Slashdot Mirror


Win32 Blaster Worm is on the Rise

EvilNight writes "You know you've got it when a 60 second shutdown timer pops up on your screen. The virus uses the RPC vulnerability. It looks like it's reaching critical mass today. Luckily, it's an easy one to stop: Download this security update. Once you've installed that patch, go here and download the removal tool." Update: 08/12 19:19 GMT by M : Security bulletin URL corrected.

35 of 1,251 comments

  1. shutdown /a by mjmalone · · Score: 5, Informative

    My friend was getting hit constantly by this worm yesterday. The box wouldn't stay up long enough for him to install the patches :P. Just a tip for those of you who are getting hit a lot and having your box reboot: To stop those pesky reboots try:

    shutdown /a

    That should abort the shutdown and give you enough time to install patches. This also works well when you install a piece of software that tries to force you to reboot. (Why he hadn't fixed it already is a mystery, especially since slashdot.org is his homepage.)

    1. Re:shutdown /a by Anonymous Coward · · Score: 5, Informative
      You can also go into Computer Manager -> Services and Applications -> Services and change the Recovery settings for Remote Procedure Call (RPC) from "Restart the Computer" to "Restart the Service".

      I was hit by this last night, and couldn't download/install the update in the 60 seconds allowed.

    2. Re:shutdown /a by zoombat · · Score: 5, Informative
      FFS it's not as if it's attacking via port 80... No properly administered system should ever get this. Home users, maybe but businesses????

      Actually, I had quite a scramble this morning making sure all my mobile users were properly patched. That's my single biggest point-of-entry problem for worms and viruses; people take their notebooks home or on the road and come back infected and reconnect inside the firewall. It's much harder to properly enforce policies on mobile users. Fortunately all our laptops were either patched or left at work yesterday and patched this morning.

      The other possible point of entry is VPNs, which are also notorious for letting in computers that were infected via a different net connection.

    3. Re:shutdown /a by OutRigged · · Score: 5, Informative

      My computers can run without network connections, thank you. You might have noticed that Microsoft phased out standalone patches a couple years ago.

      Um, no they didn't. Every patch Microsoft releases can be downloaded as a standalone installer. Windows Update is intended for home users, but Microsoft knows an admin isn't going to run Windows Update on every computer he maintains. The hotfixes, as they are called, can even be slipstreamed onto an install CD, so they're applied automatically at setup. I've done this with every copy of Windows I've owned since Windows 2000.

      --
      RaGe
      We're all just noise on the wires..
    4. Re:shutdown /a by Silvers · · Score: 3, Informative

      I just installed the patch on a WinXP Home machine. Upon reconnecting to the internet, it got infected again.

      The patch, as stated elsewhere, does not work on all machines.

      I turned on the firewall hoping that will fix

    5. Re:shutdown /a by walt-sjc · · Score: 4, Informative

      Replying to my own post, but I was just reading a message on one of the security lists I monitor, and by one account, this worm went right through Norton's firewall even though the firewall was configured to block it. (Note: I have not verified this claim.)

      I've never trusted Windows-based firewalls due to the fact that firewall vendors rely on the hooks that MS provides - if the hooks are not in the right place, the damage can be done before the firewall software sees it at all. In Linux / BSD, the hooks are right there in the kernel, and you can be SURE that they are in the right place, and that there is no path around them (since you can view the source.)

      I always recommend that Windows users use an external (non-Windows-based) firewall. There are lots of cheap ones out now. I think you can get a SOHO model for under a hundred dollars. Many SOHO "routers" have firewalls built in. Even one of my old DSL modems from 4 years ago had one (although it was really primitive.) Zone Alarm is a great second level of defense, as it helps deal with rogue software like some spyware, but I would not rely on it alone to protect you.

  2. Nasty little bugger by snack · · Score: 5, Informative

    I've been helping my friends get this NASTINESS off of their machines too.

    Something else you might want to try is booting into safe mode (F8 right when the Windows splash screen pops). Delete the registry entries and the virus run program (msblast.exe). Also please... PLEASE patch your computer.

    When you're done, run some AV on your system. Some people had a 2nd virus sneaking around that they didn't even know about (Spybot.worm).

    -Tim

  3. Cancelling this problem by UnassumingLocalGuy · · Score: 5, Informative

    Yes, you can cancel this. Start up a console session (oh wait, this is Windows, it's called a command prompt) and type in:

    C:\WINDOWS>shutdown -a now

    Granted, this does leave your system in an unstable state, but if you have something urgent you absolutely need to get done, this gives you a few minutes to do it before you reboot.

    --
    "Hu, ho, ho-ah-oh-oh-oh. Hu, ho ho-ah-oh-oh-oh. Mario Paint! Whoaaa!"
  4. A BBC link by azzy · · Score: 3, Informative

    Another article here

  5. It is not easy, one stop! by Eric+Ass+Raymond · · Score: 5, Informative
    The patch does not appear to work properly.

    Read more on SecurityFocus' mailing list.

  6. RPC? by Quasar1999 · · Score: 3, Informative

    Funny, a few days ago I had my XP system exhibit the same problem (after using Windows Update)... but I checked the event log and it told me that 0x70/0x71 was accessed by the BIOS unexpectedly.

    After doing a bit of research I discovered that at some point, Microsoft decided that ACPI needs to behave differently, and forced all BIOSes to be upgraded to work with XP. After getting a new version of my BIOS, the problem disappeared... but the symptoms were identical to what is described with this bug... Bad timing I guess... But if you have this problem, check the event log; it may be your now non-compliant BIOS, rather than an infection/attack.

    --
    Programming is like sex... Make one mistake and support it the rest of your life.
  7. In addition... by OrthodonticJake · · Score: 4, Informative

    My friends and I discovered that turning on your windows firewall (Windows XP) also stops the shutdowns. (Wish I had known that BEFORE I formatted my computer) Unfortunately, I told my parents about this 'epidemic' of computer error (I heard about it from my cousin in Kansas before it happened to me, and then some friends here got it at the same time), and I'm sure that now whenever something is wrong with the computer my parents will get a big serious face and say "You know, it's probably an epidemic".

    --
    I regularly report MSN spam to the Hotmail admins.
  8. also by BigBir3d · · Score: 5, Informative

    Internet Storm Center

    Microsoft Bulletin

    Note this is marked "Critical" now...

  9. Nice touch. by bbum · · Score: 3, Informative

    From Symantec's analysis:

    If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on "windowsupdate.com."

    With the current logic, the worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.


    Maybe this will motivate Microsoft to actually deal with the gaping festering security holes in their OS? How many systems do you think will still be infected after the 15th?

    Nahh....

  10. A little something they left out... by EvilNight · · Score: 5, Informative

    If you want to stop the timer from fscking with you, simply set your clock back a few hours right after the timer appears. Any time you subtract from the clock is added to the timer. This will give you time to install the patches. We got lucky, this one is mostly harmless. This vulnerability was patched on March 26th, btw.

    --
    Hell is being intelligent in a world full of idiots.
    1. Re:A little something they left out... by BrainInAJar · · Score: 4, Informative

      Turn off the timer.

      Right-click My Computer, go to Manage, in the Services & Applications tab go to Services, right-click Remote Procedure Call (RPC), Properties. In the Recovery tab, change all the things that say "Restart the Computer" to "Take No Action".

  11. Echoes by saskwach · · Score: 3, Informative

    Why-oh-why can't people patch? Shouldn't broadband providers be sending emails to their clients with a link in them? You'd think every hotmail account would get a message saying "Plug that hole" from whoever it is that runs hotmail. Even the most clueless of windows users can click on a link and then click the "Yes" button. I can see my logs filling with failed attempts to bring down my machine already...

  12. Will it halt the Internet? by mao+che+minh · · Score: 3, Informative

    No, it shouldn't. This worm isn't clogging up bandwidth or DoS/DDoS attacking routers and web servers like Code Red and Nimda did. This is just making WinNT and greater workstations and servers (should you actually be using a Windows OS on a server that isn't heavily protected) reboot.

  13. You got the wrong security bulletin by daun3507 · · Score: 5, Informative

    While you should have the MS03-010 patch installed, it is the wrong one for this worm. Make sure you use MS03-026. This is the patch that it links to in the removal tool link.

  14. CERT advisory notice.... by JaJ_D · · Score: 3, Informative

    The Cert advisory can be found here

  15. to disable the forced shutdowns...(XP) by j0se_p0inter0 · · Score: 5, Informative

    Start > Settings > Control Panel > Administrative Tools > Services. Right-click "Remote Procedure Call (RPC)", hit Properties, click the Recovery tab, set "First Failure", "Second Failure", and "Subsequent Failures" to "Take No Action". That will keep it from trying to reboot as you clean. Good luck.

  16. screenshots on msblast by baxterux · · Score: 5, Informative
    --
    who wants to rule the world?
  17. Linux people: Rejoice! by Eudial · · Score: 5, Informative
    All the Linux users (and *BSD for that matter) are walking around with a big smile on their lips on days like this.

    To make this smile even bigger: compile this and execute it as root (all ports below 1024 are restricted and need root permission to be listened on).

    Now you can actually *see* when the worm tries its futile attack on your superior OS.
    // begin mblaster_l.c
    // Bare TCP listener on port 135: logs who connected and hex-dumps the first
    // chunk of data, so the worm's connection attempts show up on a non-Windows box.
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #define PORT 135

    int main(void)
    {
        int sock_f, remote_p, one = 1;
        struct sockaddr_in sockaddr_l, remote_a;
        socklen_t len_s;
        unsigned char buffer[4096];
        ssize_t n, i;

        sock_f = socket(AF_INET, SOCK_STREAM, 0);
        if (sock_f < 0) { perror("socket"); return 1; }   /* socket() returns -1 on failure, not "< 2" */

        /* let the listener restart while old connections are still in TIME_WAIT */
        setsockopt(sock_f, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));

        memset(&sockaddr_l, 0, sizeof(sockaddr_l));
        sockaddr_l.sin_family = AF_INET;
        sockaddr_l.sin_port = htons(PORT);
        sockaddr_l.sin_addr.s_addr = htonl(INADDR_ANY);
        if (bind(sock_f, (struct sockaddr *)&sockaddr_l, sizeof(sockaddr_l)) == -1)
        { perror("bind"); return 1; }

        if (listen(sock_f, 30) == -1) { perror("listen"); return 1; }

        while (1)
        {
            len_s = sizeof(remote_a);   /* accept() overwrites this, so reset it every pass */
            remote_p = accept(sock_f, (struct sockaddr *)&remote_a, &len_s);
            if (remote_p == -1) continue;

            /* What the worm sends is binary RPC data, not a C string, so print it
               as hex instead of handing an unterminated buffer to printf("%s"). */
            n = recv(remote_p, buffer, sizeof(buffer), 0);
            printf("Received %ld bytes from %s:%u\n", (long)(n < 0 ? 0 : n),
                   inet_ntoa(remote_a.sin_addr), ntohs(remote_a.sin_port));
            for (i = 0; i < n; i++)
                printf("%02x%c", buffer[i], (i % 16 == 15 || i == n - 1) ? '\n' : ' ');
            fflush(stdout);
            close(remote_p);
        }
    }
    // end mblaster_l.c
    --
    GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
  18. THIS IS A SUREFIRE WAY TO STOP SHUTDOWNS by kunsan · · Score: 5, Informative

    I got the worm yesterday, and found that when the "shutdown" popup appears, just reset the system time... you have a full minute to do that. I just pushed the date back one year, and the shutdown is postponed a year! Then you can run a full system virus scan and repair tools.

    Regards/
    JP

    --
    The facts expressed here belong to all, the opinions to me. The distinction between fact and opinion is yours to decide.
  19. Proper removal instructions by XSforMe · · Score: 3, Informative

    Luckily, it's an easy one to stop: Download this security update. Once you've installed that patch, go here and download the removal tool."
    Not really... there have been several reports that the thing has flogged machines so badly that it might not even be possible to connect to windowsupdate/any other internet site. For proper removal instructions, take a look at CERT's advisory or Trend Micro's KB.

    --
    My other OS is the MCP!
  20. RPC, NetBios etc are a menace by g8oz · · Score: 3, Informative

    All these crappy Microsoft net-enabled 'features' turned on by default are a menace to the average user and the Internet in general.

    Please block TCP/UDP Netbios ports 135-139, as well as SMB over TCP(port 445), RPC over HTTP (port 593), the MS-SQL port the Slammer worm used (port 1434).

    And I am sure there are many, many more.

  21. Re:Laptops by zoombat · · Score: 4, Informative
    Yeppers. I was waiting for a 'Road Warrior' to return (I consult on Friday afternoons only) so I could update his laptop. Upon seeing the news this morning, I sent him an email with instructions (crossing fingers!) on how to use Windows Update.

    Careful with Windows Update; it is notorious for falsely reporting that patches are installed properly. See this discussion about this very patch (MS03-026).

  22. Nessus did this attack months ago by four12 · · Score: 4, Informative

    I was experimenting with nessus several months ago. I unchecked the "safe checks only" option and ran it against a series of internal Windows systems and crashed RPC. I thought "wow, this could be really dangerous if nessus'd a range of public IPs."

  23. New version of Blaster is starting to appear by Jugalator · · Score: 3, Informative

    A new version of Blaster has started spreading. The new version is called RPCsdbot.A by Trend Micro and appears to be more stable and can also open a backdoor to IRC.

    RPCsdbot.A Information

    --
    Beware: In C++, your friends can see your privates!
  24. Re:Remote Procedure Call by PurpleFloyd · · Score: 4, Informative
    RPC isn't just for over-the-network calls; it's also what some Win32 apps use for interprocess communication. Thus, if RPC is borked, your whole system is in trouble (I had a system where the RPC DLLs were corrupted; I couldn't even use simple things like copy and paste, since programs couldn't communicate with the clipboard buffer).

    The only real solution in this case is a good firewall and keeping up with the endless stream of security patches; unfortunately, Microsoft in their infinite wisdom have decided that users can't turn off RPC's network functionality. While turning off services you don't need is good security practice, there are some exploitable services that the system needs and you can't just turn off. RPC falls into this category, and you can't do much besides firewall and patch it.

    --

    That's it. I'm no longer part of Team Sanity.
  25. Correct method to circumvent the virus by mortisnoir · · Score: 4, Informative

    Since the shutdown tends to occur the moment you access the internet, do the following;

    1. Unplug internet connection
    2. Enable Win XP firewall on all valid connections
    3. Connect internet connection
    4. Download and install the patch from MS
    5. Update anti-virus or download and run the removal tool

    Good Luck!

    --
    Proverbs 16:18 "Pride goeth before destruction, and an haughty spirit before a fall"
  26. Internet 2 Ops letter regarding Blaster traffic by jgaynor · · Score: 3, Informative

    Just got this from the Abilene (Internet 2) Operations Center. Apparently this is significantly affecting at least the .edu side of the network:

    Abilene Connectors and Participants,

    As you're all probably painfully aware by now, a worm exploit of the Microsoft
    DCOM RPC vulnerability, W32/Blaster, was unleashed on Monday August 11. Details
    regarding the vulnerability and exploit can be found at the references provided
    below.

    Worm traffic on Abilene is very high, peaking at 7%+ of all packets on the
    network. We're performing an analysis of Abilene netflow data, and early this
    afternoon will provide a private communication to sites that are sourcing a
    large amount of worm traffic.

    Recommendations for network border filtering are included in the CERT W32/Blaster
    advisory, http://www.cert.org/advisories/CA-2003-20.html. Filters should be
    defined as input and output - to protect yourselves and to protect from
    infecting others.

    Abilene Connectors, please pass this communication on to your Participants.

    References:

    Microsoft DCOM RPC:
    http://www.cert.org/advisories/CA-2003-16.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352

    W32/Blaster:
    http://www.cert.org/advisories/CA-2003-20.html

    Regards,

    XXXX XXXXXXX
    Director, REN-ISAC
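    The two network-side actions this thread asks for, the border port filters listed in the "RPC, NetBios etc are a menace" comment (TCP/UDP 135-139, TCP 445, TCP 593, UDP 1434) and the netflow analysis the REN-ISAC letter describes for finding sites that source worm traffic, as one added example. This is not code from the thread, from CERT or from Abilene; the five-field flow record format and the sample records are constructed for the example, and the "many distinct TCP/135 destinations" threshold is an assumption about what separates a scanning host from an ordinary DCOM client, not a figure from the page.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Ports the "RPC, NetBios etc are a menace" comment asks border filters to block.
BLOCKED_PORTS = {
    "tcp": set(range(135, 140)) | {445, 593},
    "udp": set(range(135, 140)) | {1434},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int
    packets: int


def parse_flows(text):
    """Parse one 'src dst proto dport packets' record per line (constructed format).

    Blank lines and '#' comments are skipped; a real netflow export would be read
    with a collector tool and mapped onto the same five fields."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, dport, packets = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport), int(packets)))
    return flows


def flows_to_block(flows):
    """Flows a border filter built from BLOCKED_PORTS would drop (apply it inbound
    and outbound, as the letter says: to protect yourself and to stop infecting others)."""
    return [f for f in flows if f.dport in BLOCKED_PORTS.get(f.proto, ())]


def blaster_scanners(flows, min_targets=20):
    """Sources that tried TCP/135 against at least min_targets distinct hosts.

    A legitimate DCOM client talks to a handful of servers; an infected host walks
    through address after address, so fan-out on port 135 separates the two.
    Destinations are returned in numeric address order."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == 135:
            targets[f.src].add(f.dst)
    return {src: sorted(dsts, key=ipaddress.ip_address)
            for src, dsts in targets.items() if len(dsts) >= min_targets}


def filter_list(flows, min_targets=20):
    """Source addresses to hand to the border router or to the site contact."""
    return sorted(blaster_scanners(flows, min_targets), key=ipaddress.ip_address)


# Constructed sample: one host sweeping forty neighbours on TCP/135, one host
# with a single RPC session plus web traffic, and one stray UDP/1434 probe.
SAMPLE_RECORDS = "\n".join(
    [f"10.1.2.3 10.7.0.{i} tcp 135 1" for i in range(1, 41)]
    + [
        "10.1.9.9 10.1.9.10 tcp 135 12   # one RPC session, not a scan",
        "10.1.9.9 192.0.2.10 tcp 80 40",
        "10.1.9.9 192.0.2.10 udp 1434 1",
    ]
)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_RECORDS)
    print("flows a border filter would drop:", len(flows_to_block(flows)))
    for src, dsts in blaster_scanners(flows).items():
        print(f"{src} probed {len(dsts)} hosts on tcp/135 ({dsts[0]} .. {dsts[-1]})")
```

    The threshold matters: with `min_targets=1` the host with a single legitimate RPC session is reported too, which is the false positive a site would not want to send a "you are sourcing worm traffic" notice about.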

  27. msblast.exe available... by dark-br · · Score: 4, Informative

    for analysis here

    Also some cool screenshots of the beast in action here, and here

  28. Actual Removal Instructions: by einhverfr · · Score: 3, Informative

    I helped a friend remove this virus yesterday. Here is what we did:

    1: Enable Internet Connection Firewall (for once, it actually has a use!)
    2: Download and install MS03-026
    3: Remove the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update
    4: search for and remove all files beginning with msblast.exe

    Turns out aside from DDOS'ing Microsoft, this worm is pretty harmless.

    --

    LedgerSMB: Open source Accounting/ERP
    1. Re:Actual Removal Instructions: by einhverfr · · Score: 3, Informative

      Yeah, rebooting your computer every minute.

      Actually, to be technically accurate, it is the RPC overflow that reboots your computer. The worm on your computer is actually rebooting *other people's computers* every minute ;-)

      --

      LedgerSMB: Open source Accounting/ERP
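    Steps 3 and 4 of the removal instructions in "Actual Removal Instructions:" above name two host indicators: the Run value "windows auto update" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which points at msblast.exe, and the msblast.exe file itself. The script below checks both against a regedit-style .reg export of the Run key and a list of file paths. It is an added example, not code from the thread or from any vendor removal tool; the .reg text and the file list are constructed sample data (on a real machine you would export the Run key from regedit and walk the system drive), and the `.reg` parser only handles string values. It only finds the entries; the patch (MS03-026) still has to be installed, as the post says.

```python
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_VALUE_NAME = "windows auto update"   # Run value named in the removal instructions
WORM_FILE = "msblast.exe"                 # executable named in the removal instructions


def parse_reg_export(text):
    """Parse a regedit .reg export into {key: {value_name: data}}.

    Only string values ("name"="data") are kept; regedit doubles backslashes in
    the data, so they are folded back. Real exports are UTF-16: decode first."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return keys


def run_key_indicators(reg_text):
    """(value_name, data) pairs in the Run key that match the worm's persistence
    entry: its value name, or any data that launches msblast.exe from any path."""
    values = parse_reg_export(reg_text).get(RUN_KEY, {})
    return [(name, data) for name, data in values.items()
            if name.lower() == WORM_VALUE_NAME or WORM_FILE in data.lower()]


def msblast_files(paths):
    """Paths whose file name is msblast.exe, case-insensitively, in any directory
    (the instructions say to remove every copy, not only the one in system32)."""
    return [p for p in paths if PureWindowsPath(p).name.lower() == WORM_FILE]


def blaster_host_check(reg_text, paths):
    """Run both checks; 'clean' is True only when neither indicator is present."""
    run_hits = run_key_indicators(reg_text)
    file_hits = msblast_files(paths)
    return {"run_values": run_hits, "files": file_hits,
            "clean": not run_hits and not file_hits}


# Constructed sample data standing in for a regedit export of the Run key and a
# directory walk of the system drive. "ExampleUpdater" is a made-up benign entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"windows auto update"="msblast.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"""

SAMPLE_FILES = [
    r"C:\WINDOWS\system32\msblast.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\Temp\MSBLAST.EXE",
]

if __name__ == "__main__":
    result = blaster_host_check(SAMPLE_REG, SAMPLE_FILES)
    for name, data in result["run_values"]:
        print(f"Run value to delete: {name!r} = {data!r}")
    for path in result["files"]:
        print(f"file to delete: {path}")
    print("clean" if result["clean"] else "indicators present; patch, then remove the above")
```

    Matching on the data as well as the value name is deliberate: a Run entry renamed by hand would still be caught as long as it launches msblast.exe, while a benign entry with an unrelated name and path is left alone.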