Using NT/2k/XP/2k3? Now is a good time to patch.

[Zedd]

A very nasty worm has been going around, causing system reboots.

Blatantly copied from www.sophos.com:

W32/Blaster-A is a worm that uses the internet to exploit the DCOM vulnerability in the RPC (Remote Procedure Call) service. The DCOM vulnerability was first reported by Microsoft in mid-July. This worm does not use email to spread.

Targeted computers include the following Microsoft operating systems:

Windows NT 4.0

Windows NT 4.0 Terminal Services Edition

Windows XP

Windows Server 2003

(On Windows XP the exploit can accidentally cause the remote RPC service to terminate. This causes the Windows XP machine to reboot).

Windows 95/98/Me computers, which don't run an RPC service or have a TFTP client (default setting), are not at risk.

On finding a vulnerable computer system, the worm causes the remote machine to acquire a copy of the worm using TFTP, which is saved as msblast.exe in the Windows system folder.

Microsoft issued a patch for the vulnerability exploited by this worm on July 16, 2003. The patch is available from www.microsoft.com/technet...3-026.asp.

From 16 August 2003, one month after the security patch was posted, the worm is programmed to launch a distributed denial-of-service attack on windowsupdate.com, which may severely impact access to the website Microsoft uses to distribute security patches.

Additionally the worm creates the following registry entry so as to run on system start:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update

The worm contains the following text, which does not get displayed:

I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!



Grab the patch from:

http://www.microsoft.com/technet/security/...in/MS03-026.asp

or, if you'd prefer a 3rd party download location:

http://wcts.whitman.edu/ms03-026.html

Sorry if this is spammish, but I figured some of ya might find use in this.

[pakman]

I have heard about this. I don't have to patch quite yet, seeing as my computer is not connected to the internet to get the worm, but I will dl it and patch it before I go back to school.

[Numsay]

I have this on one of my PCs. Get your windows update now!

[TaMeOlta]

I have this on one of my PCs.  Get your windows update now!

:o How do we know its really you , Numsay , and not a Numsay-Wannabe-Worm ?!? :ph34r:

[Nicodemus Phaulkon]

Symantec also has a nice little removal tool available

clicky

[Numsay]

How do we know its really you , Numsay , and not a Numsay-Wannabe-Worm ?!? 

Just to prove it's me, I'll let everyone in on the fact that you have three heads. :P

Symantec also has a nice little removal tool available

That tool seems to have defeated the evil worm for me. Hopefully it will not make a Diablo like comeback.

[Kevin]

The only problem with this is that this is a root level attack. Once infected you have no way of knowing just exactly what was done to the system.

I know of many institutions that will only trust a complete system rebuild before allowing the system back on the network after an infection.

I'm not saying the tool doesn't work, it removes the initial point of infection. I'm just saying that may not be enough.

This one is serious.

[Dozer]

People should be shot for not running windows update AT LEAST monthly. Or hacked.... oh wait, that's what happens :lol:

[Archon_Wing]

This has been out for quite a while. For those of you that haven't and are running windows, better update.

[Bob]

Windows 95/98/Me computers, which don't run an RPC service or have a TFTP client (default setting), are not at risk

I'm using W98, can someone unjargon that for me?

Thanks in advance

-Bob

[Rhydderch Hael]

It means that, without the wizbang gimmicks and gizmos found in the latest MS op systems, our beloved Win98 (mine too) don't have as great a risk of being infected, as oppossed to the "we'll do the thinking for ya', whether you like it or not " operating mentality of WinXP and 2000... ;)

[Ashkael]

This worm is driving me nuts.

I downloaded the removal tool from Symantec and ran it 5 times, and it didn't work. After that, I tried running a system scan with my antivirus software. After some failed tests due to the computer rebooting, I finally got the scan to run to completion and got the worm deleted.

There's one problem, though. The damn rebooting didn't go away.

After a few more rebootings, I ran the Symantec removal tool again and the antivirus detected the worm again. I've gone into the registry as Symantec suggests, and there are no references to the worm.

Regarding the patch, I recently got my PC formated and Windows XP installed on it, and haven't downloaded service pack 1 yet. Since the patch requires service pack 1, and the damn thing is 125 MB big, there's no way I will be able to download it before the computer reboots.

Does anyone have any suggestions? I could really use some help right now.

[Numsay]

Hi, yes this thing is a bear to get rid of. I got rid of it today (I think), it took me about six hours. This is what finally worked for me.
I'm assuming since you were infected you have no firewall running.
Step one, go out and get a firewall. I had one just sitting on my PC that I didn't even know about. Check your programs list.
Step two, install it, fire up the internet and block everything that tries to get in, other then explorer and your ISP.
Step three, get the patch downloaded and installed ASAP. Just the patch not the whole service pack.
Step four run the Symantec tool.
Step five get the windows update.

