[THIN] Re: Internet Worm/Lovsan.A
- From: "Schneider, Chad M." <CMSchneider@xxxxxxxxx>
- To: thin@xxxxxxxxxxxxx
- Date: Wed, 13 Aug 2003 10:04:27 -0500
12 hour rebuild?
You definitely need to image your servers.
:)
-----Original Message-----
From: Adam.Baum@xxxxxxxxxxxxxx [mailto:Adam.Baum@xxxxxxxxxxxxxx]
Sent: Tuesday, August 12, 2003 7:14 AM
To: thin@xxxxxxxxxxxxx
This is also being called W32.blaster.worm We got hit with it and I just
spent the last 12hrs rebuilding an MF server.....
"Jim Kenzig
http://thethin.ne To:
<windows2000@xxxxxxxxxxxxx>, <thin@xxxxxxxxxxxxx>
t" cc:
<jimkenz@concentr Subject: [THIN] Internet
Worm/Lovsan.A
ic.net>
Sent by:
thin-bounce@freel
ists.org
08/12/2003 05:09
AM
Please respond to
thin
And more on this...
And if the last one wasn't enough.
JK
VIRUS WARNING The Central Command(r) Emergency Virus Response Team? (EVRT?)
has received virus infection reports for the new Internet Worm/Lovsan.A .
Due to increased customer inquires and infection reports the EVRT is issuing
a VIRUS WARNING.
You are receiving this news letter because you are a subscriber to the
Central Command Virus News mailing list.
[ EVRT? Virus Warning issued for Worm/Lovsan.A ]
Name: Worm/Lovsan.A
Alias: W32/Lovsan.A
Type: Internet Worm
Discovered: August 11, 2003
Platform: Windows NT/2000/XP
Size: 6.176KB
Worm/Lovsan.A is an Internet worm that exploits a known security
vulnerability in Microsoft's Windows Distributed Companent Object Model
(DCOM) Remote Procedure Call (RPC) interface. This security breach allows
someone with malicious intent to run code of their choice. TCP port directly
affected by this exploit include: 135.
If executed, Worm/Lovsan.A will download and run the file msblast.exe using
Tftp
The following are components of Worm/Lovsan.A:
- msblast.exe (the main component)
So that it gets run each time a user restart their computer the following
registry key gets added:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update"="msblast.exe"
Microsoft has issued a patch to protect against the exploit used by
Worm/Lovsan.A. This patch is available from Microsoft Security Bulletin
MS03-026
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS03-026.asp
** This worm is still under analysis
********************************************************
This Week's Sponsor: RES PowerFuse, The Management Framework for Windows
Eliminate Multiple Tools, Multiple Support Channels and Multiple Costs
Manage, Control, and Secure an Entire Windows environment with Ease,
including Real-time Reporting and Documenting Components Validate a
Meaningful ROI on All of your IT Investments with RES PowerFuse.
http://www.respowerfuse.com/
**********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use
the below link:
http://thethin.net/citrixlist.cfm
********************************************************
This Week's Sponsor: RES PowerFuse, The Management Framework for Windows
Eliminate Multiple Tools, Multiple Support Channels and Multiple Costs
Manage, Control, and Secure an Entire Windows environment with Ease,
including Real-time Reporting and Documenting Components Validate a
Meaningful ROI on All of your IT Investments with RES PowerFuse.
http://www.respowerfuse.com/
**********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use
the below link:
http://thethin.net/citrixlist.cfm
********************************************************
This Week's Sponsor: RES PowerFuse, The Management Framework for Windows
Eliminate Multiple Tools, Multiple Support Channels and Multiple Costs
Manage, Control, and Secure an Entire Windows environment with Ease, including
Real-time Reporting and Documenting Components
Validate a Meaningful ROI on All of your IT Investments with RES PowerFuse.
http://www.respowerfuse.com/
**********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm
Other related posts:
