GwieF, Kamakaze and Cosmo all got their computers infected today with a worm. GwieF discovered it first when he spotted a suspicious file (msblast.exe) in the running processes list. Kam then checked for the file and didn't have it, but shortly afterwards the same file appeared in his system32 directory. Upon asking, it was discovered that Cosmo also had the same file. The times of infection (discovered by checking the created date on the msblast.exe file) were: some time in the morning, 8.33pm, and 7.13pm respectively.
A patch for this flaw has been available since 16 July 2003 (revised on 21 July 2003), so the lesson here as usual is that if you are using Windows, make sure you keep up to date with the latest security patches (after all, you can be sure that as soon as a flaw has been publicly announced, it's only a matter of time before someone tries to exploit it).
Fortunately for me:
- I always keep up to date with Windows security patches. To help with this, I'm subscribed to Microsoft's Product Security Notification mailing list, so I always know when I need to go get a new patch.
- I have a lovely shiny firewall/router that I installed last week. It's an Olivetti M4 (P133 with 16MB RAM) running SmoothWall v2.0 beta 5 (incidentally I had been having trouble getting SmoothWall 1.0, or indeed any form of Linux at all to install on this machine, apparently because Linux has had some weird problems with the Olivetti M4 - fixed in later versions of the kernel, but that's another story).
Looking at the firewall logs, in the past 40 minutes alone my firewall has detected 29 attempts to access TCP port 135, from a different IP address every time, so it would appear that this thing is spreading quite rapidly (especially given the rate at which it infected the aforementioned PCs).
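
The tally described above (attempts against TCP port 135 and how many distinct source addresses they came from in the last 40 minutes) can be computed from a firewall log as follows. This is an added example, not part of the original post: it assumes iptables LOG-style kernel lines, and the sample lines, addresses, year and the `port_probes` name are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed log format: syslog prefix followed by netfilter LOG fields (SRC=, PROTO=, DPT=).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?\bSRC=(?P<src>[\d.]+)\s.*?"
    r"\bPROTO=(?P<proto>\w+)\s.*?\bDPT=(?P<dpt>\d+)\b"
)
LOG_YEAR = 2003  # assumption: syslog timestamps carry no year, so one is supplied

def parse(line):
    """Return (timestamp, source_ip, protocol, dest_port) or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["proto"], int(m["dpt"])

def port_probes(lines, port=135, window_minutes=40):
    """Count TCP attempts to `port`, and distinct sources, within the window
    ending at the newest matching entry. Returns (attempts, distinct_sources)."""
    events = [e for e in map(parse, lines) if e and e[2] == "TCP" and e[3] == port]
    if not events:
        return 0, 0
    newest = max(e[0] for e in events)
    window = timedelta(minutes=window_minutes)
    recent = [e for e in events if newest - e[0] <= window]
    return len(recent), len({e[1] for e in recent})

# Constructed sample log (documentation-range addresses, not real hosts).
_T = "Aug 11 {t} fw kernel: IN=ppp0 OUT= SRC={s} DST=192.0.2.10 LEN=48 PROTO={p} SPT=3021 DPT={d}"
SAMPLE = [_T.format(t=t, s=s, p=p, d=d) for t, s, p, d in [
    ("20:10:02", "203.0.113.5",    "TCP", 135),  # outside the 40-minute window
    ("20:31:17", "203.0.113.77",   "TCP", 135),
    ("20:45:09", "198.51.100.23",  "TCP", 135),
    ("20:45:12", "198.51.100.23",  "TCP", 135),  # retry from the same source
    ("20:52:40", "198.51.100.200", "TCP", 445),  # different port, ignored
    ("20:58:03", "203.0.113.140",  "UDP", 135),  # UDP, ignored
    ("21:04:40", "203.0.113.201",  "TCP", 135),
]] + ["Aug 11 21:04:41 fw dhcpd: lease renewed"]   # non-firewall line, ignored

if __name__ == "__main__":
    attempts, sources = port_probes(SAMPLE)
    print(f"{attempts} attempts on TCP/135 from {sources} distinct sources")
```

A distinct-source count close to the attempt count, as in the figures quoted above, indicates many independent hosts scanning rather than one host retrying.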