That's what worked for me, Good luck.

Numsay

PS they have some good info in this thread over at the AB.

[WarLocke]

Oh crap, I have this thing too. I thought it was just some hacker hitting random IP addresses and remotely rebooting computers. I turned on my firewall (after kicking myself for not having it on beforehand) and things have been hunky-dory (reboot-wise) since.

Gonna go look into the Symantec solution now. :(

[whyBish]

Infected most of our (300 or so) machines at work... I think I was about one of the only ones it didn't infect.

Our internal guys say that you should do the patch before you run that fix-blaster utility from symantec. (No idea why)

[Ashkael]

Thanks for the tips. With the firewall on, the accursed rebooting has been solved. However, when I try to install the patch I get an error message telling me that setup couldn't decompress the files.

Any ideas of what's going on?

[Destroy-Titus]

I caught that stupid worm the other day, I didnt update because my XP was not "legitimate" and I was afraid if I updated it, I would be blacklisted, so anyways I'm using my legitimate win 2000 copy (pro) will that worm affect 2000 (I guess my question is, is winME same as win2k pro?) either way I guess I should UD :lol:

[Jarulf]

Just wondering. IS the bug in the Windows such that one can get infected by just being connected to the net? Obviously the virus needs to get not only into your computer but also need to run. This means some part of WIndows (that is not obvious to a user and "on" by default) must be running and accepting input from the outside (and it has a bug of some sort that allows a specific type of data sent to actually run, buffer overflow?). Is that correct?

Not directly realted to the virus but is this service running needed or can it be turned of? IF it can't, why do it have to be running listening and accepting input from the outside. And most importantly, are there many other such things running? Yes, I know someone posted a good site for info on services and how to remove unwanted ones and such in another thread in reply to some question I had, that might have all the above answers :)

In my opinion, NOTHING should by default be "on" in your OS when you install it, that communicate from the outside, especially one that accept input from the outside. That is just asking for problem. The user should have to activate it manually (and of course make sure to take whatever precausiions possible to set it up properly and update it first (not that it help against unknown bugs). Oh well.

[BOB2]

Just wondering. IS the bug in the Windows such that one can get infected by just being connected to the net?

Actually yes. After looking at it, it moves from computer to computer in a semi random way. So every time you are connected you are able to be aimed to received a new version of it.

Anyway firewalling every access to your computer will prevent from an incoming arrival of the worm.

Just a little advice: go into your services, select properties for the RPC service, deselect the automatic reboot and replace it by do nothing. By this way you will be able to follow all the steps you want to ( and eventually downloading patch or removal tools)

To reply to your questions: RPC is really nice when you get more than one comp, so it is hardly difficult to turn it off. One other thing most of us can do is turning of distributed com services.

I totally agree with you everything should be off on a system by default, by this not the way it is. If it were on a commercial OS, there will be to many complaints from customer arguing your OS do nothing, everytime I want to do something, I am stucked ...

[Jarulf]

>Actually yes. After looking at it, it moves from computer to computer
>in a semi random way. So every time you are connected you are able
>to be aimed to received a new version of it.

This certainly is bad since it means that there is no way to easilly avoid getting a virus. It used to be that you actually had to do some active thing, like running a file sent or so to get a virus. Now, you can get one without actively doing anything. That is definately bad.


>Anyway firewalling every access to your computer will prevent from
>an incoming arrival of the worm.

I am personally very sceptical to firewalls. If the computer is set up properly, there should be no need for a firewall to start with. That is like claiming it is good to put a big cage arround your house to prevent people from entering (or leaving) since there are those big gaping wholes in the walls. The proper way is of course to make sure the holes have proper windows and doors that are locked, then there is no need for the cage.

The "best" reason for me to get a firewall (although I have not yet) have so far been to prevent programs I actually want to use to have some hidden malicious part that wants to connect OUT of my computer, such as spyware and such. Still, I prefer to make sure rpograms I use doesn't have such parts to start with though.

>To reply to your questions: RPC is really nice when you get more
>than one comp, so it is hardly difficult to turn it off. One other thing
>most of us can do is turning of distributed com services.

I would argue that most people at home doesn't run multiple computers in networks hence no need for that feature to be on, especially not for Windows Home Edition. Those that want to run multiple computers, and know enough to actually use the features of RPC, can surely cope with having to activate it. 95% of the people that doesn't have multiple computers doesn't even have a clue there is something called RPC, let alone know what it do so why is it there? :)

My question would be, is it OK for me to turn it (RPC) off completely then? And/Or remove it, since I only have one computer?

By the way, I had allready patched myself some time ago, so have not had any problem with this worm.