Win 2K Pro Service Pack 1 and Blaster


Csaba2000

The patch posted by Microsoft may work for the Win 2K Pro SP 2 and higher, but it does not work for SP 1. The
sites below will get rid of the current infection, but my stand-alone Win 2K Pro SP 1 machine is being probed so
often that I only get about 10 minutes before SVCHOST.EXE gets zapped.

What I want to do is block the relevant ports.

[I don't want to install SP2 or higher. I've had an Apache server on the net for 3 years and this is the first time
that I've had any worm/virus trouble at all. I understand SP upgrade is the standard Microsoft answer. On the other
hand, the last time I called their tech support and got a pat answer of this nature, it wiped out Access. Once
bitten, twice shy. So, I'd like to not turn this into a religious discussion. I may wind up installing SP 2, then
SP 4 but I don't want to at this point.]

Here's my question: (1) What are the ports to block? (2) How do I block them?

(1) The following three sites all deal with this virus and give three different sets of ports to block. Who should
be believed?
http://www.sophos.com/support/disinfection/blastera.htm lists TCP 69, 135, and 4444
while http://www.visualante.org/msblast lists TCP/UDP 135, 139, 445
And Microsoft at http://groups.google.com/groups?oe=UTF-8&th=52a686f642fd465e&rnum=7
lists TCP ports: 135, 139, 445, 593, 4444 and UDP ports: 135, 137, 138, and 69

Which ones should a reasonable person choose? Perhaps someone could also comment on the significance of TCP vs. UDP
(I do a lot of web programming but I'm a novice in this area).

(2) How should I actually block these ports? I've done a lot of looking on the web, but don't see a lot of
information out there. I attempted to implement the recommendations at
http://www.experts-exchange.com/Security/Win_Security/Q_20437744.html which is to edit IPSec(urity). I have a fixed
IP DSL system with a 3Com fast Ethernet controller (which is what I modified IPSec for) and a WAN Network Driver
(which I left alone).

I went through Control Panel/Administrative Tools/Local Security Policy/IP Security Policies on Local Machine.
I selected Action/Create IP Security Policy => up comes a wizard
This next part was a bit confusing. If I remember right, on the first pass through, I selected the default security
mechanism with Kerberos authentication (I have a stand alone machine). Windows gives a warning, but that's what the
site above said so I went with it. Then I wind up with a default filter (which I assume takes the place of the all
pass they talk about in the site above). For the next pass, I wanted to edit the filters associated with this
current entry, so one at a time I put in all the ports. For the settings I put that the request could come from any
IP to this IP and from any port to the specific port I wanted to block. I used the Microsoft listed set of ports.
When all the ports were thus assembled, I selected that I wanted to require security (I'm not sure if that's what the
label was). Finally, I went to Control Panel/Network and Dial up Connections and right clicked for properties of the
Ethernet controller (since that's where the DNS and fixed IPs were listed). Through a series of
Options/Advanced/Properties tabs/buttons I eventually arrived at a listing for IP Security or TCP/IP filtering.
Microsoft has recommended the latter (which seems reasonable to me), but then it says you should apply the patch,
which I can't do. So by going to the IPSec route, I associated the Blaster Filter I had just created with the 3Com
fast Ethernet controller. Of course, whenever SvcHost.exe died, I'd have to reboot since Win2K wasn't happy with my
muckings about with a dead SvcHost.exe.

The upshot was that I have not noticed any difference. I am still able to access the websites that I host on my
server from external machines (that's good), and the worm is still successful in causing SvcHost.exe to die (that's
bad).

So, how can I actually block the ports and what's the best way to validate the blocking (or what additional
information should I be providing)?

Thanks for any help,
Csaba Gabor from New York
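The port-blocking policy described in the post above, written as an IPSec BLOCK rule rather than a "Require Security" rule, using ipsecpol.exe from the Windows 2000 Resource Kit; this is an added example, not the poster's own steps or Microsoft's text, and the policy and rule names (and ipsecpol.exe being on the PATH) are assumptions.

```batch
@echo off
REM Added example: block the inbound Blaster-related ports on a Windows 2000
REM host with an IPSec BLOCK action (not "Require Security"), using
REM ipsecpol.exe from the Windows 2000 Resource Kit (assumed to be on PATH).
REM Filter syntax: *=0:PORT:PROTO means "from any address and any port
REM to this host (0) on PORT", one direction only (inbound).
REM Policy and rule names below are chosen here, not taken from the thread.

set POLICY=Block Blaster Ports

REM Union of the three port lists quoted in the thread: TCP ports.
for %%P in (135 139 445 593 4444) do (
    ipsecpol -w REG -p "%POLICY%" -r "Block inbound TCP %%P" -f *=0:%%P:TCP -n BLOCK
)

REM Union of the three port lists quoted in the thread: UDP ports.
for %%P in (69 135 137 138) do (
    ipsecpol -w REG -p "%POLICY%" -r "Block inbound UDP %%P" -f *=0:%%P:UDP -n BLOCK
)

REM Assign (activate) the policy; -y would unassign it and -o would delete it.
ipsecpol -w REG -p "%POLICY%" -x

REM Local listeners still appear in netstat because the filter sits below
REM the socket layer, so this only confirms the services are still up.
netstat -an | find ":135"
```

To validate the block, attempt a connection to one of the listed ports from a second machine and confirm it times out rather than connecting or being refused; a connection that is refused means the packet reached the host and the filter is not in effect.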
 
You can go for SP4 right away and should not wait for it. It will take you
more time to figure out how you could block ports and other things, in the
meantime you've installed W2K 6 times already.
Download SP4, shut down 3rd party services and install it.
Right after that install the ms03-026 patch. You need it!

Marina

The methodology described in my original post seems to be working (no problems over 12 hours). Yesterday, I prepared
a very detailed post on exactly what I did to manually block the ports on my Win 2K Pro Service Pack 1 machine (build
2195). 5 minutes before I was ready to send, the blackout zapped my machine so this is the abbreviated version. You
have no idea how much you rely on electricity till it's gone. No TV, no cell phone, no Air Con, no fridge, no
Subways, no access to my address database or email, no movies, no access with electronic room keys, and the list goes
on.

I blocked the union of all the ports mentioned below and that seems to do the trick. Probably overkill, but I'd
rather not spend more time on empirical determination at this point.

Good luck,
Csaba Gabor from New York
