> I am curious if any of the various anti-virus programs successfully stopped
> it?

Below is a copy of a letter I received 8/16 from NAI (McAfee), the vendor of
our enterprise av package. If you want to cut to the chase on av-specific
response read the paragraph titled "McAfee VirusScan(R) Anti-Virus
Software."

I had no hits. However MS announced the patch sometime in advance and I was
able to push it out to my desktop and server boxes. The ports mentioned in
the press were closed anyway. 

Best,

Alan

P.S. While McAfee offered a downloadable search/extraction tool I found the
one at Symantec preferable. They both worked fine though.

==========================
This past Monday, many of our customers were exposed to an attempt to
exploit a vulnerability in some versions of the Microsoft Windows operating
system. This vulnerability, referred to as MS03-06, was something that we
initially told you about a little more than two weeks ago. Since that time,
the vulnerability has been exploited and an active worm exists (W32/Lovsan
worm). Any vulnerable Windows desktop or server connected to the Internet
may be open to an attack. By exploiting the RPC vulnerability in Windows,
the worm is able to execute (without requiring any action on the part of the
user) and could potentially crash machines, causing downtime and continue to
spread to vulnerable computers for further propagation. This worm is still
moving aggressively across the Internet. We're making sure you are
protected.

The McAfee Protection-in-Depth Strategy
The McAfee(R) Protection-in-Depth(TM) Strategy delivers the industry's only
complete set of system and network protection solutions differentiated by
intrusion prevention technology that can detect and block the
W32/Lovsan.worm before it can cause damage to systems and networks. With the
core components of the McAfee Protection-in-Depth Strategy, customers can
take immediate steps to identify and resolve occurrence of the LovSan worm.

McAfee System Protection Solutions
McAfee ThreatScan 
The latest ThreatScan(TM) signature (2003-08-12) includes detection of the
W32/Lovsan.worm virus. This signature is available for ThreatScan v2.0,
v2.1, and v2.5. By using ThreatScan customers can detect incidents of the
LovSan worm.

Network Associates Stinger Tool
An update has been made available to the Stinger tool so that customers can
stop further infection of desktop PCs, download the required Microsoft
software patches and re-establish the security of infected desktop systems.
This is a no-cost tool available through the Network Associates web-site.

McAfee Desktop Firewall
McAfee Desktop Firewall would block access to TCP port 135 if no legitimate
applications were defined to make use of the port, and would have prevented
the worm from opening TCP port 4444.  This would prevent infected systems
from further propagating the worm.  Even if the worm had been executed by an
unsuspecting user (received, for example, in email) the worm would not have
been able to connect to any remote computer system, in effect isolating the
infected computer on the network.

McAfee Entercept System Intrusion Prevention
McAfee Entercept(R) stopped the W32/Lovsan.worm before it was a known
threat/attack. The McAfee Entercept solution provides patented protection
against exploitation by code execution as a result of buffer overflows,
protecting the integrity of the server. This protection functions whether or
not the server has the latest security patch installed. The McAfee Entercept
solution and its patented technology safeguards servers against buffer
overflows, without any signature or code updates. 

McAfee VirusScan(R) Anti-Virus Software
McAfee Anti-Virus solutions protected against W32/Lovsan.worm before it was
even discovered. W32/Lovsan.worm exploits the MS03-026 vulnerability, and
McAfee anti-virus solutions with signatures updated since August 8, 2003 are
able to detect a variety of threats containing code that attempts to exploit
that vulnerability. By scanning files as they are saved to disk, downloaded
through the Internet gateway, or as they pass through the e-mail server,
McAfee anti-virus solutions can detect and eradicate W32/Lovsan.worm from
your environment.


McAfee Network Protection Solutions
Sniffer Distributed and Sniffer Portable Software
Sniffer(R) Technologies filters can be used to alert managers to the
presence of the malicious worm exploiting the Microsoft RPC buffer overflow
vulnerability. Sniffer Technologies filters for Sniffer Portable and Sniffer
Distributed, can identify the Lovsan.worm used to exploit Microsoft RPC
vulnerability and to monitor traffic on TCP port 135. 

McAfee IntruShield Network Intrusion Prevention
McAfee IntruShield(R) can both detect and block W32/Lovsan.worm, stopping it
before it even reaches the targeted host computer. Users that have updated
their systems with signature set 1.5.9.3, released on July 22, 2003, are
fully protected from this worm. Users who have not yet updated their systems
will be notified of suspicious activity via the McAfee IntruShield anomaly
detection engine. Users who have not updated should do so immediately.

InfiniStream Security Forensics
InfiniStream(TM) Security Forensics mining capabilities can accurately
pinpoint the infected machines, and the source of infection, reducing mean time
to resolution and the chances of reoccurrence. Furthermore, as the new
variants of the worm are introduced, InfiniStream enables customers to
rapidly isolate destructive email payloads for verification through the
WebImmune online virus scanning system.

We're Here to Help
Our legacy is built on helping our customers protect their business by
protecting the security and availability of the technology that powers it.
As part of our McAfee Protection-in-Depth Strategy, we offer a full range of
emergency services that complement the technology solutions identified
above. 

To help you, we've documented all the steps to resolve this issue on our web
site at www.networkassociates.com. 

To receive more information about this threat and a custom solution please
click here:
https://secure.nai.com/us/forms/registration/survey.asp?code=ne269.


Regards,

Network Associates Sales

-----Original Message-----
From: Booth Martin [mailto:Booth@xxxxxxxxxxxx]
Sent: Tuesday, August 19, 2003 2:46 PM
To: pctech@xxxxxxxxxxxx
Subject: Re: [PcTech] Hit by LoveSan/Blaster ?


hit but not hammered. That was the first virus on my own machine I've ever
had cause disruption.
 
I am curious if any of the various anti-virus programs successfully stopped
it?
 
 
 
---------------------------------------------------------
Booth Martin http://www.MartinVT.com
Booth@xxxxxxxxxxxx
---------------------------------------------------------
 
-------Original Message-------
 
From: PC Technical Discussion for iSeries Users
Date: Tuesday, August 19, 2003 1:37:33 PM
To: pctech@xxxxxxxxxxxx
Subject: [PcTech] Hit by LoveSan/Blaster ?
 
Hi Folks,
 
Thought I subscribed to this the INSTANT David announced it but guess not :-)
So how many of you got hammered by LoveSan/Blaster ?
Chuck
 
 
 
 

_______________________________________________
This is the PC Technical Discussion for iSeries Users (PcTech) mailing list
To post a message email: PcTech@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/pctech
or email: PcTech-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/pctech.

