PCA Forums

*Update*
w32.blaster.worm
http://securityresponse.symantec.com/av ... .worm.html

Removal tool:
http://securityresponse.symantec.com/av ... .tool.html


More info on the worm:
http://www.trendmicro.com/vinfo/virusen ... _MSBLAST.A

That link also has a removal tool and instructions if the others fails.
http://www.trendmicro.com/download/tsc.asp
Be sure to select the correct link, if you are a trend user or non user.

-----------------------------

This is the one they've been warning us about the past couple of weeks. It's happening now.

I've had 4 clients and my own laptop have this problem today (I patched all my home systems a month ago but I forgot to patch my laptop).

This is a security hole in all flavors of Windows EXCEPT 98 and 98. All of the systems affected were using Earthlink for their ISP so I suspect some infected system is port scanning all of Earthlink's IP addresses.

While under attack you will get an error message saying that the "RPC Service has been terminated unexpectedly" (if you check the Event log it shows up as an event ID 7031) and the computer will shut down in 15 seconds. The computer shuts down and reboots.

Here's what it looks like (thanks for the pic d_b):


This will happen while online (broadband or dialup) and if you have NOT installed the MS03-026 (Hotfix 823980) patch.

A mass mailing worm that already well established on thousands of infected systems is trying to use this exploit to hack into unpatched systems. The reboot apparently occurs because the worm is trying to disable your RPC service to hack into your computer and fails, causing the error.

If you haven't applied it yet, EVERYONE you MUST install the hotfix which you can get here:
http://www.microsoft.com/technet/treevi ... 03-026.asp

It's a 1.2Mb patch and will fit on a floppy. Carry it in your briefcase - your friends will all be having problems with this.

You may have a problem downloading the patch since if your system is under attack it will be rebooting every few minutes while online.

Easy workaround is to block port 135 if you're using a firewall, or just turn on WinXP's built in firewall temporarily (it apparently blocks port 135).

IT'S IMPORTANT YOU INSTALL THIS PATCH EVEN IF YOU HAVEN'T BEEN AFFECTED! This is a serious security exploit that can leave you system wide open to attack.

Those of you using routers may not be seeing any problems because your router is probably blocking port 135, but you should install the patch anyway.

fix the problem? I have some clients who have it and I'm heading to resolve the issue.. TIA eGo

Yes, the patch works fine.

Like I said you can also stop it be enabling the firewall, but that doesn't solve the problem.

The patch takes about 2 minutes to install.

For those interested, here's a long (and growing) thread on the problem from Computing.net's forums:
http://www.computing.net/hardware/wwwbo ... 15396.html

Ok.. well, I just installed the patch, and I'm up and running on the computer that it was happening to. How long should I hang around to see if this is done with? It's a dial-up connection, would that have anything to do with it?

Also, we don't use EarthLink.. heh.. Though that doesn't mean that the ISP we use doesn't share a connection with them though..

It seems to reboot after about 5 minutes online consistently. I let the systems I worked on today stay online for 20 minutes to make sure they were okay.

Yes, dialup is more prone because most people don't run a firewall on a dialup (normally no real need). A firewall or router blocks the attacks, but it's still a good idea to install the patch.

Thanks for the heads up FP, I installed mine, I wasnt showing any signs though, I am on earthlink though.

I have friends that work at Alienware - they say the helpdesk phones started ringing off the hook today because of this.

Windows Update has been mobbed and is responding very slowly if at all. You're better off using the linky I posted above which is a fast Microsoft FTP site.

If you do use Windows Update it's Hotfix 823980.

quick question FP

you mentioned that the file was 1.2mb...
but the file that is linked is 898kb

is it still the same one?

The one for XP is 1.2Mb, the one for 2K is around 890K.

NOTE: If the worm succeeds in hacking into you system it will shut down the RPC service and replace it with an infected copy. It will also disable the NAV service (dunno if it affects AVG or McAfee).

Saw this posted by an IT tech friend of mine at Red-Eye explaining how to tell if a system is infected:

Yeah we were hit Tuesday of last week. It seems educational institutions were targetted first as usual. Only 18 of our systems were hit which wasn't too bad considering it could have been worse if it had hit our Exchange or DC servers. Although we were able to disable the utilities they had installed on the systems we figured the systems were already comprimised and who knows what they could've installed. So we decided to re-install those 18 servers. That doesn't mean we didnt have clients hit. I don't deal with clients but from what the help desk manager told me they were recieving calls about it for the past few days.

A few things to look out for when figuring if the system was hit.

A. Look for Update.exe on the root of the OS drive. It seems that the person who gained access into our systems applied his own version of the RPC patch. Making it look like the system is protected. This left a residue of several files on the root of the drive include Update.exe.

B. If you have Norton Antivirus installed you'll notice that the service has been disabled.

C. Csrsrv.dll and/or csrss.exe will not be visible by the system. This will be evident when you try to install SP3+. When I mean not visible I mean the OS will NOT see it in any way. Not even in a command prompt. You will have to Load up the system in Recovery mode and use the command line interface.

D. The system will have erratic reboots in the log or will fall into a reboot cycle.

If by chance you need to bring the system back online temperoraly do the following.(If its in a reboot cycle.)

1. Loadup from the Windows 2k CD and run a Manual repair.
2. Then after the reboot Loadup from the Win2k CD and go into recovery mode.
3. Overwrite Csrsrv.dll and csrss.exe with the same files from a working 2k system.

Although to be completely safe I would suggest your reinstall the OS in question.

Hope this helps.

one thing I noticed.....is I have not had ANY spam in my AOL email account for the last 2 days....

so I guess the worm was good for something

Check this out from the Internet Storm Center: http://isc.sans.org/port_details.html?port=135

Shows you how port 135 attacks spiked today:

Hey FP, that long post about the RPC service being replaced? Is that just for 2k? I didn't notice that before I left my clients place of business. Do I need to check into that? The computer ran online for 25 minutes without any problems. Thanx again for all the info.. eGO

I just learned about that. If the attack succeeds then the RPC service will be compromised with an infected file. The infected system will then join the firestorm of computers trying to hack into other unprotected systems.

Quick fix is to block in and out going on port 135.

I suspect that the AV companies will release an official fix or repair tool in the next few days.

The givaway that you're infected is that NAV will be disabled (dunno about other AVs) and a file called Update.exe will be left on the root of the boot partition.

I'm going to go check my lappy right now to see if it's been compromised.

Boy am I glad I patched all my other systems a few weeks ago. I rarely apply security patches unless I think they're REALLY necessary anymore. Too often lately MS has cried wolf and made us install a patch that just caused problems and wasn't necessary unless you were running a server.

----------
EDIT
----------

Okay here's the first official news report with details on the worm: http://isc.sans.org/diary.html?date=2003-08-11

Yup, one of the systems I worked on today had a program called MSBLASTER.EXE running in the startup. I disabled it and it came back so I renamed the file and it stayed disabled.

I'll have to go back and clean it out when they release some more info.

lol - sitting here at the beach on my lappy reading fp's post - on dial up - and bingo! i get the message -



downloading patch now - we'll see


MORE: downloaded the patch - no msblaster.exe anywhere

enable firewall - xp home

downloading new stuff from grisoft avg - no norton on this machine

ok so far