Win32 Blaster Worm is on the Rise

EvilNight writes "You know you've got it when a 60 second shutdown timer pops up on your screen. The virus uses the RPC vulnerability. It looks like it's reaching critical mass today. Luckily, it's an easy one to stop: Download this security update. Once you've installed that patch, go here and download the removal tool." Update: 08/12 19:19 GMT by M : Security bulletin URL corrected.

shutdown /a

[mjmalone]

My friend was getting hit constantly by this worm yesterday. The box wouldn't stay up long enough for him to install the patches :P. Just a tip for those of you who are getting hit a lot and having your box reboot: To stop those pesky reboots try:

shutdown /a

That should abort the shutdown and give you enough time to install patches. This also works well when you install a piece of software that trys to force you to reboot. (Why he hadn't fixed it already is a mystery, especially since slashdot.org is his homepage.)

Re:shutdown /a

You can also go into Computer Manager -> Services and Applications -> Services and change the Recovery settings for Remote Procedure Call (RPC) from "Restart the Computer" to "Restart the Service".

I was hit by this last night, and couldn't download/install the update in the 60 seconds allowed.

Re:shutdown /a

[zoombat]

FFS it's not as if it's attacking via port 80... No properly administered system should ever get this. Home users, maybe but businesses????

Actually, I had quite a scramble this morning making sure all my mobile users were properly patched. That's my single biggest point-of-entry problem for worms and viruses; people take their notebooks home or on the road and come back infected and reconnect inside the firewall. It's much harder to properly enforce policies on mobile users. Fortunatly all our laptops were either patched or left at work yesterday and patched this morning.

The other possible point of entry is VPN's which are also notorius for letting in computers that were infected via a different net connection.

Re:shutdown /a

[OutRigged]

My computers can run without network connections, thank you. You might have noticed that Microsoft phased out standalone patches a couple years ago.

Um, no they didn't. Every patch Microsoft releases can be downloaded as a standalone installer. Windows Update is intended for home users, but Microsoft knows an admin isn't going to run Windows Update on every computer he maintains. The hotfixes as they are called can even be slipstreamed onto an install CD, so they're applied automatically at setup. I've done with every copy of Windows I've owned since Windows 2000.

Re:shutdown /a

[walt-sjc]

Replying to my own post, but I was just reading a message on one of the security lists I monitor, and by one account, this worm went right through Norton's firewall even thought the firewall was configured to block it. (Note: I have not verified this claim.)

I've Never trusted windows based firewalls due to the fact that firewall vendors rely on the hooks that MS provides - if the hooks are not in the right place, the damage can be done before the firewall software sees it at all. In linux / bsd, the hooks are right there in the kernel, and you can be SURE that they are in the right place, and that there is no path around them (since you can view the source.)

I always recommend that Windows users use an external (non-windows based) firewall. There are Lots of cheap ones out now. I think you can get a soho model for under a hundred dollars. Many soho "routers" have firewalls built in. Even one of my old DSL modems from 4 years ago had one (although it was really primitive.) Zone Alarm is a great second level of defense, as it helps deal with rogue software like some spyware, but I would not rely on it alone to protect you.

Nasty little bugger

[snack]

I've been helping my friends get this NASTYNESS off of their machines too.

Something else you might want to try is booting into safe mode (F8 right when Windows splashscreen pops). Deleting the registry entries, and the virus runprogram (msblast.exe). Also please... PLEASE patch your computer.

When you're done, run some AV on your system. Some ppl had a 2nd virus sneaking around that they didnt even know about (Spybot.worm).

-Tim

Cancelling this problem

[UnassumingLocalGuy]

Yes, you can cancel this. Start up a console session (oh wait, this is Windows, it's called a command prompt) and type in:

C:\WINDOWS>shutdown -a now

Granted, this does leave your system in an unstable state, but if you have something urgent you absolutely need to get done, this gives you a few minutes to do it before you reboot.

It is not easy, one stop!

[Eric+Ass+Raymond]

The patch does not appear to work properly.

Read more on SecurityFocus' mailing list.

In addition...

[OrthodonticJake]

My friends and I discovered that turning on your windows firewall (Windows XP) also stops the shutdowns. (Wish I had known that BEFORE I formatted my computer) Unfortunately, I told my parents about this 'epidemic' of computer error (I heard about it from my cousin in Kansas before it happened to me, and then some friends here got it at the same time), and I'm sure that now whenever something is wrong with the computer my parents will get a big serious face and say "You know, it's probably an epidemic".

also

[BigBir3d]

Internet Storm Center

Microsoft Bulletin

Note this is marked "Critical" now...

A little something they left out...

[EvilNight]

If you want to stop the timer from fscking with you, simply set your clock back a few hours right after the timer appears. Any time you subtract from the clock is added to the timer. This will give you time to install the patches. We got lucky, this one is mostly harmless. This vulnerability was patched on March 26th, btw.

