Beware the MSBlaster Worm, it will get you

Discussion in 'rec.audio.pro' started by Luke Kaven, Aug 12, 2003.

  1. Luke Kaven

    The Blaster/Posa/Lovsan worm will hunt you down and find you and cause
    you downtime and abundant headache without your doing anything to
    invite it. [I had such fun yesterday, all day] Hundreds of thousands
    of systems are being infected right now, and they are out looking for
    *you*!. If you run Windows2000/XP/NT, you want to download the listed
    patch (KB823980) immediately, and I do mean immediately. If you use
    Win2000, you need to be at least at Service Pack 2 to install this
    patch.

    Some of the early symptoms:

    * If you see a process running called "msblast.exe", you have it.
    * SVCHOST shuts down with errors
    * Drag and drop stops working
    * Add/Delete programs comes up blank with a "Cl&ose" button
    * File Search will fail to launch
    * Shift-Click in Internet Explorer (to launch in new window) does not
    work
    * Internet Explorer shows a blank version number (Help->About Internet
    Explorer)
    * Numerous programs (MS-Word/Excel, EZ-CDCreator, etc.), will not
    launch
    * Outlook Express will fail with (insufficient memory) if one tries to
    send a new message

    Here's hoping you have a worm-free day!

    Luke

    =====

    From a notice posted by Jerry Bryant in microsoft.public.security -

    SEVERITY: CRITICAL
    DATE: August 11, 2003
    PRODUCTS AFFECTED: Windows XP, Windows 2000, Windows Server 2003,
    Windows NT 4.0, NT 4.0 Terminal Services Edition

    WHAT IS IT?
    The Microsoft Product Support Services Security Team is issuing this
    alert to inform customers about a new worm named W32.Blaster.Worm which
    is spreading in the wild. This virus is also known as: W32/Lovsan.worm
    (McAfee), WORM_MSBLAST.A (Trendmicro), Win32.Posa.Worm (Computer
    Associates). Best practices, such as applying security patch MS03-026
    should prevent infection from this worm.

    Customers that have previously applied the security patch MS03-026
    before today are protected and no further action is required.

    IMPACT OF ATTACK: Spread through open RPC ports. Customer's machine
    gets re-booted or has mblast.exe exists on customer's system.

    TECHNICAL DETAILS: This worm scans a random IP range to look for
    vulnerable systems on TCP port 135. The worm attempts to exploit the
    DCOM RPC vulnerability patched by MS03-026.

    Once the Exploit code is sent to a system, it downloads and executes
    the file MSBLAST.EXE from a remote system via TFTP. Once run, the worm
    creates the registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill

    Symptoms of the virus: Some customers may not notice any symptoms at
    all. A typical symptom is the system is rebooting every few minutes
    without user input. Customers may also see:
    - Presence of unusual TFTP* files
    - Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory

    To detect this virus, search for msblast.exe in the WINDOWS SYSTEM32
    directory or download the latest anti-virus software signature from
    your anti-virus vendor and scan your machine.

    For additional details on this worm from anti-virus software vendors
    participating in the Microsoft Virus Information Alliance (VIA) please
    visit the following links:

    Network Associates:
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547

    Trend Micro:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A

    Symantec:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

    Computer Associates: http://www3.ca.com/virusinfo/virus.aspx?ID=36265

    For more information on Microsoft's Virus Information Alliance please
    visit this link: http://www.microsoft.com/technet/security/virus/via.asp

    Please contact your Antivirus Vendor for additional details on this
    virus.

    PREVENTION: Turn on Internet Connection Firewall (Windows XP or Windows
    Server 2003) or use a third party firewall to block TCP ports 135, 139,
    445 and 593; TCP ports 135, 139, 445 and 593; also UDP 69 (TFTP) for
    zombie bits download and TCP 4444 for remote command shell. To enable
    the Internet Connection Firewall in Windows:
    http://support.microsoft.com/?id=283673

    1. In Control Panel, double-click Networking and Internet Connections,
       and then click Network Connections.
    2. Right-click the connection on which you would like to enable ICF,
       and then click Properties.
    3. On the Advanced tab, click the box to select the option to Protect
       my computer or network.

    This worm utilizes a previously-announced vulnerability as part of its
    infection method. Because of this, customers must ensure that their
    computers are patched for the vulnerability that is identified in
    Microsoft Security Bulletin MS03-026.
    http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.
    Install the patch MS03-026 from Windows Update
    http://windowsupdate.microsoft.com

    As always, please make sure to use the latest Anti-Virus detection
    from your Anti-Virus vendor to detect new viruses and their variants.

    RECOVERY: Security best practices suggest that previously compromised
    machine be wiped and rebuilt to eliminate any undiscovered exploits
    that can lead to a future compromise. See Cert Advisory:
    Steps for Recovering from a UNIX or NT System Compromise.
    http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

    For additional information on recovering from this attack please
    contact your preferred anti-virus vendor.

    RELATED MICROSOFT SECURITY BULLETINS:
    http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

    RELATED KB ARTICLES: http://support.microsoft.com/?kbid=826955
    This article will be available within 24 hours.

    RELATED LINKS: http://www.microsoft.com/security/incident/blast.asp
    As always please make sure to use the latest Anti-Virus detection from
    your Anti-Virus vendor to detect new viruses and their variants.

    If you have any questions regarding this alert please contact your
    Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the
    US, outside of the US please contact your local Microsoft Subsidiary.
    Support for virus related issues can also be obtained from the
    Microsoft Virus Support Newsgroup which can be located by clicking on
    the following link
    news://msnews.microsoft.com/microsoft.public.security.virus.
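
The traffic pattern the notice describes (scanning on TCP 135, then TCP 4444 and UDP 69 between the same two hosts) can be looked for in firewall or flow logs. The script below is an added example, not part of the original thread or of Microsoft's notice; the log format, the thresholds and the addresses are constructed assumptions.

```python
"""Triage connection records for the Blaster traffic pattern in the notice."""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the notice: worm scan/exploit, command shell, payload download.
STAGES = {
    ("TCP", 135): "rpc-135",
    ("TCP", 4444): "shell-4444",
    ("UDP", 69): "tftp-69",
}

# Assumed thresholds (not from the notice); tune them for your own network.
SCAN_MIN_TARGETS = 5                 # distinct TCP 135 destinations per source
CHAIN_WINDOW = timedelta(minutes=5)  # max gap between stages of one infection

# Constructed sample in an assumed format: "timestamp PROTO src dst dport".
SAMPLE = """
2003-08-12T10:00:01 TCP 198.51.100.23 192.0.2.10 135
2003-08-12T10:00:01 TCP 198.51.100.23 192.0.2.11 135
2003-08-12T10:00:02 TCP 198.51.100.23 192.0.2.12 135
2003-08-12T10:00:02 TCP 198.51.100.23 192.0.2.13 135
2003-08-12T10:00:03 TCP 198.51.100.23 192.0.2.14 135
2003-08-12T10:00:05 TCP 198.51.100.23 192.0.2.12 4444
2003-08-12T10:00:06 UDP 192.0.2.12 198.51.100.23 69
2003-08-12T10:02:00 TCP 192.0.2.30 192.0.2.31 135
2003-08-12T10:03:00 TCP 192.0.2.10 192.0.2.20 80
2003-08-12T11:30:00 TCP 192.0.2.40 192.0.2.41 135
2003-08-12T11:30:02 TCP 192.0.2.40 192.0.2.41 4444
not a log line
""".splitlines()


def parse(line):
    """Return (ts, proto, src, dst, dport), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        port = int(parts[4])
    except ValueError:
        return None
    return ts, parts[1].upper(), parts[2], parts[3], port


def has_chain(events):
    """True if a 4444 event has both a 135 and a TFTP event close to it."""
    for t in events.get("shell-4444", []):
        if all(
            any(abs(u - t) <= CHAIN_WINDOW for u in events.get(stage, []))
            for stage in ("rpc-135", "tftp-69")
        ):
            return True
    return False


def triage(lines):
    """Flag TCP 135 scanners and host pairs showing all three stages."""
    targets = defaultdict(set)  # src -> distinct TCP 135 destinations
    pairs = defaultdict(lambda: defaultdict(list))  # {a, b} -> stage -> times
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, proto, src, dst, port = rec
        stage = STAGES.get((proto, port))
        if stage is None or src == dst:
            continue
        if stage == "rpc-135":
            targets[src].add(dst)
        # Direction is ignored on purpose: the pair is what gets correlated.
        pairs[frozenset((src, dst))][stage].append(ts)
    scanners = sorted(s for s, d in targets.items() if len(d) >= SCAN_MIN_TARGETS)
    chains = sorted(tuple(sorted(p)) for p, ev in pairs.items() if has_chain(ev))
    return {"scanners": scanners, "chains": chains}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("TCP 135 scanners:", result["scanners"])
    print("135 + 4444 + TFTP between:", result["chains"])
```

A host on your own network that shows up under `scanners` is a candidate for the cleanup and patching steps in the notice; a pair under `chains` suggests a completed infection rather than a blocked probe.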
  2. And here's a MacInTouch-provided link to an article about this damned
    worm:

    <http://news.com.com/2100-1002-5062364.html?tag=macintouch>

    This is a very nasty thing, people.

    Luke Kaven <luke@smallsrecords.com> wrote:

    > The Blaster/Posa/Lovsan worm will hunt you down and find you and cause
    > you downtime and abundant headache without your doing anything to
    > invite it. [I had such fun yesterday, all day] Hundreds of thousands
    > of systems are being infected right now, and they are out looking for
    > *you*!. If you run Windows2000/XP/NT, you want to download the listed
    > patch (KB823980) immediately, and I do mean immediately. If you use
    > Win2000, you need to be at least at Service Pack 2 to install this
    > patch.
    >
    > Some of the early symptoms:
    >
    > * If you see a process running called "msblast.exe", you have it.
    > * SVCHOST shuts down with errors
    > * Drag and drop stops working
    > * Add/Delete programs comes up blank with a "Cl&ose" button
    > * File Search will fail to launch
    > * Shift-Click in Internet Explorer (to launch in new window) does not
    > work
    > * Internet Explorer shows a blank version number (Help->About Internet
    > Explorer)
    > * Numerous programs (MS-Word/Excel, EZ-CDCreator, etc.), will not
    > launch
    > * Outlook Express will fail with (insufficient memory) if one tries to
    > send a new message
    >
    > Here's hoping you have a worm-free day!
    >
    > Luke
    >
    > =====
    >
    > From a notice posted by Jerry Bryant in microsoft.public.security -
    >
    > SEVERITY: CRITICAL
    > DATE: August 11, 2003
    > PRODUCTS AFFECTED: Windows XP, Windows 2000, Windows Server 2003,
    > Windows NT
    > 4.0, NT 4.0 Terminal Services Edition
    >
    > WHAT IS IT?
    > The Microsoft Product Support Services Security Team is issuing this
    > alert
    > to inform customers about a new worm named W32.Blaster.Worm which is
    > spreading in the wild. This virus is also known as: W32/Lovsan.worm
    > (McAfee), WORM_MSBLAST.A (Trendmicro), Win32.Posa.Worm (Computer
    > Associates). Best practices, such as applying security patch MS03-026
    > should
    > prevent infection from this worm.
    >
    > Customers that have previously applied the security patch MS03-026
    > before
    > today are protected and no further action is required.
    >
    > IMPACT OF ATTACK: Spread through open RPC ports. Customer's machine
    > gets
    > re-booted or has mblast.exe exists on customer's system.
    >
    > TECHNICAL DETAILS: This worm scans a random IP range to look for
    > vulnerable
    > systems on TCP port 135. The worm attempts to exploit the DCOM RPC
    > vulnerability patched by MS03-026.
    >
    > Once the Exploit code is sent to a system, it downloads and executes
    > the
    > file MSBLAST.EXE from a remote system via TFTP. Once run, the worm
    > creates
    > the registry key:
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    > "windows
    > auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill
    >
    > Symptoms of the virus: Some customer may not notice any symptoms at
    > all. A
    > typical symptom is the system is rebooting every few minutes without
    > user
    > input. Customers may also see:
    > - Presence of unusual TFTP* files
    > - Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
    >
    > To detect this virus, search for msblast.exe in the WINDOWS SYSTEM32
    > directory or download the latest anti-virus software signature from
    > your
    > anti-virus vendor and scan your machine.
    >
    > For additional details on this worm from anti-virus software vendors
    > participating in the Microsoft Virus Information Alliance (VIA) please
    > visit
    > the following links:
    >
    > Network Associates:
    > http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547
    >
    > Trend Micro:
    > http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
    >
    > Symantec:
    > http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
    >
    > Computer Associates: http://www3.ca.com/virusinfo/virus.aspx?ID=36265
    >
    > For more information on Microsoft's Virus Information Alliance please
    > visit
    > this link: http://www.microsoft.com/technet/security/virus/via.asp
    >
    > Please contact your Antivirus Vendor for additional details on this
    > virus.
    >
    > PREVENTION: Turn on Internet Connection Firewall (Windows XP or
    > Windows
    > Server 2003) or use a third party firewall to block TCP ports 135,
    > 139, 445
    > and 593; TCP ports 135, 139, 445 and 593; also UDP 69 (TFTP) for
    > zombie bits
    > download and TCP 4444 for remote command shell. To enable the Internet
    > Connection Firewall in Windows:
    > http://support.microsoft.com/?id=283673
    >
    > 1. In Control Panel, double-click Networking and Internet Connections,
    > and
    > then click Network Connections.
    > 2. Right-click the connection on which you would like to enable ICF,
    > and
    > then click Properties.
    > 3. On the Advanced tab, click the box to select the option to Protect
    > my
    > computer or network.
    >
    > This worm utilizes a previously-announced vulnerability as part of its
    > infection method. Because of this, customers must ensure that their
    > computers are patched for the vulnerability that is identified in
    > Microsoft
    > Security Bulletin MS03-026.
    > http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.
    > Install the
    > patch MS03-026 from Windows Update http://windowsupdate.microsoft.com
    >
    > As always, please make sure to use the latest Anti-Virus detection
    > from your
    > Anti-Virus vendor to detect new viruses and their variants.
    >
    > RECOVERY: Security best practices suggest that previously compromised
    > machine be wiped and rebuilt to eliminate any undiscovered exploits
    > that can
    > lead to a future compromise. See Cert Advisory:
    > Steps for Recovering from a UNIX or NT System Compromise.
    > http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
    >
    > For additional information on recovering from this attack please
    > contact
    > your preferred anti-virus vendor.
    >
    > RELATED MICROSOFT SECURITY BULLETINS:
    > http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
    >
    > RELATED KB ARTICLES: http://support.microsoft.com/?kbid=826955
    > This article will be available within 24 hours.
    >
    > RELATED LINKS: http://www.microsoft.com/security/incident/blast.asp
    > As always please make sure to use the latest Anti-Virus detection from
    > your
    > Anti-Virus vendor to detect new viruses and their variants.
    >
    > If you have any questions regarding this alert please contact your
    > Microsoft
    > representative or 1-866-727-2338 (1-866-PCSafety) within the US,
    > outside of
    > the US please contact your local Microsoft Subsidiary. Support for
    > virus
    > related issues can also be obtained from the Microsoft Virus Support
    > Newsgroup which can be located by clicking on the following link
    > news://msnews.microsoft.com/microsoft.public.security.virus.


    --
    hank alrich * secret mountain
    audio recording * music production * sound reinforcement
    "If laughter is the best medicine let's take a double dose"
  3. Bob Smith

    LeBaron & Alrich wrote:
    >
    > And here's a MacInTouch-provided link to an article about this damned
    > worm:
    >
    > <http://news.com.com/2100-1002-5062364.html?tag=macintouch>
    >
    > This is a very nasty thing, people.
    >
    > Luke Kaven <luke@smallsrecords.com> wrote:
    >
    > > The Blaster/Posa/Lovsan worm will hunt you down and find you and cause
    > > you downtime and abundant headache without your doing anything to
    > > invite it. [I had such fun yesterday, all day] Hundreds of thousands


    It is indeed very active. My hardware firewall is currently logging
    hundreds of attacks per day on port 135.

    bobs

    Bob Smith
    BS Studios
    we organize chaos
    http://www.bsstudios.com
  4. I had this same problem yesterday, the way I came around this is:

    - Start > Run > regedit (on Windows XP Pro)
    - Edit > Find... (search for msblaster)
    - anything which has a value of msblaster, delete it

    NOTE: Would be nice to back up your Windows registry first by File >
    Save as... in the Registry Editor.

    I had 2 keys with the values containing "msblaster".

    After you've done this, restart your computer and hopefully everything
    should be sorted.

    REASON: This worm is relatively new, and hence no (less)
    support/anti-virus is available for it. This worm tries to start
    itself on every restart through these registry values, so if you delete
    these values the worm doesn't start up.

    A good thing to do would be download the windows updates from
    microsoft's website.

    HTH
    Abhishek VERMA
  5. Pat Sproule

    I would advise against just hacking the registry - just have a look at
    www.sarc.com - follow the link to the w32.blaster.worm. Symantec have a free
    and very simple tool that fixes the damage and then takes you to the update
    patch from Microsoft which fixes the vulnerability

    Our uni was struck last night - it ground the servers to a halt with the
    traffic and infected many of our 3000 computers.

    Regards - Pat
    www.patski.cjb.net


    "Abhishek VERMA" <abhishek@studylink.com.au> wrote in message
    news:82376f0f.0308122030.8585c82@posting.google.com...
    > I had this same problem yesterday, the way I came around this is:
    >
    > - Start > Run > regedit (on Windows XP Pro)
    > - Edit > Find... (search for msblaster)
    > - anything which has a value of msblaster, delete it
    >
    > NOTE: Would be nice to back up your Windows registry first by File >
    > Save as... in the Registry Editor.
    >
    > I had 2 keys with the values containing "msblaster".
    >
    > After you've done this, restart your computer and hopefully everything
    > should be sorted.
    >
    > REASON: This worm is relatively new, and hence no (less)
    > support/anti-virus is available for it. This worm tries to start
    > itself on every restart through these registry values, so if you delete
    > these values the worm doesn't start up.
    >
    > A good thing to do would be download the windows updates from
    > microsoft's website.
    >
    > HTH
    > Abhishek VERMA
  6. IanF

    Symantec have a free cleanup utility, and apart from the MS patch it
    might be worth using a personal firewall like ZoneAlarm. A friend of
    mine had his modem-connected PC infected yesterday, so that's no
    protection! He's a drummer though, so I guess it's not surprising.

    Ian

    abhishek@studylink.com.au (Abhishek VERMA) wrote in message <snip>
    >
    > REASON: This worm is relatively new, and hence no (less)
    > support/anti-virus is available for it. This worm tries to start
    > itself on every restart through these registry values, so if you delete
    > these values the worm doesn't start up.
    >
    > A good thing to do would be download the windows updates from
    > microsoft's website.
    >
    > HTH
    > Abhishek VERMA
  7. Rob Adelman

    I think my computer at home is infected, but I haven't heard symptoms
    described like what it is doing. It keeps having a window pop up and
    says "NTAUTHORITY\SYSTEM - Remote Procedure Call (RPC)"

    It then says "save all information as your computer will now be shutting
    down". Then a 60 second timer starts counting down and the computer
    shuts down. It automatically restarts only to have the window pop up
    again and start all over.

    Does anybody know if this is the worm?

    Thanks -Rob


    Luke Kaven wrote:

    > The Blaster/Posa/Lovsan worm will hunt you down and find you and cause
    > you downtime and abundant headache without your doing anything to
    > invite it. [I had such fun yesterday, all day] Hundreds of thousands
    > of systems are being infected right now, and they are out looking for
    > *you*!. If you run Windows2000/XP/NT, you want to download the listed
    > patch (KB823980) immediately, and I do mean immediately. If you use
    > Win2000, you need to be at least at Service Pack 2 to install this
    > patch.
    >
    > Some of the early symptoms:
    >
    > * If you see a process running called "msblast.exe", you have it.
    > * SVCHOST shuts down with errors
    > * Drag and drop stops working
    > * Add/Delete programs comes up blank with a "Cl&ose" button
    > * File Search will fail to launch
    > * Shift-Click in Internet Explorer (to launch in new window) does not
    > work
    > * Internet Explorer shows a blank version number (Help->About Internet
    > Explorer)
    > * Numerous programs (MS-Word/Excel, EZ-CDCreator, etc.), will not
    > launch
    > * Outlook Express will fail with (insufficient memory) if one tries to
    > send a new message
    >
    > Here's hoping you have a worm-free day!
    >
    > Luke
    >
    > =====
    >
    > From a notice posted by Jerry Bryant in microsoft.public.security -
    >
    > SEVERITY: CRITICAL
    > DATE: August 11, 2003
    > PRODUCTS AFFECTED: Windows XP, Windows 2000, Windows Server 2003,
    > Windows NT
    > 4.0, NT 4.0 Terminal Services Edition
    >
    > WHAT IS IT?
    > The Microsoft Product Support Services Security Team is issuing this
    > alert
    > to inform customers about a new worm named W32.Blaster.Worm which is
    > spreading in the wild. This virus is also known as: W32/Lovsan.worm
    > (McAfee), WORM_MSBLAST.A (Trendmicro), Win32.Posa.Worm (Computer
    > Associates). Best practices, such as applying security patch MS03-026
    > should
    > prevent infection from this worm.
    >
    > Customers that have previously applied the security patch MS03-026
    > before
    > today are protected and no further action is required.
    >
    > IMPACT OF ATTACK: Spread through open RPC ports. Customer's machine
    > gets
    > re-booted or has mblast.exe exists on customer's system.
    >
    > TECHNICAL DETAILS: This worm scans a random IP range to look for
    > vulnerable
    > systems on TCP port 135. The worm attempts to exploit the DCOM RPC
    > vulnerability patched by MS03-026.
    >
    > Once the Exploit code is sent to a system, it downloads and executes
    > the
    > file MSBLAST.EXE from a remote system via TFTP. Once run, the worm
    > creates
    > the registry key:
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    > "windows
    > auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill
    >
    > Symptoms of the virus: Some customer may not notice any symptoms at
    > all. A
    > typical symptom is the system is rebooting every few minutes without
    > user
    > input. Customers may also see:
    > - Presence of unusual TFTP* files
    > - Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
    >
    > To detect this virus, search for msblast.exe in the WINDOWS SYSTEM32
    > directory or download the latest anti-virus software signature from
    > your
    > anti-virus vendor and scan your machine.
    >
    > For additional details on this worm from anti-virus software vendors
    > participating in the Microsoft Virus Information Alliance (VIA) please
    > visit
    > the following links:
    >
    > Network Associates:
    > http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547
    >
    > Trend Micro:
    > http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
    >
    > Symantec:
    > http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
    >
    > Computer Associates: http://www3.ca.com/virusinfo/virus.aspx?ID=36265
    >
    > For more information on Microsoft's Virus Information Alliance please
    > visit
    > this link: http://www.microsoft.com/technet/security/virus/via.asp
    >
    > Please contact your Antivirus Vendor for additional details on this
    > virus.
    >
    > PREVENTION: Turn on Internet Connection Firewall (Windows XP or
    > Windows
    > Server 2003) or use a third party firewall to block TCP ports 135,
    > 139, 445
    > and 593; TCP ports 135, 139, 445 and 593; also UDP 69 (TFTP) for
    > zombie bits
    > download and TCP 4444 for remote command shell. To enable the Internet
    > Connection Firewall in Windows:
    > http://support.microsoft.com/?id=283673
    >
    > 1. In Control Panel, double-click Networking and Internet Connections,
    > and
    > then click Network Connections.
    > 2. Right-click the connection on which you would like to enable ICF,
    > and
    > then click Properties.
    > 3. On the Advanced tab, click the box to select the option to Protect
    > my
    > computer or network.
    >
    > This worm utilizes a previously-announced vulnerability as part of its
    > infection method. Because of this, customers must ensure that their
    > computers are patched for the vulnerability that is identified in
    > Microsoft
    > Security Bulletin MS03-026.
    > http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.
    > Install the
    > patch MS03-026 from Windows Update http://windowsupdate.microsoft.com
    >
    > As always, please make sure to use the latest Anti-Virus detection
    > from your
    > Anti-Virus vendor to detect new viruses and their variants.
    >
    > RECOVERY: Security best practices suggest that previously compromised
    > machine be wiped and rebuilt to eliminate any undiscovered exploits
    > that can
    > lead to a future compromise. See Cert Advisory:
    > Steps for Recovering from a UNIX or NT System Compromise.
    > http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
    >
    > For additional information on recovering from this attack please
    > contact
    > your preferred anti-virus vendor.
    >
    > RELATED MICROSOFT SECURITY BULLETINS:
    > http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
    >
    > RELATED KB ARTICLES: http://support.microsoft.com/?kbid=826955
    > This article will be available within 24 hours.
    >
    > RELATED LINKS: http://www.microsoft.com/security/incident/blast.asp
    > As always please make sure to use the latest Anti-Virus detection from
    > your
    > Anti-Virus vendor to detect new viruses and their variants.
    >
    > If you have any questions regarding this alert please contact your
    > Microsoft
    > representative or 1-866-727-2338 (1-866-PCSafety) within the US,
    > outside of
    > the US please contact your local Microsoft Subsidiary. Support for
    > virus
    > related issues can also be obtained from the Microsoft Virus Support
    > Newsgroup which can be located by clicking on the following link
    > news://msnews.microsoft.com/microsoft.public.security.virus.
    >
    >
  8. I believe it is. Or a related one.

    Log off. Check the Task Manager Processes window for msblast and kill the
    process. Then find msblast.exe on your hard drive and delete it.

    Then log on and install the Microsoft update. I did these things yesterday, and
    that was the end of that.


    > I think my computer at home is infected, but I haven't heard symptoms
    > described like what it is doing. It keeps having a window pop up and
    > says "NTAUTHORITY\SYSTEM - Remote Procedure Call (RPC)"


    > It then says "save all information as your computer will now be shutting
    > down". Then a 60 second timer starts counting down and the computer
    > shuts down. It automatically restarts only to have the window pop up
    > again and start all over.


    > Does anybody know if this is the worm?
  9. Rob Adelman

    Thanks, I'll try that tonight.
    -Rob

    William Sommerwerck wrote:

    > I believe it is. Or a related one.
    >
    > Log off. Check the Task Manager Processes window for msblast and kill the
    > process. Then find msblast.exe on your hard drive and delete it.
    >
    > Then log on and install the Microsoft update. I did these things yesterday, and
    > that was the end of that.
    >
    >
    >
    >>I think my computer at home is infected, but I haven't heard symptoms
    >>described like what it is doing. It keeps having a window pop up and
    >>says "NTAUTHORITY\SYSTEM - Remote Procedure Call (RPC)"
    >
    >>It then says "save all information as your computer will now be shutting
    >>down". Then a 60 second timer starts counting down and the computer
    >>shuts down. It automatically restarts only to have the window pop up
    >>again and start all over.

    >
    >
    >>Does anybody know if this is the worm?

    >
    >
  10. GeeMima

    I'm running Windows 98 SE, which I don't believe is vulnerable to the
    MSBlaster attack. However, I just did a search using regedit and an
    msblaster line showed up in Windows/Microsoft/Explorer. Should I delete
    this key? My computer is running normally. Also, I ran task manager and at
    the top of the list is a line reading: "Re: Beware the MSblaster Worm, it
    will get you." Now, I'm freaking...


    "William Sommerwerck" <williams@nwlink.com> wrote in message
    news:vjkgvd61dorj96@corp.supernews.com...
    > I believe it is. Or a related one.
    >
    > Log off. Check the Task Manager Processes window for msblast and kill the
    > process. Then find msblast.exe on your hard drive and delete it.
    >
    > Then log on and install the Microsoft update. I did these things
    > yesterday, and that was the end of that.
    >
    >
    > > I think my computer at home is infected, but I haven't heard symptoms
    > > described like what it is doing. It keeps having a window pop up and
    > > says "NTAUTHORITY\SYSTEM - Remote Procedure Call (RPC)"
    >
    > > It then says "save all information as your computer will now be shutting
    > > down". Then a 60 second timer starts counting down and the computer
    > > shuts down. It automatically restarts only to have the window pop up
    > > again and start all over.

    >
    > > Does anybody know if this is the worm?

    >
  11. GeeMima

    "GeeMima" <NOTggmedia@tyler.net> wrote in message
    news:vjkhm7pj2pca40@corp.supernews.com...
    > I'm running Windows 98 SE, which I don't believe is vulnerable to the
    > MSBlaster attack. However, I just did a search using regedit and an
    > msblaster line showed up in Windows/Microsoft/Explorer. Should I delete
    > this key? My computer is running normally. Also, I ran task manager and at
    > the top of the list is a line reading: "Re: Beware the MSblaster Worm, it
    > will get you." Now, I'm freaking...


    Okay, forget the task manager listing. It showed up because this NG message
    was open in the background. Freak off...


    >
    > "William Sommerwerck" <williams@nwlink.com> wrote in message
    > news:vjkgvd61dorj96@corp.supernews.com...
    > > I believe it is. Or a related one.
    > >
    > > Log off. Check the Task Manager Processes window for msblast and kill the
    > > process. Then find msblast.exe on your hard drive and delete it.
    > >
    > > Then log on and install the Microsoft update. I did these things
    > > yesterday, and that was the end of that.
    > >
    > >
    > > > I think my computer at home is infected, but I haven't heard symptoms
    > > > described like what it is doing. It keeps having a window pop up and
    > > > says "NTAUTHORITY\SYSTEM - Remote Procedure Call (RPC)"

    > >
    > > > It then says "save all information as your computer will now be shutting
    > > > down". Then a 60 second timer starts counting down and the computer
    > > > shuts down. It automatically restarts only to have the window pop up
    > > > again and start all over.

    > >
    > > > Does anybody know if this is the worm?

    > >

    >
    >
  12. Arny Krueger

    "Rob Adelman" <radelman@mn.rr.com> wrote in message
    news:bhdfji$vvot0$1@ID-75267.news.uni-berlin.de
    > I think my computer at home is infected, but I haven't heard symptoms
    > described like what it is doing. It keeps having a window pop up and
    > says "NTAUTHORITY\SYSTEM - Remote Procedure Call (RPC)"
    >
    > It then says "save all information as your computer will now be
    > shutting down". Then a 60 second timer starts counting down and the
    > computer shuts down. It automatically restarts only to have the window
    > pop up again and start all over.
    >
    > Does anybody know if this is the worm?


    For sure.

    How did you catch it?
  13. Arny Krueger

    "Luke Kaven" <luke@smallsrecords.com> wrote in message
    news:0s4ijv81vmjcigs7s0mrk4p0jkhqcc6j9p@4ax.com

    > The Blaster/Posa/Lovsan worm will hunt you down and find you and cause
    > you downtime and abundant headache without your doing anything to
    > invite it. [I had such fun yesterday, all day]


    The short answer for disabling this virus is:

    (0) remove any network or modem cables attached to the machine.
    (1) Bring your machine up in "Safe Mode" by pressing F5 while re-booting.
    The virus will give you ample opportunities to do this.
    (2) Go to My Computer
    (3) Open up your "C" drive
    (4) Open up the "Windows" folder
    (5) Open up the "System32" folder in the "Windows" folder
    (6) Delete the MSBLAST.EXE file.

    You can avoid reinfection the next time you go online by downloading and
    applying the (now) well-known fix from MS. The obvious challenge is getting
    the fix before you get re-infected.

    I'd like to know how people are catching this virus as a matter of fact. I
    hear about bum email attachments, but it appears that it can be caught by
    simply being online without adequate protection.
  14. Rob Adelman

    Rob Adelman Guest

    Arny Krueger wrote:

    >>Does anybody know if this is the worm?

    >
    >
    > For sure.
    >
    > How did you catch it?


    No idea. Thanks for the fix though, going to try that tonight.

    -Rob
  15. Luke Kaven

    Luke Kaven Guest

    "Arny Krueger" <arnyk@hotpop.com> wrote:
    >"Luke Kaven" <luke@smallsrecords.com> wrote
    >> The Blaster/Posa/Lovsan worm will hunt you down and find you and cause
    >> you downtime and abundant headache without your doing anything to
    >> invite it. [I had such fun yesterday, all day]

    >
    >The short answer for disabling this virus is:
    >
    >(0) remove any network or modem cables attached to the machine.
    >(1) Bring your machine up in "Safe Mode" by pressing F5 while re-booting.
    >The virus will give you ample opportunities to do this.
    >(2) Go to My Computer
    >(3) Open up your "C" drive
    >(4) Open up the "Windows" folder
    >(5) Open up the "System32" folder in the "Windows" folder
    >(6) Delete the MSBLAST.EXE file.
    >
    >You can avoid reinfection the next time you go online by downloading and
    >applying the (now) well-known fix from MS. The obvious challenge is getting
    >the fix before you get re-infected.
    >
    >I'd like to know how people are catching this virus as a matter of fact. I
    >hear about bum email attachments, but it appears that it can be caught by
    >simply being online without adequate protection.


    The virus scans IP addresses sequentially starting from a
    pseudo-random address until it finds a machine with the vulnerability
    (could be you!). Someone else can give a better explanation of the
    process, but it seems the virus is able to connect to your Remote
    Procedure Call (RPC) service from outside, through a standard port. It
    plants a call on your machine that downloads the virus from the
    source, runs it, and sets the registry to run it at each startup. I
    think it is able to exploit a buffer overrun condition that was left
    unchecked to bypass the normal authentication; how the hack works, I
    don't know. So the short answer is that you don't have to do
    anything. It comes to you through a standard network service
    undetected, unless you have a firewall watching the ports in question.

    By the way -- expect more clever and insidious versions of this virus
    to come. By all means, download the OS patch immediately.

    Luke
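
The sequential scanning of the RPC service described in the post above leaves a recognizable pattern in firewall logs. The following is an added example, not part of the original thread: it flags sources that probe a run of consecutive addresses on TCP 135, the RPC endpoint mapper port. The log format, the addresses and the `min_run` threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

RPC_PORT = 135  # TCP port of the Windows RPC endpoint mapper

# Constructed sample; assumed format: time src dst dst_port action
SAMPLE_LOG = """\
2003-08-12T10:00:01 192.0.2.77 198.51.100.10 135 DROP
2003-08-12T10:00:01 192.0.2.77 198.51.100.11 135 DROP
2003-08-12T10:00:02 192.0.2.77 198.51.100.12 135 DROP
2003-08-12T10:00:02 192.0.2.5 198.51.100.40 135 DROP
2003-08-12T10:00:03 192.0.2.77 198.51.100.13 135 DROP
2003-08-12T10:00:03 192.0.2.9 198.51.100.20 80 ALLOW
2003-08-12T10:00:04 192.0.2.77 198.51.100.14 135 DROP
2003-08-12T10:00:05 192.0.2.5 198.51.100.90 135 DROP
garbage line
"""

def rpc_probes(log):
    """Yield (src, dst_as_int) for each well-formed line aimed at RPC_PORT."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _, src, dst, port, _ = fields
        try:
            if int(port) == RPC_PORT:
                yield src, int(ipaddress.IPv4Address(dst))
        except ValueError:
            continue  # unparseable port or address

def sequential_scanners(log, min_run=5):
    """Map each source to its longest run of consecutive targets, if >= min_run."""
    targets = defaultdict(set)
    for src, dst in rpc_probes(log):
        targets[src].add(dst)  # a set ignores repeated probes of one host
    flagged = {}
    for src, dsts in targets.items():
        longest, run, prev = 0, 0, None
        for addr in sorted(dsts):
            run = run + 1 if prev is not None and addr == prev + 1 else 1
            longest = max(longest, run)
            prev = addr
        if longest >= min_run:
            flagged[src] = longest
    return flagged

if __name__ == "__main__":
    print(sequential_scanners(SAMPLE_LOG))
```

A source that appears in the result from inside your own network is a likely infected host; one from outside shows the firewall is seeing the scan.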
  16. >> You can avoid reinfection the next time you go online by downloading
    >> and applying the (now) well-known fix from MS. The obvious challenge
    >> is getting the fix before you get re-infected.


    This is the trick. I had to reboot several times before the download and
    installation were performed without msblast sneaking in again. On the third try,
    it got through just as the installation was successfully completing!
  17. Rob Adelman

    Rob Adelman Guest

    William Sommerwerck wrote:

    > I believe it is. Or a related one.
    >
    > Log off. Check the Task Manager Processes window for msblast and kill the
    > process. Then find msblast.exe on your hard drive and delete it.
    >
    > Then log on and install the Microsoft update. I did these things yesterday, and
    > that was the end of that.



    I did it, and here I am! Worked like a charm.

    -Rob
  18. Vladan

    Vladan Guest

  19. Vladan

    Vladan Guest

    On Wed, 13 Aug 2003 09:13:10 -0500, "GeeMima" <NOTggmedia@tyler.net>
    wrote:

    >I'm running Windows 98 SE, which I don't believe is vulnerable to the
    >MSBlaster attack. However, I just did a search using regedit and an
    >msblaster line showed up in Windows/Microsoft/Explorer. Should I delete
    >this key? My computer is running normally. Also, I ran task manager and at
    >the top of the list is a line reading: "Re: Beware the MSblaster Worm, it
    >will get you." Now, I'm freaking...


    Unless this was a joke, relax. What you see are references to reading
    this thread.
    Vladan
    www.geocities.com/vla_dan_l
    www.mp3.com/lesly , www.mp3.com/shook , www.mp3.com/lesly2
    www.kunsttick.com/artists/vuskovic/indexdat.htm
  20. Rob Adelman

    Rob Adelman Guest

    Vladan wrote:
    > Is it really that dangerous.


    Umm, no.


    > I have just XP bundled firewall service,
    > and got nothing.


    Not the case for me. I got worms and I wasn't even going fishin'

    > I have all remote and sharing services disabled (not
    > installed/ allowed).


    Me too.

    >What's the deal?


    Dunno, Glad the worm is gone though. Hope it doesn't come back.
