Win32 Blaster Worm is on the Rise

EvilNight writes "You know you've got it when a 60 second shutdown timer pops up on your screen. The virus uses the RPC vulnerability. It looks like it's reaching critical mass today. Luckily, it's an easy one to stop: Download this security update. Once you've installed that patch, go here and download the removal tool." Update: 08/12 19:19 GMT by M : Security bulletin URL corrected.

shutdown /a

[mjmalone]

My friend was getting hit constantly by this worm yesterday. The box wouldn't stay up long enough for him to install the patches :P. Just a tip for those of you who are getting hit a lot and having your box reboot: To stop those pesky reboots try:

shutdown /a

That should abort the shutdown and give you enough time to install patches. This also works well when you install a piece of software that trys to force you to reboot. (Why he hadn't fixed it already is a mystery, especially since slashdot.org is his homepage.)

Re:shutdown /a

You can also go into Computer Manager -> Services and Applications -> Services and change the Recovery settings for Remote Procedure Call (RPC) from "Restart the Computer" to "Restart the Service".

I was hit by this last night, and couldn't download/install the update in the 60 seconds allowed.

Re:shutdown /a

[Tony+Hoyle]

Rule 1: The first thing you do when putting any system on the net is make sure it's behind a firewall.
Rule 2: See rule 1. Then do it.

FFS it's not as if it's attacking via port 80... No properly administered system should ever get this. Home users, maybe but businesses????

Re:shutdown /a

[Jugalator]

Home users, maybe but businesses????

The largest ISP in Sweden, Telia, had 40 servers collapse from this virus and in effect prevented 16,000 users from logging on to their ADSL service. That gives you a great deal of confidence in an ISP, right? ;-)

Re:shutdown /a

[ChiefArcher]

Supposively, if they don't fix it by this weekend, all the infected boxes are going to attack microsoft's website all at once.

So in my opinion.... Don't patch it :)

ChiefArcher

Re:shutdown /a

[zoombat]

FFS it's not as if it's attacking via port 80... No properly administered system should ever get this. Home users, maybe but businesses????

Actually, I had quite a scramble this morning making sure all my mobile users were properly patched. That's my single biggest point-of-entry problem for worms and viruses; people take their notebooks home or on the road and come back infected and reconnect inside the firewall. It's much harder to properly enforce policies on mobile users. Fortunatly all our laptops were either patched or left at work yesterday and patched this morning.

The other possible point of entry is VPN's which are also notorius for letting in computers that were infected via a different net connection.

Re:shutdown /a

[RoLi]

I mean that's how you're supposed to setup any operating system. No net connection until you've got all the necessary patches installed and firewalls set up.

Exactly! It's pretty easy, actually:

• Unplug Internet connection
• Download patches from the Internet
• Set up firewall
• Plug in Internet connection

If that doesn't work, just send an email to support@microsoft.com

Re:shutdown /a

your_girlfriend.exe

Re:shutdown /a

[Geek+of+Tech]

That almost makes me want to infect my box. Oh well.

Re:shutdown /a

[OutRigged]

My computers can run without network connections, thank you. You might have noticed that Microsoft phased out standalone patches a couple years ago.

Um, no they didn't. Every patch Microsoft releases can be downloaded as a standalone installer. Windows Update is intended for home users, but Microsoft knows an admin isn't going to run Windows Update on every computer he maintains. The hotfixes as they are called can even be slipstreamed onto an install CD, so they're applied automatically at setup. I've done with every copy of Windows I've owned since Windows 2000.

Re:shutdown /a

[rworne]

(Score:2, Insightful) for a post recommending you download patches with your network cable unplugged. Wow, Slashdot is a haven for those with technical know-how, isn't it.

Perhaps he was meaning to suggest using a wireless access point. That way there is no physical medium for the virus to travel over.

Re:shutdown /a

[walt-sjc]

Replying to my own post, but I was just reading a message on one of the security lists I monitor, and by one account, this worm went right through Norton's firewall even thought the firewall was configured to block it. (Note: I have not verified this claim.)

I've Never trusted windows based firewalls due to the fact that firewall vendors rely on the hooks that MS provides - if the hooks are not in the right place, the damage can be done before the firewall software sees it at all. In linux / bsd, the hooks are right there in the kernel, and you can be SURE that they are in the right place, and that there is no path around them (since you can view the source.)

I always recommend that Windows users use an external (non-windows based) firewall. There are Lots of cheap ones out now. I think you can get a soho model for under a hundred dollars. Many soho "routers" have firewalls built in. Even one of my old DSL modems from 4 years ago had one (although it was really primitive.) Zone Alarm is a great second level of defense, as it helps deal with rogue software like some spyware, but I would not rely on it alone to protect you.

Re:shutdown /a

[Nucleon500]

Does the worm work with Wine?

Re:shutdown /a

[inKubus]

Sorry to whore this out here, but has anyone actually looked at the patch? I mean, this affects a rather important part of the Windows operating system. RPC is used for interprocess communication, named pipes, etc. Couldn't the CIA or something put a bug in it that will forward everything you cut and paste, type, send, etc. to some other entity? And what better way to get the masses to install it than a little worm to exploit a hole they purposely left open?

Furthermore, Microsoft paid out $520M only yesterday due to patent infringement with a component in MSIE.

I mean, I'm all patched up, so I know I'm safe but.. oh shit.. the shutdown timer just popped up! Microsoft must be reading what I'm typing. If only I can do this thing quick enough. OH FUCK I have to wait 20 seconds from the time I hit the reply button til when I press submit and it's getting down near 1 nowwwww

Wrong link

[JPelzer]

Shouldn't the "Removal Tool" link point to a Linux ISO download site or something? I mean, this is slashdot... :-)

The Rise

[mao+che+minh]

DOOM-DOOM-DOOM-DOOM DOOM *PANG*
DOOM-DOOM-DOOM-DOOM DOOM * PANG*

At 10:06 AM, August 12th, 2003, Skynet launched dah Win32 Blaster Wahm. It quickly seized contrahl of ahh computers on the Net and forced a mahndatory reboot.

OK this is getting old.....

Honest question

[lseltzer]

Dear all of you who are being hit by this attack:

Why hadn't you applied the patch before? It was released 7/16 and nothing has had this level of publicity before.

Re:Honest question

[caluml]

Why aren't you blocking stupid useless open ports from the Internet?

Most people:
What's a port?
Do I have any?
How can I check?

Re:Honest question

[Maserati]

I had to explain ports and firewalls to one of our Account Services people yesterday. My analogy was a company with oine main number and everyone else on extensions behind that number. So if calling their number (IP address) and asking for extension 80 (port) lets you talk to Janie (900.69.69.69:69) then that's just like connecting to a web server at an address:port combination.

Specifically, we were trying to figure out if a clients BOFH was a BOFH, a PFY or a PHB. We think he's a PHB since there's a lot of money (cash and obligations) sunk into a project that needs a port opened in their firewall and he won't/can't/hasn't opened it up yet.

This may still be better than the other (former) client who put two people in our office using VPN to connect to their home network... and then changed their proxy configuration without telling anyone (like their helpdesk). It took me a week of phone tag to get one of their network analysts to finally say "OK, try this". Then they sent her an XP laptop with that setting locked into the old-and-wrong setting. I think she had to ship it back since they wouldn't cut loose with the admin password. Neither would I, but the box would have worked before I sent it out. We aren't suing them for specifically "rampant idiocy", but that MUST be a factor. We're suing them, a spokesfigure was perp-walked recently and business is way down. I wonder how long they'll manage to stay out of Chapter 11.

Stupid people suffer.

Re:Honest question

[Ilgaz]

Well, I wonder why MS opens RPC (135) to outside World.

Yes yes, services use it, as Steve Gibson's sayin "impossible to close without firewall" ...

Don't blame people not using firewall, they are mostly newbies , e.g. XP home users. Ask the real question: Why you open a port outside World by default OS install?

Everyone knew port 135 would be exploited in a real bad way before, that was just a matter of time.

If os is a client only, do not turn on rpc listening on port 135... Its THAT hard?

Re:Honest question

[wfrp01]

What's a port?
Do I have any?
How can I check?

A place where ships are safe from storms. See also 'port of entry'.
You have an output port on your behind.
Do yoga.

Nasty little bugger

[snack]

I've been helping my friends get this NASTYNESS off of their machines too.

Something else you might want to try is booting into safe mode (F8 right when Windows splashscreen pops). Deleting the registry entries, and the virus runprogram (msblast.exe). Also please... PLEASE patch your computer.

