Microsoft prepares to be Blasted

All replies

• 

  

  0

  Sign in to vote

  Nice info, i think you should become a part of the newspanel for MS
  

  Friday, June 1, 2007 7:08 PM
• 

  

  0

  Sign in to vote

  Very nice info
   
  Can you give us the link where we can get the full story related to this
  

  Friday, June 1, 2007 7:48 PM
• 

  

  0

  Sign in to vote

  Thanks for the info m8..

  Which countries are affected by the MSBlast worm infection???

  Saturday, June 2, 2007 4:01 PM
• 

  

  0

  Sign in to vote

  not a big threat dudeeeeeeeeeee

  Monday, June 4, 2007 12:42 PM
• 

  

  0

  Sign in to vote

  is MS sure that this will stop the viruses
  

  Tuesday, June 5, 2007 4:18 AM
• 

  

  0

  Sign in to vote

  I dont think it gonna be a BIG threat for MS. They can handle such situations easily.
  

  Tuesday, June 5, 2007 10:05 PM
• 

  

  0

  Sign in to vote

  Yes man, MS  his used to handle these situation. Thats all they keep doing, once they solve a bug, another one arises, and they get back to work on it hahha, then it get uncontrollable, a new ServicePack is released
  
  They have good experience with these stuffs.
  

  Wednesday, June 6, 2007 1:58 PM
• 

  

  0

  Sign in to vote

  Can you people ellaborate about the affection of MS-worm with the computer which effects the problem to the users.

   

  regards,

  Thursday, June 7, 2007 2:31 PM
• 

  

  0

  Sign in to vote

  The MSBLAST.A worm infects machines via network connections. It can attack entire networks of computers or one single computer connected to the Internet. The worm exploits a known windows vulnerability that is easily patched, however few systems seem to have this patch installed. It attacks Windows 2000 and Windows XP machines and exploits the DCOM RPC Vulnerablity.  Depending on the system date it will start a Denial of Service attack against windowsupdate.com, this makes it difficult to download the needed patches and allow the worm to infect as many machines as it can before being disabled. However, as of August 15th, Microsoft decided to kill the windowsupdate.com domain to lessen the impact from this denial of service attack. MSBLAST can also cause widespread system instability including but not limited to Windows Blue screens, out of memory errors, changes to Control Panel, inability to use functions in browser, and many more oddities.

  Thursday, June 7, 2007 4:29 PM
• 

  

  0

  Sign in to vote

  In just 24 hours, "MSBlast" exploded onto some 120,000 computers around the world, in spite of what some experts say was a less-than-spectacular programming job. A big part of the problem was that inattentive home users, and overbooked IT staffs, hadn't been able to put a patch in place, even though Microsoft had made it available in July. The Web will be watching over the weekend to see if Microsoft can dodge a denial-of-service attack expected to be launched by the worm.

  Thursday, June 7, 2007 4:29 PM
• 

  

  0

  Sign in to vote

  How Does MSBLAST Infect My Computer?
  
     1. The worm creates a Mutex named "BILLY." If the mutex exists, the worm will exit.
     2. Adds the value:
  
        ”windows auto update" = MSBLAST.EXE (variant A)
        ”windows auto update" = PENIS32.EXE (variant B)
        ”Microsoft Inet xp.." = TEEKIDS.EXE (variant C)
        "Nonton Antivirus=mspatch.exe" (variant E)
        "Windows Automation" = "mslaugh.exe" (variant F)
        "www.hidro.4t.com"="enbiei.exe" (variant G)
  
        to the registry key:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        so that the worm runs when you start Windows.
     3. Calculates the IP address, based on the following algorithm, 40% of the time:
  
        Host IP: A.B.C.D
        sets D equal to 0.
        if C > 20, will subtract a random value less than 20.
        Once calculated, the worm will start attempting to exploit the computer based on A.B.C.0, and then count up.
        This means the Local Area Network will be infected almost immediately and become become saturated with port 135 requests prior to exiting the local subnet.
  
     4. Calculates the IP address, based on many random numbers, 60% of the time:
  
        A.B.C.D
        set D equal to 0.
        sets A, B, and C to random values between 0 and 255.
  
     5. Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability to allow the following actions to occur on the vulnerable computer:
  
        Create a hidden Cmd.exe remote shell that will listen on TCP port 4444.
  
        NOTE: Due to the random nature of how the worm constructs the exploit data, it may cause computers to crash if it sends incorrect data. This can cause blue screens, out of memory errors, etc.
  
     6. Listens on UDP port 69. When the worm receives a request, it will return the Msblast.exe binary.
     7. Sends the commands to the remote computer to reconnect to the infected host and to download and run Msblast.exe.
  
     8. If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on "windowsupdate.com."
  
        With the current logic, the worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.
  
  The worm contains the following text, which is never displayed:
  
  I just want to say LOVE YOU SAN!!
  billy gates why do you make this possible ? Stop making money and fix your software!!
  
  Windows 2000 Machines
  
  On Windows 2000 machines, I have seen the Control Panel icons switch to the left pane, functions like FIND in the browser stop working, and many other oddities.

  Thursday, June 7, 2007 4:30 PM
• 

  

  0

  Sign in to vote

  Thanks for the info Harshil.

  Thursday, June 7, 2007 8:10 PM
• 

  

  0

  Sign in to vote

  Please dont mention it Adnan Its my duty to help others now
  

  Saturday, June 9, 2007 4:07 PM
• 

  

  0

  Sign in to vote

  nice info!!
  

  Tuesday, June 12, 2007 10:50 AM