Slashdot Mirror

← Back to Stories (view on slashdot.org)

Win32 Blaster Worm is on the Rise

Posted by CmdrTaco on from the i-can't-hold-her-together-any-longer-captain dept.

EvilNight writes "You know you've got it when a 60 second shutdown timer pops up on your screen. The virus uses the RPC vulnerability. It looks like it's reaching critical mass today. Luckily, it's an easy one to stop: Download this security update. Once you've installed that patch, go here and download the removal tool." Update: 08/12 19:19 GMT by M : Security bulletin URL corrected.

14 of 1,251 comments (clear)

  1. shutdown /a by mjmalone · · Score: 5, Informative

    My friend was getting hit constantly by this worm yesterday. The box wouldn't stay up long enough for him to install the patches :P. Just a tip for those of you who are getting hit a lot and having your box reboot: To stop those pesky reboots try:

    shutdown /a

    That should abort the shutdown and give you enough time to install patches. This also works well when you install a piece of software that trys to force you to reboot. (Why he hadn't fixed it already is a mystery, especially since slashdot.org is his homepage.)

    --
    Visualize the world of wine
    1. Re:shutdown /a by Anonymous Coward · · Score: 5, Informative
      You can also go into Computer Manager -> Services and Applications -> Services and change the Recovery settings for Remote Procedure Call (RPC) from "Restart the Computer" to "Restart the Service".

      I was hit by this last night, and couldn't download/install the update in the 60 seconds allowed.

    2. Re:shutdown /a by zoombat · · Score: 5, Informative
      FFS it's not as if it's attacking via port 80... No properly administered system should ever get this. Home users, maybe but businesses????

      Actually, I had quite a scramble this morning making sure all my mobile users were properly patched. That's my single biggest point-of-entry problem for worms and viruses; people take their notebooks home or on the road and come back infected and reconnect inside the firewall. It's much harder to properly enforce policies on mobile users. Fortunatly all our laptops were either patched or left at work yesterday and patched this morning.

      The other possible point of entry is VPN's which are also notorius for letting in computers that were infected via a different net connection.

    3. Re:shutdown /a by OutRigged · · Score: 5, Informative

      My computers can run without network connections, thank you. You might have noticed that Microsoft phased out standalone patches a couple years ago.

      Um, no they didn't. Every patch Microsoft releases can be downloaded as a standalone installer. Windows Update is intended for home users, but Microsoft knows an admin isn't going to run Windows Update on every computer he maintains. The hotfixes as they are called can even be slipstreamed onto an install CD, so they're applied automatically at setup. I've done with every copy of Windows I've owned since Windows 2000.

      --
      RaGe
      We're all just noise on the wires..
  2. Nasty little bugger by snack · · Score: 5, Informative

    I've been helping my friends get this NASTYNESS off of their machines too.

    Something else you might want to try is booting into safe mode (F8 right when Windows splashscreen pops). Deleting the registry entries, and the virus runprogram (msblast.exe). Also please... PLEASE patch your computer.

    When you're done, run some AV on your system. Some ppl had a 2nd virus sneaking around that they didnt even know about (Spybot.worm).

    -Tim

  3. Cancelling this problem by UnassumingLocalGuy · · Score: 5, Informative

    Yes, you can cancel this. Start up a console session (oh wait, this is Windows, it's called a command prompt) and type in:

    C:\WINDOWS>shutdown -a now

    Granted, this does leave your system in an unstable state, but if you have something urgent you absolutely need to get done, this gives you a few minutes to do it before you reboot.

    --
    "Hu, ho, ho-ah-oh-oh-oh. Hu, ho ho-ah-oh-oh-oh. Mario Paint! Whoaaa!"
  4. It is not easy, one stop! by Eric+Ass+Raymond · · Score: 5, Informative
    The patch does not appear to work properly.

    Read more on SecurityFocus' mailing list.

    --
    BOO! TERRO
  5. also by BigBir3d · · Score: 5, Informative

    Internet Storm Center

    Microsoft Bulletin

    Note this is marked "Critical" now...

  6. A little something they left out... by EvilNight · · Score: 5, Informative

    If you want to stop the timer from fscking with you, simply set your clock back a few hours right after the timer appears. Any time you subtract from the clock is added to the timer. This will give you time to install the patches. We got lucky, this one is mostly harmless. This vulnerability was patched on March 26th, btw.

    --
    Hell is being intelligent in a world full of idiots.
  7. You got the wrong security bulletin by daun3507 · · Score: 5, Informative

    While you should have the MS03-010 patch installed, it is the wrong one for this worm. Make sure you use MS03-026. This is the patch that it links to in the removal tool link.

  8. to disable the forced shutdowns...(XP) by j0se_p0inter0 · · Score: 5, Informative

    Start\Settings\Control Panel - Administrative Tools. Services. right-click "Remote Procedure Call (RPC)" hit Properties. click the Recovery tab. set "First Failure", "Second Failure", and "Subsequent Failures" to "Take No Action". that will keep it from trying to reboot as you clean. good luck.

  9. screenshots on msblast by baxterux · · Score: 5, Informative

    here are some nice screenshots i made on the msblast and the hidden message "I LOVE SAN"

    --
    who wants to rule the world?
  10. Linux people: Rejoice! by Eudial · · Score: 5, Informative
    All the Linux users (and *BSD for that matter) are walking around with a big smile on their lips days like this.

    To make this smile even bigger: Compile this and execute it as root (all ports below 1024 are restricted and needs root permission to be listened to)

    Now you can actually *see* when the worm tries it's futile attack on your superior OS.
    // begin mblaster_l.c
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #define PORT 135

    int main()
    {
    int sock_f;
    struct sockaddr_in sockaddr_l;
    socklen_t len_s;
    struct sockaddr_in remote_a;
    char buffer[4096];
    int remote_p;

    sock_f=socket(AF_INET,SOCK_STREAM,0);
    if(sock_f<2) { printf("Error: %s \n","Could not create socket"); return 1; }

    sockaddr_l.sin_family=AF_INET;
    sockaddr_l.sin_port=htons(PORT);
    sockaddr_l.sin_addr.s_addr=INADDR_ANY;
    memset(&sockaddr_l.sin_zero,0,8);
    if(bind(sock_f,(struct sockaddr*)&sockaddr_l,sizeof(struct sockaddr))==-1)
    { printf("Error: %s \n", "Could not bind socket"); return 1; }

    if(listen(sock_f,30)==-1) { printf("Error: %s \n", "Could not listen to socket"); return 1; }
    len_s=sizeof(struct sockaddr);
    while(1)
    {
    if((remote_p=accept(sock_f,(struct sockaddr*)&remote_a,&len_s))==-1) continue;
    if(recv(remote_p,&buffer,4096,0)==-1) continue;
    printf("Received data from %s \n",inet_ntoa(remote_a.sin_addr));
    printf("%s",buffer);
    close(remote_p);
    }
    }

    // end mblaster_l.c
    --
    GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
  11. THIS IS A SUREFIRE WAY TO STOP SHUTDOWNS by kunsan · · Score: 5, Informative

    I got the worm yesterday, and found that when the "shutdown" popup appears, just reset the system time... you have a full minute to that. I just pushed the data back one year, and the shutdown is postponed a year! then you can run a full system virus scan, and repair tools

    Regards/
    JP

    --
    The facts expressed here belong to all, the opinions to me. The distinction between fact and opinion is yours to decide.