When you're done, run some AV on your system. Some ppl had a 2nd virus sneaking around that they didnt even know about (Spybot.worm).

-Tim

Cancelling this problem

[UnassumingLocalGuy]

Yes, you can cancel this. Start up a console session (oh wait, this is Windows, it's called a command prompt) and type in:

C:\WINDOWS>shutdown -a now

Granted, this does leave your system in an unstable state, but if you have something urgent you absolutely need to get done, this gives you a few minutes to do it before you reboot.

Virus

If this thing wouldn't keep crashing computers, it would be spreading like greased wildfire.

It is not easy, one stop!

[Eric+Ass+Raymond]

The patch does not appear to work properly.

Read more on SecurityFocus' mailing list.

In addition...

[OrthodonticJake]

My friends and I discovered that turning on your windows firewall (Windows XP) also stops the shutdowns. (Wish I had known that BEFORE I formatted my computer) Unfortunately, I told my parents about this 'epidemic' of computer error (I heard about it from my cousin in Kansas before it happened to me, and then some friends here got it at the same time), and I'm sure that now whenever something is wrong with the computer my parents will get a big serious face and say "You know, it's probably an epidemic".

also

[BigBir3d]

Internet Storm Center

Microsoft Bulletin

Note this is marked "Critical" now...

Re:Good timing...

[brejc8]

The removal tool takes several minutes to run.
Just apply the exact patch and remove the msblast.exe from your windows/system32 directory.
Then run the tool afterwards to ensure it has
gone.
The exact patch needed is here
http://www.microsoft.com/technet/treeview/de fault. asp?url=/technet/security/bulletin/MS03-026.asp

A little something they left out...

[EvilNight]

If you want to stop the timer from fscking with you, simply set your clock back a few hours right after the timer appears. Any time you subtract from the clock is added to the timer. This will give you time to install the patches. We got lucky, this one is mostly harmless. This vulnerability was patched on March 26th, btw.

Re:A little something they left out...

[BrainInAJar]

Turn off the timer.

Right click on my computer, go to manage, in the services & apps tab, go to services, right click Remote Procedure Call (RPC), properties. In the recovery tab, change all the things that say "restart the computer" to "take no action"

This thing hit our customers yesterday...

[Snarfangel]

I work at an ISP, and over half of our tech support calls yesterday were because of this worm. You wouldn't believe the number of people who thought we were somehow going into their computer and not only kicking them off the internet, but rebooting their computers. (Yes, sir, the tech support staff feels horribly underworked today, so we thought we'd make things more exciting and pi** off a few customers in the process.) I hope they find the person involved and perform medical experiments on him.

Just seen an ATM affected...

[mccalli]

Seriously. If you fancy a laugh, and you're working in the City of London, then go to the Halifax ATM between Canon Street and Poultry.

Then try, really, really hard to stop laughing...

Cheers,
Ian

Re:Just seen an ATM affected...

[Zak3056]

Seriously. If you fancy a laugh, and you're working in the City of London, then go to the Halifax ATM between Canon Street and Poultry.
Then try, really, really hard to stop laughing...

I don't know why I have to point this out, but that's NOT funny--it's freaking SCARY.

You got the wrong security bulletin

[daun3507]

While you should have the MS03-010 patch installed, it is the wrong one for this worm. Make sure you use MS03-026. This is the patch that it links to in the removal tool link.

Precisely

[Overly+Critical+Guy]

There was even a Slashdot article about the exploit. It was such a big deal because it was the first and only vulnerability for Windows Server 2003 so far.

All these people sarcastically saying to "patch with Linux" or "use the firewall" are missing the point that the smart people downloaded the 1.2MB patch last month and had no idea anything was going on until we read about the worm on Slashdot. My entire work network was unscathed, because they're all kept completely up to date. I can't think of any reason why someone shouldn't be doing the same to their Windows network, except for arcane Slashbot conspiracy theories or just plain needing to hate Microsoft for something, anything.

If this was a Linux worm, people would be telling everyone else that they should have patched to the latest versions of whatever. But, it's Windows, so it won't exactly happen that way...

Re:Precisely

[aug24]

I can't think of any reason why someone shouldn't be doing the same to their Windows network, except for arcane Slashbot conspiracy theories or just plain needing to hate Microsoft for something, anything.

