
Windows Virus Takes Out Gov't Agencies in MD, PA

Posted by michael
from the no-great-loss dept.
Zolzar writes "Looks like the Md. State Motor Vehicles Administration is the first government agency reporting a failure of their systems due to the recent virus." This is a more specific story about the outage. And the city of Philadelphia has suffered as well.

  • by westyvw (653833) on Tuesday August 12, 2003 @11:00PM (#6682124)
    DSL reports has a security forum that has been taking this sucker apart and giving us the code:

    have a look:

    http://www.dslreports.com/forum/remark,7649146~root=security,1~mode=flat
  • Their fault. (Score:3, Informative)

    by man_ls (248470) on Tuesday August 12, 2003 @11:03PM (#6682155)
    Their fault-the patch was released over a month ago, before there were any known exploits for it.
  • by apc (193970) on Tuesday August 12, 2003 @11:05PM (#6682167)
    Interesting. I had noticed when I stopped by Municipal Court to schedule a trial date that the computers were down. I was told by an employee that it was due to the power outage [philly.com], a comment that didn't make sense considering that I knew for a fact that the server farm was a floor above us...

    As pissed as I am at the asshole who wrote the worm (it took nearly half an hour to schedule something that normally takes 2 minutes-- thank "Bob" that I was in Municipal Court, which is only starting to modernize from an old IBM mainframe setup, rather than in Common Pleas or Federal District Court, which are totally computerized-- and in the case of Common Pleas at least, running on Windows), this is, of course, another example of why governments, in the name of security, should go to more open-source solutions.
  • by BWJones (18351) on Tuesday August 12, 2003 @11:05PM (#6682169) Homepage Journal
    My wife's entire 1500 plus employee company was instructed today to not turn on their computers until IT came around to look at them. I guess a few computers were infected with this worm and they wanted to ensure things were taken care of. So, here's the deal: I figure that today alone, due to lost productivity, salaries, benefits etc.... this company lost $250k from this worm. So, I ask: When are companies going to wake up and realize that the fundamental foundations that Windows are built on are flawed when it comes to security? There have got to be studies out there examining total cost of ownership of the various platforms. For instance, I spent a couple days of my time updating our remaining Wintel systems to guard against this virus and am soooo happy 95% of my work is done on OS X.

  • by Anonymous Coward on Tuesday August 12, 2003 @11:11PM (#6682222)
    I work in IT for the Department of Transportation in TX. Today, around noon, we suffered state-wide outages. It would have been easy to prevent- we have the tools to automatically deploy patches and updates to every computer on our network. Unfortunately, the people who have the necessary privileges to do so, didn't.

    My section was not affected, because I took it upon myself to patch the computers I was responsible for. Hundreds of people in my building were unable to use their computers for half the day. My section had problems because the servers we rely on were infected.

    I hope (in vain) that 'little' problems like this will teach system administrators to keep their machines up to date.
  • by green pizza (159161) on Tuesday August 12, 2003 @11:12PM (#6682231) Homepage
    Somebody's trying to run a plant dependent upon Microsoft...

    I suggest you take some factory tours, the majority of modern factories/plants use Windows for their control software. Unless the end product is something very critical or very expensive, plant designers and control software writers tend to stick with well documented commodity hardware (Win32).
  • by Juanvaldes (544895) on Tuesday August 12, 2003 @11:13PM (#6682237)
    and how many switched after Code Red? ILoveYou? the countless others? Those who got infected either had someone take care of it or just reinstalled the system. This is what they are trained to do and expect it with computers.
  • by Windcatcher (566458) on Tuesday August 12, 2003 @11:17PM (#6682268)
    There was also a power outage in Center City. I just saw the report on Channel 6. Apparently a water pipe blew in the PECO substation and much of the area was without power until sometime tonight.
  • Philadelphia (Score:4, Informative)

    by phillymjs (234426) <slashdot@sta[ ].org ['ngo' in gap]> on Tuesday August 12, 2003 @11:23PM (#6682314) Homepage Journal
    The 10pm news here in Philly interviewed one of the city's IT guys. He stuttered and stammered his way through the whole thing, and looked to me like a man afraid for his job as he claimed that there was "no warning and no way to be prepared for this"-- not a verbatim quote, but close enough.

    I think the guy is right to be afraid for his job-- he's pretty damned incompetent to have not heard about this. This vulnerability was quite publicly announced weeks ago, and Microsoft's page with the patch is dated July 16. Even Homeland Security released a bulletin, [nipc.gov] and I'd hope that if nothing else those would get around in a city government that is supposed to maintain a level of disaster-preparedness.

    Then again, this being Philadelphia, that guy likely got his job through patronage and wasn't qualified for it in the first place.

    ~Philly
  • by bricriu (184334) on Tuesday August 12, 2003 @11:27PM (#6682339) Homepage
    According to the DSLReports thread posted/linked above, people who were up to date with their Windows Update or had Windows Auto-Update on still got hit. :-/
  • by westyvw (653833) on Tuesday August 12, 2003 @11:27PM (#6682340)
    My bad :
    Here is the forum that matters:

    http://www.dslreports.com/forum/remark,7652257~root=security,1~m
  • Re:Yes (Score:5, Informative)

    by Anonymous Coward on Tuesday August 12, 2003 @11:28PM (#6682343)
    Actually, many hospitals DO run critical systems on Microsoft software. Also, the LAN need not be on the internet to catch a virus. Hospitals (such as the one I work in) have connections to several large companies. When these companies get infected, so do we. Another thing is laptops. All it would take is an infected laptop to plug into the network for the virus to spread. There are plenty of opportunities for viruses to propagate into the network, not just having 'access to the internet'.
  • by westyvw (653833) on Tuesday August 12, 2003 @11:31PM (#6682367)
    My bad. I made a bad link that wasn't what I wanted:
    If you wanna look at the code it's HERE:

    http://www.dslreports.com/forum/remark,7652257~root=security,1~mode=flat

    The grain of salt is that they are reverse engineering. But it still is there and interesting.

    Again my apologies.
  • Re:Yes (Score:5, Informative)

    by websaber (578887) on Tuesday August 12, 2003 @11:36PM (#6682409)
    It contains the message

    "I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!"

    Doesn't mean there is an agenda but there could be.

  • by teslatug (543527) on Tuesday August 12, 2003 @11:38PM (#6682428)
    Funny you should mention that, I saw the story on /. and I figured this time it was worth the update (someone mentioned that something like winnuke would appear and that did it). I do a ghost of my partition and I install all the critical updates. Soon after my computer starts to lock up, so I restore the image and the computer is back to normal. After doing the same tango a couple of times, I decide that the RPC patch is most imp't so I only get that one. Lucky my computer didn't lock up or I would have reverted to the unpatched state. You can't really get all the patches MS dishes out.
  • Our system (Score:5, Informative)

    by Jade E. 2 (313290) <slashdot AT perlstorm DOT net> on Tuesday August 12, 2003 @11:44PM (#6682460) Homepage
    I'm an admin for a local County department. While our network was mostly unaffected (I'll get to that in a second), the county's Central IS department, that runs the county backbone from which we get our internet feed, had their exchange 5.5 box (on nt4 - not patchable) go down sometime really early this morning.

    My department's network consists almost entirely of win2k boxes with the odd 9x client at some of the less well funded sites. We've got a dozen 2k servers and roughly 300 workstations, the vast majority of which were patched, and a restrictive firewall. Today we got hit by a worm for the first time, from another county department (behind the firewall), and from a dial-in client at a charity who uses one of our databases. I blocked port 135 from the rest of the county and terminated that dialin client, and started checking out the few boxes we knew hadn't been patched yet. I want to stress that the worm that hit us was not the MSBlast thing everyone's talking about. It doesn't shut down the machine (although it seems to crash the RPC service ~50% of the time). It's not detected by Trend's newest definitions (that include msblast), or by Symantec's msblast remover tool. Whatever it was, it did a number on those workstations and we left them unplugged from the network pending figuring out what the hell is wrong with them.

    It seems to spread the same way, scanning network ranges (apparently at random - when the dialin client finished scanning our block it went on to start scanning 5.69.something) on port 135 and attempting to infect any it hit. One thing to note is that it crashed the RPC service on a couple of fully patched clients, but for most of them it had no effect. On the ones that it did infect (IE, the ones that weren't patched), it disabled file copying through the GUI (both drag&drop and copy&paste). It also disables a number of odd things, mostly dialogs, like IE's "Find (on this page)". Between those two I suspect it infected at least one system DLL. Something it did didn't agree with Word, which would pop up an error on creating a new document, saying that the document could not be registered, so other documents would not be able to link to this one. I didn't spend too much time on it (There were only a few unpatched boxes, we took them offline and went home), but I didn't find any reference anywhere to this. It wasn't scanning out from the infected machines, so it may have a time delay or something built in.

    So, first, the people in the story weren't the first government agency to be affected, by far (although none of our public services were affected AFAIK). And second, has anyone else seen a second RPC worm going around? Or is this some mutated version of msblast?

  • by b1t r0t (216468) on Tuesday August 12, 2003 @11:46PM (#6682479)
    Exploding Pintos don't suddenly cause other Pintos in the vicinity (or even halfway across the planet) to explode.

    The fact is that not only is OS X relatively insignificant on the market, but so is the CPU architecture that it runs on. AFAIK, there still hasn't been a virus or worm written for OS X.

    And Apple has been good about making security patches available through Software Update. Good patches, that don't happen to unpatch previous security patches, like Microsoft's non-Service Pack patches have a tendency to do. (Something which was a problem when the Slammer worm hit.)

  • Guess I'm lucky.... (Score:3, Informative)

    by Soko (17987) on Tuesday August 12, 2003 @11:46PM (#6682485) Homepage
    I recently took a contract job to bring the IT operations of a local, growing business from a mom & pop deal to a more enterprise ready footing.

    I have about 25 XP/98 machines to look after, but only 2 of them laptops (3 if I count my own). First thing I did when I was hired was grab both of the laptops and patch the hell out of them. Next was the 2K server, and lastly today I spent the whole day running around updating everything I could on the rest of the desktops. No programs got hosed in the update process either, which was a relief. We're behind a small NAT engine too, so I feel rather confident that we'll weather the storm.

    My point is that businesses such as my current customer have no clue that an operating system (indeed, almost any program as well) needs to be taken care of. This is the issue that will keep biting Microsoft in the ass - until they make it plain as day that "You need to do regular maintenance to our products" people will run with security holes. If they can't see that it's broken, why would they fix it?

    Another point - I'm looking into SUS so I don't have to worry nearly as much (or spend so much time waiting for WindowsUpdate) but I'll need another server to use it. The lone server my customer has is almost overloaded at the moment, running SBS with 256M of RAM. SUS requires 2k Server or above to run - why, I don't know. Just like Microsoft to turn a problem they've created into a marketing opportunity. No wonder they're having trouble stemming the Linux tide.

    Soko
  • by PIPBoy3000 (619296) on Wednesday August 13, 2003 @12:08AM (#6682620)
    I work for a healthcare organization and it was indeed pretty bad. Our desktop folks had gotten behind on their testing of security patches, so many of our systems were unpatched. All it took was one connected clinic to start it off and pretty soon routers started shutting down due to the huge network traffic as the worm spread.

    It was pretty freaky. My coworker was patching systems in the Emergency Department as patients started getting some long wait times. Downtime measures tend to be slow in comparison to what people are used to.
  • by broken.data (603253) on Wednesday August 13, 2003 @12:14AM (#6682661)
    One of the reasons that this patch may not be installed everywhere, besides the obviously long QA side of testing patches before deployment (I was burned by SP3 and a Promise IDE controller) is that it is pretty far reaching. Any game house or animation company for games like Quake or UnrealTournament2003 will probably not have applied this patch. Reason: It made it so they could not open any of the files made in gmax [discreet.com]
  • by Anonymous Coward on Wednesday August 13, 2003 @12:21AM (#6682702)
    I suggest you take some factory tours, the majority of modern factories/plants use Windows for their control software. Unless the end product is something very critical or very expensive, plant designers and control software writers tend to stick with well documented commodity hardware (Win32).

    I suggest that you know more about what you are talking about.

    We still use good old fashioned PLC's for most of our control systems. The fault and downtime reporting goes to a computer in the sky, but it always has. We do have one system that is a mix of PLC and Windows, and ended up with a virus last night (second time in three months). The contractors say that we can't run virus scanners since they can't predict the results...

    However I can pretty much predict what will happen once their stuff gets infected (the first time it caused to crash and nearly destroyed two cars).

    I can't speak about other plants, but by and large PLC's still rule.

    For those of you that are new to this, check out http://www.plcs.net/ for a primer on the subject.

    And as for "well documented commodity hardware", that would be a PLC. Natch :)

    And as for tours, we run a tour bus through the place nearly every day. So stop by and give us a visit (if you are a hardware geek, we've got some realllyyy big iron :)

    And who am I? Just your average Saturn Controls Engineer goofing off at work :)
  • by Anonymous Coward on Wednesday August 13, 2003 @12:23AM (#6682711)
    A friend in the 3rd Circuit Federal Appeals Court -- located in downtown Philadelphia -- faced an outage this morning. No computers for an hour and a half (at least).
  • by nacturation (646836) <nacturation.gmail@com> on Wednesday August 13, 2003 @12:41AM (#6682791) Journal
    At least learn to use HTML for easy clickability. Create your link like this:
    <a href="http://www.dslreports.com/forum/remark,7652257~root=security,1~mode=flat">link to the article</a>
    Which will come out like this:

    link to the article [dslreports.com]
  • Re:Yes (Score:2, Informative)

    by wo1verin3 (473094) on Wednesday August 13, 2003 @01:51AM (#6683102) Homepage
    Actually the medical clinic near my house has a complete mac network including servers.
  • Re:Our system (Score:4, Informative)

    by Antitorgo (171155) on Wednesday August 13, 2003 @01:57AM (#6683125)
    If the other worm you are talking about is hitting port 445 it is probably the Backdoor.irc.Cirebot [symantec.com] trojan. It targets port 445 (vs 135), and opens up a backdoor. Its still an RPC attack though...

    Hopefully, the other worm you are seeing isn't a mutation.
  • by jotaeleemeese (303437) on Wednesday August 13, 2003 @02:02AM (#6683150) Homepage Journal
    The fucking patch did not work. I have been awake all night trying a new version of the patch and applying workarounds...
  • Yeah, we know. (Score:3, Informative)

    by jotaeleemeese (303437) on Wednesday August 13, 2003 @02:29AM (#6683244) Homepage Journal
    Apache is the most popular web server. It gets hammered harder by the script kiddies than IIS.

    Who installed the logic module in your brain?
  • by ddavis539 (691782) on Wednesday August 13, 2003 @02:39AM (#6683278)
    This is exactly what sparked my interest in linux 4 years ago. A nasty virus went through the company I worked for, corrupting all windows systems and making my java development environment unusable. Most of our development team had to spend a few days re-installing windows, the development programs, database, etc... There was one team member who used Linux and he was completely unaffected. Instead of re-installing windows 2000 on my laptop, I put Linux on it instead. I was pleasantly surprised at how easy it was to rebuild a Java development environment and Oracle test database within Linux. Over the past couple years, I've gradually phased in Linux at home as well. My kids prefer Linux to Windows now, using it exclusively except when they want to play a game that we can't get to work with Wine or Winex. (Zoo Tycoon or Age of Mythology, both MS games) I have no regrets at all about making this switch, which was basically prompted by a virus.
  • Re:Yes (Score:4, Informative)

    by Keeper (56691) on Wednesday August 13, 2003 @02:51AM (#6683329)
    Life support systems, heart monitors, and other devices of that sort are not plugged into a LAN. The requirements for those kind of devices are unbelievable -- I actually feel sorry for anyone who has to work on such systems, after having seen what kind of hoops those devices have to go through.
  • Text in the Virus (Score:3, Informative)

    by ChopsMIDI (613634) on Wednesday August 13, 2003 @03:06AM (#6683380) Homepage
    According to the Symantec page regarding the worm [symantec.com]:

    The worm contains the following text, which is never displayed:

    I just want to say LOVE YOU SAN!!
    billy gates why do you make this possible ? Stop making money and fix your software!!
    So it seems the creator did have a point to prove.
  • Re:Apache is a brick (Score:3, Informative)

    by larien (5608) on Wednesday August 13, 2003 @05:08AM (#6683764) Homepage Journal
    OK, first off, it's easy to set up a system account to only allow certain access. If you don't want them to log in, set the shell to /bin/false (or whatever). Similarly for POP3 etc.

    Secondly, most of those systems have versions which can use LDAP and/or a database as authentication sources, freeing it from the OS.

    Thirdly, you've just annoyed people who have access to these different systems as they now have to change their password in 3 (or more?) different places.

  • Not all of us (Score:2, Informative)

    by denjin (115496) <denjin@@@myway...com> on Wednesday August 13, 2003 @06:49AM (#6683991) Homepage
    Not all hospitals do.

    I work for one of the largest health care systems in the US, and we didn't even hardly get touched by this new virus. We did have I think one office (NOT in a hospital, one of the 'corporate' ones) get hit by this, but it only affected a handful of users.

    Then again, we are tortured by VMS and some Sun Mail programs... ;)
  • Re:Speaking of Money (Score:3, Informative)

    by jedidiah (1196) on Wednesday August 13, 2003 @10:10AM (#6685285) Homepage
    Microsoft has a duty to prevent foreseeable harm to others. There's simply NO wiggling out of this. If you make a crap product and someone else acts as the fuse, you're still on the hook for making a crap product.

    Windows: Unsafe at any speed.
  • by slide-rule (153968) on Wednesday August 13, 2003 @10:13AM (#6685325)
    I'm convinced that most regular users do not "get" what Windows Update is for

    I just got back from visiting "the relatives" all of last week. Heartland area of the US. Farm-type folks that grow food many of you eat. Anyway, the parent poster's statement is correct. These people have a few PC's as a matter of modern necessity. One of these (win98) runs a payroll app, is connected via dialup to the internet, is connected via ethernet to two other "critical" systems running WFW3.11, and was running a *completely* unpatched version of IE4.0 / Outlook Express. Oddly, they didn't have near the problems one might expect for all this (impressively, ad-aware came up clean aside from cookies) but when I mentioned "Windows Update", which sits right there on the Start Menu plain as day, to my relative who runs the '98 box, all I got was "what's that?".

    My early-teen cousin was running his family's 98 box similarly. Unpatched. Ad-aware found all manner of crap that might just have, with luck, woken him up. Still, I had to explain all this nonsense, including *what* windows update was, *how* to run it (click here, click here, look the list over, click this, wait. reboot. repeat until the list is empty), how spy-ware/ad-ware differs from virii/worms, etc.

    These aren't stupid people. Ignorant of the complexity of things that we all here take for granted. (In fact, I'd wager we give "joe sixpack" too much credit, not that I'm calling dumb on the world or anything.) It is just that their priorities are differently aligned than the hobbyist/admin types here (or that of people who try to design software with these people in mind, even). It was an eye-opening experience.

    Now, to the credit of my linux geek membership, I might be able to upgrade the WFW systems to hardware made inside this decade and run the critical software in dosemu or the like, put the dialup on a firewall, and other things before they get convinced to shell out $20,000 on software and hardware upgrades this time next year.
  • Re:Speaking of Money (Score:3, Informative)

    by SillySlashdotName (466702) on Wednesday August 13, 2003 @11:23AM (#6686077)
    "ILOVEYOU" virus 2.6 - 15.0 Billion

    BBC [bbc.co.uk] California-based IT consultancy Computer Economics estimated worldwide damage to be $2.6bn by the end of Thursday. It said that figure could soar to $10bn by next week.

    USAToday [usatoday.com]

    Lloyds of London put the estimate for Love Bug at $15 billion.

    Melissa 1 Billion

    USAToday [usatoday.com]

    the economic damage from the Melissa virus in 1999 to be about $1 billion.

    CodeRed 2.6 Billion

    BizJournals.com [bizjournals.com]

    "Code Red, which started in mid-July, so far has cost the U.S. economy $2.6 billion."

    Klez 9 Billion

    The Register [theregister.co.uk]

    "The Klez virus last year cost businesses $9 billion worldwide in lost productivity,"

    SirCAM 1 Billion

    BSTPierre.org [bstpierre.org]

    "SirCam", which also propagates through email, cost $1 billion.

    TOTAL for these alone: at least 16.2 - 28.6 billion
  • by virtcert (512973) on Wednesday August 13, 2003 @12:18PM (#6686780) Homepage
    Here's a rundown of what I've found out dealing with the MSBlast worm, some of which wasn't posted to the list yet (or I just missed it). Luckily my systems here were patched before this came out, but a few people brought in laptops that weren't patched, so here's what to expect.

    MSBlast Symptoms:

    Windows XP: Computer displays a message that the computer will shut down in 60 seconds.
    (Go to a command prompt and type "shutdown /a" to abort the shutdown.)
    This indicates that your computer is infected with the MSBlast worm.

    Windows 2000: Computer displays an error message about "svchost.exe" fatal errors. Odd behavior follows, such as not being able to drag-and-drop certain items, Internet Explorer context menus (right click menus) don't work properly, and other bizarre behavior.
    This _does_not_ necessarily mean that a computer has the worm, but the svchost.exe could be crashing as a result of the worm trying to get in. However, you should still run the removal tool to make sure.
    Some people have associated this with the install of Service Pack 4, but it appears to be coincidental and not related to the SP4 install. However, SP4 does seem to have its own user-reported set of issues unrelated to this worm, as discussed here:
    http://www.w2knews.com/anecdotes.htm

    Windows ME/98/95: Unaffected by this worm.

    Windows Update: Windows Update is running incredibly slowly.
    You may or may not be able to get in to update your system. This is due to the fact that millions of people are all hitting the service at once trying to get the patch to stop this worm. If you keep trying, you will eventually get in, but it may take a number of tries and 5 minutes or so per try. Additionally, you may get an HTTP 1.1 Server Too Busy error message even after you are in. Just keep clicking on the "Review and Install Updates" link on the left side pane and it will eventually let you in. When it does make a connection, the window or system may appear to hang for up to a minute or two. Just wait it out and it will eventually wake back up with the Blindly-Accept-Our-New-License-Terms window. Read the license terms thoroughly and print out a copy for your files (sorry, couldn't resist) and then "OK" and the updates will then download (slowly) the needed files and install them.
    To make matters worse, the worm will start a Denial of Service attack against the Windows Update site on Saturday Aug 16, so if you think it's bad now, you ain't seen nothing yet.

    Worm Trivia: The worm contains the following text, which is not displayed on the screen:
    I just want to say LOVE YOU SAN!!
    billy gates why do you make this possible ? Stop making money and fix your software!!

    If you experience either of the above symptoms on your PC's, you need to apply the appropriate patch from here immediately:

    Windows XP Security Patch:
    http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe
    Windows 2000 Security Patch:
    http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe
    Windows NT 4.0 Security Patch:
    http://download.microsoft.com/download/6/5/1/651c3333-4892-431f-ae93-bf8718d29e1a/Q823980i.EXE
    Windows NT 4.0 Terminal Server Edition Security Patch:
    http://download.microsoft.com/download/4/6/c/46c9c414-19ea-4268-a430-53722188d489/Q823980i.EXE
    Windows Server 2003 Security Patch:
    http://download.microsoft.com/download/8/f/2/8f21131d-9df3-4530-802a-2780629390b9/WindowsServer2003-KB823980-x86-ENU.exe

    Then, run this program to scan your system for any remaining parts of the worm.

    Removal Tool:
    http://securityresponse.symantec.com/avcenter/Fix
  • Fix Info (Score:3, Informative)

    by Jade E. 2 (313290) <slashdot AT perlstorm DOT net> on Wednesday August 13, 2003 @08:04PM (#6690807) Homepage
    Once again, replying to myself. Oh, well.

    I got to spend most of the day playing with this. Turns out this is msblast. The '60 seconds to reboot' thing only affects XP, not 2k. The reason we were getting these strange symptoms and nothing for the virus scanners to catch is that this is a failed msblast. The buffer overflow hit, but failed to download the payload through tftp. (Yes! Finally, an advantage to having your WAN links running at 750% of capacity - virus-induced TFTP transfers fail!) We found that installing MS03-026 on the system and rebooting cleared the weird behavior, and for one or two that did actually manage to download the actual virus file, Trend's newer virus defs find it and kill it mercilessly (even removing the registry entry.)(Trend pattern file v606, released yesterday, supposedly found msblast, but we didn't see any actual detections until v608 came out today. Could have just been that none of the machines had downloaded it yet yesterday...)

    Hope this helps the people who had similar symptoms.
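
Added example (not part of the original thread): a Python check, run over constructed firewall log lines, for the behaviour the county admin's two posts describe. It flags hosts sweeping TCP port 135 and any probed host that then requests a TFTP transfer (UDP 69) from the sweeping host; the log format, addresses, thresholds, function names and the assumption that the payload is fetched from the scanning host are all illustrative.

```python
from collections import defaultdict
from typing import NamedTuple

RPC_PORT = 135   # port the thread reports being scanned
TFTP_PORT = 69   # standard TFTP port (UDP)


class Event(NamedTuple):
    ts: int       # epoch seconds
    src: str
    dst: str
    proto: str
    dport: int
    action: str   # ALLOW or DENY


# Constructed sample log (assumed format: epoch src dst proto dport action).
SAMPLE_LOG = """\
1060700000 10.1.5.23 10.1.2.1 tcp 135 ALLOW
1060700001 10.1.5.23 10.1.2.2 tcp 135 ALLOW
1060700002 10.1.5.23 10.1.2.3 tcp 135 ALLOW
1060700003 10.1.5.23 10.1.2.4 tcp 135 ALLOW
1060700004 10.1.5.23 10.1.2.5 tcp 135 ALLOW
1060700005 10.1.5.23 10.1.2.6 tcp 135 ALLOW
1060700009 10.1.2.4 10.1.5.23 udp 69 DENY
1060700020 10.1.2.9 10.1.0.10 tcp 135 ALLOW
1060700030 10.1.3.3 10.1.0.50 udp 69 ALLOW
1060700400 10.1.2.2 10.1.5.23 udp 69 ALLOW
"""


def parse_log(text):
    """Parse log text into time-ordered events, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not (parts[0].isdigit() and parts[4].isdigit()):
            continue
        events.append(Event(int(parts[0]), parts[1], parts[2],
                            parts[3].lower(), int(parts[4]), parts[5].upper()))
    return sorted(events, key=lambda e: e.ts)


def find_scanners(events, min_targets=5):
    """Return {source: sorted targets} for hosts that contacted at least
    min_targets distinct addresses on TCP/135."""
    targets = defaultdict(set)
    for ev in events:
        if ev.proto == "tcp" and ev.dport == RPC_PORT:
            targets[ev.src].add(ev.dst)
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def find_payload_fetches(events, scanners, window=120):
    """Return (probed_host, scanner, action) for each TFTP request a probed
    host sends back to its scanner within `window` seconds of the probe.

    A DENY here matches the 'failed msblast' case in the thread: the
    overflow ran on the host, but the payload never arrived, so a virus
    scanner finds nothing even though the host needs patching.
    """
    last_probe = {}   # (scanner, target) -> time of most recent probe
    hits = []
    for ev in events:  # events are already in time order
        if ev.proto == "tcp" and ev.dport == RPC_PORT and ev.src in scanners:
            last_probe[(ev.src, ev.dst)] = ev.ts
        elif ev.proto == "udp" and ev.dport == TFTP_PORT:
            probed_at = last_probe.get((ev.dst, ev.src))
            if probed_at is not None and ev.ts - probed_at <= window:
                hits.append((ev.src, ev.dst, ev.action))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sweepers = find_scanners(evs)
    for src, dsts in sweepers.items():
        print(f"sweep on tcp/{RPC_PORT}: {src} -> {len(dsts)} hosts")
    for victim, scanner, action in find_payload_fetches(evs, sweepers):
        print(f"tftp request {victim} -> {scanner} ({action}): check and patch {victim}")
```
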
