
[Full-Disclosure] RE: [Full-Disclosure]Ooops-->was-->what to do



<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>

<META NAME="Generator" CONTENT="MS Exchange Server version 6.0.6249.1">
<TITLE>RE: [Full-Disclosure] what to do</TITLE>
</HEAD>
<BODY dir=ltr>
<DIV><FONT face=Arial size=2>Per below, you'll probably want to enable port 53 UDP or you won't be able to resolve windowsupdate.microsoft.com. You might have to enable BOOTP too, depending on what kind of network you are on...</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>If you have further issues, email me at my cc'd work address, and I'll answer as I can...</FONT></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
  <DIV><FONT size=2>-----Original Message----- <BR><B>From:</B> Arian J. Evans 
  [mailto:arian.evans@bigfoot.com] <BR><B>Sent:</B> Tue 8/12/2003 1:04 AM 
  <BR><B>To:</B> 'akbara'; 'Gabe Arnold' <BR><B>Cc:</B> 
  full-disclosure@lists.netsys.com; bugtraq@securityfocus.com; Evans, Arian 
  <BR><B>Subject:</B> RE: [Full-Disclosure] what to do<BR><BR></FONT></DIV>
  <P><FONT size=2>et al,<BR><BR># has she tried booting into safe mode?<BR># then removing the msblast or whatnot program?<BR><BR>If everyone hasn't seen it by now, the problem is endless rebooting; we've seen it with a number of clients...good luck updating before the system goes down again...<BR><BR>It's part of the offset the exploit uses and which OSes/events it overwrites the proper part of the stack to exploit, and which events it just crashes the OS...(the vast majority of crashes we are seeing are XP, though some 2k server...)<BR><BR>Bottom line: the endless shutdown cycle is part of the story of the worm, given the OS and how the worm hits it.<BR><BR>But there is a solution:<BR><BR># cannot use Windows Update because when the RPC is shut down,<BR># SYSTEM automatically initiates a shutdown of the computer as<BR># you are all aware of. What is the best solution to keep data files<BR># intact while removing this worm?<BR><BR>The endless shutdowns are a result of getting banged on repeatedly by this worm. Options:<BR><BR>NT 4.0: hmmm...probably disable the RPC service...<BR><BR>Windows 2000: Network | Local Area Connection (or whatever you have named this) | Properties | Advanced | Options | TCP/IP Filtering | Properties | [x] Enable TCP/IP filtering<BR><BR>&gt; Permit Only on UDP and ICMP. Do not define.<BR>&gt; Permit Only on TCP and define 80 and 443 (HTTP and HTTPS).<BR><BR>Continue on to windowsupdate.microsoft.com and update w/out further issue. Later, if you feel comfortable (or have the need), relax your filter settings.<BR><BR>Windows XP: turn on the included firewall, found under similar options to the above for 2k (sorry--I don't have an XP machine handy or I'd list the exact steps...)<BR><BR>Good luck, Cheers,<BR><BR>Arian J. Evans<BR><BR>ps// if the bugtraq cross-post is inappropriate, apologies to the admins for having to remove it. There's been a lack of OS-native controls mitigation discussed on this issue...<BR></FONT></P></BLOCKQUOTE>
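<P><FONT size=2>The same "drop what the worm needs, keep what Windows Update needs" posture on a current Windows host, as an added example that is not part of the original thread (Windows 2000 TCP/IP Filtering and the XP-era firewall dialog no longer exist in that form). It uses the built-in NetSecurity PowerShell cmdlets, assumes an elevated PowerShell session on Windows 10/11 or Server 2012 and later, and uses windowsupdate.microsoft.com from the thread as the connectivity check target; the rule display name is an arbitrary label chosen for this example.</FONT></P>

```powershell
# Added example (not from the original post): host-native containment while
# patching, using the Windows Defender Firewall cmdlets (NetSecurity module).
# Run from an elevated PowerShell session. The rule name is an arbitrary label.

# 1. Firewall on for every profile, unsolicited inbound dropped by default,
#    outbound left open so DNS and HTTP/HTTPS to Windows Update keep working.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Explicit inbound block for the RPC endpoint mapper (135/TCP), the service
#    the worm in the thread hammers. Block rules win over allow rules, so a
#    later software install that opens 135 cannot silently undo this.
New-NetFirewallRule -DisplayName "Containment - block inbound RPC 135" `
    -Direction Inbound -Protocol TCP -LocalPort 135 -Action Block `
    -Profile Any -Enabled True | Out-Null

# 3. Verify the posture before touching Windows Update.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Get-NetFirewallRule -DisplayName "Containment - block inbound RPC 135" |
    Get-NetFirewallPortFilter

# 4. Confirm name resolution and HTTPS still work, which is exactly what the
#    reply at the top of this message warns you not to lose.
Resolve-DnsName windowsupdate.microsoft.com -Type A -ErrorAction Stop | Out-Null
Test-NetConnection -ComputerName windowsupdate.microsoft.com -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 5. Whatever listens on 135 should now only show local peers; remote SYNs
#    are dropped before they reach the endpoint mapper.
Get-NetTCPConnection -LocalPort 135 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, RemoteAddress, State

# 6. After the patch is installed and the box rebooted, remove the temporary
#    block (the post's "later, relax your filter settings"):
# Remove-NetFirewallRule -DisplayName "Containment - block inbound RPC 135"
```

<P><FONT size=2>Windows Defender Firewall is stateful, so replies to outbound DNS and HTTPS requests are admitted without opening any inbound port; that is what makes the separate 53/UDP allowance the reply above describes unnecessary here. Leave the RPC block in place until the patch has actually been applied and the machine has come back up cleanly.</FONT></P>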

</BODY>
</HTML>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html