Did you merrily click past the EULA that said if it destroyed your system and data it wasn't MS's fault or responsibility? Did you install on one box and then do a complete round of System Test, or did you just blindly trust MS?

J.

There are several reasons...

[aug24]

Have you met many people who are MS sysadmins? A good proportion of those that I have met are Joe User types who have knowledge of how to set up, auto-reboot and backup machines, and not a lot more.

Windows is easier to pick up, but just as hard, possibly harder, to maintain than *nix. So you get less-trained or less-capable or whatever people who are employed doing this, who look fine on the day-to-day, but who are damn-near useless at the harder stuff like security - which should, of course, be the day to day.

Combine that with the sheer number of sever and critical patches MS expects you to apply, each of which must go through regression testing before deployment, and you can see why sticking the ol' head in the sand looks appealing...

J.

Re:There are several reasons...

[Tyler+Eaves]

2 "windows" holes versus 9 "linux" holes?

How many of those Linux holes where in the core operating system (IE, kernel + GNU tools)? I'm willing to bet zero.

Does windows still have 2 holes once you factor in Exchage, Outlook Express, IIS, IE, Office, SQL Server etc?

Re:There are several reasons...

[Surreal_Streaker]

How many of those Linux holes where in the core operating system (IE, kernel + GNU tools)?

IE is not a core part of the core Linux operating system no matter what you've heard.

Re:There are several reasons...

[koa]

Heres another problem I see with this whole thing. WHY does this patach REQUIRE a reboot after installation? One would think that by 2003 Production server uptime would at LEAST be somewhere on the minds of the people in Redmond! I mean, look- you stop the effected service (windows can do this y'know!) then you replace files.. then START the services back up. I would write more in this post but I accidentally moved my mouse and I need to reboot my machine for the changes to take effect!

to disable the forced shutdowns...(XP)

[j0se_p0inter0]

Start\Settings\Control Panel - Administrative Tools. Services. right-click "Remote Procedure Call (RPC)" hit Properties. click the Recovery tab. set "First Failure", "Second Failure", and "Subsequent Failures" to "Take No Action". that will keep it from trying to reboot as you clean. good luck.

screenshots on msblast

[baxterux]

here are some nice screenshots i made on the msblast and the hidden message "I LOVE SAN"

Re:Windows Update slashdotted?

[javatips]

or maybe the machine reboots every 60s

Linux people: Rejoice!

[Eudial]

All the Linux users (and *BSD for that matter) are walking around with a big smile on their lips days like this.

To make this smile even bigger: Compile this and execute it as root (all ports below 1024 are restricted and needs root permission to be listened to)

Now you can actually *see* when the worm tries it's futile attack on your superior OS.

// begin mblaster_l.c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define PORT 135

int main()
{
int sock_f;
struct sockaddr_in sockaddr_l;
socklen_t len_s;
struct sockaddr_in remote_a;
char buffer[4096];
int remote_p;

sock_f=socket(AF_INET,SOCK_STREAM,0);
if(sock_f<2) { printf("Error: %s \n","Could not create socket"); return 1; }

sockaddr_l.sin_family=AF_INET;
sockaddr_l.sin_port=htons(PORT);
sockaddr_l.sin_addr.s_addr=INADDR_ANY;
memset(&sockaddr_l.sin_zero,0,8);
if(bind(sock_f,(struct sockaddr*)&sockaddr_l,sizeof(struct sockaddr))==-1)
{ printf("Error: %s \n", "Could not bind socket"); return 1; }

if(listen(sock_f,30)==-1) { printf("Error: %s \n", "Could not listen to socket"); return 1; }
len_s=sizeof(struct sockaddr);
while(1)
{
if((remote_p=accept(sock_f,(struct sockaddr*)&remote_a,&len_s))==-1) continue;
if(recv(remote_p,&buffer,4096,0)==-1) continue;
printf("Received data from %s \n",inet_ntoa(remote_a.sin_addr));
printf("%s",buffer);
close(remote_p);
}
}

// end mblaster_l.c

Re:Linux people: Rejoice!

[Junks+Jerzey]

All the Linux users (and *BSD for that matter) are walking around with a big smile on their lips days like this.

Sigh. The Windows exploit is essentially a buffer overrun. Microsoft knew about this and released a patch *before* this worm was even written. So it comes down to two things:

1. It's a common problem caused by people writing OS-level services in languages that are prone to these types of problems. Windows and Linux are in the same boat here. Many such exploits have been found in boths OSes, and more will be found in the future.

2. It doesn't matter how fast a patch is released if people don't download and install the patches. Again, both Windows and Linux are identical in this respect.

If Linux were on 90% of all desktop PCs, you'd see the same kinds of viruses and worms. It's not like there haven't been UNIX worms in the past; to think otherwise is fooling yourself. And if Linux were that popular, it would only be a matter of time until bogus "security updates" started making the rounds, so people log in as root to install them, and BANG.

THIS IS A SUREFIRE WAY TO STOP SHUTDOWNS

[kunsan]

I got the worm yesterday, and found that when the "shutdown" popup appears, just reset the system time... you have a full minute to that. I just pushed the data back one year, and the shutdown is postponed a year! then you can run a full system virus scan, and repair tools

Regards/
JP

Stop Blaming Users, Blame Microsoft

[mizidymizark]

I know this is Slashdot and all the Linux users need their daily affirmation that they are right, but guys, lay off the common user. To expect someone over dialup to have Windows XP patched with the 200 MB of updates since XP came out is rather harsh. I know this hits more broadband users, but working in tech support, we have seen a fair amount of dialup users get hit as well. So before telling the everyday user to switch to Linux for their home machine, maybe we should get Microsoft to check their product for problems before shipping it out.

Re:Good timing...

[irc.goatse.cx+troll]

Something similer happened to me yesterday. A friend of mine immed me saying his computer kept saying it had 60 seconds to reboot, and something about rpc crashing. So I responded with a screenshot of dir c:\ running on his machine.
Moral of the story: I'm an asshole.
(For the record, I then told him where to get the patch, and how to cancle a running shutdown.)

I might not be speaking for everyone, but I say:

[burgburgburg]

I welcome our new Skynet Overlords.

Re:Honest question [Corporate Answer]

Welcome to the corporate world. All things, including service packs, must be tested on all platforms with all applications before being deployed into the environment.

We don't have a couple dozen windows boxes. We have a couple hundred thousand. Patching is *painful*. We're not talking purely servers that are affected--standard workstations. Servers get patches at a much faster rate than the user desktops.

Even after the 4-6 months goes by and the patches get the official blessing for end-user install, users don't like watching the service packs run for half an hour when they login. Besides, who trusts the users to sit around and let them install without playing with stuff.

So....We filter internal site connections to try and contain infections, and work as quickly as possible to mitigate the risks of downtime for system updates vs. the risk of collateral damage (outages) caused by Microsoft's weak code and security practices (AKA bug).

After two years, we're almost done with the Windows2000 conversion, but Microsoft has already been pushing for immediate XP deployment for a year...

Why aren't they all patched? Because nothing moves fast in large installation bases.

Calling it what it is: A "Windows" virus

[FunWithHeadlines]

I heard about this latest virus scare on the radio, and I noticed it was called a "Windows virus" this time, and not the usual "computer virus." It seems even non-techies are finally catching on that these are Windows problems being exploited, and if you run non-Windows machines you are unaffected.

Yes, yes, I know, this is /. and we all know this. My point is that the mainstream press is starting to make the distinction now.

Re:60 second timer

[razberry636]

Of course, if you're getting hammered this isn't going to help much.

A nasty work is quickly spreading across the internet forcing about 90 percent of the connected computers to become inoperable. Thousands of phones are ringing at IT desks all over the world. On the other ends of those phones are screaming, panicky users crying because their computers won't work. Management is calling because now you're the bottleneck causing inefficiency in the team, and you might need to start looking for a new job if this isn't taken care of. And then you trip over a network cable.

I think getting hammered is the best thing to do right now.

Re:Echoes

[fishbert42]

'You'd think every hotmail account would get a message saying "Plug that hole" from whoever it is that runs hotmail.'

Actually, in my hotmail spam repository account I already do get tons of messages saying things like that. But, I don't think they're talking about computer security. =)

Excuses not to be patched

[unfortunateson]

Yeah, it's stupid, but there's a lot of machines that won't get patched:

• Dialup -- those patches are big
  
• FUD about Windows Update watching your machine for bootleg licenses
  
• but most of all, warnings from folks such as Brian Livingston and Woody Leonhard about flawed patches prompt folks like me to delay installation of just about any patch for at least a week, to see if they'll patch the patches.
  

