It appears that a new worm (for now we're calling it msblast after its executable, msblast.exe) has surfaced today. It attacks port 135/tcp (that's Netbios), creates lots of RPC noise - some users report random machine shutdowns and reboots - and once it takes up residence in your computer, it proceeds to scan a random IP range and propagate itself to unprotected machines. Since this worm is brand spanking new it may not be detected by (even recently updated) anti-virus software... so get that firewall up and secured!
_http://msn.com.com/4520-6600_16-5062407.html
_http://isc.sans.org/diary.html?date=2003-08-11
_http://news.com/2100-1002_3-5062364.html?tag=fd_top
_http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
_http://vil.nai.com/vil/content/v_100547.htm
:( I got it. It's REALLY annoying. I strongly think that this should be moved to the front page news, to warn everybody. It got to a point that it would restart every 2 minutes or so. It was hard enough downloading the patch, on a 56k, with the damn thing restarting every minute.
Yes, I have been affected as well. Currently, I am only using the built-in Windows XP firewall, but my system still gets the RPC error and shuts down. Guess I'll have to put a better firewall in action.
Does anyone know if any permanent damage is caused by this worm? MNKid
PC SHUTDOWN PROBLEMS - RPC EXPLOIT/REMOTELY RESTARTING
IDENTIFIED AS THE W32.Blaster.Worm VIRUS

W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability using TCP port 135. It will attempt to download and run a file, msblast.exe
------------------------------------------------------------------------------------------------
TO CANCEL THE SHUTDOWN GO TO START -> RUN -> TYPE CMD TO ACCESS CMD PROMPT AND TYPE (SHUTDOWN -A) TO CANCEL IT.
DO CTRL+ALT+DELETE AND KILL MSBLAST.EXE FROM THE PROCESSES LIST.
GO TO C:\WINDOWS\SYSTEM32 AND FIND MSBLAST.EXE AND RENAME IT TO BLASTMS.BAK (DON'T DELETE IT SINCE I DON'T KNOW IF IT IS AN IMPORTANT FILE; IF IT'S A VIRUS IT WILL NOT BE ABLE TO START IF U RENAME IT, RENDERING IT USELESS.)
NOW GO TO C:\WINDOWS\PREFETCH AND DELETE THE FILE THAT HAS MSBLAST.EXE IN ITS NAME. (IT STARTS WITH MSBLAST.EXE IN ITS FILENAME)
THE VIRUS ADDS A REGISTRY VALUE TO AUTO LOAD WHEN WINDOWS STARTS UP, YOU MUST DELETE THE REGISTRY KEY.
1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit
3. Then click OK. (The Registry Editor opens.)
4. Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value: "windows auto update"="msblast.exe"
6. Exit the Registry Editor.
INSTALL THE PATCH FOR YOUR SYSTEM FROM THE LINKS BELOW
NON SP1 USERS = .http://microsoft.com/downloads/detai...displaylang=en
SP1 USERS = .http://securityresponse.symantec.com...tent/8205.html
thx to fAlCoNNiAn from WINBETA :)
Quote: Billybob3, it is on the front page.
A friend just got it yesterday. As soon as he gets on the Internet, he gets a "two minute warning" that "NT AUTHORITY/SYSTEM" is shutting down the PC. The tip to cancel the shutdown will help a lot, thanx for that one. He's got an E-Machine with NO anti virus software! Users!
P.E.B.K.A.C. = Problem Exists Between Keyboard And Chair
lol- there are a lot of users like that out there, I get enough phoning me and asking why they can't see a picture on their screen after the computer has been idle for 20 mins. "Move mouse- picture come back, leave for 20 mins picture goes away"
Yes, I had the luck to get it too, and I have to tell you it is very noisy if you're watching Bad Boys 2 and the computer restarts every 10 min.
But Norton is quick and already has a removal tool. Best regards,
disinfectant here:
_http://download.nai.com/products/mcafee-avert/stinger.exe :)
OMG so that's why my PC started rebooting every time I went online.
This started happening to me yesterday. I woke up when my PC suddenly rebooted at 02:54 :(
*** at this point of time my PC got rebooted again ***
Well I couldn't apply the patch http://download.microsoft.com/downlo...80-x86-ENU.exe because I was running XP SP2 v1204, and I still cannot. damn unlucky. Thanks HotRod for the info. :)
*** at this point of time my PC got rebooted again ***
I was running Norton AntiVirus 2003 Professional (up to date) but it didn't help at all, as HotRod said. /me uninstalls NAV2003 straightaway.
I think if we ran Windows under Limited Users the worm cannot activate. Any ideas?
NAV2003 can now detect the worm after everything has happened. <_<
/me makes sure to run Windows hereafter with Norton AntiVirus 2003, Norton Personal Firewall 2003 and under Limited User. :D
Thanks for the info. I was wondering why Windows XP kept getting an RPC shutdown, but now since I deleted a worm Norton detected, it says I am missing the C:\Windows\System32\cmd.exe file. What can I do to retrieve it... Please help :blink:
Seems it tries to DoS windowsupdate.com to try and stop you from applying the needed patches. Clever little bugger this one!
I had it too, installed the patch yesterday, seems to be fine now.
I'm gonna apply the patch now.. I didn't have it but better safe than sorry eh? B)
Quote: I opened the WindowsXP-KB823980-x86-ENU.exe\common - SFX CAB archive, unpacked size 4,141,816 bytes, with WinRar. I downloaded it 8/2/03, but inside it looks like there is support for SP2; I am just not sure if it is for 1204 or not. But it might be worth looking for a workaround, or possibly uninstall SP2 1204, or maybe a restore point if you don't have it shut off.
MS worm patch needs a patch... "this patch causes problems with files if they are transferred to unpatched machines... there's a patch for the patch, but MS need to be phoned to get it and they seem to be a bit busy on their hotline so they've left a message to say so." ..... LOL
:D
You should be able to manually install the patch on XP SP2 machines. Just extract the archive, look in the "sp2" folder, copy the 3 files from that folder to the "Update" folder, open the Update folder, right click the update.inf file and select "Install".
All it does is copy the 3 files from the "sp2" folder to your system32 dir and your dllcache dir. You could even copy the files manually to those 2 dirs from safe mode if you liked.
Still trying to fix a friend's PC that got hit by this virus. While installing NAV 2003, the virus started to delete files as they were installed! This happened AFTER removing the MSBLAST file and registry entries. The same thing happened while trying to install McAfee too. I'm running the FIXBLAST program from Norton right now; if that fails I'll take his HDD and install it in my PC and scan it from there. This is a darned tricky one! I also noticed CTRL-ALT-DEL doesn't bring up Task Manager. Hmmmmm.
Quote: It apparently sets a reg key that turns off your Windows Update. You're right, it is a clever little bugger! I just took a look at my firewall logs and you wouldn't believe the hundreds (maybe thousands now!) of blocked attempts on port 135 from IPs everywhere. If you've got a firewall log you've got to read it to believe it (I love my ZoneAlarm Pro :)). All the best, E3
... hm, any of you with infections run ZoneAlarm or another firewall that would stealth your ports? As far as I understand the worm doesn't enter by mail but by a process similar to portscans?
greetz, micha
Quote: Have you installed the Patch yet? I am curious if that is why your log is so full. I am using ZA as well, but my logs are normal.
I didn't get this, luckily. Even though I was patched, I had tons of probes on 135 and 445 until about 8:30 last night. Looks like Comcast is filtering those ports right now from what I have read at other places. Kind of nice not having a log full of 135 & 445 probes.
For anyone who hasn't done this yet (or can't)... The fix and the patch...
Near as I can tell, you should run the patch first, then the fix...
I ran the FixBlast on a friend's PC that was hit, and 5 hours later it still hasn't found anything. First time, I let it go for an hour with nothing. Don't they test these things before they release them?
P.S. Stinger from McAfee worked just fine, found a few other viruses too. The PC is back to normal.
I didn't get this either, though my mom did; I just got back from fixing hers.
If anybody else gets this and they have a problem with it shutting down so quick, when you get the shutdown message, quickly open a command prompt and type shutdown -a, that'll abort the shutdown and let you work
Quote: Yep... installed KB823980 about two days after it came out. ZAP has everything running in stealth per Shields Up at grc.com too. Just to give you some real numbers I looked at my latest logs... View is set to show last 500 entries, and that only spans about the last two hours now... With about 10 exceptions they're all attempts on 135/137. Most of the sources are IPs with the same first or second octet range as mine (Australia). Looks like lots of peeps down here neglected to update ;). Maybe that's why it's quieter up there 'North of the 45th Parallel' :). All the best, E3
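Several posters above describe reading their firewall logs by eye and seeing hundreds of blocked hits on 135 (and 445/137) from nearby address ranges. The script below is an added example, not code from anyone in this thread and not ZoneAlarm's own log format: it parses a constructed, simplified block log, totals the hits per watched port, and flags a source that walks port 135 across several distinct destinations in a short window, which is the range-scanning propagation pattern the first post describes, as opposed to a single stray probe.

```python
"""Count blocked inbound probes on the ports this thread reports (135, 445, 137)
and flag sources that scan port 135 across many hosts.

Added example for this thread; the log line format is a constructed,
simplified one ("<timestamp> BLOCK <proto> <src>:<sport> -> <dst>:<dport>"),
not any real firewall's export format.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) BLOCK (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ports the thread reports being probed: 135 (DCOM RPC), 445, 137.
WATCH_PORTS = {135, 445, 137}

# Constructed sample log (not real traffic, documentation-range addresses):
# one source hammering 135 across a range, one lone 445 probe, one unrelated
# port-80 hit, and a late extra 135 probe from the same scanner.
SAMPLE_LOG = """\
2003-08-12 09:00:01 BLOCK TCP 203.0.113.10:3245 -> 198.51.100.7:135
2003-08-12 09:00:02 BLOCK TCP 203.0.113.10:3246 -> 198.51.100.8:135
2003-08-12 09:00:02 BLOCK TCP 203.0.113.10:3247 -> 198.51.100.9:135
2003-08-12 09:00:03 BLOCK TCP 203.0.113.10:3248 -> 198.51.100.10:135
2003-08-12 09:00:05 BLOCK TCP 203.0.113.10:3249 -> 198.51.100.11:135
2003-08-12 09:01:10 BLOCK TCP 203.0.113.55:1088 -> 198.51.100.7:445
2003-08-12 09:02:00 BLOCK TCP 203.0.113.99:4021 -> 198.51.100.7:80
2003-08-12 09:05:00 BLOCK TCP 203.0.113.10:3300 -> 198.51.100.12:135
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        yield {
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": d["proto"],
            "src": d["src"],
            "dst": d["dst"],
            "dport": int(d["dport"]),
        }


def probes_per_port(text):
    """Total blocked hits per watched port, e.g. {135: 6, 445: 1}."""
    counts = Counter()
    for rec in parse_log(text):
        if rec["dport"] in WATCH_PORTS:
            counts[rec["dport"]] += 1
    return dict(counts)


def find_scanners(text, min_targets=3, window=timedelta(seconds=30)):
    """Return source IPs that hit port 135 on at least `min_targets` distinct
    destinations within `window`. One host sweeping a range of addresses on
    135 is the propagation scan described in the thread; a lone probe is not
    enough to flag."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for rec in parse_log(text):
        if rec["dport"] == 135:
            events[rec["src"]].append((rec["ts"], rec["dst"]))
    flagged = set()
    for src, hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            # distinct destinations reached within `window` of this hit
            targets = {dst for t, dst in hits[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                flagged.add(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("hits per watched port:", probes_per_port(SAMPLE_LOG))
    print("port-135 scanners:", find_scanners(SAMPLE_LOG))
```

On the constructed log this reports six hits on 135 and one on 445, and flags 203.0.113.10 alone: it reached five distinct hosts on 135 within four seconds, while the single 445 probe and the port-80 hit are left alone. The thresholds are assumptions to tune against your own log volume.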
Thanks for the fixblast pcdad... ran it on my cousin's computer and it worked like a charm.. B)
How does this virus work? As soon as I logged on to my ISP, Trend found this virus on my PC being auto-downloaded from ??
This happens every time I log on
It's auto starting when you boot up. You need to check all your startup items and remove the altered ones. Try running the repair tool posted in this thread
Quote: Cartel had the same problem. He is now busy trying Stinger. Will let you know about his results. Cheerz Dave B)
Quote: Hi there DoG, For some reason installing by the update.ini file didn't succeed. I will try to manually copy those files. So I should copy the following files to System32 and dllcache folder right? ole32.dll rpcrt4.dll rpcss.dll I couldn't find a directory called dllcache. Any ideas please? Thank you. My computer is still vulnerable. :(
I have the same problem as ~*McoreD*~
I didn't manage to successfully install this anti-worm patch on Win SP2 1213
Quote: I think we don't wanna worry anymore. I never thought dllcache would be a protected operating system folder. :D Just untick hiding protected operating system files (recommended) in Folder Options > View and then you will find dllcache in C:\Windows\System32\dllcache. Voila! :w00t: Thanks DoG!
Now this is not funny. I rebooted to Safe Mode and tried to replace ole32.dll, rpcrt4.dll, and rpcss.dll in C:\Windows\System32\ but it kept saying: the file is being used by the system and it cannot be replaced. :huh:
Should I try Recovery Console and then try to do it by command prompt? I downgraded to Windows XP SP1 and then applied the patch.