Slashdot Mirror


Win32 Blaster Worm is on the Rise

EvilNight writes "You know you've got it when a 60 second shutdown timer pops up on your screen. The virus uses the RPC vulnerability. It looks like it's reaching critical mass today. Luckily, it's an easy one to stop: Download this security update. Once you've installed that patch, go here and download the removal tool." Update: 08/12 19:19 GMT by M : Security bulletin URL corrected.

34 of 1,251 comments

  1. shutdown /a by mjmalone · · Score: 5, Informative

    My friend was getting hit constantly by this worm yesterday. The box wouldn't stay up long enough for him to install the patches :P. Just a tip for those of you who are getting hit a lot and having your box reboot: To stop those pesky reboots try:

    shutdown /a

    That should abort the shutdown and give you enough time to install patches. This also works well when you install a piece of software that tries to force you to reboot. (Why he hadn't fixed it already is a mystery, especially since slashdot.org is his homepage.)

    1. Re:shutdown /a by Anonymous Coward · · Score: 5, Informative
      You can also go into Computer Manager -> Services and Applications -> Services and change the Recovery settings for Remote Procedure Call (RPC) from "Restart the Computer" to "Restart the Service".

      I was hit by this last night, and couldn't download/install the update in the 60 seconds allowed.

    2. Re:shutdown /a by Jugalator · · Score: 5, Interesting

      Home users, maybe but businesses????

      The largest ISP in Sweden, Telia, had 40 servers collapse from this virus and in effect prevented 16,000 users from logging on to their ADSL service. That gives you a great deal of confidence in an ISP, right? ;-)

      --
      Beware: In C++, your friends can see your privates!
    3. Re:shutdown /a by ChiefArcher · · Score: 5, Funny

      Supposedly, if they don't fix it by this weekend, all the infected boxes are going to attack Microsoft's website all at once.

      So in my opinion.... Don't patch it :)

      ChiefArcher

    4. Re:shutdown /a by zoombat · · Score: 5, Informative
      FFS it's not as if it's attacking via port 80... No properly administered system should ever get this. Home users, maybe but businesses????

      Actually, I had quite a scramble this morning making sure all my mobile users were properly patched. That's my single biggest point-of-entry problem for worms and viruses; people take their notebooks home or on the road and come back infected and reconnect inside the firewall. It's much harder to properly enforce policies on mobile users. Fortunately all our laptops were either patched or left at work yesterday and patched this morning.

      The other possible point of entry is VPNs, which are also notorious for letting in computers that were infected via a different net connection.

    5. Re:shutdown /a by RoLi · · Score: 5, Funny
      I mean that's how you're supposed to setup any operating system. No net connection until you've got all the necessary patches installed and firewalls set up.

      Exactly! It's pretty easy, actually:

      • Unplug Internet connection
      • Download patches from the Internet
      • Set up firewall
      • Plug in Internet connection

      If that doesn't work, just send an email to support@microsoft.com

    6. Re:shutdown /a by Geek+of+Tech · · Score: 5, Funny
      That almost makes me want to infect my box. Oh well.

      --
      Stop the Slashdot effect! Don't read the articles!
    7. Re:shutdown /a by OutRigged · · Score: 5, Informative

      My computers can run without network connections, thank you. You might have noticed that Microsoft phased out standalone patches a couple years ago.

      Um, no they didn't. Every patch Microsoft releases can be downloaded as a standalone installer. Windows Update is intended for home users, but Microsoft knows an admin isn't going to run Windows Update on every computer he maintains. The hotfixes, as they are called, can even be slipstreamed onto an install CD, so they're applied automatically at setup. I've done this with every copy of Windows I've owned since Windows 2000.

      --
      RaGe
      We're all just noise on the wires..
    8. Re:shutdown /a by Nucleon500 · · Score: 5, Funny

      Does the worm work with Wine?

    9. Re:shutdown /a by inKubus · · Score: 5, Funny

      Sorry to whore this out here, but has anyone actually looked at the patch? I mean, this affects a rather important part of the Windows operating system. RPC is used for interprocess communication, named pipes, etc. Couldn't the CIA or something put a bug in it that will forward everything you cut and paste, type, send, etc. to some other entity? And what better way to get the masses to install it than a little worm to exploit a hole they purposely left open?

      Furthermore, Microsoft paid out $520M only yesterday due to patent infringement with a component in MSIE.

      I mean, I'm all patched up, so I know I'm safe but.. oh shit.. the shutdown timer just popped up! Microsoft must be reading what I'm typing. If only I can do this thing quick enough. OH FUCK I have to wait 20 seconds from the time I hit the reply button til when I press submit and it's getting down near 1 nowwwww

      --
      Cool! Amazing Toys.
  2. Wrong link by JPelzer · · Score: 5, Funny

    Shouldn't the "Removal Tool" link point to a Linux ISO download site or something? I mean, this is slashdot... :-)

  3. The Rise by mao+che+minh · · Score: 5, Funny
    DOOM-DOOM-DOOM-DOOM DOOM *PANG*
    DOOM-DOOM-DOOM-DOOM DOOM * PANG*

    At 10:06 AM, August 12th, 2003, Skynet launched dah Win32 Blaster Wahm. It quickly seized contrahl of ahh computers on the Net and forced a mahndatory reboot.

    OK this is getting old.....

  4. Honest question by lseltzer · · Score: 5, Insightful

    Dear all of you who are being hit by this attack:

    Why hadn't you applied the patch before? It was released 7/16 and nothing has had this level of publicity before.

  5. Nasty little bugger by snack · · Score: 5, Informative

    I've been helping my friends get this NASTYNESS off of their machines too.

    Something else you might want to try is booting into safe mode (F8 right when Windows splashscreen pops). Deleting the registry entries, and the virus runprogram (msblast.exe). Also please... PLEASE patch your computer.

    When you're done, run some AV on your system. Some ppl had a 2nd virus sneaking around that they didn't even know about (Spybot.worm).

    -Tim

  6. Cancelling this problem by UnassumingLocalGuy · · Score: 5, Informative

    Yes, you can cancel this. Start up a console session (oh wait, this is Windows, it's called a command prompt) and type in:

    C:\WINDOWS>shutdown -a now

    Granted, this does leave your system in an unstable state, but if you have something urgent you absolutely need to get done, this gives you a few minutes to do it before you reboot.

    --
    "Hu, ho, ho-ah-oh-oh-oh. Hu, ho ho-ah-oh-oh-oh. Mario Paint! Whoaaa!"
  7. Virus by Anonymous Coward · · Score: 5, Funny

    If this thing wouldn't keep crashing computers, it would be spreading like greased wildfire.

  8. It is not easy, one stop! by Eric+Ass+Raymond · · Score: 5, Informative
    The patch does not appear to work properly.

    Read more on SecurityFocus' mailing list.

  9. also by BigBir3d · · Score: 5, Informative

    Internet Storm Center

    Microsoft Bulletin

    Note this is marked "Critical" now...

  10. Re:Good timing... by brejc8 · · Score: 5, Interesting

    The removal tool takes several minutes to run. Just apply the exact patch and remove the msblast.exe from your windows/system32 directory. Then run the tool afterwards to ensure it has gone.
    The exact patch needed is here:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

  11. A little something they left out... by EvilNight · · Score: 5, Informative

    If you want to stop the timer from fscking with you, simply set your clock back a few hours right after the timer appears. Any time you subtract from the clock is added to the timer. This will give you time to install the patches. We got lucky, this one is mostly harmless. This vulnerability was patched on March 26th, btw.

    --
    Hell is being intelligent in a world full of idiots.
  12. This thing hit our customers yesterday... by Snarfangel · · Score: 5, Funny

    I work at an ISP, and over half of our tech support calls yesterday were because of this worm. You wouldn't believe the number of people who thought we were somehow going into their computer and not only kicking them off the internet, but rebooting their computers. (Yes, sir, the tech support staff feels horribly underworked today, so we thought we'd make things more exciting and pi** off a few customers in the process.) I hope they find the person involved and perform medical experiments on him.

    --
    This tagline is copyrighted material. Please send $10 for an affordable replacement.
  13. Just seen an ATM affected... by mccalli · · Score: 5, Funny
    Seriously. If you fancy a laugh, and you're working in the City of London, then go to the Halifax ATM between Cannon Street and Poultry.

    Then try, really, really hard to stop laughing...

    Cheers,
    Ian

  14. You got the wrong security bulletin by daun3507 · · Score: 5, Informative

    While you should have the MS03-010 patch installed, it is the wrong one for this worm. Make sure you use MS03-026. This is the patch that it links to in the removal tool link.

  15. Precisely by Overly+Critical+Guy · · Score: 5, Insightful

    There was even a Slashdot article about the exploit. It was such a big deal because it was the first and only vulnerability for Windows Server 2003 so far.

    All these people sarcastically saying to "patch with Linux" or "use the firewall" are missing the point that the smart people downloaded the 1.2MB patch last month and had no idea anything was going on until we read about the worm on Slashdot. My entire work network was unscathed, because they're all kept completely up to date. I can't think of any reason why someone shouldn't be doing the same to their Windows network, except for arcane Slashbot conspiracy theories or just plain needing to hate Microsoft for something, anything.

    If this was a Linux worm, people would be telling everyone else that they should have patched to the latest versions of whatever. But, it's Windows, so it won't exactly happen that way...

    --
    "Sufferin' succotash."
  16. to disable the forced shutdowns...(XP) by j0se_p0inter0 · · Score: 5, Informative

    Start\Settings\Control Panel - Administrative Tools. Services. right-click "Remote Procedure Call (RPC)" hit Properties. click the Recovery tab. set "First Failure", "Second Failure", and "Subsequent Failures" to "Take No Action". that will keep it from trying to reboot as you clean. good luck.

  17. screenshots on msblast by baxterux · · Score: 5, Informative
    --
    who wants to rule the world?
  18. Linux people: Rejoice! by Eudial · · Score: 5, Informative
    All the Linux users (and *BSD for that matter) are walking around with a big smile on their lips days like this.

    To make this smile even bigger: Compile this and execute it as root (all ports below 1024 are restricted and need root permission to be listened to)

    Now you can actually *see* when the worm tries its futile attack on your superior OS.
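    // begin mblaster_l.c
    // Listens on TCP port 135 and prints whatever each connecting host sends.
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <ctype.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #define PORT 135

    int main(void)
    {
        int sock_f;
        struct sockaddr_in sockaddr_l;
        socklen_t len_s;
        struct sockaddr_in remote_a;
        char buffer[4096];
        int remote_p;
        ssize_t n, i;

        sock_f=socket(AF_INET,SOCK_STREAM,0);
        /* socket() returns -1 on failure; any non-negative descriptor is valid */
        if(sock_f<0) { printf("Error: %s \n","Could not create socket"); return 1; }

        memset(&sockaddr_l,0,sizeof(sockaddr_l));
        sockaddr_l.sin_family=AF_INET;
        sockaddr_l.sin_port=htons(PORT);
        sockaddr_l.sin_addr.s_addr=htonl(INADDR_ANY);
        if(bind(sock_f,(struct sockaddr*)&sockaddr_l,sizeof(sockaddr_l))==-1)
        { printf("Error: %s \n", "Could not bind socket"); return 1; }

        if(listen(sock_f,30)==-1) { printf("Error: %s \n", "Could not listen to socket"); return 1; }
        while(1)
        {
            /* accept() overwrites len_s, so reset it before every call */
            len_s=sizeof(remote_a);
            if((remote_p=accept(sock_f,(struct sockaddr*)&remote_a,&len_s))==-1) continue;
            /* recv() does not NUL-terminate, so leave room for the terminator */
            n=recv(remote_p,buffer,sizeof(buffer)-1,0);
            if(n==-1) { close(remote_p); continue; } /* do not leak the descriptor */
            /* the payload is untrusted binary: mask non-printable bytes before printing */
            for(i=0;i<n;i++)
                if(!isprint((unsigned char)buffer[i]) && buffer[i]!='\n') buffer[i]='.';
            buffer[n]='\0';
            printf("Received data from %s \n",inet_ntoa(remote_a.sin_addr));
            printf("%s\n",buffer);
            close(remote_p);
        }
    }

    // end mblaster_l.c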
    --
    GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
  19. THIS IS A SUREFIRE WAY TO STOP SHUTDOWNS by kunsan · · Score: 5, Informative

    I got the worm yesterday, and found that when the "shutdown" popup appears, just reset the system time... you have a full minute to do that. I just pushed the date back one year, and the shutdown is postponed a year! Then you can run a full system virus scan and repair tools.

    Regards/
    JP

    --
    The facts expressed here belong to all, the opinions to me. The distinction between fact and opinion is yours to decide.
  20. Stop Blaming Users, Blame Microsoft by mizidymizark · · Score: 5, Insightful

    I know this is Slashdot and all the Linux users need their daily affirmation that they are right, but guys, lay off the common user. To expect someone over dialup to have Windows XP patched with the 200 MB of updates since XP came out is rather harsh. I know this hits more broadband users, but working in tech support, we have seen a fair amount of dialup users get hit as well. So before telling the everyday user to switch to Linux for their home machine, maybe we should get Microsoft to check their product for problems before shipping it out.

  21. I might not be speaking for everyone, but I say: by burgburgburg · · Score: 5, Funny

    I welcome our new Skynet Overlords.

  22. Calling it what it is: A "Windows" virus by FunWithHeadlines · · Score: 5, Interesting
    I heard about this latest virus scare on the radio, and I noticed it was called a "Windows virus" this time, and not the usual "computer virus." It seems even non-techies are finally catching on that these are Windows problems being exploited, and if you run non-Windows machines you are unaffected.

    Yes, yes, I know, this is /. and we all know this. My point is that the mainstream press is starting to make the distinction now.

  23. Re:Echoes by fishbert42 · · Score: 5, Funny

    'You'd think every hotmail account would get a message saying "Plug that hole" from whoever it is that runs hotmail.'

    Actually, in my hotmail spam repository account I already do get tons of messages saying things like that. But, I don't think they're talking about computer security. =)

  24. Honest answer by djembe2k · · Score: 5, Interesting
    OK, maybe I'm not really who you are aiming this question at, but probably those folks aren't going to answer, or give the serious and honest answer you're looking for, so I'm what you are going to get.

    I patched my home machines probably within 24 hours of the patch being available. I've got a couple of machines, and nobody is depending on their uptime to make a living or maintain a professional corporate image. If only the real world were that easy.

    My company lives in the real world. We were hit by this, but pretty lightly, a couple of machines and we were lucky enough to pull the plug on them and cut it off before it spread, mostly because I was monitoring slashdot, and I knew the symptoms of the infection the first time it came up internally.

    Our firewall wasn't breached so much as apparently circumvented by a laptop belonging to a user that never accepted the patch -- he got the virus at home, then came to work and plugged in. I assume that just about any company with a firewall at all isn't allowing incoming TCP 135, so I'm guessing that hard-hit companies generally got it this way.

    We had identified this patch as critical, even relative to all the other less-critical critical patches. That still meant we had to test it outside of production, which took some time, and we also had to keep an ear to the ground to find out if any of the (many) folks out there who apply patches without testing first had been burned by this one.

    When we were satisfied at that point, we had made it available internally to all workstations via SUS -- worst case scenario here if the patch is bad is a lot of re-imaging, but no loss of data, no loss of critical network services, etc. We don't have workstations set to auto-install the patches, so that requires the user to click an install button to complete the process. In many cases, the users had done that. In some, they hadn't.

    At that point we started pushing it out to machines via SMS, workstations first, and then starting to patch the servers. (I wish I could give you a timeline for each step here.) Again, we proceeded conservatively, not getting every box at once, and not letting SMS force our servers to reboot after the patch installation, but instead asking various sysadmins to schedule reboots for servers at an acceptable time as soon as possible after the patch was applied.

    So, some servers were patched by yesterday. Probably half were not, especially if you count those that were patched but not yet rebooted, which you have to count as not patched, I guess. To my knowledge at this point, we cut this off before any servers were infected, which was really just luck once it was inside the firewall. It could have been worse, but at the same time, many of our boxes were safe by the time yesterday came.

    Now, of course, we are frantically patching and rebooting. And if we had been a little more frantic beforehand, we could have easily had it done before yesterday. But little else is getting done today. We've got over 100 Windows servers to deal with here, production, development, testing, IIS, SQL, SMS, DCs, Citrix, physical machines, virtual machines, you name it. It is not trivial to get this job done. And doing it in a hurry is dangerous as well.

    And we're lucky. All our boxes are at one location. I'm looking back at how we handled this, and I think that a little more focus and emphasis and we could have patched everything by now, but the attack could just as easily have come a week sooner, and we'd still be having this conversation.

    The difficult truth is that, in many cases, it is possible to develop an exploit for a vulnerability more quickly than it is possible to adequately test and deploy a patch in a large and complicated corporate environment. You patch as quickly as you safely can while still getting everything else done, and you also take all the other steps you can to mitigate the damage if you get hit. That's the real world.
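
An added example, not part of any comment in this thread: several posters describe an infected laptop being plugged in behind a firewall that blocks incoming TCP 135, so one way to spot that machine is to look for an internal source contacting many distinct hosts on TCP 135 in a short window. The log format, addresses, 60-second window and threshold of 5 are all assumptions made for illustration, and records are assumed to be in time order.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flow records (hypothetical format and addresses).
SAMPLE_LOG = """\
2003-08-12T09:14:01 src=10.1.4.23 dst=10.1.4.24 dport=135 proto=tcp
2003-08-12T09:14:01 src=10.1.4.23 dst=10.1.4.25 dport=135 proto=tcp
2003-08-12T09:14:02 src=10.1.2.10 dst=10.1.9.5 dport=135 proto=tcp
2003-08-12T09:14:02 src=10.1.4.23 dst=10.1.4.26 dport=135 proto=tcp
2003-08-12T09:14:03 src=10.1.4.23 dst=10.1.4.27 dport=135 proto=tcp
garbage line without fields
2003-08-12T09:14:03 src=10.1.4.23 dst=10.1.4.28 dport=135 proto=tcp
2003-08-12T09:14:04 src=10.1.4.23 dst=10.1.4.29 dport=135 proto=tcp
2003-08-12T09:14:05 src=10.1.2.10 dst=10.1.9.5 dport=135 proto=tcp
2003-08-12T09:14:06 src=203.0.113.9 dst=10.1.9.5 dport=135 proto=tcp
2003-08-12T09:16:00 src=10.1.3.7 dst=10.1.9.5 dport=135 proto=tcp
2003-08-12T09:20:00 src=10.1.3.7 dst=10.1.9.6 dport=135 proto=tcp
2003-08-12T09:24:00 src=10.1.3.7 dst=10.1.9.7 dport=135 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def find_rpc_sweepers(lines, internal="10.0.0.0/8",
                      window=timedelta(seconds=60), threshold=5, port=135):
    """Map each internal source to the peak number of distinct hosts it
    contacted on tcp/<port> inside any window; keep those >= threshold."""
    net = ipaddress.ip_network(internal)
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs still in window
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "tcp" or int(m["dport"]) != port:
            continue  # malformed record or unrelated traffic
        try:
            ts = datetime.fromisoformat(m["ts"])
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # unparseable timestamp or address
        if src not in net:
            continue  # external sources are the perimeter firewall's job
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop contacts that aged out
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {str(s): n for s, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for host, count in find_rpc_sweepers(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {count} distinct TCP 135 targets within 60s")
```

In the sample, the client that repeatedly talks to one server and the host that reaches three servers over eight minutes stay below the threshold; only the host sweeping its subnet is reported.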

  25. Re:Sad really by b-baggins · · Score: 5, Insightful

    Now, this being modded as funny is REALLY sad.

    Apple's versioning is as follows: .x = new release = full price .xy = maintenance upgrade = free.

    So, 10.1 was full price. 10.1.1 was free. 10.2 was full price. 10.2.6 was free. 10.3 is full price. 10.3.x will be free. 10.4 will be full price, etc.

    Apple does not sell upgrade CDs. You buy a full install. This means you don't need to have any previous version of OS X on the machine. So compare the right things. So let's put this in terms the Microsoft Marketing Influenced(TM) can understand.

    I paid $129 for the full version of OS X. You paid $299 for the full version of Windows2000 Professional.

    I paid $129 for the full version of Jaguar. You paid $399 for the full version of WindowsXP Professional.

    I will pay $129 for the full version of Panther. You will pay >$399 for the full version of Longhorn Professional.

    Now who should we laugh at?

    For all the ranting slashdotters do on how stupid the non-tech/geek person is, I find it hilarious that such a logical, programmer-centric versioning system totally confuses said slashdotter.

    I guess MS was pretty smart to call Winnt 5 Windows 2000, and Winnt 5.1 Windows XP, or you'd all be screaming about that $399 "upgrade" as well.

    --
    You can tell a great deal about the character of a man by observing those who hate him.