYSTEM32 directory or download the latest antivirus software signature from your antivirus vendor and scan your machine.
For additional information on recovering from this attack, please contact your preferred antivirus vendor.

Recovery:
Many antivirus companies have written tools to remove the known exploit associated with this particular worm. To download the removal tool from your antivirus vendor, follow the procedures outlined below.

For Windows XP
1. If your computer reboots repeatedly, please unplug your network cable from the wall.
2. First, enable Internet Connection Firewall (ICF) in Windows XP: http://go.microsoft.com/?linkid=220824
--In Control Panel, double-click "Networking and Internet Connections", and then click "Network Connections".
--Right-click the connection on which you would like to enable ICF, and then click "Properties".
--On the Advanced tab, click the box to select the option to "Protect my computer or network".
3. Plug the network cable back into the wall to reconnect your computer to the Internet
4. Download the MS03-026 security patch from Microsoft and install it on your computer:

Windows XP (32 bit)
http://go.microsoft.com/?linkid=220825

Windows XP (64 bit)
http://go.microsoft.com/?linkid=220826

5.Install or update your antivirus signature software and scan your computer

6.Download and run the worm removal tool from your antivirus vendor.

For Windows 2000 systems, where Internet Connection Firewall (ICF) is not available, the following steps will help block the affected ports so that the system can be patched. These steps are based on a modified excerpt from the article; HOW TO: Configure TCP/IP Filtering in Windows 2000. http://go.microsoft.com/?linkid=220827

1. Configure TCP/IP security on Windows 2000:
--Select "Network and Dial-up Connections" in Control Panel.
--Right-click the interface you use to access the Internet, and then click "Properties".
--In the "Components checked are used by this connection" box, click "Internet Protocol (TCP/IP)", and then click "Properties".
--In the Internet Protocol (TCP/IP) Properties dialog box, click "Advanced".
--Click the "Options" tab.
--Click "TCP/IP filtering", and then click "Properties".
--Select the "Enable TCP/IP Filtering (All adapters)" check box.
--There are three columns with the following labels:
TCP Ports
UDP Ports
IP Protocols
--In each column, you must select the "Permit Only" option.
--Click OK.

2. Download the MS03-026 security patch for Windows 2000 from Microsoft and install it on your computer from: http://go.microsoft.com/?linkid=220828

3. Install or update your antivirus signature software and scan your computer

4. Then, download and run the worm removal tool from your antivirus vendor.

For additional details on this worm from antivirus software vendors participating in the Microsoft Virus Information Alliance (VIA), please visit the following links:

Network Associates:
http://go.microsoft.com/?linkid=220829

Trend Micro:
http://go.microsoft.com/?linkid=220830

Symantec:
http://go.microsoft.com/?linkid=220831

Computer Associates:
http://go.microsoft.com/?linkid=220832

For more information on Microsoft's Virus Information Alliance, please visit this link:
http://go.microsoft.com/?linkid=220833

Please contact your antivirus vendor for additional details on this virus.

Prevention:
1. Turn on Internet Connection Firewall (Windows XP or Windows Server 2003) or use a third-party firewall to block TCP ports 135, 139, 445 and 593; UDP port 135, 137,138; also UDP 69 (TFTP)and TCP 4444 for remote command shell. To enable the Internet Connection Firewall in Windows: http://go.microsoft.com/?linkid=220834
--In Control Panel, double-click "Networking and Internet Connections", and then click "Network Connections".
--Right-click the connection on which you would like to enable ICF, and then click "Properties".
--On the Advanced tab, click the box to select the option to "Protect my computer or network".

This worm utilizes a previously announced vulnerability as part of its infection method. Because of this, customers must ensure that their computers are patched for the vulnerability that is identified in Microsoft Security Bulletin MS03-026. http://go.microsoft.com/?linkid=220835.

2. Install the patch MS03-026 from the Microsoft Download Center:
Windows NT 4 Server & Workstation
http://go.microsoft.com/?linkid=220836

Windows NT 4 Terminal Server Edition
http://go.microsoft.com/?linkid=220837

Windows 2000
http://go.microsoft.com/?linkid=220838

Windows XP (32 bit)
http://go.microsoft.com/?linkid=220839

Windows XP (64 bit)
http://go.microsoft.com/?linkid=220840

Windows 2003 (32 bit)
http://go.microsoft.com/?linkid=220841

Windows 2003 (64 bit)
http://go.microsoft.com/?linkid=220842

3. As always, please make sure to use the latest antivirus detection from your antivirus vendor to detect new viruses and their variants.

Related Knowledge Base Articles:
http://go.microsoft.com/?linkid=220843

Related Microsoft Security Bulletins:
http://go.microsoft.com/?linkid=220844
__________
powered by http://different-thinking.de - Netze, Protokolle, Sicherheit, ...

#18 Hier sind auch noch mal ein paar Infos über den Wurm auf DEUTSCH, für die, die es nicht so mit dem Englisch haben... ;-)

http://www.bsi.de/av/vb/blaster.htm
__________
Wenn wir bedenken, dass wir alle verrückt sind, ist das Leben erklärt.
(Mark Twain)

#19 ey dieser patch geht bei mir i-wie ned -.- was soll ich machen?

