Slashdot Mirror


RPC DCOM Worm On The Loose

GPez writes "The first of I'm sure many RPC DCOM worms affecting Windows is on its way, according to the Internet Storm Center. Patch those systems!" According to the site, "The worm uses the RPC DCOM vulnerability [affects Win2k through Server 2003] to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp."

24 of 604 comments

  1. Great by mjmalone · · Score: 5, Funny

    The security team at my office has been scrambling to secure all of our systems before such a worm was developed. I hope they are done!

    Will blocking port 135 at the router stop this worm? Seems like a simple solution for the short term. I would like to see the source for the worm, does anybody have it?

    1. Re:Great by rylin · · Score: 5, Funny

      I have a copy! You can fetch from 212.192.128.76:4444 ;)

  2. users being hit hard by towaz · · Score: 5, Informative

    The call centre here is off the scale with people ringing in with RPC problems...
    all XP users though

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
    1. Re:users being hit hard by Sorthum · · Score: 5, Interesting

      Are the calls mostly centered around actual problems, or is it users doing their famous "I heard about the RPC bug, and now my computer won't boot!" routine? When Code Red came out, for instance, we saw everything from bad disks to dialup issues being blamed on it, solely because people didn't listen to anything past "the world is calling" chicken-littleisms.

    2. Re:users being hit hard by TheRealFixer · · Score: 5, Funny

      Yeah, except the stolen car doesn't take off by itself in the middle of the night and start hitting every other car it sees.

  3. Credit... by chill · · Score: 5, Informative

    At least Microsoft was nice enough to credit LSD in the tech note.

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:Credit... by GnomeKing · · Score: 5, Funny

      At least Microsoft was nice enough to credit LSD in the tech note.

      Is that what they were taking when they wrote the code?

  4. Security Advisory by Blangopolis · · Score: 5, Informative
    The security advisory can be found here.

    After reading the advisory, it looks like this one is going to be a bad one. I'm no expert, but I would guess that this thing is going to be around as long as code red was (and I'm still getting code red hits in my logs!)

  5. Effects by Papa+Legba · · Score: 5, Informative

    This worm is bugged it seems. From XP systems I have seen it throws an error to the screen about RPC services and reboots the system. On Windows 2000 Pro it crashes the svchost and a lot of stuff stops working. Just an FYI for those trying to diagnose systems right this minute.

    Cagliostro

    --
    Papa Legba come and open the gate
  6. I saw it happen LIVE! by __aaklbk2114 · · Score: 5, Funny

    I was working on my parents' computer (Windows XP) remotely today when this started happening. I was installing some new software for them and I had also just disabled that stupid Messenger service so they would stop getting those pop-up spam messages.

    Anyhow, I had just finished that when XP said it was shutting down in 30 seconds. I was like, WTF!

    Here I am thinking that I just screwed up their machine with the new apps somehow.

    Thanks a bunch, Billy. Guess they'll be punting this one to Longhorn :)

  7. Increase in TCP 135 Activity by Anonymous Coward · · Score: 5, Informative

    This is our number of dropped TCP 135 requests at our border since noon today, per 30 mins, seen on our 2 Class Bs:

    Window (local time)   Dropped TCP/135 connections
    1200 to 1230             57,003
    1230 to 1300             75,317
    1300 to 1330             59,321
    1330 to 1400             52,642
    1400 to 1430            130,932
    1430 to 1500            202,996
    1500 to 1530            247,682
    1530 to 1600            320,919
    1600 to 1630            320,919
    1630 to 1700            361,504

    milspec
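The kind of ramp the poster above is reporting (a steady few tens of thousands of TCP/135 drops per half hour that then multiplies within two hours) is easy to catch automatically if the firewall's drop log is bucketed into fixed windows and compared against an early baseline. The script below is an added example and is not from the thread or from any firewall vendor: it assumes an iptables-style syslog line whose layout is constructed here, the sample events are invented, and the function names and the 3x-baseline threshold are my own choices.

```python
"""Bucket firewall DROP records for TCP/135 into 30-minute windows and flag a
surge against an early baseline. Added example, not from the thread; the log
line layout below is a constructed iptables-style syslog format and the sample
events are invented, so only the method carries over to real logs."""
import re
from collections import Counter
from datetime import datetime

# Constructed events: (timestamp, destination port, number of identical drops).
# They are expanded into one log line each so the parser is exercised.
_EVENTS = [
    ("2003-08-11 12:00:10", 135, 3), ("2003-08-11 12:20:00", 135, 2),
    ("2003-08-11 12:40:00", 135, 3),
    ("2003-08-11 13:05:00", 135, 2), ("2003-08-11 13:05:01", 80, 5),
    ("2003-08-11 13:35:00", 135, 3),
    ("2003-08-11 14:00:00", 135, 9), ("2003-08-11 14:20:00", 135, 6),
    ("2003-08-11 14:31:00", 135, 20), ("2003-08-11 14:45:00", 4444, 4),
]
_LINE = ("{ts} fw kernel: DROP IN=eth0 SRC=10.0.0.{i} DST=192.0.2.7 "
         "PROTO=TCP SPT=1030 DPT={dport}")
_RE = re.compile(r"^(\S+ \S+) \S+ kernel: DROP .*PROTO=TCP .*DPT=(\d+)")


def sample_log():
    """Constructed log lines standing in for a firewall's drop log."""
    return [_LINE.format(ts=ts, i=i + 1, dport=dport)
            for ts, dport, n in _EVENTS for i in range(n)]


def bucket_drops(lines, dport=135, window_min=30):
    """Count TCP drops to dport per window; keys are 'YYYY-MM-DD HH:MM' window starts."""
    counts = Counter()
    for line in lines:
        m = _RE.match(line)
        if not m or int(m.group(2)) != dport:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        start = ts.replace(minute=ts.minute // window_min * window_min, second=0)
        counts[start.strftime("%Y-%m-%d %H:%M")] += 1
    return dict(sorted(counts.items()))


def flag_surges(counts, baseline_windows=3, factor=3.0):
    """Return window starts whose count exceeds factor times the mean of the
    first baseline_windows windows (the pre-outbreak rate)."""
    items = sorted(counts.items())
    if len(items) <= baseline_windows:
        return []
    base = sum(c for _, c in items[:baseline_windows]) / baseline_windows
    return [start for start, c in items[baseline_windows:] if c > factor * base]


if __name__ == "__main__":
    counts = bucket_drops(sample_log())
    for start, c in counts.items():
        print(start, c)
    print("surge windows:", flag_surges(counts))
```

Drops to other ports (80, 4444 in the sample) are ignored unless you ask for them with `dport=`, so the same function can be pointed at TCP/4444 to watch for the worm's backdoor shell. The baseline is deliberately taken from the first windows rather than a fixed number, because a site the size of two class Bs already sees a constant background of 135 noise.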

  8. go ME! by StevenHallman76 · · Score: 5, Funny

    Affected Software:

    * Microsoft Windows NT(R) 4.0
    * Microsoft Windows NT 4.0 Terminal Services Edition
    * Microsoft Windows 2000
    * Microsoft Windows XP
    * Microsoft Windows Server(TM) 2003

    Not Affected Software:

    * Microsoft Windows Millennium Edition


    finally! all these years of running Win ME have paid off! so long suckers!

  9. OMG by stephenry · · Score: 5, Funny

    OMG! It's not a worm, ITS SKYNET! It's taking over! Make your time, judgement day is nigh!

  10. Re:I have already patched my entire network. by Anonymous Coward · · Score: 5, Funny

    It's called Linux. It's protected me from Nimda, Code Red, etc...

  11. Re:Port 4444 by Anonymous Coward · · Score: 5, Informative

      Shell is on 4444. TFTP is on standard port. Random scanner? SHA-1 of packed worm is BED8E439F28A1A0D3876366CBD76A43CDCCF60FA. It'll look up windowsupdate.com and flood on the 16th. Filename is msblast.exe, length 6176 bytes. Partial string "to say LOVE YOU SAN!!" appears even in the packed version (UPX 1.22). More detailed stuff to follow...

  12. Re:I have already patched my entire network. by Anonymous Coward · · Score: 5, Insightful

    I'm afraid you have a false sense of security. A firewall is only part of the solution.

    A complete solution includes patching your systems and deploying IDS systems. Still, this is only part of a complete security solution.

  13. Firewalls *may* not protect you here by venom600 · · Score: 5, Insightful

    Everybody keeps posting that they have this or that port blocked on their firewall, so they're safe. Not so. All it takes is one person inside your network to open the wrong file attachment, or one laptop that went outside the network and then came back in to infect your internal network.

  14. Re:I have already patched my entire network. by TheGreenLantern · · Score: 5, Funny

    While I'm sure this is technically true, some of us are responsible for networks that are slightly more complicated than an XBox, an HP Pavilion downloading porn and bootlegs 24-7, and an old P2 running Suse in our parents basement.

    --

    It hurts when I pee.
  15. Slashdot saves my girlfriend! by brandonY · · Score: 5, Interesting

    My girlfriend called me not 20 minutes before this article went up asking what RPC was and why it was shutting her computer down whenever she got on the Internet. A quick glance at this article's headline followed by a thorough read of Symantec's removal instructions led to me calling her back and another day saved! Thanks, Slashdot! Thanks, Symantec Security Response Team!

  16. I was *nailed* by this thing over the weekend by drgroove · · Score: 5, Informative

    At first, I couldn't figure out why Task Manager suddenly stopped working. Launching TaskMan.exe resulted in an error message "Task Manager has been disabled by the Administrator".

    Odd, I thought. I *am* the administrator.

    I realized I had been hit by a virus or worm when I rebooted and the autoexec.bat file opened up during my login. Not good.

    Norton didn't pick up on this one at all; furthermore, McAfee's online virus/worm searching tool found a related virus, but not the actual baddie.

    The virus that McAfee located - which probably came in after the worm opened up all those ports in my firewall - was in \WINNT\msagent\intl. Basically, anything in that directory that *isn't* a .dll file, delete them.

    The worm itself is in \WINNT\system32\, and is called 'msconfig[nn].exe', where [nn] is interchangeable with two numbers. Mine was 'msconfig35.exe', I've read reports on various forums of others w/ '32' and '33' after the 'msconfig'.

    Be careful here, as this app will spawn identical, hidden copies of itself with random names (like 'dwigjenjig.exe' or 'zajdfanltef.exe'). The easiest way I found to discern between real MS files and the worm was by looking at the last modified date displayed by Explorer, vs the last modified date that pops up when you mouse over the file name. All of the worm files had discrepancies between the two.

    Hope that helps someone out there!
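The indicators posted in this thread (comment 11: msblast.exe, 6176 bytes, UPX-packed, the "LOVE YOU SAN" string and a SHA-1 of the packed binary; comment 16: a msconfig[nn].exe dropped in system32) are enough for a quick host-side sweep. The script below is an added example, not from the thread or from Symantec, McAfee or Microsoft: the function names are mine, the demo files it creates are constructed stand-ins that match the name, size, UPX tag and string but deliberately not the real hash, and the Explorer timestamp-discrepancy trick from comment 16 is not implemented.

```python
"""Scan a directory tree for the MSBlast indicators quoted in this thread.
Added example, not from the thread or from any AV vendor; function names and the
demo files are mine, and the demo files are constructed, not real malware."""
import hashlib
import os
import re
import tempfile

# Indicators taken from comments 11 and 16 above.
KNOWN_SHA1 = {"bed8e439f28a1a0d3876366cbd76a43cdccf60fa"}
KNOWN_SIZE = 6176
KNOWN_STRING = b"LOVE YOU SAN"
NAME_RE = re.compile(r"^(msblast\.exe|msconfig\d\d\.exe)$", re.IGNORECASE)
UPX_MARKER = b"UPX!"  # tag UPX writes into the binaries it packs


def check_file(path):
    """Return the set of indicator names the file matches (empty = no IOC hit)."""
    hits = set()
    if NAME_RE.match(os.path.basename(path)):
        hits.add("name")
    with open(path, "rb") as f:
        data = f.read()
    if len(data) == KNOWN_SIZE:
        hits.add("size")
    if hashlib.sha1(data).hexdigest() in KNOWN_SHA1:
        hits.add("sha1")
    if UPX_MARKER in data:
        hits.add("upx")
    if KNOWN_STRING in data:
        hits.add("string")
    return hits


def scan_directory(root, min_hits=2):
    """Walk root and report files with at least min_hits indicators. A lone 'size'
    or 'upx' hit is too weak on its own: plenty of legitimate binaries are UPX
    packed, and 6176 bytes is not a rare file size."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            hits = check_file(p)
            if len(hits) >= min_hits:
                findings[os.path.relpath(p, root)] = hits
    return findings


def build_demo_dir():
    """Constructed files: a stand-in for the worm (name, size, UPX tag and the
    string, but NOT the real hash) plus a benign DLL-like file."""
    root = tempfile.mkdtemp(prefix="msblast-demo-")
    body = b"MZ" + UPX_MARKER + b"\x00" * 100
    body += b"I just want to say " + KNOWN_STRING + b"!!"
    body += b"\x00" * (KNOWN_SIZE - len(body))
    with open(os.path.join(root, "msconfig35.exe"), "wb") as f:
        f.write(body)
    with open(os.path.join(root, "agentctl.dll"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 512)
    return root


if __name__ == "__main__":
    demo = build_demo_dir()
    for rel, hits in scan_directory(demo).items():
        print(rel, sorted(hits))
```

On a real machine you would run `scan_directory` against the Windows system directory; the hash will only match the exact packed sample from comment 11, so the name, size and string checks are what catch repacked or renamed copies like the msconfig35.exe above.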

  17. Re:This is just sick. by The+Bungi · · Score: 5, Insightful

    That fix has been there for almost a month. So... shut up, please. There's nothing worse than going off on a "OMG, M$ suxx is teh gahyest!!1!!" rant when you're just plain wrong.

  18. Re:On the way? by Loki_1929 · · Score: 5, Insightful

    "My Co-Worker and I manage about 375 PCs at a University which has no firewall,"
    "the Sysadmins need to be ... fired."

    "You should have had auto-updates turned on for your boxes"
    "the Sysadmins need to be ... fired."

    "We had autoupdates on,"
    "the Sysadmins need to be ... fired."

    Reasonable border security, strict firewall rules, roll-over security, implementing patches and updates after they've been tested within a "sandbox" or other non-production machine, and constant security/threat analysis - these are the building blocks to a secure and operational infrastructure; not turning on "auto-update" for all your windows boxes. That's absolutely ridiculous. Next time a faulty patch comes down the line, it's going to take down some, most, or even all of your machines. I can remember Microsoft security patches causing anything from network connection problems to out-right system corruption requiring repair/reinstallation of the OS. Be very careful throwing stones at other admins when your own procedures are just plain laughable.

    "So, uh, what were you other Windows admins doing when you should have been doing your job?"

    Where was I? Reviewing the procedures I have in place to ensure that this type of vulnerability never touches anything that would be vulnerable to it, and ensuring that all critical systems are buffered in case of internal infection through user stupidity. Where was I? Doing my job, correctly.

    --
    -- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
  19. I'm not sure about removing it.... by TheBoostedBrain · · Score: 5, Funny

    Trend Micro says that this worm performs a DDoS to Windows Update Site, I'm not really sure about removing it...

    --
    -- When did Ignorance Become a Point of View?
  20. Re:On the way? by Sethb · · Score: 5, Interesting

    You want to know what a real University setting is like? I've worked at 2 of the 3 state Universities here, and generally it's a mishmash of 20% Win95, 40% Win98, 20% Win2000, and 20% Windows XP machines, none of which authenticate to a domain, administered by someone who started working there as a student, but was kept on after graduation because they were cheap labor.

    Patches? Well the user should take care of that, right? After all, they've got Internet Explorer, they can surely remember to visit WindowsUpdate and get patches on their own.

    Oh, AntiVirus definitions? Well, our software doesn't update those automatically, you've got to click the icon and push update every month or so, but the users can do that.

    None of the above is hyperbole; these were actually the standard practices as recently as 18 months ago.

    Heck, doing testing? That'd require a SECOND computer for each technician! That'd cost money! We can't afford to buy TWO computers for one person, we're already splurging on 1 IT person per 500 computers! Oh, and we gave you 1 student who's slightly above minimum wage too. What more do you want?

    --
    When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein