Question to the newsgroup

Thread starter: Old Man

Old Man

Dear Ladies and Gentlemen,
My Norton Antivirus found W32.Blaster.Worm in a file named "TFTP652.exe" and
the file was isolated. I went to a reference page from Norton and found
instructions on how to clean my system. I downloaded the FixBlast.EXE version
1.6.0.1 and ran this file to check my system. No Blaster was found.
FixBlast.exe was checked with "chktrust" before.
Question: Is my system safe now? The Worm is still on my system, but only
isolated by Norton Antivirus, isn't it?
As I run a small LAN with 6 Clients in my office it is very important for me
to know the facts.
Can anyone help?
Please reply to the newsgroup.
Thanks

Regards
Peter
Valid mail is Old.Man(a)gmx.net
 
look under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
windows auto update="???.exe" for the name of ???.exe
when you can't find this file anymore on your HD, you can be sure not to have
it anymore
bye
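As an added example (not from the thread, and not tied to any particular AV tool), a read-only PowerShell check of the Run value named in the reply above. It assumes a current Windows host with PowerShell, and that a bare filename in the value resolves from %SystemRoot%\System32; the thread does not state where the file is dropped, so that path is an assumption.

```powershell
# Added example, not from the thread: inspect the Run value the reply above
# names and report whether the executable it points to is still on disk.
# Assumptions: current Windows with PowerShell; a bare filename in the value
# is resolved from %SystemRoot%\System32 (the thread does not say where the
# file lives, so this is a best-effort guess, not a fact from the thread).

function Test-AutoUpdateRunEntry {
    param(
        [string]$Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        [string]$Name = 'windows auto update'   # value name quoted in the reply
    )

    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains $Name)) {
        # No such value: the autorun hook the reply describes is absent.
        return [pscustomobject]@{ Status = 'NoRunEntry'; Value = $null; Path = $null }
    }

    $raw = [string]$props.$Name
    # Take the executable token: a quoted path, or the first whitespace-separated word.
    if ($raw -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else                             { $exe = ($raw -split '\s+')[0] }

    if (-not [System.IO.Path]::IsPathRooted($exe)) {
        $exe = Join-Path $env:SystemRoot ('System32\' + $exe)   # assumed location
    }

    $status = if (Test-Path -LiteralPath $exe -PathType Leaf) { 'FileStillOnDisk' }
              else { 'StaleRunEntry' }
    [pscustomobject]@{ Status = $status; Value = $raw; Path = $exe }
}

$result = Test-AutoUpdateRunEntry
$result | Format-List
if ($result.Status -eq 'FileStillOnDisk') {
    Write-Warning "Run value '$($result.Value)' still points at an existing file; keep the host off the LAN until it is cleaned and patched."
}
```

NoRunEntry matches the "you can be sure" case in the reply; StaleRunEntry (value present, file gone) means the leftover autorun value should also be removed with Remove-ItemProperty so nothing tries to relaunch it at logon.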
 
anuspraeter said:
look under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
windows auto update="???.exe" for the name of ???.exe
when you can't find this file anymore on your HD, you can be sure not to have
it anymore
bye

Sorry to bother you again, but under my OS (W2K) I can't find this key
 
Old Man said:
Dear Ladies and Gentlemen,
My Norton Antivirus found W32.Blaster.Worm in a file named "TFTP652.exe" and
the file was isolated.

I believe that this was an intervention on your behalf by your AV.
You evidently have the vulnerability that the worm uses (and this
should be addressed also ~ get the patch MS03-039 (iirc)). The
worm evidently wasn't able to execute (due to the active scanner's
intervention).
I went to a reference page from Norton and found
instructions on how to clean my system. I downloaded the FixBlast.EXE version
1.6.0.1 and ran this file to check my system. No Blaster was found.

Not surprising considering the circumstances.
FixBlast.exe was checked with "chktrust" before.
Question: Is my system safe now?

It still has a vulnerability for any other malware that decides to
use the exploit to run arbitrary code on your machine (a very
bad thing to leave unaddressed).
The Worm is still on my system, but only isolated by Norton Antivirus, isn't it?

That executable file should be deleted instead of just sitting
in quarantine (it causes no harm in quarantine, but you really
don't need to have it in there).
As I run a small LAN with 6 Clients in my office it is very important for me
to know the facts.

Keeping your system up-to-snuff with current patches is much
more important than keeping your anti-virus ID files up-to-date.
The ID files will mostly only protect you from what they know
about, and there are plenty of things that they don't know about.
Can anyone help?

Read up on the DCOM RPC vulnerability that the worm
exploits, and the write-ups from the various AV vendors'
websites about the worm executable itself. You should
begin to see the difference between the vulnerability's
exploit code (addressed by the patch) and the worm's
executable ~ which the exploit code downloads from a
previous victim's machine ~ (and is addressed by the ID
for the worm being added to the definition files).
 
FromTheRafters said:
I believe that this was an intervention on your behalf by your AV.
You evidently have the vulnerability that the worm uses (and this
should be addressed also ~ get the patch MS03-039 (iirc)). The
worm evidently wasn't able to execute (due to the active scanner's
intervention).

Not surprising considering the circumstances.

It still has a vulnerability for any other malware that decides to
use the exploit to run arbitrary code on your machine (a very
bad thing to leave unaddressed).

That executable file should be deleted instead of just sitting
in quarantine (it causes no harm in quarantine, but you really
don't need to have it in there).

Keeping your system up-to-snuff with current patches is much
more important than keeping your anti-virus ID files up-to-date.
The ID files will mostly only protect you from what they know
about, and there are plenty of things that they don't know about.

Read up on the DCOM RPC vulnerability that the worm
exploits, and the write-ups from the various AV vendors'
websites about the worm executable itself. You should
begin to see the difference between the vulnerability's
exploit code (addressed by the patch) and the worm's
executable ~ which the exploit code downloads from a
previous victim's machine ~ (and is addressed by the ID
for the worm being added to the definition files).

Your post was very helpful for me - thanks a lot...
 