#20 Hallo

Tut mir leid das ich den Thread wieder raushole

aber ich kann mir einfach nicht mehr weiterhelfen. Ich schreib
diesen Text so schnell wie ein verrückter, da in 5 Minuten die
Fehlermeldung "generic host process" wieder auftaucht und meine
Internet wieder getrennt ist und ich erst nach einem Neustart
wieder Online bin. Ich habe alle Patches installiert, FIX-Blast Anti-Viren
Programm laufen lassen und und und. Es taucht immer wieder auf

Was kann ich da noch machen ?

Vielen dank im vorraus

#21 MB-Driver

wende den Windows Worms Doors Cleaner an
http://virus-protect.org/windsdoorcleaner.html

dann berichte - wenn sich das problem damit nicht loest, musst du ein Log vom HijackThis hier posten
http://virus-protect.org/hjtkurz.html

Zitat

Logfile of HijackThis v1.99.1
Scan saved at 20:02:34, on 01.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\RemoteControlService.exe
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\Programme\ASUS\ASUS Live Update\ALU.exe
C:\Programme\ASUS\Wireless Console\wcourier.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Programme\Ulead Systems\Ulead InstaMedia 3.0\Monitor.exe
C:\Programme\Ulead Systems\Ulead InstaMedia 3.0\RMC.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\ICQLite\ICQLite.exe
C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Programme\ASUS\Asus ChkMail\ChkMail.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\GEMEIN~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\GEMEIN~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Outlook Express\msimn.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dwwin.exe
C:\Dokumente und Einstellungen\Maki\Desktop\flt_tools\wwdc.exe
C:\Dokumente und Einstellungen\Maki\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Programme\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\Programme\Macrogaming\SweetIMBarForIE\toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Programme\Macrogaming\SweetIMBarForIE\toolbar.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Programme\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Wireless Console] C:\Programme\ASUS\Wireless Console\wcourier.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\ASUSTek\ASUSDVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Programme\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [Matchlock Scheduling] C:\Programme\Ulead Systems\Ulead InstaMedia 3.0\Monitor.exe
O4 - HKLM\..\Run: [Ulead Remote Control Center] C:\Programme\Ulead Systems\Ulead InstaMedia 3.0\RMC.exe
O4 - HKLM\..\Run: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] HDAShCut.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Free Download Manager] C:\Programme\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [PcSync] C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: ASUS ChkMail.lnk = C:\Programme\ASUS\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F551} (Flatcast Viewer 4.15) - http://www.flatcast.com/de/download/NpFv415.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{90C2A07A-2A49-42CC-8980-9E573FFA5FF4}: NameServer = 213.191.74.19 213.191.92.87
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: IntelWireless - C:\Programme\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ITE Remote Control Service (ITECIRService) - ITE Tech. Inc. - C:\WINDOWS\system32\RemoteControlService.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe

__________
MfG Sabina

rund um die PC-Sicherheit

#22 Hallo

Das Windows Worms Doors Cleaner hat leider nicht geholfen. Auch
wenn das Programm geöffnet ist, taucht die Fehlermeldung auf

Im Anhang HijackThis Bericht

und hier noch einer

Logfile of HijackThis v1.99.1
Scan saved at 20:07:55, on 01.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\RemoteControlService.exe
C:\WINDOWS\system32\svchost.exe
C:\Dokumente und Einstellungen\Maki\Desktop\HijackThis.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: ITE Remote Control Service (ITECIRService) - ITE Tech. Inc. - C:\WINDOWS\system32\RemoteControlService.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe

#23 poste dieses log - und beschreibe wieviele Systeme du hier anlysieren laesst.
http://virus-protect.org/artikel/tools/combofix.html
__________
MfG Sabina

rund um die PC-Sicherheit

#24 So, hab ich gemacht. Kann es sein das es alle meine Cookies gelöscht hat ?

#25 die cookies sind wohl noch alle drauf

Kopiere diese 6 Textdateien ab . (rechtsklick mit der Maus -> den Text markieren -> kopieren -> einfügen) Sie sind nach Datum geordnet. (kopiere nur die letzten 3 Monate ab)
http://virus-protect.org/datfindbat.html
__________
MfG Sabina

rund um die PC-Sicherheit

#26 Die hier ?

1.Log Verzeichnis von C:\WINDOWS\system32\
2.Log Verzeichnis von C:\DOKUME~1\Username\LOKALE~1\Temp\
3.Log Verzeichnis von C:\WINDOWS\
4.Log Verzeichnis von C:\WINDOWS\temp\
5.Log Verzeichnis von C:\WINDOWS\Downloaded Program Files
6.Log Verzeichnis von C:\

Was soll ich da machen ?

#27 nun, die datfindbat.zip ist auf der seite + alle Anleitungen, wie du die 6 logs abkopieren kannst
__________
MfG Sabina

rund um die PC-Sicherheit

#28 die 6 textdateien habe ich

Mehr blicke ich nicht durch, tut mir leid. Wenns nicht klappt
formatier ich die Festplatte neu

Vielen dank trotzdem !

#29 nun, poste die logs hier (per Anhang) oder suche drei monate von jedem raus und kopiere sie hier direkt
__________
MfG Sabina

rund um die PC-Sicherheit

#30 Hallo

In Anhang sind alle Textdateien

Verzeichnis von C:\
01.11.2006 13:32 43 autorun.inf
01.11.2006 13:32 37.888 setup.exe

Verzeichnis von C:\WINDOWS\system32

31.10.2006 12:51 1.158 wpa.dbl
31.10.2006 12:51 147.608 FNTCACHE.DAT
27.07.2006 10:08 383 temp0001.aok
27.07.2006 10:04 2.368 SVKP.sys