Re:A little something they left out...

[BrainInAJar]

Turn off the timer.

Right click on my computer, go to manage, in the services & apps tab, go to services, right click Remote Procedure Call (RPC), properties. In the recovery tab, change all the things that say "restart the computer" to "take no action"

You got the wrong security bulletin

[daun3507]

While you should have the MS03-010 patch installed, it is the wrong one for this worm. Make sure you use MS03-026. This is the patch that it links to in the removal tool link.

to disable the forced shutdowns...(XP)

[j0se_p0inter0]

Start\Settings\Control Panel - Administrative Tools. Services. right-click "Remote Procedure Call (RPC)" hit Properties. click the Recovery tab. set "First Failure", "Second Failure", and "Subsequent Failures" to "Take No Action". that will keep it from trying to reboot as you clean. good luck.

screenshots on msblast

[baxterux]

here are some nice screenshots i made on the msblast and the hidden message "I LOVE SAN"

Linux people: Rejoice!

[Eudial]

All the Linux users (and *BSD for that matter) are walking around with a big smile on their lips days like this.

To make this smile even bigger: Compile this and execute it as root (all ports below 1024 are restricted and needs root permission to be listened to)

Now you can actually *see* when the worm tries it's futile attack on your superior OS.

// begin mblaster_l.c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define PORT 135

int main()
{
int sock_f;
struct sockaddr_in sockaddr_l;
socklen_t len_s;
struct sockaddr_in remote_a;
char buffer[4096];
int remote_p;

sock_f=socket(AF_INET,SOCK_STREAM,0);
if(sock_f<2) { printf("Error: %s \n","Could not create socket"); return 1; }

sockaddr_l.sin_family=AF_INET;
sockaddr_l.sin_port=htons(PORT);
sockaddr_l.sin_addr.s_addr=INADDR_ANY;
memset(&sockaddr_l.sin_zero,0,8);
if(bind(sock_f,(struct sockaddr*)&sockaddr_l,sizeof(struct sockaddr))==-1)
{ printf("Error: %s \n", "Could not bind socket"); return 1; }

if(listen(sock_f,30)==-1) { printf("Error: %s \n", "Could not listen to socket"); return 1; }
len_s=sizeof(struct sockaddr);
while(1)
{
if((remote_p=accept(sock_f,(struct sockaddr*)&remote_a,&len_s))==-1) continue;
if(recv(remote_p,&buffer,4096,0)==-1) continue;
printf("Received data from %s \n",inet_ntoa(remote_a.sin_addr));
printf("%s",buffer);
close(remote_p);
}
}

// end mblaster_l.c

THIS IS A SUREFIRE WAY TO STOP SHUTDOWNS

[kunsan]

I got the worm yesterday, and found that when the "shutdown" popup appears, just reset the system time... you have a full minute to that. I just pushed the data back one year, and the shutdown is postponed a year! then you can run a full system virus scan, and repair tools

Regards/
JP

Re:Laptops

[zoombat]

Yeppers. I was waiting for a 'Road Warrior' to return (I consult on Friday afternoons only) so I could update his laptop. Upon seeing the news this morning, I sent him an email with instructions (crossing fingers!) on how to use Windows Update.

Careful with Windows Update; it is notorius for falsely reporting that patches are installed properly.. See this discussion about this very patch (MS03-026).

Nessus did this attack months ago

[four12]

I was experimenting with nessus several months ago. I unchecked the "safe checks only" option and ran it against a series of internal Windows systems and crashed RPC. I thought "wow, this could be really dangerous if nessus'd a range of public IPs."

Re:Remote Procedure Call

[PurpleFloyd]

RPC isn't just for over-the-network calls; it's also what some Win32 apps use for interprocess communication. Thus, if RPC is borked, your whole system is in trouble (I had a system where the RPC DLLs were corrupted; I couldn't even use simple things like copy and paste, since programs couldn't communmicate with the clipboard buffer).

The only real solution in this case is a good firewall and keeping up with the endless stream of security patches; unfortunately, Microsoft in their infinite wisdom have decided that users can't turn off RPC's network functionality. While turning off services you don't need is good security practice, there are some exploitable services that the system needs and you can't just turn off. RPC falls into this category, and you can't do much besides firewall and patch it.

Correct method to circumvent the virus

[mortisnoir]

Since the shutdown tends to occur the moment you access the internet, do the following;

1. Unplug internet connection
2. Enable Win XP firewall on all valid connections
3. Connect internet connection
4. Download and install the patch from MS
5. Update anti-virus or download and run the removal tool

Good Luck!

msblast.exe available...

[dark-br]

for analysis here

Also some cool screenshots of the beast in action here, and here