Now, I didn't get hit -- between the firewall, ZoneAlarm and the patches, I think I'm Ok.

Honest answer

[djembe2k]

OK, maybe I'm not really who you are aiming this question at, but probably those folks aren't going to answer, or give the serious and honest answer you're looking for, so I'm what you are going to get.

I patched my home machines probably within 24 hours of the patch being available. I've got a couple of machines, and nobody is depending on their uptime to make a living or maintain a professional corporate image. If only the real world were that easy.

My company lives in the real world. We were hit by this, but pretty lightly, a couple of machines and we were lucky enough to pull the plug on them and cut it off before it spread, mostly because I was monitoring slashdot, and I knew the symptoms of the infection the first time it came up internally.

Our firewall wasn't breached so much as apparently circumvented by a laptop belonging to a user that never accepted the patch -- he got the virus at home, then came to work and plugged in. I assume that just about any company with a firewall at all isn't allowing incoming TCP 135, so I'm guessing that hard-hit companies generally got it this way.

We had identified this patch as critical, even relative to all the other less-critical critical patches. That still meant we had to test it outside of production, which took some time, and we also had to keep an ear to the ground to find out if any of the (many) folks out there who apply patches without testing first had been burned by this one.

When we were satisfied at that point, we had made it available internally to all workstations via SUS -- worst case scenario here if the patch is bad is a lot of re-imaging, but no loss of data, no loss of critical network services, etc. We don't have workstations set to auto-install the patches, so that requires the user to click an install button to complete the process. In many cases, the users had done that. In some, they hadn't.

At that point we started pushing it out to machines via SMS, workstations first, and then starting to patch the servers. (I wish I could give you a timeline for each step here.) Again, we proceeded conservatively, not getting every box at once, and not letting SMS force our servers to reboot after the patch installation, but instead asking various sysadmins to schedule reboots for servers at an acceptable time as soon as possible after the patch was applied.

So, some servers were patched by yesterday. Probably half were not, especially if you count those that were patched but not yet rebooted, which you have to count as not patched, I guess. To my knowledge at this point, we cut this off before any servers were infected, which was really just luck once it was inside the firewall. It could have been worse, but at the same time, many of our boxes were safe by the time yesterday came.

Now, of course, we are frantically patching and rebooting. And if we had been a little more frantic beforehand, we could have easily had it done before yesterday. But little else is getting done today. We've got over 100 Windows servers to deal with here, production, development, testing, IIS, SQL, SMS, DCs, Citrix, physical machines, virtual machines, you name it. It is not trivial to get this job done. And doing it in a hurry is dangerous as well.

And we're lucky. All our boxes are at one location. I'm looking back at how we handled this, and I think that a little more focus and emphasis and we could have patched everything by now, but the attack could just as easily have come a week sooner, and we'd still be having this conversation.

The difficult truth is that, in many cases, it is possible to develop an exploit for a vulnerability more quickly than it is possible to adequate test and deploy a patch in a large and complicated corporate environment. You patch as quickly as you safely can while still getting everything else done, and you also take all the other steps you can to mitigate the damage if you get hit. That's the real world.

This is not FUD

[JRHelgeson]

The security community has been saying for nearly a month that people needed to update their machines. We watched as the hacker community perfected their code for the RPC/DCOM vulnerability and posted their work on hacker sites and discussion groups. Yet the more we begged and pleaded people to update their machines, the more I heard "Aw, they're just hyping the FUD factor."

Let it be suffice to say that if a company is trying to sell you something based upon the FUD factor, treat the information as suspect. I agree, vendors whose software doesn't sell on its own laurels hype the hell out of the FUD factor and give the industry a bad reputation. But don't lump these vendors in with the security consultants that are trying to provide a free service and free advise based upon information that is going around in the security community.

When you get security information, consider the source. Is the security information provided with a sales pitch attached? If so, google the information to determine if it is FUD or legetimate. If it's legit, it'll pay to listen.

Regardless, people, patch your *#&($*@& machines!

Laptops

[mrscott]

Think about this scenario: a perfectly competent administrator has a properly configured firewall which blocks the problem. The "road warrior" brings his laptop from from 3 weeks on the road and had used a bunch of hotel access points where he got the worm. He connects it to his docking station in the office effectively bringing the problem behind the firewall.

