Tuesday, August 12, 2003
I haven't been able to find out much about it, but there seems to be a worm using the exploit in MS03-026 making the rounds. One of my PCs at home was infected. The removal procedure was to kill a process named msblast.exe (in windows\system32 on my machine), remove the "windows update" key from the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key, and install MS03-026. I was seeing a ton of traffic over port 135 on my firewall, both inbound and outbound, which ceased when I killed msblast.exe. I don't know if it does anything to your PC aside from installing the one executable. The worm itself seems to send outbound requests on port 135 to sequential IP addresses, but it doesn't appear to work off of your subnet; I have another Win2k PC on this network that didn't get hit. I suspect that I was infected from a machine at work when I had the VPN up; I'd thought that the firewall was good protection, but the VPN is a hole I'd forgotten about.
[Later] Charles Miller has a few links to more information.
10:02:50 AM
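The traffic pattern described in the post (an inside host sending outbound requests on port 135 to sequential IP addresses) can be picked out of firewall logs. The following is an added example, not code from the original post; the log line format, the local subnet, the run threshold and all sample addresses are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed log format: "<date> <time> <action> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def longest_sequential_run(addresses):
    """Length of the longest run of numerically consecutive IPv4 addresses."""
    values = sorted({int(ipaddress.IPv4Address(a)) for a in addresses})
    best = run = 1 if values else 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_port135_sweepers(lines, local_net="192.168.1.0/24", min_run=5):
    """Return {local_source_ip: longest_run} for hosts sweeping TCP/135."""
    net = ipaddress.ip_network(local_net)
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dport"] != "135":
            continue  # skip unparseable lines and other ports
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        # Outbound only: source inside the local net, destination outside it.
        if src in net and dst not in net:
            targets[m["src"]].add(m["dst"])
    runs = {src: longest_sequential_run(dsts) for src, dsts in targets.items()}
    return {src: n for src, n in runs.items() if n >= min_run}

# Constructed sample: .10 walks sequential addresses, .20 makes one-off connections.
SAMPLE_LOG = [
    f"2003-08-12 09:58:{i:02d} ALLOW TCP 192.168.1.10:{1030 + i} -> 10.20.0.{i + 1}:135"
    for i in range(8)
] + [
    "2003-08-12 09:58:10 ALLOW TCP 192.168.1.20:2001 -> 10.20.0.5:135",
    "2003-08-12 09:58:11 ALLOW TCP 192.168.1.20:2002 -> 10.99.3.7:135",
    "2003-08-12 09:58:12 ALLOW TCP 192.168.1.10:1050 -> 10.20.0.200:80",
    "2003-08-12 09:58:13 DROP TCP 172.16.4.4:4000 -> 192.168.1.10:135",
    "malformed line",
]

print(find_port135_sweepers(SAMPLE_LOG))
```

A host that shows up here is a candidate for the cleanup the post describes; the check keys on destination ordering rather than volume, so a machine with a few legitimate port 135 connections is not flagged.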