
Thread: RPC Shutdown

  1. #11
    Join Date
    Feb 2003
    Posts
    4,163
    Rep Power
    0

    Default Re:RPC Shutdown

    It depends on what OS you have....

    I think I should ask someone to write the article about it and post it. It may require that you download one small file though for ease of manipulation.

  2. #12
    igodit Guest

    Default Re:RPC Shutdown

    Now this is funny, I posted a warning about this a couple of weeks ago, then another that there was a worm being built by hackers to exploit that gaping hole Microsoft left.

    I made updates to all the workstations at my office the instant I heard about the RPC flaw.

    I hope you listened! Worm is spreading

    Last night a worm started to spread (MSBlaster). It infects vulnerable systems by randomly scanning IP subnets; after August 15 till the end of the year it will start a distributed DDOS attack on Windowsupdate.com. A message is placed in the registry:

    I just want to say LOVE YOU SAN!!
    billy gates why do you make this possible ? Stop making money and fix your software!!
    It also starts a remote command session and listens to port 4444.

    Due to the random methods of the worm it may cause the infected computer to crash/reboot, see pic from ComputerAssociates--->

    Luckily this worm does not harm your system that much, it might fill up your network though.

    Don't think if you have a firewall that you are safe and don't have to patch, a colleague's laptop might be infected at home and be plugged into your network now!



  3. #13
    igodit Guest

    Default Re:RPC Shutdown

    PSS Security Response Team Alert - New Virus: W32.Blaster.worm

    SEVERITY: CRITICAL DATE: August 11, 2003

    PRODUCTS AFFECTED: Windows XP, Windows 2000, Windows Server 2003, Windows NT 4.0, NT 4.0 Terminal Services Edition

    WHAT IS IT?

    The Microsoft Product Support Services Security Team is issuing this alert to inform customers about a new worm named W32.Blaster.Worm which is spreading in the wild. This virus is also known as: W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trendmicro), Win32.Posa.Worm (Computer Associates). Best practices, such as applying security patch MS03-026 should prevent infection from this worm.

    Customers that have previously applied the security patch MS03-026 before today are protected and no further action is required.

    IMPACT OF ATTACK: Spread through open RPC ports. Customer's machine gets re-booted or has mblast.exe exists on customer's system.

    TECHNICAL DETAILS: This worm scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability patched by MS03-026.

    Once the Exploit code is sent to a system, it downloads and executes the file MSBLAST.EXE from a remote system via TFTP. Once run, the worm creates the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill

    Symptoms of the virus: Some customers may not notice any symptoms at all. A typical symptom is the system is rebooting every few minutes without user input. Customers may also see:

    - Presence of unusual TFTP* files

    - Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory

    To detect this virus, search for msblast.exe in the WINDOWS SYSTEM32 directory or download the latest anti-virus software signature from your anti-virus vendor and scan your machine.

    For additional details on this worm from anti-virus software vendors participating in the Microsoft Virus Information Alliance (VIA) please visit the following links:

    Network Associates: http://us.mcafee.com/virusInfo/defau...virus_k=100547

    Trend Micro: http://www.trendmicro.com/vinfo/viru...WORM_MSBLAST.A

    Symantec: http://securityresponse.symantec.com...ster.worm.html

    Computer Associates: http://www3.ca.com/virusinfo/virus.aspx?ID=36265

    For more information on Microsoft's Virus Information Alliance please visit this link: http://www.microsoft.com/technet/security/virus/via.asp

    PREVENTION: Turn on Internet Connection Firewall (Windows XP or Windows Server 2003) or use a third party firewall to block TCP ports 135, 139, 445 and 593; also UDP 69 (TFTP) for zombie bits download and TCP 4444 for remote command shell. To enable the Internet Connection Firewall in Windows: http://support.microsoft.com/?id=283673

    1. In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.

    2. Right-click the connection on which you would like to enable ICF, and then click Properties.

    3. On the Advanced tab, click the box to select the option to Protect my computer or network.

    This worm utilizes a previously-announced vulnerability as part of its infection method. Because of this, customers must ensure that their computers are patched for the vulnerability that is identified in Microsoft Security Bulletin MS03-026. http://www.microsoft.com/technet/sec...n/MS03-026.asp. Install the patch MS03-026 from Windows Update http://windowsupdate.microsoft.com

    As always, please make sure to use the latest Anti-Virus detection from your Anti-Virus vendor to detect new viruses and their variants.

    RECOVERY: Security best practices suggest that previously compromised machine be wiped and rebuilt to eliminate any undiscovered exploits that can lead to a future compromise. See Cert Advisory:

    Steps for Recovering from a UNIX or NT System Compromise. http://www.cert.org/tech_tips/win-UN...ompromise.html

    For additional information on recovering from this attack please contact your preferred anti-virus vendor.

    RELATED MICROSOFT SECURITY BULLETINS: http://www.microsoft.com/technet/sec...n/MS03-026.asp

    RELATED KB ARTICLES: http://support.microsoft.com/?kbid=826955

    RELATED LINKS: http://www.microsoft.com/security/incident/blast.asp

    As always please make sure to use the latest Anti-Virus detection from your Anti-Virus vendor to detect new viruses and their variants.
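
The indicators listed in the alert above (the Run value, msblast.exe and TFTP* files in SYSTEM32, the TCP 4444 shell) can be checked against text collected from a host. This is an added example, not part of the original thread or the Microsoft alert; it assumes you have the output of `reg query` on the Run key, `netstat -an`, and a SYSTEM32 file listing, and the sample data and the tftp.exe exclusion are assumptions made here.

```python
import re

# Indicators as listed in the alert quoted above.
RUN_VALUE = "windows auto update"
WORM_FILE = "msblast.exe"
SHELL_PORT = "4444"  # TCP remote command shell

def check_run_key(reg_output):
    """Scan `reg query ...\\CurrentVersion\\Run` text for the worm's autostart."""
    hits = []
    for line in reg_output.splitlines():
        # Value lines are indented: <name>  REG_SZ  <data>; names may hold spaces.
        m = re.match(r"\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line)
        if m and (m.group(1).lower() == RUN_VALUE or WORM_FILE in m.group(2).lower()):
            hits.append("run-key: %s = %s" % (m.group(1), m.group(2).strip()))
    return hits

def check_listeners(netstat_output):
    """Scan `netstat -an` text for a local TCP listener on port 4444."""
    hits = []
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) == 4 and f[0] == "TCP" and f[3] == "LISTENING" \
                and f[1].rsplit(":", 1)[-1] == SHELL_PORT:
            hits.append("listener: " + f[1])
    return hits

def check_files(system32_names):
    """Flag msblast.exe and TFTP* names; tftp.exe is the stock client, so skip it."""
    return ["file: " + n for n in system32_names
            if n.lower() == WORM_FILE
            or (n.lower().startswith("tftp") and n.lower() != "tftp.exe")]

def triage(reg_output, netstat_output, system32_names):
    """Combine all three checks into one list of findings for a host."""
    return (check_run_key(reg_output) + check_listeners(netstat_output)
            + check_files(system32_names))

# Constructed sample input (not captured from a real host).
SAMPLE_REG = """HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    SynTPEnh    REG_SZ    C:\\Program Files\\Synaptics\\SynTPEnh.exe
    windows auto update    REG_SZ    msblast.exe
"""
SAMPLE_NETSTAT = """  Proto  Local Address    Foreign Address  State
  TCP    0.0.0.0:135      0.0.0.0:0        LISTENING
  TCP    0.0.0.0:4444     0.0.0.0:0        LISTENING
  TCP    10.0.0.5:1044    10.0.0.9:4444    ESTABLISHED
"""
SAMPLE_FILES = ["kernel32.dll", "tftp.exe", "TFTP1580", "msblast.exe"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_FILES):
        print(finding)
```

An empty result only means these specific indicators were absent; the alert's patch and recovery guidance still applies.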

  4. #14
    Join Date
    Jan 2003
    Posts
    3,004
    Rep Power
    0

    Default Re:RPC Shutdown

    how come a firewall won't help??????

  5. #15
    Join Date
    Aug 2003
    Posts
    4,629
    Rep Power
    0

    Default Re:RPC Shutdown

    quick question, does it always show that message when it reboots? does that message come up once infected? I have win2kpro.

    I ask because of what igodit said about the PC resets because of it.

  6. #16
    Join Date
    Jan 2003
    Posts
    3,004
    Rep Power
    0

    Default Re:RPC Shutdown

    u get the message just as u log on to the net

  7. #17
    Join Date
    May 2003
    Posts
    896
    Rep Power
    0

    Default Re:RPC Shutdown

    I waited a good while before I got the message

  8. #18
    Join Date
    Jan 2003
    Posts
    3,004
    Rep Power
    0

    Default Re:RPC Shutdown

    was it enough time to update ur virus definitions or download the patch???

  9. #19
    Join Date
    May 2003
    Posts
    2,546
    Rep Power
    0

    Default Re:RPC Shutdown

    remember what i said. this was only the test run. the other is yet to come. :'(
    let me know if you are having difficulty getting the file via http and i'll stick it on a ftp for ya.

  10. #20
    Join Date
    Jan 2003
    Posts
    3,004
    Rep Power
    0

    Default Re:RPC Shutdown

    i just downloaded the fixblast removal tool, just in case when i reach home my pc is infected. It's only 165k. i highly doubt that though since i have a firewall.

    it's kinda tricky to remove this worm though. u have to disable system restore first, then run the tool, if after u get a message saying some files couldn't be removed or accessed, or summen like that u will have to turn the pc off, then startup in safe mode and then run the tool again. then restart and run the tool again just to make sure and then update ur virus definitions, then do a scan.

    this is a whole lot to do, not to mention for someone who isn't really computer savvy.

    i feel sorry for some people
