Win32 Blaster Worm is on the Rise 1251

EvilNight writes "You know you've got it when a 60 second shutdown timer pops up on your screen. The virus uses the RPC vulnerability. It looks like it's reaching critical mass today. Luckily, it's an easy one to stop: Download this security update. Once you've installed that patch, go here and download the removal tool." Update: 08/12 19:19 GMT by M : Security bulletin URL corrected.
  • shutdown /a (Score:5, Informative)

    by mjmalone ( 677326 ) * on Tuesday August 12, 2003 @10:06AM (#6674769) Homepage
    My friend was getting hit constantly by this worm yesterday. The box wouldn't stay up long enough for him to install the patches :P. Just a tip for those of you who are getting hit a lot and having your box reboot: To stop those pesky reboots try:

    shutdown /a

    That should abort the shutdown and give you enough time to install patches. This also works well when you install a piece of software that tries to force you to reboot. (Why he hadn't fixed it already is a mystery, especially since slashdot.org is his homepage.)
  • by baxterux ( 575852 ) on Tuesday August 12, 2003 @10:07AM (#6674773) Homepage
    Posted an article about it here http://www.baxter2.com/modules.php?name=News&file=article&sid=114 - I have never seen a worm spread so fast! Dangerously fast.
  • Nasty little bugger (Score:5, Informative)

    by snack ( 71224 ) on Tuesday August 12, 2003 @10:09AM (#6674812) Journal
    I've been helping my friends get this NASTINESS off of their machines too.

    Something else you might want to try is booting into safe mode (F8 right when the Windows splash screen pops), then deleting the registry entries and the virus program (msblast.exe). Also please... PLEASE patch your computer.

    When you're done, run some AV on your system. Some people had a 2nd virus sneaking around that they didn't even know about (Spybot.worm).

    -Tim
  • by UnassumingLocalGuy ( 660007 ) on Tuesday August 12, 2003 @10:09AM (#6674818) Homepage Journal
    Yes, you can cancel this. Start up a console session (oh wait, this is Windows, it's called a command prompt) and type in:

    C:\WINDOWS>shutdown -a now

    Granted, this does leave your system in an unstable state, but if you have something urgent you absolutely need to get done, this gives you a few minutes to do it before you reboot.
  • A BBC link (Score:3, Informative)

    by azzy ( 86427 ) on Tuesday August 12, 2003 @10:10AM (#6674825) Journal
    Another article here [bbc.co.uk]
  • by Eric Ass Raymond ( 662593 ) on Tuesday August 12, 2003 @10:10AM (#6674829) Journal
    The patch does not appear to work properly.

    Read more on SecurityFocus' mailing list [securityfocus.com].

  • RPC? (Score:4, Informative)

    by Quasar1999 ( 520073 ) on Tuesday August 12, 2003 @10:10AM (#6674834) Journal
    Funny, a few days ago I had my XP system exhibit the same problem (after using windowsupdate)... but I checked the event log and it told me that 0x70/0x71 was accessed by the BIOS unexpectedly.

    After doing a bit of research I discovered that at some point, Microsoft decided that ACPI needs to behave differently, and forced all BIOSes to be upgraded to work with XP. After getting a new version of my BIOS, the problem disappeared... but the symptoms were identical to what is described with this bug... Bad timing I guess... But if you have this problem, check the event log; it may be your now non-compliant BIOS, rather than an infection/attack.
  • In addition... (Score:4, Informative)

    by OrthodonticJake ( 624565 ) on Tuesday August 12, 2003 @10:11AM (#6674840) Homepage Journal
    My friends and I discovered that turning on your windows firewall (Windows XP) also stops the shutdowns. (Wish I had known that BEFORE I formatted my computer) Unfortunately, I told my parents about this 'epidemic' of computer error (I heard about it from my cousin in Kansas before it happened to me, and then some friends here got it at the same time), and I'm sure that now whenever something is wrong with the computer my parents will get a big serious face and say "You know, it's probably an epidemic".
  • also (Score:5, Informative)

    by BigBir3d ( 454486 ) on Tuesday August 12, 2003 @10:11AM (#6674844) Journal
    Internet Storm Center [sans.org]

    Microsoft Bulletin [microsoft.com]

    Note this is marked "Critical" now...

  • Nice touch. (Score:3, Informative)

    by bbum ( 28021 ) on Tuesday August 12, 2003 @10:12AM (#6674862) Homepage
    From Symantec's analysis:

    If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on "windowsupdate.com."

    With the current logic, the worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.


    Maybe this will motivate Microsoft to actually deal with the gaping festering security holes in their OS? How many systems do you think will still be infected after the 15th?

    Nahh....
  • by EvilNight ( 11001 ) on Tuesday August 12, 2003 @10:13AM (#6674874)
    If you want to stop the timer from fscking with you, simply set your clock back a few hours right after the timer appears. Any time you subtract from the clock is added to the timer. This will give you time to install the patches. We got lucky, this one is mostly harmless. This vulnerability was patched on March 26th, btw.
  • by chiph ( 523845 ) on Tuesday August 12, 2003 @10:14AM (#6674880)
    Having trouble getting out to Windows Update. Looks like a lot of people are taking this one seriously.

    Chip H.
  • Re:shutdown /a (Score:5, Informative)

    by Anonymous Coward on Tuesday August 12, 2003 @10:14AM (#6674883)
    You can also go into Computer Manager -> Services and Applications -> Services and change the Recovery settings for Remote Procedure Call (RPC) from "Restart the Computer" to "Restart the Service".

    I was hit by this last night, and couldn't download/install the update in the 60 seconds allowed.

  • Echoes (Score:4, Informative)

    by saskwach ( 589702 ) on Tuesday August 12, 2003 @10:15AM (#6674893) Homepage Journal
    Why-oh-why can't people patch? Shouldn't broadband providers be sending emails to their clients with a link in them? You'd think every hotmail account would get a message saying "Plug that hole" from whoever it is that runs hotmail. Even the most clueless of windows users can click on a link and then click the "Yes" button. I can see my logs filling with failed attempts to bring down my machine already...
  • by mao che minh ( 611166 ) * on Tuesday August 12, 2003 @10:15AM (#6674896) Journal
    No, I shouldn't. This worm isn't clogging up bandwidth or DoS/DDoS attacking routers and web servers like Code Red and Nimda did. This is just making WinNT and greater workstations and servers (should you actually be using a Windows OS on a server that isn't heavily protected) reboot.
  • Worm (Score:2, Informative)

    by WesLsoN ( 696427 ) on Tuesday August 12, 2003 @10:15AM (#6674898)
    I run an ISP in Virginia; it's nailing all of our Windows XP users.
  • by BrainInAJar ( 584756 ) on Tuesday August 12, 2003 @10:17AM (#6674918)
    Turn off the timer.

    Right click on my computer, go to manage, in the services & apps tab, go to services, right click Remote Procedure Call (RPC), properties. In the recovery tab, change all the things that say "restart the computer" to "take no action"
  • Re:Fscking Windows. (Score:3, Informative)

    by Jellybob ( 597204 ) on Tuesday August 12, 2003 @10:19AM (#6674936) Journal

    Nothing like this would ever happen on a UNIX platform like Linux.
    I'm still using Linux 7.2, and that's rock solid. Never had to update it.

    Yeah... nothing like that.

    Other of course than the multitude of root kits out there, sendmail holes, bind holes, apache holes, anything else holes.

    And yeah. Linux 7.2 - guess you haven't been around long enough to remember.
  • by daun3507 ( 116384 ) on Tuesday August 12, 2003 @10:21AM (#6674962)
    While you should have the MS03-010 [microsoft.com] patch installed, it is the wrong one for this worm. Make sure you use MS03-026 [microsoft.com]. This is the patch that it links to in the removal tool [symantec.com] link.
  • by JaJ_D ( 652372 ) on Tuesday August 12, 2003 @10:23AM (#6674982)
    The Cert [cert.org] advisory can be found here [cert.org]
  • by j0se_p0inter0 ( 631566 ) on Tuesday August 12, 2003 @10:23AM (#6674983)
    Start\Settings\Control Panel - Administrative Tools. Services. right-click "Remote Procedure Call (RPC)" hit Properties. click the Recovery tab. set "First Failure", "Second Failure", and "Subsequent Failures" to "Take No Action". that will keep it from trying to reboot as you clean. good luck.
  • by rkz ( 667993 ) on Tuesday August 12, 2003 @10:24AM (#6674991) Homepage Journal
    you don't need the "now" this is not unix.
  • by dr bacardi ( 48590 ) on Tuesday August 12, 2003 @10:26AM (#6675008) Homepage
    You know you've got it when a 60 second shutdown timer pops up on your screen.
    This was a bug in the first version of the worm; it has since been fixed so that no shutdown occurs. See http://lists.insecure.org/lists/fulldisclosure/2003/Aug/0418.html for the updated version.

    * - Shellcode has been modified to call ExitThread, rather than ExitProcess, thus preventing crash of RPC service on remote machine.
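    The ExitProcess-to-ExitThread change quoted above is the whole difference between a box that silently gets owned and one that shows the 60-second reboot timer: the RPC service runs as one process with many worker threads, so shellcode that finishes with ExitProcess takes the entire service down, and the service's default recovery action (the "Restart the Computer" setting several posters mention) reboots the machine. ExitThread ends only the thread the exploit ran in, and the service keeps answering requests. The following is an added illustration, not code from the thread or from the worm: a POSIX stand-in in which a forked "service" process runs one worker thread that ends either with exit() (the ExitProcess analogue) or with pthread_exit() (the ExitThread analogue), and the parent reports whether the service's main thread was still alive afterwards. The function and constant names are hypothetical.

```c
/* Added example: exit() vs pthread_exit() inside a worker thread, as a Unix
 * analogue of ExitProcess vs ExitThread in an exploited Windows service.
 * Assumes POSIX threads and fork(); not the worm's code and not from the thread. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define WORKER_EXIT_CODE 3   /* hypothetical status a worker passes to exit() */

enum finish_mode { END_WHOLE_PROCESS = 0, END_THIS_THREAD_ONLY = 1 };

/* The "exploited" worker thread: ends like ExitProcess or like ExitThread. */
static void *worker(void *arg)
{
    enum finish_mode mode = *(enum finish_mode *)arg;
    if (mode == END_WHOLE_PROCESS)
        exit(WORKER_EXIT_CODE);   /* kills every other thread in the service too */
    pthread_exit(NULL);           /* only this thread ends; the service stays up */
}

/* Fork a stand-in for the service process, run one worker inside it, and
 * report whether the service's main thread survived to finish normally.
 * Returns 1 if the service survived the worker's death, 0 if the worker took
 * the whole process down, -1 on fork/thread/wait error. */
int service_survives_worker(enum finish_mode mode)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* child = the service: a main thread plus one worker thread */
        pthread_t tid;
        enum finish_mode m = mode;
        if (pthread_create(&tid, NULL, worker, &m) != 0)
            _exit(100);
        pthread_join(tid, NULL);  /* never returns if the worker called exit() */
        _exit(0);                 /* main thread got here: service still running */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    printf("worker calls exit():         service survives = %d\n",
           service_survives_worker(END_WHOLE_PROCESS));
    printf("worker calls pthread_exit(): service survives = %d\n",
           service_survives_worker(END_THIS_THREAD_ONLY));
    return 0;
}
```

    On Windows the second case is the dangerous one for defenders: nothing visibly breaks, so the only sign that the exploit landed is the new process (msblast.exe) and the outbound TFTP fetch, which is why the "shutdown timer means you're infected" heuristic in the story summary is unreliable.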
  • Sad really (Score:3, Informative)

    by BoomerSooner ( 308737 ) on Tuesday August 12, 2003 @10:27AM (#6675015) Homepage Journal
    Every Windows Sysadmin should check these sites daily:
    TechNet [microsoft.com]
    TechNet HotFixes [microsoft.com]
    And
    WindowsUpdate [microsoft.com]

    It's really that simple. Check daily for patches on your software, patch it, reboot, get back to work.
  • by Eudial ( 590661 ) on Tuesday August 12, 2003 @10:28AM (#6675032)
    All the Linux users (and *BSD for that matter) are walking around with a big smile on their lips days like this.

    To make this smile even bigger: compile this and execute it as root (all ports below 1024 are restricted and need root permission to listen on).

    Now you can actually *see* when the worm tries its futile attack on your superior OS.
    // begin mblaster_l.c
    // Listens on TCP 135 (the port the worm's RPC/DCOM exploit hits) and logs
    // who connected and how many bytes they sent. The probe is binary, so the
    // first bytes are shown as hex instead of being printed raw to the terminal.
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #define PORT 135
    #define DUMP_BYTES 32   /* how much of each probe to show */

    int main(void)
    {
        int sock_f, remote_p, one = 1;
        struct sockaddr_in sockaddr_l, remote_a;
        socklen_t len_s;
        unsigned char buffer[4096];
        ssize_t n, i;

        sock_f = socket(AF_INET, SOCK_STREAM, 0);
        if (sock_f < 0) { perror("socket"); return 1; }
        /* let the listener be restarted right away instead of waiting out TIME_WAIT */
        setsockopt(sock_f, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));

        memset(&sockaddr_l, 0, sizeof(sockaddr_l));
        sockaddr_l.sin_family = AF_INET;
        sockaddr_l.sin_port = htons(PORT);
        sockaddr_l.sin_addr.s_addr = INADDR_ANY;
        if (bind(sock_f, (struct sockaddr *)&sockaddr_l, sizeof(sockaddr_l)) == -1)
        { perror("bind"); return 1; }

        if (listen(sock_f, 30) == -1) { perror("listen"); return 1; }
        while (1)
        {
            len_s = sizeof(remote_a);
            remote_p = accept(sock_f, (struct sockaddr *)&remote_a, &len_s);
            if (remote_p == -1) continue;
            n = recv(remote_p, buffer, sizeof(buffer), 0);
            if (n <= 0) { close(remote_p); continue; }   /* peer closed or error: don't leak the fd */
            printf("Received %ld bytes from %s:%u\n", (long)n,
                   inet_ntoa(remote_a.sin_addr), ntohs(remote_a.sin_port));
            for (i = 0; i < n && i < DUMP_BYTES; i++) printf("%02x ", buffer[i]);
            printf("\n");
            fflush(stdout);
            close(remote_p);
        }
    }

    // end mblaster_l.c
  • by c0y ( 169660 ) on Tuesday August 12, 2003 @10:28AM (#6675034) Homepage
    Sure, go ahead and use that removal tool. And ignore the fact that you've probably been gang raped by a bunch of skript kiddies for the last month.

    Seriously, best current practices dictate that before a compromised machine is reconnected to the 'net you:

    1. Reformat
    2. Reinstall from manufacturer's original media
    3. Apply all necessary security patches.

    Getting the patches without a 'net connection is left as an exercise to the reader.

  • by kunsan ( 189020 ) on Tuesday August 12, 2003 @10:31AM (#6675056)
    I got the worm yesterday, and found that when the "shutdown" popup appears, just reset the system time... you have a full minute to do that. I just pushed the date back one year, and the shutdown is postponed a year! Then you can run a full system virus scan, and repair tools.

    Regards/
    JP
  • by ChiChiCuervo ( 2445 ) on Tuesday August 12, 2003 @10:32AM (#6675063) Homepage
    I discovered spybot on a friend's computer last Saturday. It appears to be a "prequel" to our friend slammer here. My guess is that spybot created a number of staging hosts in order to quickly propagate slammer yesterday afternoon.

    However, there are a lot of nasty little payloads that spybot brings in. I'd recommend googling for msconfig35.exe for removal instructions for the spybot payload.
  • by XSforMe ( 446716 ) on Tuesday August 12, 2003 @10:37AM (#6675108)

    Luckily, it's an easy one to stop: Download this security update. Once you've installed that patch, go here and download the removal tool."
    Not really... there have been several reports that the thing has flogged machines so badly that it might not even be possible to connect to windowsupdate/any other internet site. For proper removal instructions, take a look at CERT's advisory [cert.org] or Trend Micro's KB [trendmicro.com]

  • Re:Honest question (Score:2, Informative)

    by jav1231 ( 539129 ) on Tuesday August 12, 2003 @10:38AM (#6675124)
    Ummm..is it not functionally inhibitive to block port 80 on a webserver? That's the port this is using. It's using a DCOM exploit, not just standard RPC. JAV
  • Re:shutdown /a (Score:3, Informative)

    by MSG ( 12810 ) on Tuesday August 12, 2003 @10:51AM (#6675274)
    don't fool yourself into thinking that a common distribution like RedHat 8/9 is secure out of box.

    A common distribution, like Red Hat Linux 8/9, has a firewall on by default.
  • Re:Honest question (Score:2, Informative)

    by ANTI ( 81267 ) * on Tuesday August 12, 2003 @10:56AM (#6675325) Homepage
    1. Because I came back from vacation today. And didn't even make it through half of my email before my RPC service restarted _itself_.
    2. Because apt-get upgrade runs daily on my other systems and I'm just not used to _manually_ installing security updates.
    3. Because the exploit existed for at least 7 years ... and nothing ever happened.
    4. Because I'm within a corporate intranet with f..scking expensive cisco switches that could easily stop the worm on the medium.

    I could give you hundreds more,
    but it all boils down to:
    This shouldn't bother me - the user - not at all.
  • by g8oz ( 144003 ) on Tuesday August 12, 2003 @11:04AM (#6675425)
    All these crappy Microsoft net-enabled 'features' turned on by default are a menace to the average user and the Internet in general.

    Please block TCP/UDP Netbios ports 135-139, as well as SMB over TCP(port 445), RPC over HTTP (port 593), the MS-SQL port the Slammer worm used (port 1434).

    And I am sure there are many, many more.
  • by Knight2K ( 102749 ) on Tuesday August 12, 2003 @11:04AM (#6675427) Homepage
    If you already have the service pack mentioned in this slashdot article [slashdot.org], then according to the Microsoft Security bulletin linked in the article you already have the fix. So you might as well get the whole Service Pack while you're at it.
  • Re:shutdown /a (Score:5, Informative)

    by zoombat ( 513570 ) on Tuesday August 12, 2003 @11:08AM (#6675473)
    FFS it's not as if it's attacking via port 80... No properly administered system should ever get this. Home users, maybe but businesses????

    Actually, I had quite a scramble this morning making sure all my mobile users were properly patched. That's my single biggest point-of-entry problem for worms and viruses; people take their notebooks home or on the road and come back infected and reconnect inside the firewall. It's much harder to properly enforce policies on mobile users. Fortunately all our laptops were either patched or left at work yesterday and patched this morning.

    The other possible point of entry is VPNs, which are also notorious for letting in computers that were infected via a different net connection.

  • Auto Update? (Score:3, Informative)

    by ttyp0 ( 33384 ) on Tuesday August 12, 2003 @11:24AM (#6675667) Homepage
    I know all our Windows boxes at the office use the "auto update" feature to download patches at 3am each night. I figured most people would be using this great feature. Instead of trying to keep up with all the security fixes, I let Microsoft push them to me.

    Anti SCO T-Shirt [anti-tshirts.com]. $1 donated to Open Source Now Fund on each shirt.

  • Re:Laptops (Score:5, Informative)

    by zoombat ( 513570 ) on Tuesday August 12, 2003 @11:26AM (#6675681)
    Yeppers. I was waiting for a 'Road Warrior' to return (I consult on Friday afternoons only) so I could update his laptop. Upon seeing the news this morning, I sent him an email with instructions (crossing fingers!) on how to use Windows Update.

    Careful with Windows Update; it is notorious for falsely reporting that patches are installed properly. See this discussion [ntbugtraq.com] about this very patch (MS03-026).

  • by g0hare ( 565322 ) on Tuesday August 12, 2003 @11:26AM (#6675684)
    Maybe you could try Microsoft's FREE Software Update Service (SUS) which lets you download all updates to a central server, approve the ones that work and automatically deploy them to your Active Directory clients - I patched 64 machines in less than 10 minutes of my time. I sure hope knowing how to use Microsoft products doesn't get me banned from Slashdot...
  • by Capt_Troy ( 60831 ) <tfandango.yahoo@com> on Tuesday August 12, 2003 @11:28AM (#6675712) Homepage Journal
    Ummm... Isn't that what the automatic update thing does? You can set it to automatically download and install critical updates, or warn you when they are available. Am I missing something? It seems like windows has had this for a long time now.

    T.
  • Re:Precisely (Score:3, Informative)

    by aug24 ( 38229 ) on Tuesday August 12, 2003 @11:29AM (#6675726) Homepage
    I'm an idiot? You don't even know to capitalise the first letter in a sentence!

    MS have released broken patches [esj.com] in the past, you moron. Hence big businesses don't usually let admins apply patches to production machines without regression testing, hence my question. That's one reason why it takes so long for patches to get applied.

    Also, I wasn't comparing any OS with any other, so leave out the 'Linux is just as bad' rant. How old are you?!

    J.

  • by four12 ( 129324 ) on Tuesday August 12, 2003 @11:30AM (#6675737)
    I was experimenting with nessus [nessus.org] several months ago. I unchecked the "safe checks only" option and ran it against a series of internal Windows systems and crashed RPC. I thought "wow, this could be really dangerous if nessus'd a range of public IPs."
  • Re:Nice touch. (Score:1, Informative)

    by dBLiSS ( 513375 ) <theking54 AT gmail DOT com> on Tuesday August 12, 2003 @11:38AM (#6675833) Journal
    Maybe this will motivate Microsoft to actually deal with the gaping festering security holes in their OS? How many systems do you think will still be infected after the 15th?

    Nahh....


    They did deal with this, almost a month ago. But there isn't much they can do if users don't apply the patch.
  • Wrong (Score:3, Informative)

    by johnburton ( 21870 ) <johnb@jbmail.com> on Tuesday August 12, 2003 @11:40AM (#6675849) Homepage
    You know you've got it when a 60 second shutdown timer pops up on your screen
    Actually this is what happens when it fails to infect your system and crashes the process instead. So you know you've not got it when you see this.
  • writeup is bollocks (Score:3, Informative)

    by Cally ( 10873 ) on Tuesday August 12, 2003 @11:41AM (#6675867) Homepage
    Sorry, this writeup is wrong in almost every respect. I work at an Infosec co BTW so I do know what I'm talking about.

    • It's not "on the rise" - luckily, this one's a slow spreader and not terribly effective due to the use of tftp, which easily limits its spread. The _real_ worm won't do anything so dull.

    • You don't know you've got it when you get a shutdown timer. The worm uses the oc192-dcom.c exploit, which contains the universal offsets which don't crash the service. The reboots are a symptom that you're being hit by worm /traffic/, and you're vulnerable. You may already have it; you may not.

    • It's not an easy one to stop. There are reports that the MS patch doesn't fix the issue in every case. In addition, there's another similar DCOM exploit for which Microsoft HAS NOT RELEASED A PATCH. Fortunately, it's just a DoS...

    • Finally, if you've been owned by this worm, don't waste time messing about with a "removal tool". Back up your data, reformat, reinstall. Or, better, install Linux or BSD :)

    The only, uhm, 'interesting' aspect of this worm is that on Friday it's going to nuke WindowsUpdate. The worm will probably never go away completely so W.U. could well be unusable for months to come. Totally predictable, of course; it's just a surprise that it lasted this long.

  • Re:Sad really (Score:3, Informative)

    by aziraphale ( 96251 ) on Tuesday August 12, 2003 @11:43AM (#6675881)
    > Check daily for patches on your software, patch it, reboot, get back to work

    Actually, the most common cause of a 'forced reboot' on any of my Windows systems nowadays isn't an MS patch (neither of the last couple of RPC vulnerability patches required a reboot on WinXP or 2003) - it's Norton Antivirus. NAV quite often seems to download something that requires a full reboot of the machine. Quite why it's possible to patch the OS without a reboot, but an application can't restart itself cleanly without a full restart, I have no idea...
  • Re:shutdown /a (Score:3, Informative)

    by RocketScientist ( 15198 ) * on Tuesday August 12, 2003 @11:43AM (#6675883)
    Shutdown is native in XP Pro, but it is also installable from the resource kits. It's pretty handy, it lets you remote shutdown machines over the network.
  • Re:Laptops (Score:2, Informative)

    by Anonymous Coward on Tuesday August 12, 2003 @11:47AM (#6675943)
    The opposite is true too. I keep getting told there's a critical security patch, and download it, reboot only to be told I need the same security patch over and over again.
  • Re:Sad really (Score:3, Informative)

    by zoombat ( 513570 ) on Tuesday August 12, 2003 @11:49AM (#6675971)
    It's really that simple. Check daily for patches on your software, patch it, reboot, get back to work.

    Actually, I think you're over-simplifying the process somewhat:

    • If you run any mission-critical applications, you'd better be testing the patches before you deploy them - especially ones that don't have an uninstaller.
    • Often down-time needs to be scheduled (especially on servers) which always occurs when you need to reboot after installing the patch.
    • Being the guinea pig for just-released patches can be problematic if there are problems with the patch. Generally waiting a couple days is a decent idea to see if MS amends their bulletin or people report problems with the patch.
    • Tracking down and patching mobile users can be difficult, especially if they are off-site, but failure to do so can increase risk of future exposure.
    I guess the last one applies more to Network Admins than System Admins, but they tend to be hard to separate these days. Oh, and all these items are significantly more problematic in the case of a service pack release, as more things tend to be affected...
  • Re:shutdown /a (Score:1, Informative)

    by Anonymous Coward on Tuesday August 12, 2003 @12:00PM (#6676102)
    You know what his point was. Why not clarify it using the correct terms? Just slamming him for using the wrong terms without offering a correction is lame. Very lame.

    I believe he meant "just block the port to the WAN (internet) as opposed to the LAN", then suggested that if your LAN was large (e.g. a college campus), there would still be a risk.
  • Re:shutdown /a (Score:5, Informative)

    by OutRigged ( 573843 ) on Tuesday August 12, 2003 @12:08PM (#6676203) Homepage
    My computers can run without network connections, thank you. You might have noticed that Microsoft phased out standalone patches a couple years ago.

    Um, no they didn't. Every patch Microsoft releases can be downloaded as a standalone installer. Windows Update is intended for home users, but Microsoft knows an admin isn't going to run Windows Update on every computer he maintains. The hotfixes, as they are called, can even be slipstreamed onto an install CD, so they're applied automatically at setup. I've done this with every copy of Windows I've owned since Windows 2000.
  • Re:shutdown /a (Score:3, Informative)

    by Silvers ( 196372 ) on Tuesday August 12, 2003 @12:10PM (#6676233)
    I just installed the patch on a WinXP Home machine. Upon reconnecting to the internet, it got infected again.

    The patch, as stated elsewhere, does not work on all machines.

    I turned on the firewall hoping that will fix
  • by Mr_Silver ( 213637 ) on Tuesday August 12, 2003 @12:13PM (#6676264)
    There was a trial about ten years ago. A retired policeman went on holiday and whilst he was away his money was taken from his Halifax account via an ATM. Halifax took him to court because they said that their security was infallible and the man must have given his ATM card to someone to extract money whilst he was on holiday to defraud the Halifax. The man lost.

    Good memory!

    His name was John Munden and it was October 1992.

    Some articles are here [poptel.org.uk] and here [elistx.com] about it.

  • Re:shutdown /a (Score:2, Informative)

    by Brad Cossette ( 319687 ) on Tuesday August 12, 2003 @12:14PM (#6676279)
    There's a (I think) better alternative, though a little trickier to run.

    In WinXP (works for Home or Pro), run "Dcomcnfg", double click on Component Services, d-click on Computers, r-click on My Computer and select Properties. Select the Default Properties tab and uncheck "Enable Distributed COM on this computer".

    This'll shut down the subsystem which is vulnerable to the attack in the first place, and give you time to update patches etc. Works even if the virus is currently in place (you'll still need to remove it later).

    A friend of mine got nailed with this last night; she's a mother of 3 and knows jack about computers (mind you, I know jack about raising a family so we're even). No firewall, and didn't even know there was a "Windows Update" option to upgrade her OS. As much as I don't like a "Big Brother" type interference from Microsoft (especially them), it's situations like this which make me think that having them forcing updates remotely to PCs may not be a bad thing - some people just don't know, and don't want to have to worry about stuff like that.

  • by Jugalator ( 259273 ) on Tuesday August 12, 2003 @12:19PM (#6676330) Journal
    A new version of Blaster has started spreading. The new version is called RPCsdbot.A by Trend Micro and appears to be more stable and can also open a backdoor to IRC.

    RPCsdbot.A Information [trendmicro.com]
  • Ok, (Score:2, Informative)

    by sjwt ( 161428 ) on Tuesday August 12, 2003 @12:26PM (#6676391)
    So I got the timer,
    I got the reboot,
    I scanned with the program..
    no virus..

    Is it possible the 'error' and timer
    can be from just a random problem??

    or have I got some undetectable variant?
  • Re:Laptops (Score:3, Informative)

    by silas_moeckel ( 234313 ) on Tuesday August 12, 2003 @12:32PM (#6676453) Homepage
    That's why you require laptops to have firewalling on them, especially for sales guys.

    Outside consultants are harder to deal with; really this is why you use an IDS to see what's happening inside your firewall(s) and reset and shun nastiness. It also helps to stop those programming team security audits (watch a programmer when his port gets turned off for 30 minutes as he tries to portscan a box; they turn so red it's funny). Always get this in corporate documentation, preferably with "sets off the IDS and it's a terminable offence".
    by PurpleFloyd ( 149812 ) on Tuesday August 12, 2003 @12:35PM (#6676497) Homepage
    RPC isn't just for over-the-network calls; it's also what some Win32 apps use for interprocess communication. Thus, if RPC is borked, your whole system is in trouble (I had a system where the RPC DLLs were corrupted; I couldn't even use simple things like copy and paste, since programs couldn't communicate with the clipboard buffer).

    The only real solution in this case is a good firewall and keeping up with the endless stream of security patches; unfortunately, Microsoft in their infinite wisdom have decided that users can't turn off RPC's network functionality. While turning off services you don't need is good security practice, there are some exploitable services that the system needs and you can't just turn off. RPC falls into this category, and you can't do much besides firewall and patch it.

  • Holes in what? (Score:3, Informative)

    by leonbrooks ( 8043 ) on Tuesday August 12, 2003 @12:36PM (#6676504) Homepage
    Linux: The kernel (1). Stuff commonly exposed by a desktop Linux installation (0). Remote all-your-base-are-belong-to-us exploits (0).

    Windows: all-your-base-ar[Rebooting in 60 seconds]

    Now go and average that out over a year. Bear in mind that MS-Windows exploits are being reported on a small software set (OS, email client, database, web server, web browser, email client) and Linux exploits are being reported on any of 4000 (Mandrake) - 8000 (Debian) packages, most of which will not be installed on your typical desktop or server. Estimate a percentage installed on each and discount appropriately.

    Now assign a severity rating, maybe base=25% remote=50% privesc/root/admin/ring0=25% to each incident and see how they compare.

    And so on. No sense comparing an overdecorated Niva with a Land Cruiser and complaining about the mileage, either.

  • Re:Sad really (Score:3, Informative)

    by harrkev ( 623093 ) on Tuesday August 12, 2003 @12:48PM (#6676697) Homepage
    Congratulations on the stereotypical Slashdot posts. Dollar signs in Microsoft's name, baseless claims of patches breaking things, and sarcastic quips at the end.


    I know that you are a troll, but I can't help it...

    Gee. I seem to remember that about a year ago, Microsoft withdrew a patch because it was buggy. This means that even though I formed it as a joke, IT HAS HAPPENED. If it had NOT happened, then you could feel free to tear into me.

    It has also been revealed that Micro$ sells their $190 operating system [buy.com], but could sell it for under $50 and still make a profit. They sell it for more because they CAN. The average person has no choice. Microsoft has them by the short hairs. It is called a MONOPOLY (no, not the board game). Look it up. Your best buddy, Billy G. was found to be the head of a convicted monopolist corporation. It just completely sucks that the government let them off easy (at least there is still hope for Europe).

    Of course there is also the fact that the cost of Word has skyrocketed since the demise of WordPerfect.

    Now, about that Kernel release which corrupts filesystems -- was that an even or an odd release? You do know that the odd ones are to be considered alpha or beta quality, don't you? (hint: this means that the software is NOT guaranteed to be stable).

    Also, the number of holes last month for Linux probably includes all of the associated stuff that goes with it: various servers and applications and such. Take the Microsoft number and add in the holes for the web browser, web server, database server, office, and so on. Then, let's talk numbers.

    In short, grow a clue or turn your 'puter off.
  • Re:shutdown /a (Score:5, Informative)

    by walt-sjc ( 145127 ) on Tuesday August 12, 2003 @12:50PM (#6676720)
    Replying to my own post, but I was just reading a message on one of the security lists I monitor, and by one account, this worm went right through Norton's firewall even though the firewall was configured to block it. (Note: I have not verified this claim.)

    I've never trusted Windows-based firewalls due to the fact that firewall vendors rely on the hooks that MS provides - if the hooks are not in the right place, the damage can be done before the firewall software sees it at all. In Linux / BSD, the hooks are right there in the kernel, and you can be SURE that they are in the right place, and that there is no path around them (since you can view the source.)

    I always recommend that Windows users use an external (non-Windows based) firewall. There are lots of cheap ones out now. I think you can get a SOHO model for under a hundred dollars. Many SOHO "routers" have firewalls built in. Even one of my old DSL modems from 4 years ago had one (although it was really primitive.) Zone Alarm is a great second level of defense, as it helps deal with rogue software like some spyware, but I would not rely on it alone to protect you.
  • by mortisnoir ( 645829 ) on Tuesday August 12, 2003 @01:16PM (#6677056) Homepage
    Since the shutdown tends to occur the moment you access the internet, do the following:

    1. Unplug internet connection
    2. Enable Win XP firewall on all valid connections
    3. Connect internet connection
    4. Download and install the patch from MS
    5. Update anti-virus or download and run the removal tool

    Good Luck!
  • by jgaynor ( 205453 ) <jon@@@gaynor...org> on Tuesday August 12, 2003 @01:25PM (#6677165) Homepage
    Just got this from the Abilene (Internet 2) Operations Center. Apparently this is significantly affecting at least the .edu side of the network:

    Abilene Connectors and Participants,

    As you're all probably painfully aware by now, a worm exploit of the Microsoft
    DCOM RPC vulnerability, W32/Blaster, was unleashed on Monday August 11. Details
    regarding the vulnerability and exploit can be found at the references provided
    below.

    Worm traffic on Abilene is very high, peaking at 7%+ of all packets on the
    network. We're performing an analysis of Abilene netflow data, and early this
    afternoon will provide a private communication to sites that are sourcing a
    large amount of worm traffic.

    Recommendations for network border filtering are included in the CERT W32/Blaster
    advisory, http://www.cert.org/advisories/CA-2003-20.html. Filters should be
    defined as input and output - to protect yourselves and to protect from
    infecting others.

    Abilene Connectors, please pass this communication on to your Participants.

    References:

    Microsoft DCOM RPC:
    http://www.cert.org/advisories/CA-2003-16.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352

    W32/Blaster:
    http://www.cert.org/advisories/CA-2003-20.html

    Regards,

    XXXX XXXXXXX
    Director, REN-ISAC
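
    The Abilene notice above says the operations centre is analysing netflow data to find sites that are sourcing worm traffic. The script below is an added example of that kind of analysis, not code from the thread or from Abilene: it parses a constructed set of flow records (the "timestamp src dst proto dport packets" layout is an assumption, not Abilene's export format) and flags any source that probes many distinct hosts on TCP/135 inside one time window. Distinct destinations, not packet volume, is the signal, because a worm touches many hosts once each while a legitimate DCOM client sends many packets to few hosts.

```python
"""Flag hosts sourcing worm-like fan-out to TCP/135 in flow records.

Added example, not part of the Slashdot thread or the Abilene notice.
The record layout "timestamp src dst proto dport packets" and the sample
records below are constructed; they are not Abilene's netflow format.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[int, str, str, str, int, int]

# Constructed flow records. 10.1.1.5 fans out to ten distinct hosts on
# TCP/135 within a few seconds (the pattern an RPC-scanning worm leaves);
# 10.1.1.9 repeatedly talks to one server on 135, which is ordinary DCOM use.
SAMPLE_FLOWS = """\
1060700000 10.1.1.5 192.0.2.10 tcp 135 3
1060700000 10.1.1.5 192.0.2.11 tcp 135 3
1060700001 10.1.1.5 192.0.2.12 tcp 135 3
1060700001 10.1.1.5 192.0.2.13 tcp 135 3
1060700002 10.1.1.5 192.0.2.14 tcp 135 3
1060700002 10.1.1.5 192.0.2.15 tcp 135 3
1060700003 10.1.1.5 192.0.2.16 tcp 135 3
1060700003 10.1.1.5 192.0.2.17 tcp 135 3
1060700004 10.1.1.5 192.0.2.18 tcp 135 3
1060700004 10.1.1.5 192.0.2.19 tcp 135 3
1060700005 10.1.1.9 10.1.0.2 tcp 135 40
1060700005 10.1.1.9 10.1.0.2 tcp 135 38
1060700006 10.1.1.9 192.0.2.30 tcp 80 120
1060700006 10.1.1.9 192.0.2.30 tcp 80 95
this line is deliberately malformed and must be skipped
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse one record per line; lines that do not fit the layout are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        try:
            flows.append((int(parts[0]), parts[1], parts[2],
                          parts[3].lower(), int(parts[4]), int(parts[5])))
        except ValueError:
            continue
    return flows


def find_scanners(flows: List[Flow], dport: int = 135, proto: str = "tcp",
                  min_targets: int = 8, window: int = 60) -> Dict[str, int]:
    """Return {source: peak distinct destinations on proto/dport inside one
    window-second bucket} for every source whose peak reaches min_targets."""
    buckets: Dict[str, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, p, port, _pkts in flows:
        if p == proto and port == dport:
            buckets[src][ts // window].add(dst)
    hits: Dict[str, int] = {}
    for src, by_bucket in buckets.items():
        peak = max(len(dsts) for dsts in by_bucket.values())
        if peak >= min_targets:
            hits[src] = peak
    return hits


def report(hits: Dict[str, int], dport: int = 135, proto: str = "tcp") -> List[str]:
    """One line per flagged source, the kind of note a border team sends to a site."""
    return [f"{src}: {peak} distinct hosts probed on {proto}/{dport} within one window"
            for src, peak in sorted(hits.items())]


if __name__ == "__main__":
    for line in report(find_scanners(parse_flows(SAMPLE_FLOWS))):
        print(line)
```

    The threshold and window are tunable; on a real border the same per-source distinct-destination count would be computed from the exporter's own flow format, and the output is what the "private communication to sites that are sourcing a large amount of worm traffic" would be built from.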

  • by dark-br ( 473115 ) on Tuesday August 12, 2003 @01:33PM (#6677245) Homepage
    for analysis here [trustmatta.com]

    Also some cool screenshots of the beast in action here [baxter2.com], and here [baxter2.com]

  • by einhverfr ( 238914 ) <chris...travers@@@gmail...com> on Tuesday August 12, 2003 @01:55PM (#6677494) Homepage Journal
    I helped a friend remove this virus yesterday. Here is what we did:

    1: Enable Internet Connection Firewall (for once, it actually has a use!)
    2: Download and install MS03-026
    3: Remove the following registry key:
    HKey_Local_Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update
    4: search for and remove all files beginning with msblast.exe

    Turns out aside from DDOS'ing Microsoft, this worm is pretty harmless.
  • Maryland MVA (Score:2, Informative)

    by Anonymous Coward on Tuesday August 12, 2003 @02:12PM (#6677654)
    Whoops.. [state.md.us] Radio just reported that anyone who has a license expiring today has a 1-day extension. Thanks, Bill.
  • Re:Good timing... (Score:2, Informative)

    by irc.goatse.cx troll ( 593289 ) on Tuesday August 12, 2003 @02:22PM (#6677763) Journal
    shutdown -a in a console. you need to be administrator I believe. (yes, that's -a, contrary to windows normal use of /a)
  • Re:Auto Update? (Score:3, Informative)

    by KodaK ( 5477 ) <`sakodak' `at' `gmail.com'> on Tuesday August 12, 2003 @02:23PM (#6677767) Homepage
    811493. That's a number I'll never forget. I used to use the Auto Update feature too, until that patch came out.

    When my machines applied that patch, the very next day they slowed to a crawl. Unusable crawl. Clicking start & Run would take literally 5 minutes. It turns out that there was an incompatibility between that patch and our antivirus software. It took them a couple of days to figure that out, even though I told them that was the case as soon as we got it.

    Anyway, don't automatically install updates. Stay up on the patches, sure. Deploy them in some other way (I use the domain log on scripts) when you're sure they won't screw anything up. Do your testing as quickly as possible.

  • by Keeper ( 56691 ) on Tuesday August 12, 2003 @02:28PM (#6677821)
    No. Windows ME isn't either.

    Win95, 98, 98SE, and ME are all based off of the same codebase. All are unaffected.

    WinNT, Win2k, WinXP, and Win2k3 are all based off of the same codebase. All unpatched machines are targets.
  • by einhverfr ( 238914 ) <chris...travers@@@gmail...com> on Tuesday August 12, 2003 @03:35PM (#6678594) Homepage Journal
    Yeah, rebooting your computer every minute.

    Actually to be technically accurate, it is the RPC overflow that reboots your computer. The worm on your computer is actually rebooting *other peoples' computers* every minute ;-)
  • another way... (Score:2, Informative)

    by headblur ( 692256 ) on Tuesday August 12, 2003 @04:10PM (#6678930)
    after you know you're infected, boot into windows. disable dcom via dcomcnfg -> components -> computers -> my computer properties. reboot into windows and use stinger or some other tool to get rid of the worm...then download the windows patches. if you need DCOM, turn it on. most users won't.
  • by OmegaGX ( 120040 ) on Tuesday August 12, 2003 @04:12PM (#6678949) Journal
    Here is a nice command line utility to scan your network for vulnerable machines. It gives you a neat list of patched and compromisable computers.

    http://www.iss.net/support/product_utilities/ms03-026rpc.php [iss.net]
  • Re:shutdown /a (Score:2, Informative)

    by dwillden ( 521345 ) on Tuesday August 12, 2003 @04:38PM (#6679332) Homepage
    Replying to my own post, but I was just reading a message on one of the security lists I monitor, and by one account, this worm went right through Norton's firewall even thought the firewall was configured to block it. (Note: I have not verified this claim.)
    I myself have spent most of today trying to clean it off my laptop. I wanted to comment on Norton's failings on this. My system had crashed once before I received a Liveupdate from Norton that immediately detected it. In other words it was slamming systems and Norton couldn't see it.

    Then even though I had followed all the steps to clean it off, Including verifying that the registry key was cleared and that the msblast.exe was deleted, I was still getting the shutdowns. I'd also like to note that I was able to be online for a while without a crash if I avoided using any MS internet software. Using Opera and Mozilla I was able to stay on long enough to dl the updates and cleaner tools

  • Re:Honest question (Score:1, Informative)

    by Anonymous Coward on Tuesday August 12, 2003 @04:44PM (#6679407)
    I don't think Steve Gibson is right as I have successfully closed port 135 for years on both NT 4.0 and W2K with no firewall via "dcomcnfg" and checked via "netstat -na".
    Of course, I don't use any Micro-shaft garbage like Outlook or useless and dangerous OS services that may open port 135 (or any other Micro-shaft ports). Of course, leaving this security hole open by default is just another example of the total incompetence of Mickeysoft.

    Anyway, I just noticed that the COX network has just blocked port 135.

  • Re:Prophylactic? (Score:3, Informative)

    by Megane ( 129182 ) on Tuesday August 12, 2003 @06:56PM (#6680659)
    Not only that, but the patch requires a reboot to take effect. Not everybody can afford to reboot a server at just any old time. The above method prevents the worm from copying itself onto your machine without needing a reboot. Something like that isn't without precedent. The old internet worm of ages back could be prevented from spreading by simply adding a symbol to a library file.

    However, it won't stop the worm from affecting your system. This morning I found copy & paste not working right in Mozilla, and Start->Settings->Network and Dial-up Connections just brought up an empty window. But there was no msblast.exe. Apparently I had been hit by the worm, but it wasn't able to use TFTP to copy over and run the code. (FWIW, I had installed the patch but not yet restarted the machine.)

    So while that cheesy mkdir will probably prevent the worm from spreading (not a bad goal in itself), it apparently won't prevent the exploit from making your system flaky.

    And Zed2K really needs to calm down and stop acting like such a know-it-all.

  • Re:Wow (Score:3, Informative)

    by antiMStroll ( 664213 ) on Tuesday August 12, 2003 @07:28PM (#6680890)
    Apache != Linux any more than Apache on Windows = 2k Server. Nice try. This is a true vulnerability of the core OS, not a 3rd party app. Apples calling the kettle black.
  • by PurpleFloyd ( 149812 ) <zeno20@@@attbi...com> on Wednesday August 13, 2003 @03:44AM (#6683485) Homepage
    RPC is used to call other programs' functions remotely; it's a network-transparent protocol that lets an application run a function from another process, and receive the data returned. While it's designed to work well over networks, it doesn't have to be run over anything but one system: many Windows apps use it, including MS Installer and MS Office. It's a form of IPC; it's somewhat similar to BSD-style sockets (another network-transparent IPC system more often encountered under UNIX/Linux, and, of course, on the Internet; sockets differ from RPC calls in that they're based around datastreams rather than functions).

    IPC is more a problem with multiple solutions than an implementation; RPC, shared memory, BSD sockets, pipe links, and other IPC implementations are used based on what is best for the specific application.
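
    The comment above describes RPC as function calls carried over a datastream. The following is an added example, not code from the thread and not Microsoft's RPC implementation: a tiny RPC layer in which a client stub marshals `client.add(2, 3)` into a length-prefixed JSON frame, a server dispatcher unmarshals it, checks it against an allowlist of exported functions and an argument-size bound, and returns a reply over the same socket pair. The wire format, the exported functions and the limits (`MAX_FRAME`, `MAX_ARG_LEN`) are assumptions chosen for the demo. The validation in `dispatch` is the part worth noticing: an RPC server that runs whatever the stream hands it, with unbounded arguments, is exactly the kind of component the thread is about.

```python
"""A minimal RPC layer over a byte stream: function calls marshalled as
length-prefixed JSON frames, plus the request validation a dispatcher owes
its callers.

Added example, not code from the Slashdot thread or from Microsoft's RPC.
The wire format (4-byte big-endian length + JSON body), the exported
functions and the size limits are assumptions chosen for this demo.
"""
import json
import socket
import struct
import threading
from typing import Any, Callable, Dict, List

MAX_FRAME = 64 * 1024   # assumption: largest request body the server will buffer
MAX_ARG_LEN = 1024      # assumption: longest string argument the server accepts

# The only functions a caller can reach; anything else is refused by name.
EXPORTED: Dict[str, Callable[..., Any]] = {
    "add": lambda a, b: a + b,
    "upper": lambda s: s.upper(),
}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes, or raise if the peer goes away."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the stream")
        buf += chunk
    return buf


def send_frame(sock: socket.socket, payload: bytes) -> None:
    sock.sendall(struct.pack("!I", len(payload)) + payload)


def recv_frame(sock: socket.socket) -> bytes:
    (n,) = struct.unpack("!I", _recv_exact(sock, 4))
    if n > MAX_FRAME:
        raise ValueError(f"frame of {n} bytes exceeds MAX_FRAME")
    return _recv_exact(sock, n)


def dispatch(request: bytes) -> bytes:
    """Server side: unmarshal, validate, call, marshal the reply.

    Every failure becomes an error reply naming only the exception class, so a
    malformed request neither crashes the server nor leaks its internals.
    """
    try:
        msg = json.loads(request.decode("utf-8"))
        fn = EXPORTED[msg["method"]]            # KeyError for names not exported
        params = msg.get("params", [])
        if not isinstance(params, list):
            raise TypeError("params must be a list")
        for p in params:                        # bound every string argument
            if isinstance(p, str) and len(p) > MAX_ARG_LEN:
                raise ValueError("string argument too long")
        reply = {"ok": True, "result": fn(*params)}
    except Exception as exc:
        reply = {"ok": False, "error": type(exc).__name__}
    return json.dumps(reply).encode("utf-8")


def serve(sock: socket.socket, n_requests: int) -> None:
    """Answer a fixed number of requests on one stream, then return."""
    for _ in range(n_requests):
        send_frame(sock, dispatch(recv_frame(sock)))


class RpcClient:
    """Client stub: client.add(2, 3) is marshalled, sent, and unmarshalled."""

    def __init__(self, sock: socket.socket) -> None:
        self._sock = sock

    def __getattr__(self, method: str) -> Callable[..., Any]:
        def stub(*args: Any) -> Any:
            send_frame(self._sock, json.dumps(
                {"method": method, "params": list(args)}).encode("utf-8"))
            reply = json.loads(recv_frame(self._sock))
            if not reply["ok"]:
                raise RuntimeError(reply["error"])
            return reply["result"]
        return stub


def run_demo() -> List[Any]:
    """Two good calls, one unknown method, one overlong argument, one stream."""
    client_sock, server_sock = socket.socketpair()
    server = threading.Thread(target=serve, args=(server_sock, 4))
    server.start()
    client = RpcClient(client_sock)
    results: List[Any] = [client.add(2, 3), client.upper("blaster")]
    for call in (lambda: client.no_such_method(1), lambda: client.upper("x" * 5000)):
        try:
            call()
        except RuntimeError as exc:
            results.append(str(exc))
    server.join()
    client_sock.close()
    server_sock.close()
    return results


if __name__ == "__main__":
    print(run_demo())   # [5, 'BLASTER', 'KeyError', 'ValueError']
```

    From the caller's side `client.add(2, 3)` looks like a local function, which is the transparency the comment describes; underneath it is nothing but bytes on a stream, which is why the server, not the transport, has to decide what a well-formed call is.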
