Csaba2000
The patch posted by Microsoft may work for the Win 2K Pro SP 2 and higher, but it does not work for SP 1. The
sites below will get rid of the current infection, but my stand-alone Win 2K Pro SP 1 machine is being probed so
often that I only get about 10 minutes before SVCHOST.EXE gets zapped.
What I want to do is block the relevant ports.
[I don't want to install SP2 or higher. I've had an Apache server on the net for 3 years and this is the first time
that I've had any worm/virus trouble at all. I understand SP upgrade is the standard Microsoft answer. On the other
hand, the last time I called their tech support and got a pat answer of this nature, it wiped out Access. Once
bitten, twice shy. So, I'd like to not turn this into a religious discussion. I may wind up installing SP 2, then
SP 4 but I don't want to at this point.]
Here's my question: (1) What are the ports to block? (2) How do I block them?
(1) The following three sites all deal with this virus and give three different sets of ports to block. Who should
be believed?
http://www.sophos.com/support/disinfection/blastera.htm lists TCP 69, 135, and 4444
while http://www.visualante.org/msblast lists TCP/UDP 135, 139, 445
And Microsoft at http://groups.google.com/groups?oe=UTF-8&th=52a686f642fd465e&rnum=7
lists TCP ports: 135, 139, 445, 593, 4444 and UDP ports: 135, 137, 138, and 69
Which ones should a reasonable person choose? Perhaps someone could also comment on the significance of TCP vs. UDP
(I do a lot of web programming but I'm a novice in this area).
(2) How should I actually block these ports? I've done a lot of looking on the web, but don't see a lot of
information out there. I attempted to implement the recommendations at
http://www.experts-exchange.com/Security/Win_Security/Q_20437744.html which is to edit IPSec(urity). I have a fixed
IP DSL system with a 3Com fast Ethernet controller (which is what I modified IPSec for) and a WAN Network Driver
(which I left alone).
I went through Control Panel/Administrative Tools/Local Security Policy/IP Security Policies on Local Machine.
I selected Action/Create IP Security Policy => up comes a wizard
This next part was a bit confusing. If I remember right, on the first pass through, I selected the default security
mechanism with Kerberos authentication (I have a stand alone machine). Windows gives a warning, but that's what the
site above said so I went with it. Then I wind up with a default filter (which I assume takes the place of the all
pass they talk about in the site above). For the next pass, I wanted to edit the filters associated with this
current entry, so one at a time I put in all the ports. For the settings I put that the request could come from any
IP to this IP and from any port to the specific port I wanted to block. I used the Microsoft listed set of ports.
When all the ports were thus assembled, I selected that I wanted to require security (I'm not sure if that's what the
label was). Finally, I went to Control Panel/Network and Dial up Connections and right clicked for properties of the
Ethernet controller (since that's where the DNS and fixed IPs were listed). Through a series of
Options/Advanced/Properties tabs/buttons I eventually arrived at a listing for IP Security or TCP/IP filtering.
Microsoft has recommended the latter (which seems reasonable to me), but then it says you should apply the patch,
which I can't do. So by going to the IPSec route, I associated the Blaster Filter I had just created with the 3Com
fast Ethernet controller. Of course, whenever SvcHost.exe died, I'd have to reboot since Win2K wasn't happy with my
muckings about with a dead SvcHost.exe.
The upshot was that I have not noticed any difference. I am still able to access the websites that I host on my
server from external machines (that's good), and the worm is still successful in causing SvcHost.exe to die (that's
bad).
So, how can I actually block the ports and what's the best way to validate the blocking (or what additional
information should I be providing)?
Thanks for any help,
Csaba Gabor from New York
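The post asks how to validate that a port filter is actually in effect. The script below is an added example written for this page, not code from the original poster or from any of the cited sites. It probes the TCP ports from the Microsoft list quoted above from an outside machine and classifies each as open (handshake completed), closed (RST came back, so packets reach the host but nothing listens) or filtered (no answer before the timeout, which is what a working IPSec block rule or firewall drop looks like). It covers TCP only: TCP has a handshake, so a plain connect() can tell the three states apart; UDP has none, so a lack of reply says nothing and those ports need a different check. Run it from a host on the far side of the filter, as the post does for the hosted websites; the target host name and the demo_local() helper (which opens and probes a local listener so the script is testable offline) are assumptions of this example.

```python
"""Probe TCP ports on a host and report open / closed / filtered.

Added example for validating a port-blocking filter; not code from the
original post. Run from a machine outside the filter being tested.
"""
import socket
import sys

# TCP ports from the Microsoft list quoted in the post.
TCP_PORTS_MS = (135, 139, 445, 593, 4444)


def probe_tcp(host, port, timeout=2.0):
    """Classify host:port by what a TCP connect attempt gets back.

    open     -> three-way handshake completed (service reachable)
    closed   -> RST received (packets arrive, nothing is listening)
    filtered -> no reply within the timeout, or an unreachable error:
                something between us and the service is dropping traffic
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        # e.g. host/network unreachable from an ICMP error: treat as blocked
        return "filtered"
    finally:
        s.close()


def probe_ports(host, ports, timeout=2.0):
    """Probe each port and return {port: state}."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


def still_exposed(results):
    """Ports reported 'open': the block rule has not taken effect there."""
    return sorted(p for p, state in results.items() if state == "open")


def demo_local():
    """Offline self-check (assumed helper): one listening local port and
    one port that was reserved then released so nothing listens on it.
    Returns (state_of_listening_port, state_of_closed_port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)  # backlog completes the handshake without accept()
    open_port = srv.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        results = probe_ports("127.0.0.1", (open_port, closed_port), timeout=1.0)
    finally:
        srv.close()
    return results[open_port], results[closed_port]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python probe.py <target-host>   (host is your own assumption)
        target = sys.argv[1]
        report = probe_ports(target, TCP_PORTS_MS)
        for port in TCP_PORTS_MS:
            print(f"{target}:{port}\t{report[port]}")
        print("still exposed:", still_exposed(report) or "none")
    else:
        print("local self-check (listening, closed):", demo_local())
```

Reading the output: after the IPSec block rule is working, every port in the list should come back "filtered" from outside; "closed" means the packets are still reaching the machine and only the absence of a listener is protecting it, and "open" on 135 or 445 means the filter is not applied to the interface the probe arrives on.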