Re:Laptops

[zoombat]

Yeppers. I was waiting for a 'Road Warrior' to return (I consult on Friday afternoons only) so I could update his laptop. Upon seeing the news this morning, I sent him an email with instructions (crossing fingers!) on how to use Windows Update.

Careful with Windows Update; it is notorius for falsely reporting that patches are installed properly.. See this discussion about this very patch (MS03-026).

Re:The problem with that is

[WNight]

That's the legacy of MS policies like "DOS ain't done till Lotus don't run!"

You just know you'll let auto-update run and one day it'll "disable" your MP3s because WMV offer so much more security, or something similar.

Re:Sad really

[RoLi]

Check daily for patches on your software, patch it, reboot, get back to work.

Too bad that this "check daily, patch, reboot" procedures never get mentioned in any MS-paid TCO-analysis.

No patch for NT4 --- Thanks M$ !

[menscher]

Micro$haft says:

Microsoft tested Windows NT 4.0 and Windows NT 4.0 Terminal Server Edition. These platforms are vulnerable to the denial of service attack however due to architectural limitations it is infeasible to rebuild the software for Windows NT 4.0 to eliminate the vulnerability.

Well, we patched what we could, and moved most critical services to Linux, but there's still one or two machines running NT. And it's only a matter of time before some luser slips a copy of this worm past our firewall....

Considering the amount if infrastructure that depends on NT4, doesn't this intentionally put the US at greater-than-necessary risk? I'd be fun to see M$ tried under the new anti-terrorism laws.....

Nessus did this attack months ago

[four12]

I was experimenting with nessus several months ago. I unchecked the "safe checks only" option and ran it against a series of internal Windows systems and crashed RPC. I thought "wow, this could be really dangerous if nessus'd a range of public IPs."

Re:Remote Procedure Call

[PurpleFloyd]

RPC isn't just for over-the-network calls; it's also what some Win32 apps use for interprocess communication. Thus, if RPC is borked, your whole system is in trouble (I had a system where the RPC DLLs were corrupted; I couldn't even use simple things like copy and paste, since programs couldn't communmicate with the clipboard buffer).

The only real solution in this case is a good firewall and keeping up with the endless stream of security patches; unfortunately, Microsoft in their infinite wisdom have decided that users can't turn off RPC's network functionality. While turning off services you don't need is good security practice, there are some exploitable services that the system needs and you can't just turn off. RPC falls into this category, and you can't do much besides firewall and patch it.

Correct method to circumvent the virus

[mortisnoir]

Since the shutdown tends to occur the moment you access the internet, do the following;

1. Unplug internet connection
2. Enable Win XP firewall on all valid connections
3. Connect internet connection
4. Download and install the patch from MS
5. Update anti-virus or download and run the removal tool

Good Luck!

msblast.exe available...

[dark-br]

for analysis here

Also some cool screenshots of the beast in action here, and here

Re:Gimme A Chance!!

[dirtydiaper]

Don't worry I know your problem.. You put the wrong boot disk in.. The one you want is the CD that says LINUX not Microsoft Windows XP. If that doesnt work.. Open up you case and find the worm.. They are a brownish colour some are a couple inches long.. good luck!

Re:Sad really

[b-baggins]

Now, this being modded as funny is REALLY sad.

Apple's versioning is as follows: .x = new release = full price .xy = maintenance upgrade = free.

So, 10.1 was full price. 10.1.1 was free. 10.2 was full price. 10.2.6 was free. 10.3 is full price. 10.3.x will be free. 10.4 will be full price, etc.

Apple does not sell upgrade CDs. You buy a full install. This means you don't need to have any previous version of OS X on the machine. So compate the right things. So let's put this in terms the Microsoft Marketing Influenced(TM) can understand.

I paid $129 for the full version of OS X. You paid $299 for the full version of Windows2000 Professional.

I paid $129 for the full version of Jaguar. You paid $399 for the full version of WindowsXP Professional.

I will pay $129 for the full version of Panther. You will pay >$399 for the full version of Longhorn Professional.

Now who should we laugh at?

For all the ranting slashdotters do on how stupid the non-tech/geek person is, I find it hilarious that such a logical, programmer-centric versioning system totally confuses said slashdotter.

I guess MS was pretty smart to call Winnt 5 Windows 2000, and Winnt 5.1 Windows XP, or you'd all be screaming about that $399 "upgrade" as well.