What a morning….so far I’ve had 116 notifications that we’ve received the sobig virus into our mail servers. These are running NAV and delete the attachment and were previously configured to send an email (for historical purposes of the quantity of virus’s) and a Windows Net Send Message to my desktop to notify me of the problem. However, with the amount of notifications and also notifications when the manual scan failed to open certain attachments in emails, I was unable to work as I had to keep clicking ok. Therefore I had to turn the notifications off – must remember to turn them back on again.
There would be major resistance in the company to blocking attachments at the mail server so unfortunately that option is a nogo.
At the same time I’ve had to arrange scans on three remote pc’s that managed to get the Blaster or Welchia worms on their machines as they got infected between us updating at 4am with no patch updates, and the 11.30 manual update we initiated!
One of the laptops (from a remote site) has no firewall, runs w2k and no service packs or fixes. I’ve spent the last couple of hours installing sp4,rebooting and installing all the various hotfixes, ie6 and the multiple reboots needed to do them all. WHAT A MORNING!

Thanks toSOBig was very fast spreading and by 12pm we had at least 8 copies in our mailboxes and our antivirus software was updated at 4am in the morning and nothing was found when the emails came through. Thankfully (that I am aware of) the users didn’t open the emails – I guess I’ll find out when I am in the office tomorrow.

I’ve also had symantec’s console have its password changed in the past and Kevin’s details the changes. All you do is change HKLM\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\ConsolePassword to 1084A085DC6BD2D755D4D6A7726 and then use the password symantec
(I’ve repeated it here so I have a local archive in case Kev’s page ever disappears.)

Microsoft have a pretty good page about the blast worm and links to all the various utilities and various anti-virus software packages that deals with this. They don’t mention AVG software though which considering is free and therefore widely used I’m suprised it wasn’t covered.

Microsoft have a pretty good page about the blast worm and links to all the various utilities and various anti-virus software packages that deals with this. They don’t mention AVG software though which considering is free and therefore widely used I’m suprised it wasn’t covered.

From the email that I received from eeye:-
A worm began spreading on the Internet early Monday morning that exploits a recent vulnerability in Microsoft Operating Systems. The worm, dubbed Blaster, takes advantage of a known vulnerability in Microsoft RPC DCOM that affects all current versions of Windows NT, Windows 2000, Windows XP, and Windows Server 2003.
The worm begins by targeting Microsoft systems that have not been properly patched for the known RPC DCOM vulnerability. Once the worm detects an unpatched system, it will attempt to download and run a file called msblast.exe. If successful in infecting a system, the worm will propagate itself, modify Windows registry settings, and initiate a SYN flood denial-of-service attack on windowsupdate.com.
The worm payload does not contain any additional malicious content; however, because of the nature of the worm and the speed at which it attempts to impact systems, it can potentially create a denial-of-service attack against windowsupdate.com.
For further information and a technical description of the Blaster worm please visit:
eeye. They also have a free tool you can download (reg required) to see which machines are vulnerable…but then again you should have done that a long time ago, especially with running Windows Update! Their full suite of programs will also tell you if you are unlucky to have it running around your network.