- Re: Can't figure out what this is
- Posted by Ali on August 12th, 2003
On Mon, 11 Aug 2003 19:27:56 GMT, "Sheldon" <sheldon@REMOVEsopris.net>
wrote:
has some poop on it. It's been giving me fits. It hooks into a TCP
flaw in Wuwh-wuh Windows apparently...it seems to have many other fun
surprises as well.
W32.Blaster.Worm is a worm that will exploit the DCOM RPC
vulnerability using TCP port 135. It will attempt to download and run
a file, msblast.exe.
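Ali's description above (a worm spreading through the DCOM RPC service on TCP port 135) is exactly what an administrator would hunt for in perimeter firewall logs. The following Python script is an added example and is not part of the thread: it parses firewall log lines in a constructed format, counts how many distinct hosts each source tried to reach on TCP/135, and flags sources that touched several targets. An internal source doing this is a likely infected machine scanning outward; an external source is someone else's infection probing in. The log lines, addresses, networks and field layout are all constructed for illustration.

```python
"""Flag hosts that sweep TCP/135 (the DCOM RPC port) in firewall logs.
Added example with a constructed log format; not code from the thread."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in a hypothetical firewall log format.
SAMPLE_LOG = """\
2003-08-11T19:20:01 DENY proto=tcp src=203.0.113.7:4321 dst=192.168.1.10:135
2003-08-11T19:20:01 DENY proto=tcp src=203.0.113.7:4322 dst=192.168.1.11:135
2003-08-11T19:20:02 DENY proto=tcp src=203.0.113.7:4323 dst=192.168.1.12:135
2003-08-11T19:20:02 DENY proto=tcp src=203.0.113.7:4324 dst=192.168.1.13:135
2003-08-11T19:20:05 ALLOW proto=tcp src=192.168.1.20:1040 dst=192.168.1.1:80
2003-08-11T19:21:10 DENY proto=tcp src=192.168.1.42:1200 dst=198.51.100.1:135
2003-08-11T19:21:10 DENY proto=tcp src=192.168.1.42:1201 dst=198.51.100.2:135
2003-08-11T19:21:11 DENY proto=tcp src=192.168.1.42:1202 dst=198.51.100.3:135
2003-08-11T19:21:11 DENY proto=tcp src=192.168.1.42:1203 dst=198.51.100.4:135
2003-08-11T19:21:12 DENY proto=tcp src=192.168.1.42:1204 dst=198.51.100.5:135
2003-08-11T19:22:00 ALLOW proto=tcp src=198.51.100.9:5555 dst=192.168.1.10:135
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed: the address ranges that belong to our own network.
INTERNAL = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]
RPC_PORT = 135  # the DCOM RPC endpoint mapper port named in the post


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse(log_text):
    """Yield one dict per log line that matches the constructed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            yield rec


def find_rpc_scanners(log_text, min_targets=3):
    """Return {'inbound': {src: n}, 'outbound': {src: n}} for sources that
    attempted TCP/135 to at least min_targets distinct hosts.
    'outbound' entries are internal hosts scanning out (likely infected);
    'inbound' entries are external hosts scanning us."""
    targets = defaultdict(set)
    for rec in parse(log_text):
        if rec["proto"] != "tcp" or rec["dport"] != RPC_PORT:
            continue
        targets[rec["src"]].add(rec["dst"])
    result = {"inbound": {}, "outbound": {}}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        bucket = "outbound" if is_internal(src) else "inbound"
        result[bucket][src] = len(dsts)
    return result


if __name__ == "__main__":
    for direction, hosts in find_rpc_scanners(SAMPLE_LOG).items():
        for src, n in hosts.items():
            print(f"{direction}: {src} tried TCP/135 on {n} distinct hosts")
```

A single connection to port 135 (such as 198.51.100.9 in the sample) stays below the threshold, since legitimate RPC traffic exists on a Windows network; it is the sweep across many hosts that marks a worm. The outbound bucket is the one that answers the question in this thread, because it names the machine doing the spreading rather than the machines being probed.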
- Posted by Sheldon on August 12th, 2003
Can't find anything on it at sarc.com.
Sheldon
sheldon@sopris.net
"Ali" <spamnyet_ananda_hotai@hotmail.com> wrote in message
news:cebgjv0ofvnpnh782b5np7kk49c38r4dsu@4ax.com...
- Posted by FromTheRafters on August 12th, 2003
"Ali" <spamnyet_ananda_hotai@hotmail.com> wrote in message news:cebgjv0ofvnpnh782b5np7kk49c38r4dsu@4ax.com...
But it isn't a mailer, it's a lame network downloader worm, or at
least it seems to be only that.
- Posted by Sheldon on August 12th, 2003
I'm not sure this was a blaster virus either. We can hang online as much as
we want, and the computer is not shutting down.
Sheldon
sheldon@sopris.net
"FromTheRafters" <!0000@nomad.fake> wrote in message
news:vjgnonnj05s461@corp.supernews.com...
- Posted by FromTheRafters on August 12th, 2003
"Sheldon" <sheldon@REMOVEsopris.net> wrote in message news:FMb_a.129932$YN5.87296@sccrnsc01...
As somebody@compusmart.ab.ca said:
The PC is infected with the Cailont (Nolor virus). Disables AV among
other things.
This looks like the one. Here is a link:
http://securityresponse.symantec.com....nolor@mm.html
- Posted by Sheldon on August 14th, 2003
"FromTheRafters" <!0000@nomad.fake> wrote in message
news:vjilorhqtj7u29@corp.supernews.com...
I agree with your findings, but for whatever reason I was finally able to
get the AV updated and ran a full scan. No signs of the nolor virus in the
scan or in the registry. We did find a Klez virus in a zipped file, but I
don't think she's savvy enough to open a zipped file, and the Klez removal
tool finds no signs of the Klez. I did remove that notepad file sitting in
the Startup folder in the Start menu. Maybe that was the problem, but that
actually arrived after I got there the first time.
I installed the latest security patch and just told her to keep me posted
for more returned e-mails. Not sure what to do at this point.
Any ideas? And thanks for all the help.
Sheldon
sheldon@sopris.net
- Posted by FromTheRafters on August 15th, 2003
"Sheldon" <sheldon@REMOVEsopris.net> wrote in message news:5AS_a.108932$It4.48786@rwcrnsc51.ops.asp.att.net...
Can you now complete an online scan?
- Posted by Sheldon on August 15th, 2003
"FromTheRafters" <!0000@nomad.fake> wrote in message
news:vjob4kplj9ts1c@corp.supernews.com...
You know, once I got NAV working I never tried that again. Not sure, but I
think I had to log in as the Administrator to run the NAV update I
downloaded. Also had trouble running the patch and the Blaster fix tool
till I logged in as the Administrator. That may have been the problem, and
while the computer seems to take a long time to boot, it appears to be
working fine. The only complaint from the user was those returned messages
indicating a virus on her computer.
- Posted by FromTheRafters on August 15th, 2003
"Sheldon" <sheldon@REMOVEsopris.net> wrote in message news:65Y_a.112269$cF.31851@rwcrnsc53...
Are you saying that the only *symptom* of infection is the returned mail?
That could just be a symptom of someone else's infection. This worm can
either spoof the from address, use the current victim's address, or use an
address it found on the current victim's computer. The lack of the other
symptoms may mean it never was an affected computer.
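FromTheRafters' point is that the From: address on a virus bounce says nothing about which machine actually sent the mail, because the worm fills it in from the victim's address book. What does record the sending host is the earliest Received: header of the original message, when the bounce encloses it. The following Python script is an added example, not part of the thread: it parses a constructed multipart/report bounce with the original message attached, pulls the submitting host's IP from that header, and checks it against a constructed list of our own address ranges (OUR_NETWORKS). All addresses, host names and the message itself are constructed.

```python
"""Decide whether a virus bounce shows the recipient's own network sent the message.
Added example; the bounce, hosts, addresses and OUR_NETWORKS are constructed."""
import email
import re
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed: address ranges from which our own users submit mail.
OUR_NETWORKS = [ip_network("192.0.2.0/24")]

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed bounce: a delivery-status report enclosing the original as message/rfc822.
# The original claims to come from user@example.net but was submitted from 198.51.100.77.
SAMPLE_BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@mx.example.org>
To: user@example.net
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The message could not be delivered; a virus was detected.
--B1
Content-Type: message/rfc822

Received: from mx.example.org (mx.example.org [203.0.113.5])
\tby mail.example.org with ESMTP; Fri, 15 Aug 2003 10:01:02 -0000
Received: from dialup-77.isp.example (unknown [198.51.100.77])
\tby mx.example.org with SMTP; Fri, 15 Aug 2003 10:01:00 -0000
From: user@example.net
To: victim@example.org
Subject: a funny game
Date: Fri, 15 Aug 2003 10:00:59 -0000

body
--B1--
"""

# Constructed variant where the submitting host really is on our network.
SAMPLE_BOUNCE_LOCAL = SAMPLE_BOUNCE.replace("198.51.100.77", "192.0.2.33")


def find_original(bounce):
    """Return the enclosed original message from a bounce, or None if absent."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def origin_ip(original):
    """The submitting host is in the earliest Received: header, which is listed last."""
    received = original.get_all("Received") or []
    if not received:
        return None
    m = IP_IN_BRACKETS.search(str(received[-1]))
    return m.group(1) if m else None


def analyze_bounce(raw):
    """Return the claimed sender, the real submitting IP, and whether that IP is ours.
    All three are None when the bounce carries no original headers (inconclusive)."""
    bounce = email.message_from_string(raw)
    original = find_original(bounce)
    if original is None:
        return {"claimed_from": None, "origin_ip": None, "sent_from_our_network": None}
    claimed = parseaddr(original.get("From", ""))[1]
    ip = origin_ip(original)
    ours = None if ip is None else any(ip_address(ip) in n for n in OUR_NETWORKS)
    return {"claimed_from": claimed, "origin_ip": ip, "sent_from_our_network": ours}


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_BOUNCE), ("local", SAMPLE_BOUNCE_LOCAL)):
        print(label, analyze_bounce(raw))
```

Many antivirus bounces strip the original message down to a stub, in which case the function returns None throughout and nothing can be concluded either way; only a bounce that preserves the original's Received: trail can distinguish "her machine is infected" from "someone who has her address is infected", which is the distinction FromTheRafters is drawing.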
- Posted by Sheldon on August 15th, 2003
"FromTheRafters" <!0000@nomad.fake> wrote in message
news:vjolqg9j1e2fb5@corp.supernews.com...
notepad message that kept popping up, and I'm also glad we got the AV
updated and quarantined that Klez virus before it opened. When I originally
got to the computer I could not update NAV, and the computer was showing
signs of a Klez virus.
- Posted by FromTheRafters on August 15th, 2003
"Sheldon" <sheldon@REMOVEsopris.net> wrote in message news:qM5%a.119628$Oz4.24845@rwcrnsc54...
No, it sure doesn't, but I figured that might be an unrelated
problem.
Well, an updated AV ~ some malware removed ~ your patient
should be okay now. Some of those online scanners are pretty
sensitive I've heard, so it won't hurt to see what they have to say.
- Posted by Sheldon on August 17th, 2003
"FromTheRafters" <!0000@nomad.fake> wrote in message
news:vjqpbg65lv9j67@corp.supernews.com...
I agree with you regarding the online scanners. I always run them when I'm
on a computer with a high-speed connection, but tend to back off a bit if
they are on dial-up. Depends on my schedule, and how much time I've got
into the job already. An up-to-date AV program, that's working properly,
should nail anything "big."
Thanks again for all the help.
Sheldon