Beware the MSBlaster Worm, it will get you
Luke Kaven
08-12-2003, 10:38 AM
The Blaster/Posa/Lovsan worm will hunt you down and find you and cause you downtime and abundant headache without your doing anything to invite it. [I had such fun yesterday, all day] Hundreds of thousands of systems are being infected right now, and they are out looking for *you*! If you run Windows2000/XP/NT, you want to download the listed patch (KB823980) immediately, and I do mean immediately. If you use Win2000, you need to be at least at Service Pack 2 to install this patch.
Some of the early symptoms:
* If you see a process running called "msblast.exe", you have it.
* SVCHOST shuts down with errors
* Drag and drop stops working
* Add/Delete programs comes up blank with a "Cl&ose" button
* File Search will fail to launch
* Shift-Click in Internet Explorer (to launch in new window) does not work
* Internet Explorer shows a blank version number (Help->About Internet Explorer)
* Numerous programs (MS-Word/Excel, EZ-CDCreator, etc.) will not launch
* Outlook Express will fail with (insufficient memory) if one tries to send a new message
Here's hoping you have a worm-free day!
Luke
=====
From a notice posted by Jerry Bryant in microsoft.public.security -
SEVERITY: CRITICAL
DATE: August 11, 2003
PRODUCTS AFFECTED: Windows XP, Windows 2000, Windows Server 2003, Windows NT 4.0, NT 4.0 Terminal Services Edition
WHAT IS IT?
The Microsoft Product Support Services Security Team is issuing this alert to inform customers about a new worm named W32.Blaster.Worm which is spreading in the wild. This virus is also known as: W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trendmicro), Win32.Posa.Worm (Computer Associates). Best practices, such as applying security patch MS03-026, should prevent infection from this worm.
Customers that have previously applied the security patch MS03-026 before today are protected and no further action is required.
IMPACT OF ATTACK: Spread through open RPC ports. Customer's machine gets re-booted or has msblast.exe existing on customer's system.
TECHNICAL DETAILS: This worm scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability patched by MS03-026.
Once the exploit code is sent to a system, it downloads and executes the file MSBLAST.EXE from a remote system via TFTP. Once run, the worm creates the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill
Symptoms of the virus: Some customers may not notice any symptoms at all. A typical symptom is the system rebooting every few minutes without user input. Customers may also see:
- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
To detect this virus, search for msblast.exe in the WINDOWS SYSTEM32 directory or download the latest anti-virus software signature from your anti-virus vendor and scan your machine.
For additional details on this worm from anti-virus software vendors participating in the Microsoft Virus Information Alliance (VIA) please visit the following links:
Network Associates: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547
Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
Computer Associates: http://www3.ca.com/virusinfo/virus.aspx?ID=36265
For more information on Microsoft's Virus Information Alliance please visit this link: http://www.microsoft.com/technet/security/virus/via.asp
Please contact your Antivirus Vendor for additional details on this virus.
PREVENTION: Turn on Internet Connection Firewall (Windows XP or Windows Server 2003) or use a third party firewall to block TCP ports 135, 139, 445 and 593; also UDP 69 (TFTP) for zombie bits download and TCP 4444 for remote command shell. To enable the Internet Connection Firewall in Windows: http://support.microsoft.com/?id=283673
1. In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
2. Right-click the connection on which you would like to enable ICF, and then click Properties.
3. On the Advanced tab, click the box to select the option to Protect my computer or network.
This worm utilizes a previously-announced vulnerability as part of its infection method. Because of this, customers must ensure that their computers are patched for the vulnerability that is identified in Microsoft Security Bulletin MS03-026: http://www.microsoft.com/technet/security/bulletin/MS03-026.asp. Install the patch MS03-026 from Windows Update http://windowsupdate.microsoft.com
As always, please make sure to use the latest Anti-Virus detection from your Anti-Virus vendor to detect new viruses and their variants.
RECOVERY: Security best practices suggest that a previously compromised machine be wiped and rebuilt to eliminate any undiscovered exploits that can lead to a future compromise. See CERT Advisory: Steps for Recovering from a UNIX or NT System Compromise. http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
For additional information on recovering from this attack please contact your preferred anti-virus vendor.
RELATED MICROSOFT SECURITY BULLETINS: http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
RELATED KB ARTICLES: http://support.microsoft.com/?kbid=826955
This article will be available within 24 hours.
RELATED LINKS: http://www.microsoft.com/security/incident/blast.asp
As always please make sure to use the latest Anti-Virus detection from your Anti-Virus vendor to detect new viruses and their variants.
If you have any questions regarding this alert please contact your Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the US; outside of the US please contact your local Microsoft Subsidiary. Support for virus related issues can also be obtained from the Microsoft Virus Support Newsgroup which can be located by clicking on the following link news://msnews.microsoft.com/microsoft.public.security.virus.
LeBaron & Alrich
08-12-2003, 11:50 AM
And here's a MacInTouch-provided link to an article about this damned
worm:
<http://news.com.com/2100-1002-5062364.html?tag=macintouch>
This is a very nasty thing, people.
Luke Kaven <luke@smallsrecords.com> wrote:
> The Blaster/Posa/Lovsan worm will hunt you down and find you and cause
> you downtime and abundant headache without your doing anything to
> invite it. [I had such fun yesterday, all day] Hundreds of thousands
> of systems are being infected right now, and they are out looking for
> *you*!. If you run Windows2000/XP/NT, you want to download the listed
> patch (KB823980) immediately, and I do mean immediately. If you use
> Win2000, you need to be at least at Service Pack 2 to install this
> patch.
--
hank alrich * secret mountain
audio recording * music production * sound reinforcement
"If laughter is the best medicine let's take a double dose"
Bob Smith
08-12-2003, 09:24 PM
LeBaron & Alrich wrote:
>
> And here's a MacInTouch-provided link to an article about this damned
> worm:
>
> <http://news.com.com/2100-1002-5062364.html?tag=macintouch>
>
> This is a very nasty thing, people.
>
> Luke Kaven <luke@smallsrecords.com> wrote:
>
> > The Blaster/Posa/Lovsan worm will hunt you down and find you and cause
> > you downtime and abundant headache without your doing anything to
> > invite it. [I had such fun yesterday, all day] Hundreds of thousands
It is indeed very active. My hardware firewall is currently logging
hundreds of attacks per day on port 135.
bobs
Bob Smith
BS Studios
we organize chaos
http://www.bsstudios.com
Abhishek VERMA
08-12-2003, 10:30 PM
I had this same problem yesterday, the way I came around this is:
- Start > Run > regedit (on Windows XP Pro)
- Edit > Find... (search for msblaster)
- anything which has a value of msblaster, delete it
NOTE: Would be nice to backup your windows registry first by File >
Save as... in the Registry Editor.
I had 2 keys with the values containing "msblaster".
After you've done this, restart your computer and hopefully everything
should be sorted.
REASON: This worm is relatively new, and hence no (less)
support/anti-virus is available for it. This worm tries to start
itself on every restart through these registry values, so if you delete
these values the worm doesn't start up.
A good thing to do would be to download the windows updates from
microsoft's website.
HTH
Abhishek VERMA
Pat Sproule
08-13-2003, 02:06 AM
I would advise against just hacking the registry - just have a look at
www.sarc.com - follow the link to the w32.blaster.worm. Symantec have a free
and very simple tool that fixes the damage and then takes you to the update
patch from Microsoft which fixes the vulnerability.
Our uni was struck last night - it ground the servers to a halt with the
traffic and infected many of our 3000 computers.
Regards - Pat
www.patski.cjb.net
"Abhishek VERMA" <abhishek@studylink.com.au> wrote in message
news:82376f0f.0308122030.8585c82@posting.google.com...
> I had this same problem yesterday, the way I came around this is:
>
> - Start > Run > regedit (on Windows XP Pro)
> - Edit > Find... (search for msblaster)
> - anything which has a value of msblaster, delete it
Symantec have a free cleanup utility, and apart from the MS patch it
might be worth using a personal firewall like ZoneAlarm. A friend of
mine had his modem-connected PC infected yesterday, so that's no
protection! He's a drummer though, so I guess it's not surprising.
Ian
abhishek@studylink.com.au (Abhishek VERMA) wrote in message <snip>
>
> REASON: This worm is relatively new, and hence no (less)
> support/anti-virus is available for it. This worm tries to start
> itself on every restart through these registry values, so if you delete
> these values the worm doesn't start up.
>
> A good thing to do would be download the windows updates from
> microsoft's website.
>
> HTH
> Abhishek VERMA
Rob Adelman
08-13-2003, 07:48 AM
I think my computer at home is infected, but I haven't heard symptoms
described like what it is doing. It keeps having a window pop up and
says "NTAUTHORITY\SYSTEM - Remote Procedure Call (RPC)"
It then says "save all information as your computer will now be shutting
down". Then a 60 second timer starts counting down and the computer
shuts down. It automatically restarts only to have the window pop up
again and start all over.
Does anybody know if this is the worm?
Thanks -Rob
Luke Kaven wrote:
> The Blaster/Posa/Lovsan worm will hunt you down and find you and cause
> you downtime and abundant headache without your doing anything to
> invite it. [I had such fun yesterday, all day] Hundreds of thousands
> of systems are being infected right now, and they are out looking for
> *you*!. If you run Windows2000/XP/NT, you want to download the listed
> patch (KB823980) immediately, and I do mean immediately. If you use
> Win2000, you need to be at least at Service Pack 2 to install this
> patch.
William Sommerwerck
08-13-2003, 07:56 AM
I believe it is. Or a related one.
Log off. Check the Task Manager Processes window for msblast and kill the
process. Then find msblast.exe on your hard drive and delete it.
Then log on and install the Microsoft update. I did these things yesterday, and
that was the end of that.
> I think my computer at home is infected, but I haven't heard symptoms
> described like what it is doing. It keeps having a window pop up and
> says "NTAUTHORITY\SYSTEM - Remote Procedure Call (RPC)"
> It then says "save all information as your computer will now be shutting
> down". Then a 60 second timer starts counting down and the computer
> shuts down. It automatically restarts only to have the window pop up
> again and start all over.
> Does anybody know if this is the worm?
Rob Adelman
08-13-2003, 08:00 AM
Thanks, I'll try that tonight.
-Rob
William Sommerwerck wrote:
> I believe it is. Or a related one.
>
> Log off. Check the Task Manager Processes window for msblast and kill the
> process. Then find msblast.exe on your hard drive and delete it.
>
> Then log on and install the Microsoft update. I did these things yesterday, and
> that was the end of that.
>
>
>
>> I think my computer at home is infected, but I haven't heard symptoms
>> described like what it is doing. It keeps having a window pop up and
>> says "NTAUTHORITY\SYSTEM - Remote Procedure Call (RPC)"
>> It then says "save all information as your computer will now be shutting
>> down". Then a 60 second timer starts counting down and the computer
>> shuts down. It automatically restarts only to have the window pop up
>> again and start all over.
>> Does anybody know if this is the worm?
GeeMima
08-13-2003, 08:13 AM
I'm running Windows 98 SE, which I don't believe is vulnerable to the
MSBlaster attack. However, I just did a search using regedit and an
msblaster line showed up in Windows/Microsoft/Explorer. Should I delete
this key? My computer is running normally. Also, I ran task manager and at
the top of the list is a line reading: "Re: Beware the MSblaster Worm, it
will get you." Now, I'm freaking...
"William Sommerwerck" <williams@nwlink.com> wrote in message
news:vjkgvd61dorj96@corp.supernews.com...
> I believe it is. Or a related one.
>
> Log off. Check the Task Manager Processes window for msblast and kill the
> process. Then find msblast.exe on your hard drive and delete it.
>
> Then log on and install the Microsoft update. I did these things yesterday, and
> that was the end of that.
>
>
> > I think my computer at home is infected, but I haven't heard symptoms
> > described like what it is doing. It keeps having a window pop up and
> > says "NTAUTHORITY\SYSTEM - Remote Procedure Call (RPC)"
>
> > It then says "save all information as your computer will now be shutting
> > down". Then a 60 second timer starts counting down and the computer
> > shuts down. It automatically restarts only to have the window pop up
> > again and start all over.
>
> > Does anybody know if this is the worm?
>
GeeMima
08-13-2003, 08:25 AM
"GeeMima" <NOTggmedia@tyler.net> wrote in message
news:vjkhm7pj2pca40@corp.supernews.com...
> I'm running Windows 98 SE, which I don't believe is vulnerable to the
> MSBlaster attack. However, I just did a search using regedit and an
> msblaster line showed up in Windows/Microsoft/Explorer. Should I delete
> this key? My computer is running normally. Also, I ran task manager and at
> the top of the list is a line reading: "Re: Beware the MSblaster Worm, it
> will get you." Now, I'm freaking...
Okay, forget the task manager listing. It showed up because this NG message
was open in the background. Freak off...
Arny Krueger
08-13-2003, 09:27 AM
"Rob Adelman" <radelman@mn.rr.com> wrote in message
news:bhdfji$vvot0$1@ID-75267.news.uni-berlin.de
> I think my computer at home is infected, but I haven't heard symptoms
> described like what it is doing. It keeps having a window pop up and
> says "NTAUTHORITY\SYSTEM - Remote Procedure Call (RPC)"
>
> It then says "save all information as your computer will now be
> shutting down". Then a 60 second timer starts counting down and the
> computer shuts down. It automatically restarts only to have the window
> pop up again and start all over.
>
> Does anybody know if this is the worm?
For sure.
How did you catch it?
Arny Krueger
08-13-2003, 09:47 AM
"Luke Kaven" <luke@smallsrecords.com> wrote in message
news:0s4ijv81vmjcigs7s0mrk4p0jkhqcc6j9p@4ax.com
> The Blaster/Posa/Lovsan worm will hunt you down and find you and cause
> you downtime and abundant headache without your doing anything to
> invite it. [I had such fun yesterday, all day]
The short answer for disabling this virus is:
(0) remove any network or modem cables attached to the machine.
(1) Bring your machine up in "Safe Mode" by pressing F5 while re-booting.
The virus will give you ample opportunities to do this.
(2) Go to My Computer
(3) Open up your "C" drive
(4) Open up the "Windows" folder
(5) Open up the "System32" folder in the "Windows" folder
(6) Delete the MSBLAST.EXE file.
You can avoid reinfection the next time you go online by downloading and
applying the (now) well-known fix from MS. The obvious challenge is getting
the fix before you get re-infected.
I'd like to know how people are catching this virus as a matter of fact. I
hear about bum email attachments, but it appears that it can be caught by
simply being online without adequate protection.
Rob Adelman
08-13-2003, 10:21 AM
Arny Krueger wrote:
>>Does anybody know if this is the worm?
>
>
> For sure.
>
> How did you catch it?
No idea. Thanks for the fix though, going to try that tonight.
-Rob
Luke Kaven
08-13-2003, 12:03 PM
"Arny Krueger" <arnyk@hotpop.com> wrote:
>"Luke Kaven" <luke@smallsrecords.com> wrote
>> The Blaster/Posa/Lovsan worm will hunt you down and find you and cause
>> you downtime and abundant headache without your doing anything to
>> invite it. [I had such fun yesterday, all day]
>
>The short answer for disabling this virus is:
>
>(0) remove any network or modem cables attached to the machine.
>(1) Bring your machine up in "Safe Mode" by pressing F5 while re-booting.
>The virus will give you ample opportunities to do this.
>(2) Go to My Computer
>(3) Open up your "C" drive
>(4) Open up the "Windows" folder
>(5) Open up the "System32" folder in the "Windows" folder
>(6) Delete the MSBLAST.EXE file.
>
>You can avoid reinfection the next time you go online by downloading and
>applying the (now) well-known fix from MS. The obvious challenge is getting
>the fix before you get re-infected.
>
>I'd like to know how people are catching this virus as a matter of fact. I
>hear about bum email attachments, but it appears that it can be caught by
>simply being online without adequate protection.
The virus scans IP addresses sequentially starting from a
pseudo-random address until it finds a machine with the vulnerability
(could be you!). Someone else can give a better explanation of the
process, but it seems the virus is able to connect to your Remote
Procedure Call (RPC) service from outside, through a standard port. It
plants a call on your machine that downloads the virus from the
source, runs it, and sets the registry to run it at each startup. I
think it is able to exploit a buffer overrun condition that was left
unchecked to bypass the normal authentication; how the hack works, I
don't know. So the short answer is that you don't have to do
anything. It comes to you through a standard network service
undetected, unless you have a firewall watching the ports in question.
By the way -- expect more clever and insidious versions of this virus
to come. By all means, download the OS patch immediately.
Luke
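A worked example of the propagation pattern Luke describes above, written for this page and not taken from any post in the thread: a small Python script that reads constructed inbound-connection log lines and reports, per source address, how many attempts hit TCP/135 and whether those targets advance through consecutive addresses, which is the sequential sweep a Blaster-infected host produces. The log layout, the sample addresses (documentation ranges), the function names and the three-target threshold are all assumptions made here; a real ZoneAlarm or router log differs and would need its own regex.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of inbound-connection log lines in an invented
# "time src dst dport proto" layout (not a real ZoneAlarm log).
SAMPLE_LOG = """\
2003-08-13 09:00:01 src=203.0.113.7 dst=198.51.100.10 dport=135 proto=TCP
2003-08-13 09:00:01 src=203.0.113.7 dst=198.51.100.11 dport=135 proto=TCP
2003-08-13 09:00:02 src=203.0.113.7 dst=198.51.100.12 dport=135 proto=TCP
2003-08-13 09:00:02 src=203.0.113.7 dst=198.51.100.13 dport=135 proto=TCP
2003-08-13 09:00:05 src=192.0.2.44 dst=198.51.100.10 dport=80 proto=TCP
2003-08-13 09:03:10 src=192.0.2.99 dst=198.51.100.10 dport=135 proto=TCP
2003-08-13 09:03:11 src=192.0.2.99 dst=198.51.100.250 dport=135 proto=TCP
2003-08-13 09:06:00 src=192.0.2.99 dst=198.51.100.10 dport=135 proto=TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_log(text):
    """Turn log lines into records; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": m["ts"],
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
            "proto": m["proto"].upper(),
        })
    return records


def longest_sequential_run(addresses):
    """Length of the longest run of consecutive IPs, in the order they were seen."""
    best = run = 1 if addresses else 0
    for prev, cur in zip(addresses, addresses[1:]):
        if int(cur) == int(prev) + 1:
            run += 1
            best = max(best, run)
        else:
            run = 1
    return best


def count_port_hits(records, port=135):
    """Inbound TCP attempts per source on the given port: the number a
    personal firewall's blocked-attempts counter would show."""
    hits = defaultdict(int)
    for r in records:
        if r["proto"] == "TCP" and r["dport"] == port:
            hits[str(r["src"])] += 1
    return dict(hits)


def find_rpc_sweeps(records, min_run=3, port=135):
    """Sources whose TCP/135 targets step through consecutive addresses,
    the sequential scan from a pseudo-random start described in the thread.
    Returns {source: length_of_longest_consecutive_run}."""
    targets = defaultdict(list)
    for r in records:
        if r["proto"] == "TCP" and r["dport"] == port:
            targets[r["src"]].append(r["dst"])
    return {
        str(src): run
        for src, dsts in targets.items()
        if (run := longest_sequential_run(dsts)) >= min_run
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("TCP/135 hits per source:", count_port_hits(recs))
    print("Sequential sweeps:", find_rpc_sweeps(recs))
```

On a single dial-up host, every inbound record has the same destination, so only the per-source hit count says anything; the sweep detector needs a log that sees several destinations, such as a gateway or router log. Either way, a source repeatedly touching TCP/135 is exactly the traffic the MS03-026 patch and a port-135 block are meant to make harmless.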
William Sommerwerck
08-13-2003, 02:06 PM
>> You can avoid reinfection the next time you go online by downloading
>> and applying the (now) well-known fix from MS. The obvious challenge
>> is getting the fix before you get re-infected.
This is the trick. I had to reboot several times before the download and
installation were performed without msblast sneaking in again. On the third try,
it got through just as the installation was successfully completing!
Rob Adelman
08-13-2003, 04:46 PM
William Sommerwerck wrote:
> I believe it is. Or a related one.
>
> Log off. Check the Task Manager Processes window for msblast and kill the
> process. Then find msblast.exe on your hard drive and delete it.
>
> Then log on and install the Microsoft update. I did these things yesterday, and
> that was the end of that.
I did it, and here I am! Worked like a charm.
-Rob
Vladan
08-13-2003, 07:02 PM
Is it really that dangerous? I have just XP bundled firewall service,
and got nothing. I have all remote and sharing services disabled (not
installed/ allowed). What's the deal?
Vladan
www.geocities.com/vla_dan_l
www.mp3.com/lesly , www.mp3.com/shook , www.mp3.com/lesly2
www.kunsttick.com/artists/vuskovic/indexdat.htm
Vladan
08-13-2003, 07:02 PM
On Wed, 13 Aug 2003 09:13:10 -0500, "GeeMima" <NOTggmedia@tyler.net>
wrote:
>I'm running Windows 98 SE, which I don't believe is vulnerable to the
>MSBlaster attack. However, I just did a search using regedit and an
>msblaster line showed up in Windows/Microsoft/Explorer. Should I delete
>this key? My computer is running normally. Also, I ran task manager and at
>the top of the list is a line reading: "Re: Beware the MSblaster Worm, it
>will get you." Now, I'm freaking...
Unless this was a joke, relax. What you see are references to reading
this thread.
Vladan
www.geocities.com/vla_dan_l
www.mp3.com/lesly , www.mp3.com/shook , www.mp3.com/lesly2
www.kunsttick.com/artists/vuskovic/indexdat.htm
Rob Adelman
08-13-2003, 07:20 PM
Vladan wrote:
> Is it really that dangerous.
Umm, no.
> I have just XP bundled firewall service,
> and got nothing.
Not the case for me. I got worms and I wasn't even going fishin'
> I have all remote and sharing services dissabled (not
> installed/ allowed).
Me too.
>What's the deal?
Dunno, Glad the worm is gone though. Hope it doesn't come back.
Mike Rivers
08-13-2003, 07:50 PM
In article <Dzx_a.302$l24.12713@nnrp1.ozemail.com.au> patsproule@ozemail.com.au writes:
> A lot of ppl are getting this by simply being online. My firewall is logging
> a scan on port 135 every 3 mins or so, and I am on dialup! Zone Alarm et al
> with port 135 blocked will stop it.
I'm using the free version of Zone Alarm, and if that allows blocking
of specific ports, I haven't found it. It might be a feature only of
the paid version. But it blocks a lot of stuff, and I'm dialed up
all the time and haven't found the latest worm yet.
I looked at the MS patch, but it looks like it's at least a month old.
I guess they must have thought about this one before someone actually
wrote a worm to take advantage of the hole. I just installed Service
Pack 4 (Win2K) last week (dated later than the patch), and I trust
that has all the appropriate security updates for this one.
--
I'm really Mike Rivers - (mrivers@d-and-d.com)
Don Cooper
08-13-2003, 08:36 PM
Luke Kaven wrote:
>
> The Blaster/Posa/Lovsan worm will hunt you down and find you and cause
> you downtime and abundant headache without your doing anything to
> invite it.
Having a Mac can really be boring some days.
Don
LeBaron & Alrich
08-13-2003, 09:32 PM
Don Cooper <dcooper2880@comcast.net> wrote:
> Luke Kaven wrote:
> > The Blaster/Posa/Lovsan worm will hunt you down and find you and cause
> > you downtime and abundant headache without your doing anything to
> > invite it.
> Having a Mac can really be boring some days.
Though making friends with humans on the dark side does beget a lot of
email from folks I've never met or heard of, or that maybe don't even
exist. But they still send me emails by the ton. Pretty exciting
throwing it all away. Everyday.
--
ha
Luke Kaven
08-13-2003, 11:20 PM
mrivers@d-and-d.com (Mike Rivers) wrote:
[...]
>I looked at the MS patch, but it looks like it's at least a month old.
>I guess they must have thought about this one before someone actually
>wrote a worm to take advantage of the hole. I just installed Service
>Pack 4 (Win2K) last week (dated later than the patch), and I trust
>that has all the appropriate security updates for this one.
The devilish thing is that once Microsoft announced that they had a
critical security problem in Windows, the race was on. I should have
known that hackers, one of whom likely found the bug in the first
place, were setting to work the moment the challenge was laid down. I
should have taken the attitude that such a worm was coming sooner
rather than later and loaded the patch the minute it became available.
Luke
Rick Thomas
08-13-2003, 11:45 PM
See everyone should own a mac.
in article sp6mjv8qn7c9rjk12d6ikgoejkrhddb7j3@4ax.com, Luke Kaven at
luke@smallsrecords.com wrote on 8/14/03 1:20 AM:
> mrivers@d-and-d.com (Mike Rivers) wrote:
> [...]
>> I looked at the MS patch, but it looks like it's at least a month old.
>> I guess they must have thought about this one before someone actually
>> wrote a worm to take advantage of the hole. I just installed Service
>> Pack 4 (Win2K) last week (dated later than the patch), and I trust
>> that has all the appropriate security updates for this one.
>
> The devilish thing is that once Microsoft announced that they had a
> critical security problem in Windows, the race was on. I should have
> known that hackers, one of whom likely found the bug in the first
> place, were setting to work the moment the challenge was laid down. I
> should have taken the attitude that such a worm was coming sooner
> rather than later and loaded the patch the minute it became available.
>
> Luke
Kurt Albershardt
08-14-2003, 12:13 AM
Rick Thomas wrote:
>
>>> I looked at the MS patch, but it looks like it's at least a month old.
>>> I guess they must have thought about this one before someone actually
>>> wrote a worm to take advantage of the hole. I just installed Service
>>> Pack 4 (Win2K) last week (dated later than the patch), and I trust
>>> that has all the appropriate security updates for this one.
>>
>> The devilish thing is that once Microsoft announced that they had a
>> critical security problem in Windows, the race was on. I should have
>> known that hackers, one of whom likely found the bug in the first
>> place, were setting to work the moment the challenge was laid down. I
>> should have taken the attitude that such a worm was coming sooner
>> rather than later and loaded the patch the minute it became available.
>
>
> See everyone should own a mac.
Um, yeah but then who would be the easiest target group?
Richard Crowley
08-14-2003, 12:18 AM
"Luke Kaven" wrote ...
> The devilish thing is that once Microsoft announced that they had a
> critical security problem in Windows, the race was on. I should have
> known that hackers, one of whom likely found the bug in the first
> place, were setting to work the moment the challenge was laid down. I
> should have taken the attitude that such a worm was coming sooner
> rather than later and loaded the patch the minute it became available.
Reports are that all the infected machines will be used to
launch a DOS (denial of service) attack on Microsoft's
patch servers by swamping them with bogus traffic.
Richard Crowley
08-14-2003, 12:20 AM
"Rick Thomas" wrote ...
> See everyone should own a mac.
If they did then you would be the one complaining about the
unending infections. The juvenile delinquents go after whoever
has the biggest market share. At times like these you should
be glad Apple has such a tiny market share.
LeBaron & Alrich
08-14-2003, 12:43 AM
Richard Crowley <rcrowley7@xprt.net> wrote:
> Reports are that all the infected machines will be used to
> launch a DOS (denial of service) attack on Microsoft's
> patch servers by swamping them with bogus traffic.
Technical point: the traffic is real; the message is bogus. <g>
--
ha
Mike Rivers
08-14-2003, 08:13 AM
In article <vjmadk45o4hn90@corp.supernews.com> rcrowley7@xprt.net writes:
> Reports are that all the infected machines will be used to
> launch a DOS (denial of service) attack on Microsoft's
> patch servers by swamping them with bogus traffic.
I read that same report, but the program really doesn't have to do
anything. Just creating panic is already loading the Microsoft Windows
Update web site about to capacity. This is one of the ways that a worm
or virus does its thing without doing permanent damage. The worm gets
it started, the people do the rest.
--
I'm really Mike Rivers - (mrivers@d-and-d.com)
Rob Adelman
08-14-2003, 08:34 AM
Mike Rivers wrote:
> I'm using the free version of Zone Alarm, and if that allows blocking
> of specific ports, I haven't found it. It might be a feature only of
> the paid version. But it blocks a lot of stuff, and I'm dialed up
> all the time and haven't found the latest worm yet.
After I got rid of the worm, I must have changed something because I
started getting all those annoying popups again. So I also started the
free version of Zone Alarm and it seems to be working. It is up to about
40 blocked attempts. So maybe I will buy the paid version? I am
wondering if Zone Alarm or Norton or someone started the worm? Sure is
good for business..
Scott Dorsey
08-14-2003, 08:48 AM
In article <vjmagt8vk1q05a@corp.supernews.com>,
Richard Crowley <rcrowley7@xprt.net> wrote:
>"Rick Thomas" wrote ...
>> See everyone should own a mac.
>
>If they did then you would be the one complaining about the
>unending infections. The juvenile delinquents go after whoever
>has the biggest market share. At times like these you should
>be glad Apple has such a tiny market share.
This may be true, but most of the security issues with Microsoft products
were just plain stupid ones due to fundamentally poor design, and most of
the patches don't really fix any of the problems.
All of the Outlook-propagated e-mail viruses are due to some totally boneheaded
decisions on the part of Microsoft designers to tightly couple e-mail with
other applications and provide "content-rich" e-mail and automatic handling of
attachments. These are all "features" that may make things seem more
convenient to the user but have terrible security consequences.
Patches come out on a regular basis, but none of them fix the fact that
there is a fundamental design flaw. All you can do is deal with the latest
virus release; there is no attempt to actually prevent propagation in the
future.
This latest one is due to very bad design of their RPC protocol, something
so fundamentally bad that it would have got the designer a failing grade in
an undergraduate datacomm class. But because everything at Microsoft is so
locked up and everything is a black box that nobody can look inside, the
badness took a long time before hackers found it. And when they did find it,
they found it with a vengeance. I'd MUCH rather have a system that people
can look inside, see the problems, and get them fixed before the hackers do
rather than afterward.
There are a lot of operating systems out there. It's true that none of them
have anything like the market share that Microsoft does, but most of them
also don't have the kind of mindbogglingly obvious security holes that the
Microsoft products do.
There is NO excuse for this kind of bad design. There is NO excuse for
shipping products that are fundamentally insecure by default.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
LeBaron & Alrich
08-14-2003, 10:41 AM
Scott Dorsey <kludge@panix.com> wrote:
> Patches come out on a regular basis, but none of them fix the fact that
> there is a fundamental design flaw.
At least MS has proven that square wheels can roll if you push 'em hard
enough.
--
ha
Luke Kaven
08-14-2003, 12:09 PM
Rob Adelman <radelman@mn.rr.com> wrote:
>Mike Rivers wrote:
>
>> I'm using the free version of Zone Alarm, and if that allows blocking
>> of specific ports, I haven't found it. It might be a feature only of
>> the paid version. But it blocks a lot of stuff, and I'm dialed up
>> all the time and haven't found the latest worm yet.
>
>After I got rid of the worm, I must have changed something because I
>started getting all those annoying popups again. So I also started the
>free version of Zone Alarm and it seems to be working. It is up to about
>40 blocked attempts. So maybe I will buy the paid version? I am
>wondering if Zone Alarm or Norton or someone started the worm? Sure is
>good for business..
Go into Settings->Control Panel->Administrative Tools->Services
Look for the "Windows Messaging" service and see if it is running. If it
is, right click on the entry for it, and bring up the Property sheet.
Hit Stop, and select "Disable". You won't be able to run some kinds
of instant messaging, but that will keep popups from coming in out of
the wild. If you run Spybot Search & Destroy periodically (and keep
up with the updates), you will be able to eradicate most annoying
trojans (Xupiter, Gator, all those things we hate).
Luke
Ron Capik
08-14-2003, 01:26 PM
Scott Dorsey wrote:
> There is NO excuse for this kind of bad design. There is NO excuse for
> shipping products that are fundamentally insecure by default.
> --scott
> --
> "C'est un Nagra. C'est suisse, et tres, tres precis."
Somehow this reminds me of Marvin, the incredibly depressed, paranoid android
where Bill Gates has given us an OS the size of a planet ...etc.
Yep, I think my Windows machines have a lot of insecurities: fear of crashing,
fear of invasion, blue screen of death, fear of other's applications, shutting down
without pushing the "start" button...
Thus far my firewall is holding.
Ron Capik <<< cynic in training >>>
--
Rob Adelman
08-14-2003, 01:46 PM
Ron Capik wrote:
>
> Ron Capik <<< cynic in training >>>
Great line, Ron!
William Sommerwerck
08-14-2003, 01:53 PM
An odd response from someone named Capik (i.e., Capek)...
Ron Capik wrote...
> Somehow this reminds me of Marvin, the incredibly depressed,
> paranoid android where Bill Gates has given us an OS the size
> of a planet ...etc. Yep, I think my Windows machines have a lot
> of insecurities: fear of crashing, fear of invasion, blue screen of
> death, fear of other's applications, shutting down without pushing
> the "start" button...
David Morgan \(MAMS\)
08-14-2003, 02:34 PM
"Luke Kaven" <luke@smallsrecords.com> wrote in message news:jrjnjvghh2qi66r01tqgsgk4ltk5m8hj0j@4ax.com...
> Rob Adelman <radelman@mn.rr.com> wrote:
> >Mike Rivers wrote:
> >
> >> I'm using the free version of Zone Alarm, and if that allows blocking
> >> of specific ports, I haven't found it. It might be a feature only of
> >> the paid version. But it blocks a lot of stuff, and I'm dialed up
> >> all the time and haven't found the latest worm yet.
Mike,
Zone Alarm is a pretty cool tool to be so innocuous to load. The Pro
version does allow highly tailored functions on a site by site basis if
needed. I think it's quite sufficient in its 'free' state though.
> >After I got rid of the worm, I must have changed something because I
> >started getting all those annoying popups again. So I also started the
> >free version of Zone Alarm and it seems to be working. It is up to about
> >40 blocked attempts. So maybe I will buy the paid version? I am
> >wondering if Zone Alarm or Norton or someone started the worm? Sure is
> >good for business..
Rob,
I can get 40 blocked attempts per hour!! The guy that developed ZoneAlarm
is pretty renowned for his work in identifying 'spyware' software, including
actions against Real Networks (Real player, Real jukebox, Real download,
etc.), PKZip and more - - I doubt he writes virii as a pastime. We could
share in the great cynic, conspiracist approach, however.
> Go into Settings->Control Panel->Administrative Tools->Services
>
> Look for the "Windows Messaging" service and see if it is running. If it
> is, right click on the entry for it, and bring up the Property sheet.
> Hit Stop, and select "Disable". You won't be able to run some kinds
> of instant messaging, but that will keep popups from coming in out of
> the wild. If you run Spybot Search & Destroy periodically (and keep
> up with the updates), you will be able to eradicate most annoying
> trojans (Xupiter, Gator, all those things we hate).
>
> Luke
Did you figure out how you got this thing Luke? (I'd really like to hear
how the USPS stumbled onto it).
I like AdAware, but Spybot probably runs much the same way. Probably
both are harmless, non-invasive pieces of software... I know AAW is.
By practicing simple safe (albeit sometimes time consuming) surfing
and mail-reading practices, using a firewall and judiciously setting a few
preferences, I've never had a virus, and I have never used on-board
anti-virus software. The protection has almost always been there, you
just have to employ it. I think the careless, haphazard users get the
worms in most cases. (I can't put you in that category). I'm surprised
how many people are glued to the internet without a firewall and with no
knowledge of their on-board protection options. Keeping updated is such
a minor thing... some would make it sound like big trouble, but it's a no
brainer to do this. (...And *without* downloading the automatic update
notifier.. another POS to run in the background).
--
David Morgan (MAMS)
http://www.m-a-m-s.com
http://www.artisan-recordingstudio.com
Ron Capik
08-14-2003, 03:39 PM
William Sommerwerck wrote:
> An odd response from someone named Capik (ie, Capek)...
> < ..snip... >
Ah, but I've been to the filk side... ;-)
Ron Capik [aka: the NJ Editorial Minstrel ]
--
[chorus]
Re-boot 16 times, what do you get
Another error message or the blue screen of death
My registry's corrupted and the re-boot's slow
I got my bugs from the Microsoft store
[ "to the tune of 16 tons" ]
LeBaron & Alrich
08-14-2003, 08:32 PM
Ron Capik <r.capik@worldnet.att.net> wrote:
> Ron Capik [aka: the NJ Editorial Minstrel ]
> --
> [chorus]
> Re-boot 16 times, what do you get
> Another error message or the blue screen of death
> My registry's corrupted and the re-boot's slow
> I got my bugs from the Microsoft store
> [ "to the tune of 16 tons" ]
EggHd,
Sign this guy.
--
ha
Rick Thomas
08-14-2003, 08:35 PM
in article vjmagt8vk1q05a@corp.supernews.com, Richard Crowley at
rcrowley7@xprt.net wrote on 8/14/03 2:20 AM:
> "Rick Thomas" wrote ...
>> See everyone should own a mac.
>
> If they did then you would be the one complaining about the
> unending infections. The juvenile delinquents go after whoever
> has the biggest market share. At times like these you should
> be glad Apple has such a tiny market share.
>
>
Ahh, viruses just don't work as well on Mac OS and Amiga systems. They're too
easy to spot and get rid of.
Richard Crowley
08-15-2003, 01:19 AM
> >"Rick Thomas" wrote ...
> >> See everyone should own a mac.
> Richard Crowley wrote:
> >If they did then you would be the one complaining about the
> >unending infections. The juvenile delinquents go after whoever
> >has the biggest market share. At times like these you should
> >be glad Apple has such a tiny market share.
"Scott Dorsey" wrote ...
> This may be true, but most of the security issues with Microsoft
> products were just plain stupid ones due to fundamentally poor
> design, and most of the patches don't really fix any of the problems.
The vast majority of the security vulnerabilities seem to be poor (or
seeming non-existent) buffer/pointer management. Some have
suggested this is due to the way early Microsoft C compiler
manuals were edited. All their new-college-grad programmers used
the section showing how to do it, and never looked at the appendix
explaining buffer overrun safeguards and pointer preservation. An
apparent dearth of meaningful code review would appear to have
neatly finished the job. Now there are likely thousands and thousands
of vulnerable buffers ripe for the discovery by the next slime-ball
virus "author".
Jonas Eckerman
08-15-2003, 09:35 AM
mrivers@d-and-d.com (Mike Rivers) wrote in news:znr1060812644k@trad:
> I looked at the MS patch, but it looks like it's at least a month old.
> I guess they must have thought about this one before someone actually
> wrote a worm to take advantage of the hole.
That's pretty normal. When the first worm exploiting a specific bug comes
out, that bug has usually been known for months and the bugfix has been
available for at least a month.
> I just installed Service
> Pack 4 (Win2K) last week (dated later than the patch), and I trust
> that has all the appropriate security updates for this one.
Don't. The service packs do not always contain all patches. Actually, I've
once installed a service pack for Win2K that *removed* one of the security
patches we had installed. Couple of hours after we had installed the
service pack we had to take down the machine to remove a nasty worm. A worm
which we thought couldn't get in there as we had installed the security
patch fixing the bug that worm exploited. :-/
Regards
/Jonas
George W.
08-15-2003, 09:48 AM
On Fri, 15 Aug 2003 15:35:36 GMT, Jonas Eckerman wrote:
>> I just installed Service
>> Pack 4 (Win2K) last week (dated later than the patch), and I trust
>> that has all the appropriate security updates for this one.
>
>Don't. The service packs do not always contain all patches. Actually, I've
>once installed a service pack for Win2K that *removed* one of the security
>patches we had installed. Couple of hours after we had installed the
>service pack we had to take down the machine to remove a nasty worm. A worm
>which we thought couldn't get in there as we had installed the security
>patch fixing the bug that worm exploited. :-/
Anyone know the patch number for XP?
Thanks.
georgeh
08-15-2003, 10:25 AM
There's a version for 32-bit and a version for 64-bit XP. There's a hyperlink
to the downloads page right on the microsoft home page.
George W. <geowirth@comcast.net> writes:
>Anyone know the patch number for XP?
>Thanks.
William Sommerwerck
08-15-2003, 10:34 AM
You don't need the number. Just go to www.windows.com and look on the right side
of the page.
> Anyone know the patch number for XP?
Mike Rivers
08-15-2003, 01:31 PM
In article <Xns93D8B2F75FE57wastheworldcreatedby@127.0.0.1> jonas@truls.org writes:
> The service packs do not allways contain all patches. Actually, I've
> once installed a service pack for Win2K that *removed* one of the security
> patches we had installed.
Nothing like a little configuration management, is there?
--
I'm really Mike Rivers - (mrivers@d-and-d.com)
Rob Adelman
08-15-2003, 09:31 PM
Today in the office, the worm was propagating. Even though the "computer
guy" assured us it wouldn't get us. He has firewalls and routers and
security stuff and told us it wouldn't get in. But hey, it didn't get
me, I have windows 98 on my work computer he,he..
So the lady in the front area was sitting there with her computer
shutting down and starting up and I told her to check the task manager,
shut off msblast, then search for the file and delete. I was the Hero!
heheh
Computer guy was downstairs and I told him Pat's computer was infected
but we fixed it and he was all " oh no, I gotta get up there and do this
that and the other thing...
William Sommerwerck wrote:
> I believe it is. Or a related one.
>
> Log off. Check the Task Manager Processes window for msblast and kill the
> process. Then find msblast.exe on your hard drive and delete it.
>
> Then log on and install the Microsoft update. I did these things yesterday, and
> that was the end of that.
>
Rob Adelman
08-15-2003, 09:46 PM
I took Luke's advice and went into administration tools and shut off a
few things including alert. Pop ups are gone, free zone alarm,
uninstalled, everything back to normal. I suppose there are hundreds of
attempts going into my computer right now. Does it really matter?
David Morgan (MAMS) wrote:
> "Luke Kaven" <luke@smallsrecords.com> wrote in message news:jrjnjvghh2qi66r01tqgsgk4ltk5m8hj0j@4ax.com...
>
>>Rob Adelman <radelman@mn.rr.com> wrote:
>>
>>>Mike Rivers wrote:
>>>
>>>
>>>>I'm using the free version of Zone Alarm, and if that allows blocking
>>>>of specific ports, I haven't found it. It might be a feature only of
>>>>the paid version. But it blocks a lot of stuff, and I'm dialed up
>>>>all the time and haven't found the latest worm yet.
>
>
> Mike,
>
> Zone Alarm is a pretty cool tool to be so innocuous to load. The Pro
> version does allow highly tailored functions on a site by site basis if
> needed. I think it's quite sufficient in its 'free' state though.
>
> Rob,
>
> I can get 40 blocked attempts per hour!! The guy that developed ZoneAlarm
> is pretty renowned for his work in identifying 'spyware' software, including
> actions against Real Networks (Real player, Real jukebox, Real download,
> etc.), PKZip and more - - I doubt he writes virii as a pastime. We could
> share in the great cynic, conspiracist approach, however.
>
>
>>Go into Settings->Control Panel->Administrative Tools->Services
>>
>>Look for the "Windows Messaging" service and see if it is running. If it
>>is, right click on the entry for it, and bring up the Property sheet.
>>Hit Stop, and select "Disable". You won't be able to run some kinds
>>of instant messaging, but that will keep popups from coming in out of
>>the wild. If you run Spybot Search & Destroy periodically (and keep
>>up with the updates), you will be able to eradicate most annoying
>>trojans (Xupiter, Gator, all those things we hate).
>>
>>Luke
>
>
> Did you figure out how you got this thing Luke? (I'd really like to hear
> how the USPS stumbled onto it).
>
> I like AdAware, but Spybot probably runs much the same way. Probably
> both are harmless, non-invasive pieces of software... I know AAW is.
>
> By practicing simple safe (albeit sometimes time consuming) surfing
> and mail-reading practices, using a firewall and judiciously setting a few
> preferences, I've never had a virus, and I have never used on-board
> anti-virus software. The protection has almost always been there, you
> just have to employ it. I think the careless, haphazard users get the
> worms in most cases. (I can't put you in that category). I'm surprised
> how many people are glued to the internet without a firewall and with no
> knowledge of their on-board protection options. Keeping updated is such
> a minor thing... some would make it sound like big trouble, but it's a no
> brainer to do this. (...And *without* downloading the automatic update
> notifier.. another POS to run in the background).
>
Laurence Payne
08-16-2003, 08:07 AM
>> Ahh, viruses just don't work as well on Mac OS and Amiga systems. They're too
>> easy to spot and get rid of.
>
>That's funny! The Amiga was the most virus-ridden computer of its time.
>Actually, the whole virus scene was started with the Amiga. Sure, there
>were a few PC virii and other stuff before the avalanche of Amiga virii,
>but the Amiga was the first computer to get new virii written for it
>regularly.
The Atari ST had its share too. Particularly when cracked copies of
sequencer programs became widely distributed.
Scott Dorsey
08-16-2003, 09:34 AM
Richard Crowley <rcrowley7@xprt.net> wrote:
>The vast majority of the security vulnerabilities seem to be poor (or
>seeming non-existent) buffer/pointer management. Some have
>suggested this is due to the way early Microsoft C compiler
>manuals were edited. All their new-college-grad progrmmers used
>the section showing how to do it, and never looked at the appendix
>explaining buffer overrun safeguards and pointer preservation. An
>apparent dearth of meaningful code review would appear to have
>neatly finished the job. Now there are likely thousands and thousands
>of vulnerable buffers ripe for the discovery by the next slime-ball
>virus "author".
No, not at all. The buffer overrun issues are only a tiny fraction of
a more fundamental problem of just plain not designing with security in
mind.
The buffer overrun problems are only the most visible ones because they
are the ones that are being fixed.
But remember, Microsoft didn't implement real memory protection until Windows
95... and this was, what, almost thirty years after the industry had embraced
the concept?
The i386 architecture has all kinds of nifty security features built into it,
including real rings. Seen anybody use the ring stuff? Didn't think so.
It is very clear that whoever designed the "convenient" way that Outlook
handles attachments never even thought about the ways it could be abused.
THAT is the real problem. People who do systems design, and then write
actual code, without any clue as to how it can be misused and what could
go wrong with it. It doesn't take much, it just takes the right attitude.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
area242
08-16-2003, 04:52 PM
I have it and it keeps shutting down my computer before I can f
"David Morgan (MAMS)" <mams@NOSPAm-a-m-s.com> wrote in message
news:3xu%a.3140$_P1.3086@nwrddc01.gnilink.net...
> I suppose not. But you still become a statistic if your computer can be
seen.
> And if a port is open, you can be hacked. I suppose it's just a personal
> preference to run my surfing toy in total 'stealth' mode.
>
> If you want to analyze your vulnerability to attack, do a free scan found
> at the Symantec site... You may want to close the doors anyway.
>
> http://security1.norton.com/us/intro.asp?venid=sym&langid=us
>
> --
> David Morgan (MAMS)
> http://www.m-a-m-s.com
> http://www.artisan-recordingstudio.com
>
>
> "Rob Adelman" <radelman@mn.rr.com> wrote in message
news:IOh%a.93470$o27.2119557@twister.rdc-kc.rr.com...
> > I took Luke's advise and went into administration tools and shut off a
> > few things including alert. Pop ups are gone, free zone alarm,
> > uninstalled, everything back to normal. I suppose there are hundreds of
> > attempts going into my computer right now. Does it really matter?
> >
> > > Rob,
> > >
> > > I can get 40 blocked attempts per hour!! The guy that developed
ZoneAlarm
> > > is pretty reknowned for his work in identifying 'spyware' software,
including
> > > actions against Real Networks (Real player, Real jukebox, Real
download,
> > > etc.), PKZip and more - - I doubt he writes virii as a passtime. We
could
> > > share in the great cynic, conspiracist approach, however.
>
>
Chris Smalt
08-16-2003, 09:11 PM
Hank wrote:
> At least MS has proven that square wheels can roll if you push 'em hard
> enough.
Yes, and that 90 % of computer users don't mind doing the pushing.
Chris
Luke Kaven
08-16-2003, 10:51 PM
"David Morgan \(MAMS\)" <mams@NOSPAm-a-m-s.com> wrote:
[...]
>Did you figure out how you got this thing Luke? (I'd really like to hear
>how the USPS stumbled onto it).
I don't exactly know, but I have been seeing some of these behaviors
for a few weeks. Last Monday, though, the system would become
unstable immediately after booting up, and that was a first. I have
the feeling that prototypes of this "malware" have been out there for
some time before Microsoft acknowledged the problem. I experienced a
few of the symptoms infrequently before. There are a few reports in
the Microsoft public newsgroups of some of the symptoms I experienced
dating back a year or more, in various combinations. The remedy
recommended at the time was either to repair the registry, or to do an
"upgrade" install, to ensure the system files and registry were all
clean. As of Monday, though, these remedies did not work, and in
retrospect, I realized that this was due to the fact that I was
getting continually re-infected. [I did four re-installs of Win2000
on Monday, but none fixed the problem for very long.]
>I like AdAware, but Spybot probably runs much the same way. Probably
>both are harmless, non-invasive pieces of software... I know AAW is.
I seemed to get better results with Spybot, and they keep up with new
developments pretty well.
>By practicing simple safe (albeit sometimes time consuming) surfing
>and mail-reading practices, using a firewall and judiciously setting a few
>preferences, I've never had a virus, and I have never used on-board
>anti-virus software. The protection has almost always been there, you
>just have to employ it. I think the careless, haphazard users get the
>worms in most cases. (I can't put you in that category). I'm surprised
>how many people are glued to the internet without a firewall and with no
>knowledge of their on-board protection options. Keeping updated is such
>a minor thing... some would make it sound like big trouble, but it's a no
>brainer to do this. (...And *without* downloading the automatic update
>notifier.. another POS to run in the background).
I've picked up things from some funny places, especially things like
Xupiter and Gator. One place I picked up Xupiter was from a
repository of song lyrics. Another way that I seem to pick up a lot
of things is by visiting unregistered domains that are reserved for
some reason (possibly because they are similar enough to commonly used
domains, and so they are used for no other reason than to catch a lot
of traffic, at least for the time being.)
Luke
Mike Rivers
08-18-2003, 06:31 PM
In article <KnS_a.10970$v9.3476@nwrddc01.gnilink.net> mams@NOSPAm-a-m-s.com writes:
> Zone Alarm is a pretty cool tool to be so innocuous to load. The Pro
> version does allow highly tailored functions on a site by site basis if
> needed. I think it's quite sufficient enough in its 'free' state though.
A friend of mine who studies all of the virus and spam newsgroups just
told me that the blaster worm goes right through Zone Alarm. Maybe
this is true in the free version where you can't configure which ports
are blocked and which ones are not (I have the "what it's doing"
display turned off and just look at the log now and then out of
curiosity) but I would think that if you close Port 135, which is
apparently where it comes in, that would do it.
--
I'm really Mike Rivers - (mrivers@d-and-d.com)
Pat Sproule
08-18-2003, 09:21 PM
The free version of Zone Alarm stopped me getting the virus. Indeed it has
blocked over 50 scans of port 135 on this machine this morning. This is with
the standard, as-installed configuration.
Pat.
"Mike Rivers" <mrivers@d-and-d.com> wrote in message
news:znr1061244780k@trad...
>
> In article <KnS_a.10970$v9.3476@nwrddc01.gnilink.net> mams@NOSPAm-a-m-s.com writes:
>
> > Zone Alarm is a pretty cool tool to be so innocuous to load. The Pro
> > version does allow highly tailored functions on a site by site basis if
> > needed. I think it's quite sufficient enough in its 'free' state though.
>
> A friend of mine who studies all of the virus and spam newsgroups just
> told me that the blaster worm goes right through Zone Alarm. Maybe
> this is true in the free version where you can't configure which ports
> are blocked and which ones are not (I have the "what it's doing"
> display turned off and just look at the log now and then out of
> curiosity) but I would think that if you close Port 135, which is
> apparently where it comes in, that would do it.
>
>
>
> --
> I'm really Mike Rivers - (mrivers@d-and-d.com)
Pat Sproule wrote:
> The free version of Zone Alarm stopped me getting the virus. Indeed it has
> blocked over 50 scans of port 135 on this machine this morning. This is with
> the standard, as-installed configuration.
>
> Pat.
>
What is your operating system?
Mike Rivers
08-19-2003, 01:46 PM
In article <lIg0b.60$mk2.2015@nnrp1.ozemail.com.au> patsproule@ozemail.com.au writes:
> The free version of Zone Alarm stopped me getting the virus. Indeed it has
> blocked over 50 scans of port 135 on this machine this morning. This is with
> the standard, as-installed configuration.
Is there a straightforward way to tell what port was blocked? Maybe
I'm just not looking at the right screen. When I highlight an event
and click on "More Info" it sends me to the Zone Alarm web site, and
that shows the port number where the inquiry came in. Most of the time
it's Port 80. I've never seen a Port 135 (but then I don't check every
incursion).
Maybe they can tell by probing on another port that I'm dialed up on
AOL and that it's not worth sending me the worm. The purpose of
MSBlaster isn't just to disable an individual machine, it's to spread
itself and disrupt service all around. The purpose of the various
worms that install a back door is to allow a spammer to relay mail
through your system. Not much point in doing that on a system that has
a slow Internet connection.
--
I'm really Mike Rivers - (mrivers@d-and-d.com)
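One way to answer the question above about which ports the blocked attempts are aimed at, as an added example that is not part of the original thread and not ZoneAlarm's code: a small Python parser over constructed firewall log lines (a simplified, assumed log format, not ZoneAlarm's real one) that counts blocked inbound attempts per destination port and lists the sources hitting TCP 135, the port the thread identifies as Blaster's entry point.

```python
"""Count blocked inbound attempts per destination port in a firewall log
and list which sources are repeatedly hitting TCP/135 (RPC).

Added example for this thread; not ZoneAlarm's code or its log format.
The format assumed here is constructed:
  <date> <time> <ALLOW|BLOCK> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not a real capture). Addresses are from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2003-08-18 09:01:12 BLOCK TCP 192.0.2.17:3321 -> 198.51.100.5:135
2003-08-18 09:01:13 BLOCK TCP 192.0.2.17:3322 -> 198.51.100.5:135
2003-08-18 09:02:40 BLOCK TCP 203.0.113.9:1044 -> 198.51.100.5:80
2003-08-18 09:03:05 BLOCK TCP 192.0.2.88:2001 -> 198.51.100.5:135
2003-08-18 09:03:06 ALLOW TCP 198.51.100.5:1080 -> 203.0.113.200:80
2003-08-18 09:04:19 BLOCK UDP 192.0.2.30:137 -> 198.51.100.5:137
2003-08-18 09:05:00 BLOCK TCP 192.0.2.17:3340 -> 198.51.100.5:135
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate junk rather than abort the whole run
        event = m.groupdict()
        event["sport"] = int(event["sport"])
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def blocked_by_port(events):
    """Counter of BLOCKed attempts keyed by (protocol, destination port)."""
    return Counter(
        (e["proto"], e["dport"]) for e in events if e["action"] == "BLOCK"
    )


def rpc_scan_sources(events, port=135):
    """Map each source IP to the number of blocked TCP hits on `port`.

    Repeated hits on 135 from one source are the scanning pattern the
    thread describes (worm hosts probing for the RPC service).
    """
    hits = defaultdict(int)
    for e in events:
        if e["action"] == "BLOCK" and e["proto"] == "TCP" and e["dport"] == port:
            hits[e["src"]] += 1
    return dict(hits)


def summarize(text):
    """Run both reports over a log and return them together."""
    events = parse_log(text)
    return {
        "by_port": blocked_by_port(events),
        "rpc_sources": rpc_scan_sources(events),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for (proto, dport), n in report["by_port"].most_common():
        print(f"{proto}/{dport}: {n} blocked")
    for src, n in report["rpc_sources"].items():
        print(f"{src} probed TCP/135 {n} time(s)")
```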
ryanm
08-19-2003, 05:36 PM
"Vladan" <luxey1@eunet.yu> wrote in message
news:1jmljvsflcu4ga89injdi2tvtps4cq4bld@4ax.com...
> Is it really that dangerous? I have just XP bundled firewall service,
> and got nothing. I have all remote and sharing services disabled (not
> installed/ allowed). What's the deal?
>
Nothing, you'll be fine. It's really not that serious a virus, it's just
very persistent. A *real* virus is one that you never know you have. These
annoyances are just kids playing around, thinking they're cool. The fact is
I could write this worm in about 20 minutes if I wanted to, but it serves no
purpose but to annoy, so what's the point?
My wife got this worm yesterday, and it took about an hour to fix, and
it only took that long because I had to install SP1 first (which is a 125
meg download) before I could install the patch. The catch is, if you have
it, you need to keep your process list open and kill the thing every time it
pops up, because it only takes about 20 seconds to crash your RPC service,
which will shut down your system.
The real fix is to either keep wupdate.exe running in your system tray,
or go to http://windowsupdate.microsoft.com on a regular basis and let it
install the patches as they come out.
ryanm
ryanm
08-19-2003, 05:40 PM
"William Sommerwerck" <williams@nwlink.com> wrote in message
news:vjkgvd61dorj96@corp.supernews.com...
> I believe it is. Or a related one.
>
> Log off. Check the Task Manager Processes window for msblast and kill the
> process. Then find msblast.exe on your hard drive and delete it.
>
> Then log on and install the Microsoft update. I did these things yesterday, and
> that was the end of that.
>
There is a second strain going around that is called cmd.exe (the same
name as your command line parser) that will restart itself after being
killed. Once you install the MS patch the RPC vulnerability is gone, though,
and it can no longer cause any problems.
ryanm
Chris Smalt
08-19-2003, 06:15 PM
area242 wrote:
> I have it and it keeps shutting down my computer before I can f
Man, ain't that a
<g>
Mike Rivers
08-19-2003, 06:41 PM
In article <vk59dn50imdc2a@corp.supernews.com> ryanm@fatchicksinpartyhats.com writes:
> The real fix is to either keep wupdate.exe running in your system tray,
> or go to http://windowsupdate.microsoft.com on a regular basis and let it
> install the patches as they come out.
There's an article in the Washington Post today (probably in all the
newspapers eventually) about Microsoft wanting to make the automatic
update run by default. They feel that things are getting bad enough
that users who don't know any better really should get all the patches
automatically.
It has its pluses and minuses of course. I have one computer that's
connected to the Internet essentially all the time and two others that
are only connected occasionally. Perhaps you don't need the security
patches if the computer isn't on the net, but they might occasionally
fix other things that are worthwhile. And I'd hate to have the
computer realize that it's on line for the first time in three months
and then gobble up hundreds of megabytes of updates, keeping it from
doing what I want to do (and then get off the net).
--
I'm really Mike Rivers - (mrivers@d-and-d.com)
Rob Adelman
08-19-2003, 09:04 PM
Mike Rivers wrote:
> There's an article in the Washington Post today (probably in all the
> newspapers eventually) about Microsoft wanting to make the automatic
> update run by default.
Until the hackers figure out how to use it and start giving you their
automatic updates.
ryanm
08-19-2003, 10:58 PM
"Mike Rivers" <mrivers@d-and-d.com> wrote in message
news:znr1061339611k@trad...
>
> There's an article in the Washington Post today (probably in all the
> newspapers eventually) about Microsoft wanting to make the automatic
> update run by default. They feel that things are getting bad enough
> that users who don't know any better really should get all the patches
> automatically.
>
I'm sure Sun or Apple or Netscape or the Federal Government or *someone*
will sue them if they do.
> It has its pluses and minuses of course. I have one computer that's
> connected to the Internet essentially all the time and two others that
> are only connected occasionally. Perhaps you don't need the security
> patches if the computer isn't on the net, but they might occasionally
> fix other things that are worthwhile. And I'd hate to have the
> computer realize that it's on line for the first time in three months
> and then gobble up hundreds of megabytes of updates, keeping it from
> doing what I want to do (and then get off the net).
>
Are the computers networked? If so, your best bet is just a simple
firewall. If not, then I don't know what to tell you except that keeping
windows updated is equally as important as keeping your virus definitions
updated.
ryanm
Mike Rivers
08-20-2003, 06:26 AM
In article <zwB0b.22$Hp.5036@twister.rdc-kc.rr.com> radelman@mn.rr.com writes:
> Until the hackers figure out how to use it and start giving you their
> automatic updates.
They already have, almost. I get two or three "Dear Microsoft
Customer" e-mails every week with what I assume is NOT a Microsoft
update.
What's curious is that in this newspaper article about automatic
updates, Microsoft said that they e-mailed registered Windows users
pointing them to a link to the security patch that would have blocked
the MSBlaster worm. This is a bit like "The Boy Who Cried 'Wolf'"
story though. If I indeed received one of those (and maybe I did), I
wouldn't have opened it anyway.
--
I'm really Mike Rivers - (mrivers@d-and-d.com)
David Morgan \(MAMS\)
08-20-2003, 09:33 AM
"ryanm" <ryanm@fatchicksinpartyhats.com> wrote in message news:vk59dn50imdc2a@corp.supernews.com...
> The real fix is to either keep wupdate.exe running in your system tray,
> or go to http://windowsupdate.microsoft.com on a regular basis and let it
> install the patches as they come out.
I think this is dangerous and can become an unwelcome event. I like to
think I am smart enough to decide for myself what is 'critical' and what is
not. There are a few things that I simply don't need in my configuration,
and one of them is another background task that initiates its own ping.
I take it out of every PC that I run across when asked for help. I simply
advise the owner to take the time to click on the MSUpdate icon about
twice a week before closing down... we're talking about a minute or two
of lost time.
--
David Morgan (MAMS)
http://www.m-a-m-s.com
http://www.artisan-recordingstudio.com
ryanm
08-20-2003, 12:22 PM
"David Morgan (MAMS)" <mams@NOSPAm-a-m-s.com> wrote in message
news:zxM0b.15173$_P1.1476@nwrddc01.gnilink.net...
>
> I think this is dangerous and can become an unwelcome event. I like to
> think I am smart enough to decide for myself what is 'critical' and what is
> not. There are a few things that I simply don't need in my configuration,
> and one of them is another background task that initiates its own ping.
> I take it out of every PC that I run across when asked for help. I simply
> advise the owner to take the time to click on the MSUpdate icon about
> twice a week before closing down... we're talking about a minute or two
> of lost time.
>
Well, that's what I said. *Either* use the auto update or go to the
update site on a regular basis and install the stuff. When you go to
windowsupdate it actually separates the security patches ("Critical
Updates") from the program/driver updates and new feature updates
("Recommended Updates"). The problem is that most people forget to do it, so
for most people the convenience of an automatic, scheduled download that
prompts you to install is more useful. Also, while *you* may be smart enough
to differentiate between necessary updates and unnecessary ones, I'm not
generally impressed by the average person's ability to make such
determinations, especially after having spent several years on a help desk.
The truth is, MS doesn't just come up with this stuff to irritate the people
who know what's going on, they've been monitoring support desks for decades
and come up with this stuff because the average user can't manage to stay up
to date on their own.
ryanm
Mike Rivers
08-20-2003, 04:04 PM
In article <1fzyz42.5cqnrg19bzia4N%neillmassello@earthlink.net> neillmassello@earthlink.net writes:
> But hasn't part of the problem been all those automatic "features" that
> Microsoft enables by default in its OS and application software?
I think that the only real offender is the Outlook Express (?) mail
program which automatically opens attachments as the default. Seems
like I read that they had changed that default.
--
I'm really Mike Rivers - (mrivers@d-and-d.com)
Mike Rivers
08-20-2003, 04:04 PM
In article <vk7bek370ic77@corp.supernews.com> ryanm@fatchicksinpartyhats.com writes:
> "David Morgan (MAMS)" <mams@NOSPAm-a-m-s.com> wrote in message
> news:zxM0b.15173$_P1.1476@nwrddc01.gnilink.net...
> > I simply
> > advise the owner to take the time to click on the MSUpdate icon about
> > twice a week before closing down... we're talking about a minute or two
> > of lost time.
Not for us dial-up users. Well, it might take only a minute to click,
but some of those patches and service packs take an hour and a half to
download. It's OK if you can actually download the program or patch
and install it the next morning, but I've run across some where I can
only find the "live install" version, and some of those require that
you install something else first.
> Well, that's what I said. *Either* use the auto update or go to the
> update site on a regular basis and install the stuff. When you go to
> windowsupdate it actually separates the security patches ("Critical
> Updates") from the program/driver updates and new feature updates
> ("Recommended Updates").
I still look through the critical updates and only take the ones that
apply. Many of them are to programs that I don't use, so I don't want
to take the time to download them.
I've asked this before and never had a useful answer, so I'll ask
again. When you install a service pack, it backs up and saves the old
stuff that it's replacing. After a couple of weeks, I'm sure I can get
rid of that garbage, but I don't know what it's called or where to
find it. Every time I update, my drive gets fuller and fuller.
And what's with the Sobig virus today, and the idiots that are sending
it (probably unintentionally). I must have received 20 messages
containing it this morning, and this afternoon, received about half a
dozen which I think were supposed to contain it, but had no file
attached. Some people can't even spread viruses right. Sheesh!
--
I'm really Mike Rivers - (mrivers@d-and-d.com)
Mike Turk
08-20-2003, 04:39 PM
"Mike Rivers" <mrivers@d-and-d.com> wrote in message
news:znr1061410224k@trad...
>
>
> I've asked this before and never had a useful answer, so I'll ask
> again. When you install a service pack, it backs up and saves the old
> stuff that it's replacing. After a couple of weeks, I'm sure I can get
> rid of that garbage, but I don't know what it's called or where to
> find it. Every time I update, my drive gets fuller and fuller.
>
After installing a service pack you could probably figure it out by using
"Search" and then clicking under "Search Options": check the "Date" box, then
under the drop-down menu highlight "created on" and specify "in the last 1 day".
-mke
Ron Capik
08-20-2003, 06:48 PM
Mike Rivers wrote:
> I've asked this before and never had a useful answer, so I'll ask
> again. When you install a service pack, it backs up and saves the old
> stuff that it's replacing. After a couple of weeks, I'm sure I can get
> rid of that garbage, but I don't know what it's called or where to
> find it. Every time I update, my drive gets fuller and fuller.
< ...snip.. >
And thus(last verse): [to the tune of 16 Tons... ]
--
I've got Power Point, Word, and even Excel
In the office suite package from Microsoft hell.
It's worse than a tape-worm as I shell out the clams
coz each up-grade needs more disk space and RAM
[chorus]
Re-boot 16 times, what do you get
Another error message or the blue screen of death
My registry's corrupted and the re-boot's slow
I got my bugs from the Microsoft store
--------------------------------------------------------------------------
Ron Capik [aka: the NJ Editorial Minstrel ]
ryanm
08-20-2003, 07:19 PM
"Mike Rivers" <mrivers@d-and-d.com> wrote in message
news:znr1061409847k@trad...
>
> I think that the only real offender is the Outlook Express (?) mail
> program which automatically opens attachments as the default. Seems
> like I read that they had changed that default.
>
Not Express, the full version of Outlook. When you select a message, the
"preview" window (which is where most people read their email) would execute
JavaScript or VBScript that was embedded in the message. The preview window
is essentially a web browser and does all the stuff that web browsers do,
only because it's reading local content (the contents of the message) there
are no security restrictions against executing files, so a script could be
embedded in a message that copies an attached file to a specific location on
the computer and then executes it. Allowing scripts to be executed from
emails isn't inherently a bad thing, but it is easily abused and MS
should've taken into consideration that it would be abused. Outlook no
longer does that, and even old versions should've been patched by now.
ryanm
ryanm
08-20-2003, 07:40 PM
"Mike Rivers" <mrivers@d-and-d.com> wrote in message
news:znr1061410224k@trad...
>
> Not for us dial-up users. Well, it might take only a minute to click,
> but some of those patches and service packs take an hour and a half to
> download. It's OK if you can actually download the program or patch
> and install it the next morning, but I've run across some where I can
> only find the "live install" version, and some of those require that
> you install something else first.
>
You can usually find the downloadable installs if you do a little
digging, at least for the service packs and larger updates. They are
generally intended for network administrators who need to install on a lot
of machines, but I often download them even though I only have 3 or 4
machines to update.
I just went to microsoft.com/downloads, scrolled down to the downloads
search at the bottom, selected XP as the product, typed "SP1" as the search
term, and the very first item to come up was the download page for the "IT
Professionals" service pack install. It's 125 megs because you have to
download *all* the components rather than just the ones that apply to you.
The thing about the live install is that it checks to see what you have and
then only installs the stuff you need, often resulting in a faster download
time. On the other hand, I use GetRight. It's a download manager that allows
you to resume downloads, so you can download a file a little bit at a time
and stop and start whenever you need to. I also have DSL, so 125 megs
doesn't take all that long for me, but for modem users it's an eternity, so
a download manager is helpful.
> I've asked this before and never had a useful answer, so I'll ask
> again. When you install a service pack, it backs up and saves the old
> stuff that it's replacing. After a couple of weeks, I'm sure I can get
> rid of that garbage, but I don't know what it's called or where to
> find it. Every time I update, my drive gets fuller and fuller.
>
First let me say that it's really not a good idea to delete them. Your
system will automatically rollback on certain kinds of errors or crashes,
and if you've deleted the files then there's nothing to roll back to. You
can really cause yourself a lot of headaches by deleting the files, and
generally the only fix is a complete reinstall of windows, but I'll tell you
where they are anyway since it's your headache. ; )
In Windows Explorer, go to C:\Windows. Click on Tools->Folder Options in
the menu at the top. In the General tab, select "Use Windows Classic
Folders", and on the View tab, select (or put a check in the box next to)
"Display the contents of system folders" and "Show hidden files and
folders", and unselect (or remove the check next to) "Hide extensions for
known file types" and "Hide protected operating system files". I keep these
options set this way all the time, but if you're used to the hidden
extensions and stuff it can be confusing. At any rate, with these options
you should be able to see a series of folders within the C:\Windows folder
called things like this:
$NtServicePackUninstall$
$NtUninstallKB821557$
$NtUninstallKB823559$
$NtUninstallKB823980$
$NtUninstallQ307869$
...etc. The folder names should be blue, which means they are compressed
(assuming you're using NTFS), and the folder icon should be slightly
transparent, which means they are system folders. On my system, the
$NtServicePackUninstall$ folder contains 198 megs of files. You can delete
these folders, but honestly, I would recommend you don't.
ryanm
William Sommerwerck
08-20-2003, 08:12 PM
> I've asked this before and never had a useful answer, so I'll ask
> again. When you install a service pack, it backs up and saves
> the old stuff that it's replacing. After a couple of weeks, I'm sure
> I can get rid of that garbage, but I don't know what it's called or
> where to find it. Every time I update, my drive gets fuller and fuller.
You need to thoroughly search the hard drive, directory by directory. I'm almost
100% certain that Microsoft clearly labels the directory where it's stored.
I believe you can also choose not to back it up. This was an option when I
installed the 2000 Pro Service Pack 4 the other day.
Mike Rivers
08-21-2003, 04:39 AM
In article <vk8535l5m7m76@corp.supernews.com> ryanm@fatchicksinpartyhats.com writes:
> You can usually find the downloadable installs if you do a little
> digging, at least for the service packs and larger updates.
> I just went to microsoft.com/downloads, scrolled down to the downloads
> search at the bottom, selected XP as the product, typed "SP1" as the search
> term, and the very first item to come up was the download page for the "IT
> Professionals" service pack install. It's 125 megs because you have to
> download *all* the components rather than just the ones that apply to you.
Yup, I found that too, but when I saw the size, I took the other
route. Network administrators don't usually use dialup connections.
> At any rate, with these options
> you should be able to see a series of folders within the C:\Windows folder
> called things like this:
>
> $NtServicePackUninstall$
> $NtUninstallKB821557$
> $NtUninstallKB823559$
> $NtUninstallKB823980$
> $NtUninstallQ307869$
>
> ...etc. The folder names should be blue, which means they are compressed
> (assuming you're using NTFS)
Oh, so THAT'S what the blue folder names mean. I was wondering if I
could delete those.
> On my system, the
> $NtServicePackUninstall$ folder contains 198 megs of files. You can delete
> these folders, but honestly, I would recommend you don't.
OK, so why the recommendation that they not be deleted? Lyle Caldwell
gave me the same advice (also without a reason). Maybe they shouldn't
be deleted immediately after installing a service pack, but it seems
like after a couple of weeks on the new service pack, there wouldn't
be a good reason to uninstall it and go back to the previous version.
Besides, if something went wrong a while after installing a service
pack, it would never occur to me that the service pack could be the
problem.
What about the folder ....\service pack files ? It seems like
everything in there is also in the \i386 folder. Is it safe to delete
the service pack files folder?
I've tried a few different programs that find duplicate files, and
have turned up multiple copies in seemingly unrelated folders (demo
songs in mp3 format, things I've never consciously downloaded, in the
i386 and \owner\documents\music [approximately] folders for instance).
But they also have showed files as duplicates which are close, like
two different versions of the same Word document, but not exactly the
same, and don't even have the same file name. I thought it might be
looking at checksums as well as file names, but if it does, it's being
lied to. I just don't trust anything automatic, and I don't have the
patience to look through 26,000 files.
I guess I'll do what everyone else does, buy a new computer in a year
or so and start all over again.
--
I'm really Mike Rivers - (mrivers@d-and-d.com)
ryanm
08-21-2003, 07:54 PM
"Mike Rivers" <mrivers@d-and-d.com> wrote in message
news:znr1061427682k@trad...
>
> Yup, I found that too, but when I saw the size, I took the other
> route. Network administrators don't usually use dialup connections.
>
You should look at getting a download manager. I like this one:
http://www.getright.com/
> Oh, so THAT'S what the blue folder names mean. I was wondering if I
> could delete those.
>
Blue folders and files are simply compressed. By the way, you can
compress any folder or file on an NTFS formatted drive simply by right
clicking on it, selecting properties, clicking on Advanced, and checking
"Compress contents to save space". I have an entire drive that I use for
storage that is compressed, and right now I have about 180 gigs on a 120 gig
drive with almost 20 gigs to spare. Granted, when you open the files or copy
them to an uncompressed drive it's a bit slower than when dealing with
uncompressed files, but for the extra storage space it's worth it. All of
this assumes that you checked the "allow compression" feature when you
formatted the drive (or you bought a preformatted NTFS drive with the
compression turned on).
A caveat I should mention, wav files do not compress very much, and even
if they did the potential for data loss is probably enough reason *not* to
use NTFS compression on your audio tracks. The accuracy of the error
correction and the lossiness of NTFS compression is debatable, so while it
works great for data, I probably wouldn't want to compress the drive I mix
from.
> OK, so why the recommendation that they not be deleted?
>
Because Windows rolls back updates without telling you sometimes. If it
rolls back and there's no file to roll back to, windows dies a quick and
painful death. However, the service packs all ask if you want to back up the
files first, if you simply tell it no then it will remember that it has
nothing to roll back to, and just give you a "You should reinstall windows"
error message. The individual patch folders could probably be deleted safely
after a couple weeks, although there is always the possibility that MS sent
out a patch that is worse than the original bug they sought to fix.
> Maybe they shouldn't
> be deleted immediately after installing a service pack, but it seems
> like after a couple of weeks on the new service pack, there wouldn't
> be a good reason to uninstall it and go back to the previous version.
> Besides, if something went wrong a while after installing a service
> pack, it would never occur to me that the service pack could be the
> problem.
>
The problem is usually when you install something else, seemingly
unrelated, at a much later date. You install something that has an older
version of DirectX that replaces one of your audio driver files and Windows
tries to automatically roll back to the version it had before the service
pack because, even though it's old, it's newer than the one that the app you
just installed overwrote your current driver with. Oops, you deleted the
older driver, so now you have no EAX driver to power your surround speakers
(just an example), or whatever. Your best bet is to never back up the files
at all, so that Windows doesn't expect to be able to roll back. However, the
danger there is that if your machine reboots or something terrible happens
in the middle of the service pack install, you suddenly have half an
operating system, and you have to reinstall both Windows *and* the service
pack, along with all your 3rd party software and stuff. Better to just let
Windows eat up the drive space with backups, in my opinion. Of course I keep
windows segregated on a 20 gig system drive all by itself, I install all my
apps on an 80 gig secondary drive, and use a 120 gig drive for storage. That
way if Windows dies I can simply format the 20 gig drive and reinstall, and
all my data and app config files are neatly saved on my secondary drive.
It's also much faster booting and cleaning up, because the system drive is
so (comparatively) small, and I never have to worry about using up the space
on my c drive and then getting paging errors in Windows.
> What about the folder ....\service pack files ? It seems like
> everything in there is also in the \i386 folder. Is it safe to delete
> the service pack files folder?
>
I want to say the service pack files folder is simply a place where the
install files were saved during the download and then run from by the
installer, but I may be wrong about that, so don't take my word for it.
Delete them at your own risk.
> I guess I'll do what everyone else does, buy a new computer in a year
> or so and start all over again.
>
I just keep upgrading hard discs with larger sizes. But then I'm a
packrat and I keep every file that ever crossed my desktop. I have emails
from 1996 that I haven't looked at since then, but I won't throw them away
because "you never know"... : )
ryanm
Mike Rivers
08-22-2003, 04:22 AM
In article <vkaq92iub95j1f@corp.supernews.com> ryanm@fatchicksinpartyhats.com writes:
> You should look at getting a download manager. I like this one:
> http://www.getright.com/
Before I go looking, what does it do? Why does anyone need a download
manager? I've never heard of one.
> > OK, so why the recommendation that they not be deleted?
> Because Windows rolls back updates without telling you sometimes. If it
> rolls back and there's no file to roll back to, windows dies a quick and
> painful death.
WHAAAAAAATTTTTT? Why would it do that? Oh, geez, I don't think I want
to know.
> However, the service packs all ask if you want to back up the
> files first, if you simply tell it no then it will remember that it has
> nothing to roll back to, and just give you a "You should reinstall windows"
> error message.
I think it's reasonable to back up old files when installing new ones,
and I appreciate having the choice. I always say "yes." But like
everything else old on my computer, if I'm not using it or it's been
superseded by something else, when housecleaning time comes around, it
goes. It's kind of scary to think that at some point, Windows will, on
its own, decide that it wants to use some old file that it replaced
months ago.
> The problem is usually when you install something else, seemingly
> unrelated, at a much later date. You install something that has an older
> version of DirectX that replaces one of your audio driver files and Windows
> tries to automatically roll back to the version it had before the service
> pack because, even though it's old, it's newer than the one that the app you
> just installed overwrote your current driver with.
I hate when that happens. I remember installing old Windows programs
(shareware and freeware, mostly) that would just stomp over DLLs and
overwrite them with whatever happened to be current at the time the
program was written. Every once in a while I'd smile when I was
greeted with a message something like "There is a newer version of
wxyz.dll present. Do you want to overwrite it?" and think that someone
has finally got the right idea, but then the next program comes along,
replaces new with old, and I have to go hunting for the new version
again so that some other program will work. I used to set all the
files in the \windows\system folder to read-only but today it's so
hard to keep up.
> Better to just let
> Windows eat up the drive space with backups, in my opinion. Of course I keep
> windows segregated on a 20 gig system drive all by itself
This (XP) is on a laptop with a 20 GB drive, so either I do some
housekeeping now and then or eventually it becomes full. I'm at about
half full now and I don't do much audio work on this computer, so most
of the obesity comes from Windows itself and applications. Thing is
that when you dump an application, uninstalling usually doesn't take
away everything that it put there, because of the risk that something
else might be using a file that was installed in a common or shared
directory, and heck, I don't know if it does or doesn't, even if it's
polite enough to ask if I want to delete it or leave it, so I leave
it.
Speaking of seemingly unrelated things, we were talking about CD label
design programs, and Bob Smith said that his version of Easy CD
Creator let him install the jewel case designer separately. I had an
older version of the program (came with an iOmega USB CD-R drive) that
had the jewel case program, but the newer versions that I have on my
newer computers don't have it at all. I thought I'd try to install
just that part from my older version and it wouldn't let me run the
setup program that was in its folder, so I ran the main setup program,
hoping that it would either let me do a "custom" install (so I could
pick just the label design program) or at least back out, but no, it
went in and installed the whole works.
Apparently it made the computer think that the CD drives were USB,
which they weren't, so neither the new nor the original version of
Easy CD Creator recognized the drives. So I did what every red blooded
Windows user would do and un-install