THE WELCH COMPANY
440 Davis Court #1602
San Francisco, CA 94111-2496
415 781 5700
rodwelch@pacbell.net


S U M M A R Y


DIARY: August 12, 2003 11:23 AM Tuesday; Rod Welch

Msblast virus under Windows 2000; Microsoft guidance on firewall helpful.

1...Summary/Objective
2...Virus Msblast.exe Reported in News
3...Detection of Msblast Virus
.....Denial of Service Attack Self-perpetuates Virus
.....Virus Blocks Use of Windows Update System to Correct Problem
.....Impact on Performance Caused by Virus
......We have a number of symptoms....
..........Windows Registry Corrupted by Virus
.....Recovery from Virus and Protection Against Future Problems
.....Install Corrective Software from Microsoft
.....Firewall Software Virus Protection Prevents Access
........HOW TO: Configure TCP/IP Filtering in Windows 2000.
........Microsoft Guidance on Filtering for TCP/IP Not Effective
........TCP/IP Filtering Prevents Operations of Internet and Email
.....Format and Install OS to Avoid Undiscovered Exploits by Virus
4...C13 McAfee Detected and Deleted Virus Software
5...McAfee Detected and Deleted Virus Software on C13
6...Microsoft Recommends Calling Microsoft for Support to Recover
7...Decided to transfer operations from c13 to c11.
8...C13 Downloaded and Installed Corrective Software from Microsoft
9...C11 Virus Msblast.exe Found
10...Virus Msblast.exe Found on C11 as Well as C13
11...C11 Update McAfee to Check for the Virus
.....Virus Program File Denies Access to Delete Within Windows
.....Safe Mode Permits Deleting Virus from the Disk
.....Virus File Deleted from C11 with Windows Safe Mode Op
12...C12 Appears to Not Have Virus Msblaster Installed
13...Work Plan to Recover from Virus and Prevent Future Problems
............McAfee Online Purchase Update Virus Definitions Failed C12

ACTION ITEMS

1...Security best practices suggest that previously compromised
2...Need to format the hard drive for partition I and install w2k again,

CONTACTS 

SUBJECTS
Virus Bssx.exe Reported by McAfee After Downloading Update for W2k fr
Virus Reported by McAfee on W2K Update Downloaded from Microsoft bssx
Time Out Internet Connection Failed on C11 in San Francisco NTS Enter
Blaster Virus Reported by Reuters Patch Available from Microsoft
Internet DSL Software NTS Enternet 300 Unreliable with Windows 2000 S
Domain Name Similar to Work Group - RW
Internet DSL Security Virus Protection Firewall Network TCP/IP Filter
C13 Virus Blaster Reported by Reuters Patch Available from Microsoft
Network Setup/Configuration
Blaster Virus Reported by Reuters Patch Available from Microsoft
Win32.poza.worm Reported by Reuters Patch Available from Microsoft
Virus Protection Requires Firewall in Addition to Virus Protection So

1815 -
1815 -    ..
1816 - Summary/Objective
1817 -
181701 - Follow up ref SDS 5 0000, ref SDS 4 0000.
181702 -
181703 - A news report disclosed a new virus problem.  Investigation showed two
181704 - computers have the virus. ref SDS 0 Q15H  We have a number of symptoms
181705 - that fit the virus profile. ref SDS 0 1T6I  Obtained guidance from
181706 - Microsoft on detection, recovery and prevention. ref SDS 0 VU4P
181707 - Developed work plan to solve the problem, requiring about 20 steps.
181708 - ref SDS 0 N96G   Encountered problems updating McAfee on c12; ran
181709 - McAfee on c12 across the network, which seemed to establish that c12
181710 - does not have the virus problem. ref SDS 0 FP6K  A few days later installed a
181711 - network router for additional virus protection. ref SDS 0 595N
181712 - Microsoft reports best practice for recovery from a virus problem is
181713 - to format the disk and install the software on a clean disk.
181714 - ref SDS 0 AT5M
181715 -
181716 -     [On 030813 someone requested assistance handling virus problem;
181717 -     submitted link to this record. ref SDS 8 0001
181719 -      ..
181720 -     [On 030814 installed network router for firewall to prevent virus
181721 -     problems. ref SDS 9 NG8J
181723 -      ..
181724 -     [Later Jerry Nord submitted additional input on recovering
181725 -     from virus problems. ref SDS 11 E27O
181726 -
181727 -
181728 -
181729 -
181731 -  ..
1818 -
1819 -
1820 - Progress
1821 -
182101 - Virus Msblast.exe Reported in News
182102 -
182103 - There is a report on the Internet today...
182104 -
182105 -        http://story.news.yahoo.com/news?tmpl=story&ncid=578&e=7&u=/nm/20030812/bs_nm/tech_windows_worm_dc
182106 -
182107 -
182108 - ....saying that a computer virus is spreading throughout the world.
182110 -  ..
182111 - The virus is not limited to email, and home computers are most at risk
182112 - -- the article says....
182113 -
182114 -         Blaster is unusual in that it does not spread specifically via
182115 -         e-mail as it can travel through a normal Internet connection
182116 -         making any computer running unsecured versions of Windows
182117 -         software vulnerable.
182119 -  ..
182120 - Millie called this morning and said that N&P computers have been
182121 - corrupted.
182123 -  ..
182124 - Background...
182125 -
182126 -         On 030618 a virus was reported from downloading files from
182127 -         Microsoft. ref SDS 4 M58P  McAfee disabled the virus.
182128 -         Microsoft was notified and on 030619 Microsoft reported they
182129 -         are unaware of a problem. ref SDS 5 HX7H
182130 -
182131 -
182132 -
182133 -
182134 -
1822 -

SUBJECTS
Procedures for Detecting Presence of Virus Software on Computers

190301 -  ..
190302 - Detection of Msblast Virus
190303 -
190304 - Logged onto Microsoft's website.
190305 -
190306 -        http://www.microsoft.com/security/
190307 -
190308 -    [On 030816 Microsoft has another website for guidance on detection,
190309 -    recovery and protection. ref SDS 11 WO69
190310 -
190312 -  ..
190313 - There is a report saying....
190315 -      ..
190316 -     Denial of Service Attack Self-perpetuates Virus
190317 -     Virus Blocks Use of Windows Update System to Correct Problem
190318 -
190319 -     A new worm known as W32.Blaster.Worm (also known as MBlaster,
190320 -     W32/Lovsan.worm, MSBlast, W32.blaster.worm, Win32.posa.worm,
190321 -     Win32.poza.worm) has been identified that is seeking to exploit
190322 -     the vulnerability patched with Microsoft Security Bulletin
190323 -     MS03-026. Blaster is designed to launch a denial of service attack
190324 -     against Microsoft's Windows Update Web site.
190326 -      ..
190327 -     Further research of Microsoft Internet resources shows technical
190328 -     analysis at....
190329 -
190330 -          http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/msblaster.asp
190331 -
190332 -     ...this location explains...
190334 -  ..
190335 - To detect this virus, search for msblast.exe in the WINDOWS
190336 - SYSTEM32 directory or download the latest anti-virus software
190337 - signature from your anti-virus vendor and scan your machine.
190339 -  ..
190340 - [...did this and found virus software on c13, ref SDS 0 UO5K,
190341 - and on c11. ref SDS 0 HN7L  Search on c12 did not show the
190342 - file msblast.exe. ref SDS 0 5M9O
190343 -
190345 -      ..
190346 -     Impact on Performance Caused by Virus
190347 -
190348 -     Spread through open RPC ports. Customer's machine gets re-booted
190349 -     or the file "msblast.exe" exists on customer's system.
190351 -           ..
190352 -          Note below, McAfee found msblast.exe on c13, ref SDS 0 Q15H,
190353 -          and later on c11.
190355 -      ..
190356 -     This worm scans a random IP range to look for vulnerable systems
190357 -     on TCP port 135. The worm attempts to exploit the DCOM RPC
190358 -     vulnerability patched by MS03-026.
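The scanning behaviour described above (one host probing TCP port 135 on many different addresses) is something a perimeter device or host firewall log can reveal. The following is an added example, not code from the original record or from Microsoft: it parses constructed firewall log lines in a simple made-up format and flags any source that reaches an unusually large number of distinct hosts on TCP/135 inside a short window. The log format, the addresses and the thresholds are all assumptions of this example.

```python
# Added example (not part of the original record): detect the scanning pattern
# described above, i.e. one source trying TCP port 135 on many different
# destinations within a short time window. The log lines and the log format
# are constructed for this example; adapt parse_line() to a real firewall log.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: 192.0.2.10 behaves like an infected host sweeping a range;
# 192.0.2.20 makes a couple of ordinary RPC connections to a single server.
SAMPLE_LOG = """\
2003-08-12 11:20:01 DROP TCP 192.0.2.10 -> 198.51.100.3:135
2003-08-12 11:20:01 DROP TCP 192.0.2.10 -> 198.51.100.4:135
2003-08-12 11:20:02 DROP TCP 192.0.2.10 -> 198.51.100.5:135
2003-08-12 11:20:02 ALLOW TCP 192.0.2.20 -> 198.51.100.9:135
2003-08-12 11:20:03 DROP TCP 192.0.2.10 -> 198.51.100.6:135
2003-08-12 11:20:05 ALLOW TCP 192.0.2.20 -> 198.51.100.9:135
2003-08-12 11:20:07 DROP TCP 192.0.2.10 -> 198.51.100.7:135
2003-08-12 11:20:09 DROP TCP 192.0.2.10 -> 198.51.100.8:135
2003-08-12 11:20:09 DROP TCP 192.0.2.10 -> 198.51.100.8:135
2003-08-12 11:20:10 ALLOW TCP 192.0.2.10 -> 203.0.113.1:80
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) (TCP|UDP) (\S+) -> (\S+):(\d+)$"
)

def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
        "action": m.group(2),
        "proto": m.group(3),
        "src": m.group(4),
        "dst": m.group(5),
        "port": int(m.group(6)),
    }

def find_port135_scanners(lines, window=timedelta(seconds=60), min_targets=5):
    """Return {source: max distinct TCP/135 targets seen inside any `window`} for
    sources that reached at least `min_targets` distinct hosts. Repeated attempts
    against the same host do not count twice, so a client that retries RPC to its
    own server is not flagged."""
    attempts = defaultdict(list)          # src -> [(timestamp, dst), ...]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "TCP" and ev["port"] == 135:
            attempts[ev["src"]].append((ev["ts"], ev["dst"]))
    flagged = {}
    for src, evs in attempts.items():
        evs.sort()
        best, lo = 0, 0
        for hi in range(len(evs)):               # sliding window over sorted events
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            best = max(best, len({dst for _, dst in evs[lo:hi + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    for src, count in find_port135_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {count} distinct hosts probed on TCP/135 within 60 s")
```

Counting distinct destinations rather than raw connection attempts is what separates a sweep from a legitimate RPC client that simply retries against one server; the threshold and window are starting points to tune against the normal traffic of the network being watched.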
190359 -
190360 -
190361 -
190362 -
1904 -

SUBJECTS
Symptoms Indicating Presence of Virus Software on Computers

200301 -       ..
200302 -      We have a number of symptoms....
200303 -
200304 -
200305 -          1.  System error message shown below. ref SDS 0 03BH
200307 -               ..
200308 -          2.  Reg clean operation reports persistent error, even after
200309 -              "fix" is called.
200311 -               ..
200312 -          3.  The Windows media player failed briefly earlier today.
200314 -               ..
200315 -          4.  Windows Update doesn't work.  When this is clicked,
200316 -              processing ends, which aligns with published guidance on
200317 -              virus symptom. ref SDS 0 LI8V
200319 -               ..
200320 -          5.  Windows Shutdown seems to run differently, the screen
200321 -              colors are different.
200323 -               ..
200324 -          6.  Windows file management features are failing, cannot
200325 -              copy or move files between directories using drag and
200326 -              drop.
200328 -               ..
200329 -          7.  We also had problems last night with a DOS command,
200330 -              ref SDS 6 DE9O  I would feel a lot better if the
200331 -              failure was due to a virus and not to a failure of
200332 -              Windows.
200333 -
200335 -           ..
200336 -          Windows Registry Corrupted by Virus
200337 -
200338 -          Once the Exploit code is sent to a system, it downloads and
200339 -          executes the file MSBLAST.EXE from a remote system via TFTP.
200340 -          Once run, the worm creates the registry key:
200341 -
200342 -               HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
200343 -               CurrentVersion\Run "windows auto update" = msblast.exe
200344 -               I just want to say LOVE YOU SAN!! bill
200345 -
200346 -                  [On 030816 Microsoft provides additional technical
200347 -                  details that align with the report today. ref SDS 11
200348 -                  WP73
200350 -           ..
200351 -          This report aligns with our experience the past week or so,
200352 -          per above. ref SDS 0 AL3F
200354 -           ..
200355 -          Symptoms of the virus:
200356 -
200357 -              Some customers may not notice any symptoms at all.  A
200358 -              typical symptom is the system is rebooting every few
200359 -              minutes without user input. Customers may also see:
200360 -
200361 -              •  Presence of unusual TFTP* files
200363 -                  ..
200364 -              •  Presence of the file msblast.exe in the WINDOWS
200365 -                 SYSTEM32 directory
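The indicators quoted above from Microsoft (msblast.exe in the system32 directory, the "windows auto update" Run value that launches it, and unusual TFTP* files) can be checked mechanically. The following is an added example, not code from the original record or from Microsoft: it takes a file list and the Run values of a host as plain Python data, both constructed here, and reports which indicators match. The system32 path, the sample file names and the sample Run values are assumptions of this example.

```python
# Added example (not part of the original record): check a host inventory for the
# Blaster indicators named in the Microsoft guidance quoted above: msblast.exe,
# the "windows auto update" Run value that launches it, and unexpected TFTP*
# files in system32. The file list and Run values are constructed here; on a
# real host they would come from a directory listing and a registry export.
import ntpath

# Windows 2000 default; the record's own install lives at I:\00\02\system32.
DEFAULT_SYSTEM32 = r"C:\WINNT\system32"
LEGIT_TFTP_FILES = {"tftp.exe"}   # the normal TFTP client that ships in system32

def check_blaster_indicators(files, run_values, system32=DEFAULT_SYSTEM32):
    r"""files: iterable of full paths; run_values: {value name: data} taken from
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
    Returns a list of (indicator, detail) tuples; an empty list means nothing matched."""
    findings = []
    s32 = system32.rstrip("\\").lower()
    for path in files:
        directory, name = ntpath.split(path)
        lname = name.lower()
        if lname == "msblast.exe":                      # flagged wherever it sits
            findings.append(("file", path))
        elif (directory.rstrip("\\").lower() == s32
              and lname.startswith("tftp") and lname not in LEGIT_TFTP_FILES):
            findings.append(("tftp_file", path))        # "unusual TFTP* files"
    for name, data in run_values.items():
        if (name.lower() == "windows auto update"
                or ntpath.basename(data).lower() == "msblast.exe"):
            findings.append(("run_value", f"{name} = {data}"))
    return findings

# Constructed inventory resembling the infected c13/c11 described in the record.
INFECTED_FILES = [
    r"C:\WINNT\system32\msblast.exe",
    r"C:\WINNT\system32\tftp.exe",
    r"C:\WINNT\system32\TFTP2012",
    r"C:\WINNT\system32\svchost.exe",
]
INFECTED_RUN = {"windows auto update": "msblast.exe",
                "ExampleAgent": r"C:\Program Files\Example\agent.exe"}  # placeholder entry

# Constructed inventory resembling c12, where the search found nothing.
CLEAN_FILES = [r"C:\WINNT\system32\tftp.exe", r"C:\WINNT\system32\svchost.exe"]
CLEAN_RUN = {"ExampleAgent": r"C:\Program Files\Example\agent.exe"}

if __name__ == "__main__":
    for label, files, run in (("infected", INFECTED_FILES, INFECTED_RUN),
                              ("clean", CLEAN_FILES, CLEAN_RUN)):
        print(label, check_blaster_indicators(files, run) or "no indicators")
```

The Run-value check matches on either the value name or the launched file name, so a renamed value that still points at msblast.exe is caught; a file search alone, as the record found on c11, can succeed while the file cannot be deleted from the running system.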
200366 -
200367 -
200368 -
200369 -
200370 -
2004 -

SUBJECTS
Filtering TCP/IP Network Connections Firewall Virus Protection Intern
Software Patch from Microsoft Download to Prevent Future Problems
TCP/IP Filtering Firewall Virus Protection Internet Security
Recovery C11 C12 C13
Microsoft Requirements and Guidance for Recovery
Virus Protection Software McAfee to Detect and Delete Virus Program
Article Provides Link to Microsoft Guidance on Detecting Recovery and

260901 -      ..
260902 -     Recovery from Virus and Protection Against Future Problems
260903 -
260904 -     The Microsoft website on the Internet that explains detection
260905 -     procedures, per above, ref SDS 0 VU4P, also explains procedures
260906 -     for recovery and protection.
260907 -
260908 -         [On 030816 supplemental guidance from Microsoft received.
260909 -         ref SDS 11 E27O
260911 -      ..
260912 -     Virus protection software - run to locate and remove the virus
260913 -     program causing the problems.
260915 -                ..
260916 -               [...below, ran McAfee, found and deleted virus
260917 -               msblast.exe on c13, ref SDS 0 Q15H, and on c11.
260918 -               ref SDS 0 AN6M
260920 -                ..
260921 -               [...below, McAfee virus definition update process failed
260922 -               on c12, unable to run McAfee, ref SDS 0 RN6K, however,
260923 -               could not find msblast.exe on c12. ref SDS 0 5M9O
260924 -
260925 -
260926 -
260927 -
2610 -

SUBJECTS
Patch Microsoft Software Download for Windows 2000 OS that Prevents t

270301 -      ..
270302 -     Install Corrective Software from Microsoft
270303 -
270304 -     The article on the Internet said that a patch is available from
270305 -     Microsoft at....
270306 -
270307 -        http://www.microsoft.com/security/
270308 -
270309 -           [...did this for
270310 -
270311 -                   c11.......... ref SDS 0 N49L
270312 -                   c12.......... ref SDS 0 E84F
270313 -                   c13.......... ref SDS 0 AN3F
270315 -            ..
270316 -           [On 030816 Microsoft reports that people who install this
270317 -           corrective software avoided this virus problem. ref SDS 11
270318 -           WP5Y
270319 -
270320 -
270321 -
270322 -
270323 -
270324 -
2704 -

SUBJECTS
Firewall Software and or Hardware Router System to Prevent Future Ac
Virus Protection Firewall Hardware Software
Firewall Virus Protection Internet Security Network TCP/IP Filtering
Software Firewall Recommended by Microsoft Listed on Microsoft Websit

290601 -      ..
290602 -     Firewall Software Virus Protection Prevents Access
290603 -
290604 -     Firewall system either using a router or software should be
290605 -     installed to prevent access of virus software through the
290606 -     Internet.
290608 -      ..
290609 -     Microsoft lists a number of locations where firewall software can
290610 -     be installed for free.
290611 -
290612 -            [On 030814 Morris recommended installing a hardware router
290613 -            system as a stronger solution than relying on a software
290614 -            firewall system. ref SDS 9 E14G
290616 -             ..
290617 -            [On 030814 installed hardware firewall system. ref SDS 9
290618 -            NG8J
290619 -
290620 -
290621 -
290622 -
290623 -
2907 -

SUBJECTS
TCP/IP Filtering Network Connection Configuration to Prevent Access b

300301 -      ..
300302 -     ...if you use Windows 2000, you can take steps to block the
300303 -     affected ports so that your computer can be patched. Here are some
300304 -     modified instructions from the TechNet article
300305 -
300307 -         ..
300308 -        HOW TO: Configure TCP/IP Filtering in Windows 2000.
300309 -        Microsoft Guidance on Filtering for TCP/IP Not Effective
300310 -        TCP/IP Filtering Prevents Operations of Internet and Email
300311 -
300312 -        Microsoft recommends changing configuration of TCP/IP to enable
300313 -        filtering on the ports that are vulnerable to access by a
300314 -        virus.
300315 -
300316 -               [...below, this method failed on our computer.
300317 -               ref SDS 0 5U6K
300319 -                ..
300320 -               [On 030814 Morris suggested using a hardware firewall
300321 -               system. ref SDS 9 HO6N
300323 -                ..
300324 -               [On 030814 TCP/IP Filtering failed on c12. ref SDS 9
300325 -               0001
300326 -
300328 -         ..
300329 -        Network and Dial-up Connections.
300330 -
300331 -            In the Control Panel, open this feature by double clicking
300332 -            on the list.
300334 -             ..
300335 -            Or, right click on the Network directory and open
300336 -            Properties.
300338 -             ..
300339 -            This displays a list of network connections on c11 and C13
300340 -
300341 -               Make New Connection
300342 -               Local Area Connection    LAN   Enabled 3Com Etherlink
300343 -               Local Area Connection 2  LAN   LNE100TX Fast Ethernet
300344 -               Local Area Connection 3  LAN   NTS Enternet PPPoE
300345 -
300347 -         ..
300348 -        Right-click the interface you use to access the Internet, and
300349 -        then click Properties.
300350 -
300351 -            On our computer, it appears there are two "interface"
300352 -            connections to access the Internet....
300353 -
300354 -               Local Area Connection 2  LAN   LNE100TX Fast Ethernet
300355 -               Local Area Connection 3  LAN   NTS Enternet PPPoE
300357 -             ..
300358 -            Microsoft could help the cause by explaining that either
300359 -            one or both of these need to be serviced.
300361 -             ..
300362 -            After making these changes we were unsuccessful connecting to
300363 -            the Internet, so tried to restore the configuration for LAN 3
300364 -            using the NTS Enternet.
300365 -
300367 -         ..
300368 -        In the Components checked are used by this connection box,
300369 -        click Internet Protocol (TCP/IP), and then click Properties.
300371 -         ..
300372 -        In the Internet Protocol (TCP/IP) Properties dialog box, click
300373 -        Advanced. Click the Options tab.
300375 -         ..
300376 -        Click TCP/IP filtering, and then click Properties.
300378 -         ..
300379 -        Select the Enable TCP/IP Filtering (All adapters) check box.
300381 -         ..
300382 -        There are three columns with the following labels.  Select the
300383 -        Permit Only option for all three labels.
300384 -
300385 -
300386 -             Permit All       Permit All        Permit All
300387 -           x Permit Only    x Permit Only     x Permit Only
300389 -              ..
300390 -             TCP Ports        UDP Ports         IP Protocols
300392 -            ..
300393 -           This guidance may be adequate for network engineers, but is
300394 -           somewhat incomplete and misleading for people who are not
300395 -           experienced with computer hardware configuration.
300397 -            ..
300398 -           DSL connections with Windows 2000 are configured using NTS
300399 -           Enternet 300.  The list of adapters in the Networks
300400 -           directory has two devices that are shown as LAN 2 and LAN 3.
300401 -           One is for the hardware circuit board and the second is for
300402 -           NTS Enternet 300 software program.  Both of these have a
300403 -           TCP/IP protocol configuration.  Microsoft's guidance does
300404 -           not say to apply filtering to both or only to one and if
300405 -           only one, which one.
300407 -            ..
300408 -           In our case (c13), the hardware device is LAN 2, and NTS
300409 -           Enternet 300 is LAN 3.  Initially, I applied the filtering
300410 -           instructions to both devices.  Experience showed that DSL
300411 -           operations failed with this configuration.  However, since
300412 -           there was a delay between entering the configuration and
300413 -           testing DSL, because a number of other tasks are underway
300414 -           today on several computers, plus watering the plants, fixing
300415 -           lunch, what have you, it was not evident why DSL was not
300416 -           running.  Eventually, a decision was made to remove
300417 -           filtering from one of the devices.  Since NTS Enternet 300
300418 -           is software and since it is LAN 3, listed below the hardware
300419 -           device LAN 2, a guess was made to first restore the initial
300420 -           configuration to this device.  At this time, DSL service was
300421 -           tried immediately, and performance was restored.  This
300422 -           experience seemingly imparted that Microsoft guidance only
300423 -           applies to the 1st device that supports DSL connections.
300425 -            ..
300426 -           Later, however, performance failed with this configuration.
300427 -           Tried switching to set filtering on NTS Enternet 300 LAN 3
300428 -           device and remove it from device LAN 2.  This also failed.
300429 -           The only way we are able to have consistent performance is
300430 -           using the following configuration on both LAN 2 and 3....
300431 -
300432 -               [On 030814 Morris suggested using a hardware firewall
300433 -               system. ref SDS 9 HO6N
300435 -            ..
300436 -           x Permit All     x Permit All      x Permit All
300437 -             Permit Only      Permit Only       Permit Only
300439 -              ..
300440 -             TCP Ports        UDP Ports         IP Protocols
300441 -
300442 -           ...which is opposite from guidance that Microsoft seems to
300443 -           be prescribing.
300445 -            ..
300446 -           On c12 there was a similar scenario.  There were some
300447 -           problems getting the DSL connection, because the
300448 -           configuration for NTS Enternet 300 had to be updated, since
300449 -           this computer is rarely connected to the Internet, maybe
300450 -           once in six months or a year.  Initially, this configuration
300451 -           was done incorrectly from relying on memory rather than
300452 -           taking the time to look up the correct configuration.  By
300453 -           the time this was accomplished, other tasks had to be
300454 -           performed.  When DSL was eventually available, it didn't
300455 -           work.  Took some time to remember that the TCP/IP filtering
300456 -           needed to be changed to only the hardware device.  After
300457 -           this was done, DSL service was available to download the
300458 -           software correction recommended by Microsoft. ref SDS 0 235K
300460 -            ..
300461 -           On c11 NTS Enternet 300 software is LAN device 2, and the
300462 -           hardware circuit board is LAN device 3, the opposite from
300463 -           c12 and c13.  Without guidance restored configuration by
300464 -           removing filtering on LAN 2 instead of LAN 3 because on c11
300465 -           LAN 2 is software.  There is no evidence this is correct.
300467 -            ..
300468 -           Eventually, these filtering schemes failed, because when
300469 -           configured according to Microsoft guidance, access to the
300470 -           Internet failed, per above. ref SDS 0 5U6K  As a result, had
300471 -           to remove all of these configurations.
300472 -
300473 -               [On 030814 Morris suggested using a hardware firewall
300474 -               system. ref SDS 9 HO6N
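The TCP/IP Filtering dialog described above offers three columns (TCP ports, UDP ports, IP protocols), each set to Permit All or Permit Only. The following is an added example, not code from the original record or from Microsoft, that models such a filter as a stateless check on each inbound packet's protocol and destination port. That statelessness is an assumption of the model, not a statement about Windows 2000 internals; the traffic, the ephemeral port numbers and the configurations are constructed. Under that assumption it shows what the record observed: "Permit Only" with nothing listed drops the worm's probe of TCP/135 but also drops the replies to connections the host opened itself, while a stateful router, the alternative recommended on 030814, keeps the replies and drops the probe.

```python
# Added example (not part of the original record): a simplified model of the
# inbound port filter that the TCP/IP Filtering dialog above configures, with
# Permit All / Permit Only for TCP ports, UDP ports and IP protocols. It is an
# assumption of this model, not a description of Windows 2000 internals, that
# the filter looks only at each inbound packet's protocol and destination port
# and keeps no record of connections the host itself opened.
from dataclasses import dataclass, field

TCP, UDP = 6, 17   # IP protocol numbers

@dataclass
class FilterConfig:
    """One pair of fields per dialog column; permit_only=False means "Permit All"."""
    tcp_permit_only: bool = False
    tcp_ports: set = field(default_factory=set)
    udp_permit_only: bool = False
    udp_ports: set = field(default_factory=set)
    ip_permit_only: bool = False
    ip_protocols: set = field(default_factory=set)

@dataclass
class Inbound:
    protocol: int
    dst_port: int
    description: str

def inbound_allowed(cfg, pkt):
    """Stateless decision: a packet passes only if every column permits it."""
    if cfg.ip_permit_only and pkt.protocol not in cfg.ip_protocols:
        return False
    if pkt.protocol == TCP and cfg.tcp_permit_only and pkt.dst_port not in cfg.tcp_ports:
        return False
    if pkt.protocol == UDP and cfg.udp_permit_only and pkt.dst_port not in cfg.udp_ports:
        return False
    return True

# Constructed traffic: one worm probe and two replies to connections the host
# opened itself (the reply ports are arbitrary ephemeral ports chosen here).
TRAFFIC = [
    Inbound(TCP, 135, "worm probe of DCOM RPC on TCP/135"),
    Inbound(UDP, 1027, "DNS reply to the host's own lookup"),
    Inbound(TCP, 1030, "web page data for the host's own connection"),
]
OWN_FLOWS = {(UDP, 1027), (TCP, 1030)}   # flows the host initiated in this scenario

# "Permit All" in all three columns, the configuration the record ended up with.
PERMIT_ALL = FilterConfig()
# "Permit Only" in all three columns with no entries added (the instructions
# above do not say what, if anything, to add to the lists).
PERMIT_ONLY_EMPTY = FilterConfig(tcp_permit_only=True, udp_permit_only=True,
                                 ip_permit_only=True)

def evaluate(cfg):
    """Map each constructed packet's description to the filter's pass/drop decision."""
    return {p.description: inbound_allowed(cfg, p) for p in TRAFFIC}

def evaluate_stateful(own_flows=OWN_FLOWS):
    """Model of a stateful router/firewall: inbound traffic passes only when it
    belongs to a flow this host opened, so the probe is dropped and replies pass."""
    return {p.description: (p.protocol, p.dst_port) in own_flows for p in TRAFFIC}

if __name__ == "__main__":
    for name, result in (("Permit All", evaluate(PERMIT_ALL)),
                         ("Permit Only, empty lists", evaluate(PERMIT_ONLY_EMPTY)),
                         ("stateful router", evaluate_stateful())):
        print(name)
        for desc, ok in result.items():
            print(f"  {'pass' if ok else 'drop'}  {desc}")
```

In this model the trade-off is explicit: a stateless Permit Only list that keeps out TCP/135 must also enumerate every port a reply to the host's own traffic might arrive on, which is not practical for DNS or web browsing. That is consistent with the repeated loss of DSL service reported above whenever the filtering was applied, and it is the reason a device that tracks which flows the host opened is the sounder control.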
300475 -
300476 -
300477 -
300478 -
3005 -

SUBJECTS
Format Drive and Install OS Again to Ensure Removal of Harmful Effect

310301 -      ..
310302 -     Format and Install OS to Avoid Undiscovered Exploits by Virus
310303 -
310304 -
310305 -     Security best practices suggest that previously compromised
310306 -     machines be wiped and rebuilt to eliminate any undiscovered
310307 -     exploits that can lead to a future compromise.  See Cert Advisory:
310308 -     Steps for Recovering from a UNIX or NT System Compromise.
310310 -          ..
310311 -         http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
310313 -      ..
310314 -     What to Do If You Think Your Computer Has Been Infected...
310315 -
310316 -        Evidently, this is in addition to what is already
310317 -        recommended above.
310319 -      ..
310320 -     If you think your computer has been infected with the Blaster
310321 -     worm, please contact Microsoft Product Support Services or your
310322 -     antivirus vendor for assistance removing it.
310324 -      ..
310325 -     For Microsoft Product Support Services within the United States
310326 -     and Canada, call toll-free (866 727 2338).
310327 -
310328 -         Tried all day to follow this guidance and was unable to reach
310329 -         Microsoft. ref SDS 0 YQ5W
310330 -
310331 -
310332 -
310333 -
310334 -
3104 -

SUBJECTS
Update OS Software Download from Microsoft

320301 -  ..
320302 - Microsoft further recommends....
320303 -
320304 -    1.  Get the latest critical updates for the version of Windows that
320305 -        you are using [there is a link to...
320306 -
320307 -           http://v4.windowsupdate.microsoft.com/en/default.asp
320308 -
320309 -        ...and make sure you get the update addressed in Security
320310 -        Bulletin MS03-026.
320311 -
320312 -           This is the "patch" available from Microsoft, reported
320313 -           above. ref SDS 0 0125
320315 -            ..
320316 -           Did this on c13, seems to have reduced some symptoms.
320317 -           ref SDS 0 AN3F
320319 -         ..
320320 -    2.  Make sure you install and use antivirus software.
320321 -
320322 -
320323 -
320324 -
3204 -

SUBJECTS
McAfee Ran Detected and Deleted Virus
Symptom Sychost.exe Has Generated Errors and Will be Closed by Window

360401 -  ..
360402 - C13 McAfee Detected and Deleted Virus Software
360403 - McAfee Detected and Deleted Virus Software on C13
360404 -
360405 - Ran McAfee
360406 -
360407 -     Updated virus definitions on McAfee on c13 using standard
360408 -     procedure to download from the Internet.
360409 -
360410 -
360411 -
360413 -  ..
3605 -
3606 -
3607 - 1349
3608 -
360801 - Report McAfee found the virus....
360802 -
360803 -                I:\00\02\system32\msblast.exe
360805 -                 ..
360806 -                W32/Lovsan.worm
360807 -
360808 - ...which fits the warning in the news, per above. ref SDS 0 0078
360809 -
360810 -        [...below, c11 has the same problem. ref SDS 0 HN7L
360812 -         ..
360813 -        [...below, c12 seems not to have the virus. ref SDS 0 5M9O
360815 -  ..
360816 - We need to find out what damage is typically caused by this virus.
360817 -
360818 -     Symptoms and impact is developed above. ref SDS 0 0078
360819 -
360820 -
360821 -
360823 -  ..
3609 -
3610 -
3611 - 1451
3612 -
361201 - Just got the following message....
361202 -
361203 -      sychost.exe has generated errors and will be closed by Windows.
361204 -      You will need to restart the program.
361206 -       ..
361207 -      An error log is being created.
361208 -
361209 -           OK
361210 -
361212 -  ..
361213 - This message appeared a few days ago.  Clicking OK did not seem to
361214 - have any impact.  The program...
361215 -
361216 -
361217 -                      sychost.exe
361218 -
361219 -
361220 - ...is not familiar.  Seems like candidate for symptom of virus, per
361221 - above. ref SDS 0 1T6I
361222 -
361223 -    A search on the disk for....
361225 -                       ..
361226 -                      sychost.exe
361227 -
361228 -    ...and for....
361230 -                       ..
361231 -                      sychost*.*
361232 -
361233 -    ....was not successful, indicating this is a registry error of
361234 -    some kind.
361235 -
361236 -
361237 -
361238 -
361239 -
361240 -
3613 -

SUBJECTS
Call Microsoft for Guidance and Support

3703 -
3704 - 1455
370501 -  ..
370502 - Microsoft Recommends Calling Microsoft for Support to Recover
370503 -
370504 - Per Microsoft guidance, above, ref SDS 0 HS6M, called Microsoft at....
370505 -
370506 -                     866 727 2338
370507 -
370508 - ...getting busy signal.
370509 -
370510 -
370512 -  ..
3706 -
3707 -
3708 - 1556
3709 -
370901 - Still busy.
370902 -
370904 -  ..
3710 -
3711 -
3712 - 1620
3713 -
371301 - Still busy
371302 -
371303 -     Microsoft's number remained busy throughout the day and night.
371304 -     Eventually got an answer that was a recording that said they are
371305 -     busy.  Referred to a website and said that at the end of the
371306 -     recorded message, if there is a busy signal to call back later.
371307 -
371308 -
371309 -
371310 -
371311 -
3714 -

SUBJECTS
Transferred Operations from C13 to C11 Because Virus Detected on C13

3903 -
3904 - 1620
390501 -  ..
390502 - Decided to transfer operations from c13 to c11.
390503 -
390504 - Think I am okay, because nothing is transferred from i: drive where
390505 - the operating system is located.
390507 -  ..
390508 - Need to format the hard drive for partition I and install w2k again,
390509 - plus configure all the software, as shown in the record on....
390510 -
390511 -        Original installation.............. 010202, ref SDS 1 0001
390512 -
390513 -        Re-installation.................... 010214, ref SDS 2 0001
390515 -  ..
390516 - The symptoms from the virus, and perhaps other non-virus related
390517 - issues suggest a new installation for w2k on c13 is needed.
390518 - ref SDS 0 1T6I
390520 -  ..
390521 - Since the keyboard is broken on c11, switched keyboards for production
390522 - work.
390524 -  ..
390525 - Also, need to connect DSL to update McAfee on C11 to ensure it is not
390526 - infected from transfers from c13.
390527 -
390528 -
390529 -
390530 -
390531 -
3906 -

SUBJECTS
Patch Microsoft Software Download for Windows 2000 OS that Prevents t

4003 -
4004 - 2027
400501 -  ..
400502 - C13 Downloaded and Installed Corrective Software from Microsoft
400503 -
400504 - Was finally able to access Microsoft website and download the software
400505 - recommended to prevent further access by the virus, per above.
400506 - ref SDS 0 235K
400508 -  ..
400509 - After downloading and installing software from Microsoft, some of the
400510 - symptoms have been eliminated. ref SDS 0 9M58
400512 -  ..
400513 - After installing the corrective software, was able to use the regular
400514 - Windows Update feature which had been failing, per above. ref SDS 0
400515 - VO3V
400517 -  ..
400518 - Tried updating Windows 2000 on c13, but get message saying....
400519 -
400520 -      HTTP/1.1 Server Too Busy
400521 -
400522 -      This suggests that upgrading software on c13 may not be a good
400523 -      idea, because will not have access to Microsoft servers for a
400524 -      day or so.
400525 -
400526 -
400527 -
400528 -
400529 -
4006 -

SUBJECTS
Virus Bssx.exe Reported by McAfee After Downloading Update for W2k fr
Virus Reported by McAfee on W2K Update Downloaded from Microsoft bssx
Virus Definitions on c11 Updated for 1 Year from Today 030526 Cost $1

430601 -  ..
430602 - C11 Virus Msblast.exe Found
430603 - Virus Msblast.exe Found on C11 as Well as C13
430604 - C11 Update McAfee to Check for the Virus
430605 -
430606 - Tried to update McAfee on c11, but got a message saying the account
430607 - needs additional payment.
430609 -  ..
430610 - This means we need the McAfee update.
430611 -
430612 -     McAfee was updated for c13 on 030526. ref SDS 3 0001
430613 -
430614 -        [On 030813 purchased virus upgrade from McAfee. ref SDS 7 0001
430615 -
430616 -
430618 -  ..
430619 - Did a search on c11 and found....
430620 -
430621 -                   i: 00 02 system32 msblast.exe
430622 -
430623 - ...per Microsoft guidance, shown above. ref SDS 0 VU4P
430624 -
430626 -  ..
430627 - Tried to delete msblast.exe from c11 using Windows file management
430628 - tools, and got an error message saying....
430629 -
430630 -           Cannot delete msblast Access is denied.  The source file
430631 -           may be in use.
430632 -
430633 -
430634 -
430635 -
4307 -

SUBJECTS
Could Not Delete Msblaster Virus Reported by Reuters Patch Available
F8 Safe Mode During Boot Sequence System Maintenance Delete Files
Safe Mode System Maintenance F8 During Boot Sequence Delete Files

460501 -      ..
460502 -     Virus Program File Denies Access to Delete Within Windows
460503 -
460504 -     Tried deleting the file from a DOS Window and got same message.
460506 -      ..
460507 -     Tried booting c11 and selecting the DOS boot option, and got an
460508 -     error message.
460509 -
460510 -
460512 -      ..
460513 -     Safe Mode Permits Deleting Virus from the Disk
460514 -     Virus File Deleted from C11 with Windows Safe Mode Op
460515 -
460516 -     Called Morris.
460517 -
460518 -         Morris recalled that w2k can be started in safe mode by
460519 -         pressing F8 early in the boot sequence.
460521 -          ..
460522 -         Safe mode is similar to working at a DOS prompt without
460523 -         standard w2k processes that enable the virus to avoid being
460524 -         deleted, per above. ref SDS 0 HN8R
460526 -      ..
460527 -     Booted the computer and launched safe mode using the F8 option.
460529 -      ..
460530 -     Safe Mode gives two options....
460531 -
460532 -         1.  Windows 2000
460533 -
460534 -         2.  MS DOS
460536 -      ..
460537 -     Since the MS DOS mode failed previously, selected option 1 for
460538 -     Windows 2000.
460540 -      ..
460541 -     This takes several minutes to boot, i.e., there is a long pause,
460542 -     but eventually a DOS prompt appears on the screen, rather than the
460543 -     standard Windows screen.
460545 -          ..
460546 -         Changed the directory to...
460547 -
460548 -                   i: 00 02 system32
460550 -          ..
460551 -         Did a dir and found
460552 -
460553 -                         msblast.exe
460555 -          ..
460556 -         Called command....
460557 -
460558 -                   I:\00\02\System32>del msblast.exe
460560 -          ..
460561 -         Got a message saying file deleted.
460563 -          ..
460564 -         Did....
460565 -
460566 -                   I:\00\02\System32>dir msblast.exe
460568 -          ..
460569 -         Got a message saying file not found.
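The safe-mode cleanup above (locate the file under system32, delete it, confirm with a second dir) as an added Python helper; this is not part of the diary or of any vendor tool, and the temp tree, placeholder file and status strings are constructed for the example.

```python
import os
import tempfile
from pathlib import Path

WORM_FILE = "msblast.exe"  # file name the diary found under system32

def find_worm_files(root, name=WORM_FILE):
    """Scripted form of the diary's search: every path under root whose
    file name matches, case-insensitively."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == name.lower():
                hits.append(Path(dirpath) / f)
    return hits

def remove_worm_file(path):
    """The 'del msblast.exe' step, reporting what happened."""
    try:
        os.remove(path)
        return "deleted"
    except PermissionError:
        # On Windows this is the diary's "Access is denied. The source file
        # may be in use": the running worm holds the file open, so the
        # deletion has to be repeated from safe mode (F8 at boot).
        return "locked: file in use, delete from safe mode"
    except FileNotFoundError:
        return "not found"

def clean_tree(root, name=WORM_FILE):
    """Delete every match under root; return {path: status}."""
    return {str(p): remove_worm_file(p) for p in find_worm_files(root, name)}

def verify_removed(root, name=WORM_FILE):
    """The diary's closing 'dir msblast.exe' check: True if nothing matches."""
    return not find_worm_files(root, name)

def demo_cleanup():
    """Constructed input: a throwaway tree shaped like I:\\00\\02\\System32
    holding a harmless placeholder, not the worm."""
    root = Path(tempfile.mkdtemp())
    sys32 = root / "00" / "02" / "System32"
    sys32.mkdir(parents=True)
    (sys32 / "MSBLAST.EXE").write_bytes(b"placeholder bytes (constructed)")
    return clean_tree(root), verify_removed(root)

if __name__ == "__main__":
    print(demo_cleanup())
```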
460570 -
460571 -
460572 -
460573 -
460574 -
4606 -

SUBJECTS
McAfee Will Not Update on Internet Using DSL Connection
Virus Blaster on C13 Reported by Reuters Patch Available from Microso

480401 -  ..
480402 - C12 Appears to Not Have Virus Msblaster Installed
480403 -
480404 - A search on c12 did not find....
480405 -
480406 -                   msblast.exe
480407 -
480408 - ...per Microsoft guidance, shown above. ref SDS 0 VU4P
480410 -  ..
480411 - Appears to suggest that c12 is not infected.  Will switch to c12 as
480412 - primary work system while correcting problems with c11 and c13.
480414 -  ..
480415 - However, was unable to run McAfee because could not update the virus
480416 - definitions.
480417 -
480418 -
480419 -
480420 -
480421 -
480422 -
480423 -
4805 -

SUBJECTS
Develop Work Plan to Detect Recover and Prevent Future Problems
Work Plan Virus Recovery Protection Work Plan
Virus Protection Firewall Hardware Software

510501 -  ..
510502 - Work Plan to Recover from Virus and Prevent Future Problems
510503 -
510504 - We have taken some initial steps to detect and recover from access and
510505 - harm caused by virus software.  Identify a methodical process to treat
510506 - each computer comprehensively, and take steps to prevent future
510507 - problems.
510509 -  ..
510510 - This is a classic problem of getting the cat, the fox and the chicken
510511 - across the river.
510512 -
510513 -    1.  McAfee virus protection on c13 to find and remove virus.
510514 -        ref SDS 0 0125
510515 -
510516 -            Did this. ref SDS 0 UO5K
510518 -         ..
510519 -    2.  Software to correct problems, downloaded from Microsoft.
510520 -        ref SDS 0 235K
510521 -
510522 -            Did this. ref SDS 0 AN3F
510524 -         ..
510525 -    3.  Set TCP/IP filtering to block access to Ports on c13.
510526 -        ref SDS 0 IQ6R
510527 -
510528 -            Did this, as alternative to installing firewall, but it
510529 -            turned out to cause new problems by preventing normal
510530 -            access to the Internet, so restored original configuration.
510531 -            ref SDS 0 5U6K
510533 -         ..
510534 -    4.  Firewall hardware network Internet router. ref SDS 0 595N
510535 -
510536 -        Since modifying TCP/IP failed, per above, ref SDS 0 FL5F, need
510537 -        this alternate method for blocking access by virus software to
510538 -        the computer via the Internet.
510539 -
510540 -            [On 030814 installed firewall router to protect c11, c12
510541 -            and c13.
510543 -         ..
510544 -    5.  Transfer ops temporarily from c11 back to c13, because c13 now
510545 -        seems clean, per above. ref SDS 0 AN3F
510546 -
510547 -            Did this.
510549 -         ..
510550 -    6.  Disconnect network from c11 to c12 and to c13, since
510551 -        msblast.exe is reported to transfer itself across networks.
510552 -        ref SDS 0 0078
510553 -
510554 -            Did this.  Simply unplug power to the network hub.
510556 -         ..
510557 -    7.  Update SDS on C12.
510558 -
510559 -            Did this.
510561 -         ..
510562 -    8.  Delete msblast.exe from c11
510563 -
510564 -            Tried MS Windows file management, and this failed on c13.
510565 -            ref SDS 0 HN8R
510567 -             ..
510568 -            Was able to delete virus file using Windows safe mode, per
510569 -            above. ref SDS 0 M346
510571 -         ..
510572 -    9.  McAfee update license on c11 and update virus definitions
510573 -
510574 -            [On 030813 did this step. ref SDS 7 0001
510576 -         ..
510577 -   10.  McAfee run on c11 to verify virus successfully deleted as a
510578 -        backup to step 4. ref SDS 0 C67S
510579 -
510580 -            After updating McAfee, did this.
510582 -         ..
510583 -   11.  Microsoft software correction on c11, as was done on c13, per
510584 -        above. ref SDS 0 AN3F and under Recovery. ref SDS 0 0125
510585 -
510586 -            After running McAfee and verifying c11 is clean, connected
510587 -            to Microsoft and downloaded software correction.
510589 -         ..
510590 -   12.  McAfee update license on c12 and update virus definitions
510591 -
510592 -            Had to update NTS Enternet 300 with current account
510593 -            status.
510594 -
510595 -            Cannot connect to the McAfee network to update virus
510596 -            definitions because getting another report HTTP Server
510597 -            Busy. ref SDS 0 6V6G
510598 -
510600 -             ..
510601 -            McAfee Online Purchase Update Virus Definitions Failed C12
510602 -
510603 -            Finally got DSL working on c12, and was able to make some
510604 -            progress on updating the McAfee software.  Have so far been
510605 -            unable to update McAfee virus definitions on c12 because
510606 -            when this task is selected, the McAfee on-line software for
510607 -            purchasing a program update executes an endless loop.  It
510608 -            brings up a "Purchase" screen, which is the same that was
510609 -            done successfully with c11, per above. ref SDS 0 NL5N
510610 -            However, when "Purchase" is selected to complete the
510611 -            transaction there is some flashing as though something is
510612 -            being attempted, then the original screen returns saying it
510613 -            is time to update the software.  For some reason, the
510614 -            purchase transaction never occurs.
510615 -
510616 -                [On 030813 same problem prevented purchasing an upgrade
510617 -                for McAfee on c12. ref SDS 7 545G
510619 -                 ..
510620 -                [On 030814 called McAfee technical support and was
510621 -                connected to a 900 number, but the engineer could not
510622 -                solve the problem. ref SDS 10 0001
510624 -                 ..
510625 -                [On 030919 was able to complete purchase transaction of
510626 -                McAfee software online. ref SDS 9 0001
510627 -
510629 -         ..
510630 -   13.  McAfee run on c12 to verify virus clean system as a backup to
510631 -        investigation reported above. ref SDS 0 5M9O
510632 -
510633 -            Was ultimately able to run McAfee on c12 across the
510634 -            network from c11, where McAfee was updated.
510635 -
510636 -               [On 030822 McAfee on c11 would not recognize c12, even
510637 -               though c11 was recognizing c12 on the network.  Was able
510638 -               to run McAfee code on c11 across the network from c12 in
510639 -               order to scan for virus problems on c12. ref SDS 12 E147
510641 -         ..
510642 -   14.  Microsoft software correction on c12, as was done on c13, per
510643 -        above. ref SDS 0 AN3F
510644 -
510645 -           Did this.
510647 -         ..
510648 -   15.  Transfer ops to c11 again in order to replace w2k on c13.
510650 -         ..
510651 -   16.  Install w2k clean on c13.
510652 -
510653 -        This is a two day job.
510655 -         ..
510656 -   17.  Upgrade all software on c13.
510658 -         ..
510659 -   18.  Transfer ops from c11 back to c13.
510661 -         ..
510662 -   19.  Upgrade w2k on c11.
510664 -         ..
510665 -   20.  Upgrade w2k on c12.
510666 -
510667 -
510668 -
510669 -
510670 -
510671 -
510672 -
510673 -
510674 -
510675 -
510676 -
5107 -