[THIN] Re: Internet Worm/Lovsan.A

  • From: "Mack, Rick" <RMack@xxxxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Wed, 27 Aug 2003 18:27:07 +1000

Hi Paul,

That'll work. 

But one small correction. Don't use the .bat extension on your scripts. 

.CMD batch files use the 32-bit command interpreter (cmd.exe). .BAT batch
files invoke the 16-bit command interpreter (command.com) so that an NTVDM
etc. has to start up to run the batch file. Simply by changing the file
extension, you make execution of the script much more efficient.

Mind you, command.com is useful for a few things. Like when CMD.exe is
locked down by a GPO, but command.com and ntvdm.exe still work fine. 

By changing to .CMD, it also gives you the luxury of disabling 16-bit apps
and closing that little loophole.

Regards,

Rick

Ulrich Mack
rmack@xxxxxxxxxxxxxx
Volante Systems
18 Heussler Terrace, Milton 4064
Queensland Australia
tel +61 7 32467704



-----Original Message-----
From: Paul DeHaan [mailto:wppad@xxxxxxxxx] 
Sent: Wednesday, 27 August 2003 12:03 AM
To: John.Twilley@xxxxxxxxxxxxxxxxxxxxx; thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Internet Worm/Lovsan.A


Put the for loop in a batch file (add % for vars)

msblast.bat:
For /f %%i in ('net view') do pslist %%i

You should be able to redirect the batch when you run it: msblast.bat | find /i "msblast"

I'd just redirect the bat file to a log.txt and once it is done, run a find / "msblast" log.txt

Regards,
Paul


>>> John.Twilley@xxxxxxxxxxxxxxxxxxxxx 08/26/03 07:39AM >>>
Wow.  Very nice.  Thank You!
 
I tried to "pipe it" to text... but it does nothing... Do you know the
correct syntax?
 
Does not work:       For /f %i in ('net view') do pslist %i | find /i "msblast" > c:\msblast
 
John

  _____  

From: Mack, Rick [mailto:RMack@xxxxxxxxxxxxxx] 
Sent: Tuesday, August 12, 2003 7:34 PM
To: 'thin@xxxxxxxxxxxxx' 
Subject: [THIN] Re: Internet Worm/Lovsan.A



Hi, 

We had a few sites hit fairly badly, and of course many of the systems
weren't patched up to date. 

However it luckily turned out to be fairly easy to control. So I thought it
might be worth letting you know what we did.

Pstools from sysinternals turned out to be a godsend. 

I used: 

For /f %i in ('net view') do pslist %i | find /i "msblast" 

To find the infected systems, 

Then did a generic network msblast kill with 

For /f %i in ('net view') do pskill %i msblast.exe 

That settled things down, and gave me time to delete the
windowsupdat=msblast.exe entry under
HKLM\software\microsoft\windows\currentversion\run with a quick kix script
(was quicker than vbscript, which I now have ;-)).

This kept things under control until we could update virus signatures and
take care of the RPC/DCOM security patching. 

Regards, 

Rick 

Ulrich Mack 
rmack@xxxxxxxxxxxxxx 
Volante Systems 
18 Heussler Terrace, Milton 4064 
Queensland Australia 
tel +61 7 32467704 
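Putting the thread's pieces together (Paul's batch-file loop, Rick's advice to use a .cmd extension, John's question about logging the result, and the pslist/pskill sweep plus the Run-key persistence entry described in the advisory) as one script. This is an added example, not code from any post in the thread; it assumes pslist.exe (Sysinternals PsTools) and reg.exe are on the PATH and the caller has admin rights on the remote hosts.

```batch
@echo off
rem Added example, not from any post in this thread. Sweeps every host that
rem "net view" lists for a running msblast.exe and for the Run-key
rem persistence entry the advisory describes, and logs the hits.
rem Assumes pslist.exe (Sysinternals PsTools) and reg.exe are on the PATH
rem and the caller has admin rights on the remote hosts.
rem Save as msblast-sweep.cmd (per Rick's advice) so cmd.exe runs it.
setlocal
set LOG=%TEMP%\msblast-sweep.log
if exist "%LOG%" del "%LOG%"

rem "net view" prints \\HOST plus a remark; keep only lines starting with \\
rem (the caret escapes the pipe inside the for /f command string) and take
rem the first token so the remark is dropped.
for /f "tokens=1" %%h in ('net view ^| findstr /b "\\\\"') do call :check %%h

echo Sweep complete. Hits (if any) are in %LOG%
if exist "%LOG%" type "%LOG%"
endlocal
goto :eof

:check
rem %1 is \\HOST. find /i exits 0 only when it matches, so errorlevel tells
rem us whether the process is present; 2>nul hides errors for unreachable hosts.
pslist %1 2>nul | find /i "msblast" >nul
if not errorlevel 1 (
    echo %1: msblast.exe is running
    echo %1: msblast.exe is running >> "%LOG%"
    rem To kill on sight as the thread did, uncomment the next line:
    rem pskill %1 msblast.exe
)
rem Persistence check: the worm adds "windows auto update"="msblast.exe"
rem under HKLM\...\Run (needs the Remote Registry service on the target).
reg query "%1\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" 2>nul | find /i "msblast" >nul
if not errorlevel 1 (
    echo %1: msblast Run-key entry present
    echo %1: msblast Run-key entry present >> "%LOG%"
)
goto :eof
```

Running it from a single console answers John's piping problem: the find results go to the log file per host rather than being swallowed by a single redirect applied to the whole for loop.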



-----Original Message----- 
From: Adam.Baum@xxxxxxxxxxxxxx [mailto:Adam.Baum@xxxxxxxxxxxxxx] 
Sent: Tuesday, 12 August 2003 10:14 PM 
To: thin@xxxxxxxxxxxxx 
Subject: [THIN] Re: Internet Worm/Lovsan.A 



This is also being called W32.blaster.worm 
We got hit with it and I just spent the last 12hrs rebuilding an MF
server..... 




 


From: "Jim Kenzig http://thethin.net" <jimkenz@concentric.net>
Sent by: thin-bounce@freelists.org
Date: 08/12/2003 05:09 AM
Please respond to: thin
To: <windows2000@xxxxxxxxxxxxx>, <thin@xxxxxxxxxxxxx>
cc:
Subject: [THIN] Internet Worm/Lovsan.A


And more on this... 

And if the last one wasn't enough. 
JK 

VIRUS WARNING The Central Command® Emergency Virus Response Team™ (EVRT™)
has received virus infection reports for the new Internet Worm/Lovsan.A.
Due to increased customer inquiries and infection reports the EVRT is issuing
a VIRUS WARNING.

You are receiving this newsletter because you are a subscriber to the
Central Command Virus News mailing list. 

[ EVRT™ Virus Warning issued for Worm/Lovsan.A ] 

Name: Worm/Lovsan.A 
Alias: W32/Lovsan.A 
Type: Internet Worm 
Discovered: August 11, 2003 
Platform: Windows NT/2000/XP 
Size: 6.176KB 


Worm/Lovsan.A is an Internet worm that exploits a known security
vulnerability in Microsoft's Windows Distributed Component Object Model
(DCOM) Remote Procedure Call (RPC) interface. This security breach allows
someone with malicious intent to run code of their choice. TCP ports directly
affected by this exploit include: 135.

If executed, Worm/Lovsan.A will download and run the file msblast.exe using
TFTP.

The following are components of Worm/Lovsan.A: 

- msblast.exe (the main component) 

So that it gets run each time a user restarts their computer, the following
registry key gets added: 

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 
"windows auto update"="msblast.exe" 

Microsoft has issued a patch to protect against the exploit used by
Worm/Lovsan.A. This patch is available from Microsoft Security Bulletin
MS03-026
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

** This worm is still under analysis 

******************************************************** 
This Week's Sponsor:  RES PowerFuse, The Management Framework for Windows
Eliminate Multiple Tools, Multiple Support Channels and Multiple Costs
Manage, Control, and Secure an Entire Windows environment with Ease,
including Real-time Reporting and Documenting Components Validate a
Meaningful ROI on All of your IT Investments with RES PowerFuse.
http://www.respowerfuse.com/

********************************************************** 
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm

For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm









--------------------------------------------------------------------------------------------------------------------
The information contained in this e-mail is confidential and may be subject
to legal professional privilege. It is intended solely for the addressee. If
you receive this e-mail by mistake please promptly inform us by reply e-mail
and then delete the e-mail and destroy any printed copy. You must not
disclose or use in any way the information in the e-mail. There is no
warranty that this email or any attachment or message is error or virus
free. It may be a private communication, and if so, does not represent the
views of Volante group Limited.
