W32.Blaster.Worm - RPC vulnerability causes reboots in Windows NT, 2K, and XP.

AnandTech Moderator

Staff member
Oct 12, 1999
Info:

http://www.cert.org/advisories/CA-2003-19.html
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

This worm hits your TCP port 135, and it is the cause of the reboot problems many have posted about in Windows NT, 2K, and XP. Firewalls like Zone Alarm, etc. appear to trap the port hits.

If you use Windows NT, 2K or XP, visit the Windows Update site. This worm does NOT attack Windows 98 or ME, but your firewall may report
hundreds of port probes per hour.

Symantec's site says, if you find MSBLAST.EXE on your system, you have been infected.
 

MournSanity

Diamond Member
Feb 24, 2002
OMFG I never thought this would happen, but a Norton window opened up and said I have the worm! Whenever I click on OK to close the window, it just comes back. WTF, I can't even open up Windows Update. This is crazy because I just saw this thread and now it's on my computer, argh!
 

wetcat007

Diamond Member
Nov 5, 2002
lol I've known about this forever, it's amazingly easy to reboot computers with that port open...
 

Mitzi

Diamond Member
Aug 22, 2001
A friend of mine called me last night asking why his PC was rebooting with the error message 'RPC terminated abnormally' (or something along those lines). I had the feeling it was a virus, now I know for sure.

Cheers!
 

Macro2

Diamond Member
May 20, 2000
Worm with teeth could infect 10s of millions of Windows machines

And aims to down windowsupdate server


By Mike Magee: Tuesday 12 August 2003, 10:09

A WORLDWIDE ALERT was issued today about an RPC worm which is likely to cause large scale infections on Windows 2000 and XP systems.
The worm exploits the RPC/DCOM hole first discovered on the 16th of July, according to Mikko Hypponen, a director at F-Secure, and it has started to proliferate.

The firm said the worm, known as Lovsan or Msblast is expected to attack windowsupdate.com on the 16th of August.

It spreads in a 6176 byte exe file called MSBLAST.EXE to Windows XP and 2000 systems unless the most recent security patches are installed, said F-Secure.

It scans addresses on the Interweb to find vulnerable Windows machines and when it finds them, it copies and modifies the system, said F-Secure, and executes on restarts as well as replicating from infected machines.

Said Hypponen: "On the 16th of August, the worm will start a distributed denial of service attack against the windowsupdate.com server".

He anticipates that if the worm continues to spread as fast as it's currently doing, the attack could down the whole Windows Update service.

F-Secure says it first saw samples yesterday night. The worm attacks TCP port 135 and infects it remotely, without users being aware of it.

Microsoft has a patch to close the hole, which you can find here.

F-Secure estimates it could potentially infect tens of millions of machines.


 

Wiktor

Member
Feb 21, 2003
Just visited the microsoft.public.windowsxp.security_admin forums; this seems to be really widespread, I haven't seen anything like that yet.
 

Curley

Senior member
Oct 30, 1999
Mod,

I run 4 systems on a KVM switch and Linksys router with basic WAN hardware firewall.

Do you think this has protected me from receiving this worm?

I still applied the patch from Microsoft to protect from this infection, and my Norton is auto-updated.

Thanks,

Curley
 

Mitzi

Diamond Member
Aug 22, 2001
Originally posted by: Curley
Mod,

I run 4 systems on a KVM switch and Linksys router with basic WAN hardware firewall.

Do you think this has protected me from receiving this worm?

I still applied the patch from Microsoft to protect from this infection, and my Norton is auto-updated.

Thanks,

Curley

As long as your router blocks TCP port 125 you'll be fine.

Edit: Actually just TCP port 125 isn't enough, SANS also recommend...

* Close port 135/tcp (and if possible 135-139, 445 and 593)
* Monitor TCP Port 4444 and UDP Port 69 (tftp) which are also used by the worm
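A defensive triage of the ports in that SANS list, as an added example that is not from the thread or from SANS: it parses constructed router log lines (the log format, the addresses and the 192.168.1.x local range are assumptions) and separates external hosts probing the blocked ports from local hosts whose own traffic (outbound 135/tcp scanning, or 4444/tcp and 69/udp activity) suggests they are already infected.

```python
import re
from collections import Counter, defaultdict

# Ports from the SANS advice quoted in the thread: block the RPC/NetBIOS range
# inbound, and watch 4444/tcp and 69/udp (tftp), which the worm uses after a
# successful RPC exploit to transfer its executable to the new victim.
BLOCK_PORTS = {135, 137, 138, 139, 445, 593}
WATCH_PORTS = {("tcp", 4444), ("udp", 69)}

# Hypothetical router log format, constructed for this example.
LOG_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_line(line):
    """Return (proto, src, dst, dport) for a recognised log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["proto"], m["src"], m["dst"], int(m["dport"])

def triage(log_text, local_prefix="192.168.1."):
    """Split hits into external scanners and local hosts that look infected."""
    scanners = Counter()          # external src -> probes against blocked ports
    suspects = defaultdict(set)   # local host -> reasons it looks infected
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        proto, src, dst, dport = ev
        src_local, dst_local = src.startswith(local_prefix), dst.startswith(local_prefix)
        if proto == "tcp" and dport in BLOCK_PORTS:
            if not src_local:
                scanners[src] += 1        # inbound probe; the router should DROP it
            elif not dst_local:
                # a local PC scanning the Internet on 135/tcp is the worm's own
                # propagation behaviour, not normal client traffic
                suspects[src].add(f"outbound {dport}/tcp scan")
        if (proto, dport) in WATCH_PORTS:
            for host in (src, dst):
                if host.startswith(local_prefix):
                    suspects[host].add(f"{proto}/{dport} traffic")
    return dict(scanners), {h: sorted(r) for h, r in suspects.items()}

SAMPLE_LOG = """\
Aug 12 03:14:01 router DROP tcp 203.0.113.7:1342 -> 192.168.1.20:135
Aug 12 03:14:02 router DROP tcp 203.0.113.7:1343 -> 192.168.1.21:135
Aug 12 03:14:05 router DROP tcp 198.51.100.9:2040 -> 192.168.1.20:445
Aug 12 03:15:10 router ACCEPT tcp 192.168.1.20:1039 -> 203.0.113.55:135
Aug 12 03:15:11 router ACCEPT udp 203.0.113.55:1029 -> 192.168.1.20:69
Aug 12 03:15:12 router ACCEPT tcp 192.168.1.30:1050 -> 192.168.1.31:80
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))  # constructed sample: 192.168.1.20 is the suspect
```

On the constructed sample, the external probes are expected and harmless if dropped; the local host that both scans outbound on 135/tcp and serves tftp is the one to take off the network and clean.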
 

ProviaFan

Lifer
Mar 17, 2001
ICF protected my unpatched posterior until last night, at which time I installed every available security update on Windows Update. Hopefully I managed to get the one that actually matters. :eek: :)
 

sharkeeper

Lifer
Jan 13, 2001
lol I've known about this forever, it's amazingly easy to reboot computers with that port open...

Yep! Windows XP machines even have the shutdown command available too!

Usage: shutdown [-i | -l | -s | -r | -a] [-f] [-m \\computername] [-t xx] [-c "comment"] [-d up:xx:yy]

No args            Display this message (same as -?)
-i                 Display GUI interface, must be the first option
-l                 Log off (cannot be used with -m option)
-s                 Shutdown the computer
-r                 Shutdown and restart the computer
-a                 Abort a system shutdown
-m \\computername  Remote computer to shutdown/restart/abort
-t xx              Set timeout for shutdown to xx seconds
-c "comment"       Shutdown comment (maximum of 127 characters)
-f                 Forces running applications to close without warning
-d [u][p]:xx:yy    The reason code for the shutdown
                   u is the user code
                   p is a planned shutdown code
                   xx is the major reason code (positive integer less than 256)
                   yy is the minor reason code (positive integer less than 65536)

There are small applications available for earlier operating systems as well. Using the correct switches, you can shut someone down (not just reboot), give them 0 seconds to save anything and no explanation as to why they're being punished! :Q

-DAK-
 

jose

Platinum Member
Oct 11, 1999
If you're on the Internet you need to have a firewall & to update your virus defs frequently.

This at least forces users to be responsible for maintaining their own computers. It could be worse; people are just lucky the worm doesn't format their hard drives, or delete MP3s, JPEGs, etc.

Personally I hope the US Gov. doesn't use Windows as the implications are evident.

Regards,
Jose

 

PrinceXizor

Platinum Member
Oct 4, 2002
The funny thing is...I got hit with this on my brand new XP machine...I was going to windows update to get all the security patches...when WHAM I already got hit...5 whole minutes on-line and I already got pegged...

P-X
 

dexvx

Diamond Member
Feb 2, 2000
Instead of wasting money putting a bounty on Saddam, they should start putting bounties on the scum who make the worms.
 

MAMAFUFU

Senior member
Oct 9, 1999
I have a question.

If the Windows security patch is installed AFTER the machine is infected with this worm, is the computer safe now?

I have patched over a dozen INFECTED computers (for my friends) today and all of them reported normal internet connection after installing the patch.

The patch that I have installed is WindowsXP-KB823980-x86-CHT.exe
 

ProviaFan

Lifer
Mar 17, 2001
Originally posted by: MAMAFUFU
I have a question.

If the Windows security patch is installed AFTER the machine is infected with this worm, is the computer safe now?

I have patched over a dozen INFECTED computers (for my friends) today and all of them reported normal internet connection after installing the patch.

The patch that I have installed is WindowsXP-KB823980-x86-CHT.exe

I would think that the executable would still exist on the computer, ready to infect others and launch a DDoS attack on the Windows Update site on the 16th. In other words, you still need to clean the system after installing the patch.
 

MAMAFUFU

Senior member
Oct 9, 1999
I downloaded this file from a Taiwan university server.
It is for Chinese Traditional version of WinXP.
 

BZ

Member
Jan 9, 2003
This is a security site that will test your firewall and find any open ports. From reading around on their forums it seems like ZoneAlarm is pretty secure.

GRC
Go to "Shields Up" and let it check "common ports" or "all service ports".

The site is slow today....

 

NOX

Diamond Member
Oct 11, 1999
Originally posted by: dexvx
Instead of wasting money putting a bounty on Saddam, they should start putting bounties on the scum who make the worms.

Why? It's Bill Gates (Microsoft) who needs to fix this problem! It seems that every month a new exploit for Windows is coming off the production line. I never ever hear of Apple computers being attacked.

Bill Gates continues to make all his billions while his b1tches (Windows users) continue to get screwed!
 

seismik

Senior member
May 9, 2003
How would you go about doing that?

That being clean off the msblast.exe, or other infected files. First you may have to stop the msblast service should it be running (I did this last night, can't remember if it was actually called msblast or not, but something along those lines as I was able to tell what it was). Stop it. Try to delete the file. If that doesn't work, reboot, tap F8 after your BIOS screen but before the Windows boot screen and you'll get the boot menu. Boot to safe mode, run your virus scan again -- you'll be able to delete them now.