W32.Blaster.Worm - RPC vulnerability causes reboots in Windows NT, 2K, and XP.

Aug 1, 2003
Here are some good questions. Any ideas/comments are appreciated!

I just built my new PC a couple weeks back. I keep dialing in to the net through my school's network, but IE always says "page not found" no matter where I try to go. I have no idea what to do about that. But if I get that fixed, should I enable the XP firewall right away and try and download the Microsoft update? And also, my mobo disc came with Norton Internet Security. I'm not sure if that's different from regular Norton Antivirus, but if I do get the worm, will that be able to detect it?

Thanks!
 

David101

Member
Jul 13, 2003
Originally posted by: RoyalTenenbaum
Here are some good questions. Any ideas/comments are appreciated!

I just built my new PC a couple weeks back. I keep dialing in to the net through my school's network, but IE always says "page not found" no matter where I try to go. I have no idea what to do about that. But if I get that fixed, should I enable the XP firewall right away and try and download the Microsoft update? And also, my mobo disc came with Norton Internet Security. I'm not sure if that's different from regular Norton Antivirus, but if I do get the worm, will that be able to detect it?

Thanks!

To prevent your comp from rebooting, do the following:

Go into Run, then type services.msc

Scroll down to RPC

Go into it

Click on Recovery

You'll see where it says Restart; click "Take no action" for all 3 of them. If it wants to reboot your comp, then it won't. Change this back after you get patched up though. I don't think it's necessary, but you really should :p

 
Aug 1, 2003
Should I enable the XP Firewall?

I have Norton Internet Security, which I've come to find out has its own firewall. I'm just having a heck of a time installing it. ARGH
 

brettjrob

Senior member
Jul 1, 2003
I was also infected by this worm somehow... haven't opened any attachments or anything recently, don't know how the hell it got there. I've never had any type of worm before. But anyhow... this is how I got rid of it (after installing the security patch):

*Go to TASK MANAGER, then PROCESSES, and under "Image Name" find "msblast.exe" and end that process.

*Use Windows Explorer to browse to C:\WINDOWS\system32, and under that directory find "msblast.exe" and delete it.

*Go to the Registry Editor, find this key...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
...and delete the value that says something about "windows update" (can't remember the exact name). Then you're all set and it's gone.

Good luck getting all this done in the 60 seconds; it took me a few tries on one of the two systems in my house that was infected :|
 

sharkeeper

Lifer
Jan 13, 2001
Why? It's Bill Gates (Microsoft), who needs to fix this problem! It seems that every month a new exploit for Windows is coming off the production line. I never ever hear of Apple computers being attacked.

If you were a perpetrator (read: virus "author") you would target Wintel also. What fun would it be to have an attack that affects just two computers?! :p

-DAK-
 

ahsia

Golden Member
Oct 3, 2000
Here is what I've done, and told several of my friends to do:

1. Go to Symantec's site to download fixblaster.exe (tool to remove the virus/worm):

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Run the tool, it will scan your hard drive for the virus/worm, and remove it.

2. Go to Microsoft's site to download the patch for the RPC vulnerability:

http://support.microsoft.com/default.aspx?scid=kb;en-us;823980

Apply the patch. Reboot your machine. For Windows 2000 users, you must have at least SP3 installed.

3. Update the virus definitions for your anti-virus software.

4. Run a full system scan to ensure you are virus-free.

Good luck!

 

tiap

Senior member
Mar 22, 2001
Thanks Anand and users. I read your forum shortly after you posted about Mblast. My main hard drive rebooted every 2 min, so I stuck in another hard drive (I use removable trays) and went straight to Windows Update for the patch and Trend Micro for the fix, and I'm all set. Tested all my systems at grc.com and got a clean bill of health.
Thanks to everyone for averting a disaster here.
 

BFG10K

Lifer
Aug 14, 2000
Should I enable the XP Firewall?
Of course you should, and in fact you should never disable it. If you enable it then you can't get the worm, as the firewall blocks all of the ports that the exploit needs in order to download the executable.

That goes to all Windows XP and 2003 users: turn on the Windows firewall for all of your network connections and KEEP IT ON. That way you won't be able to get the worm even if you haven't patched your box yet.

If the Windows security patch is installed AFTER the machine is infected with this worm, then is the computer safe now?
No, it isn't. The patch will stop future attacks, but it won't stop the executable that's already running on your machine. You'll have to remove it either manually or with an anti-virus program.
 

Cogman

Lifer
Sep 19, 2000
Originally posted by: NOX
Originally posted by: dexvx
Instead of wasting money putting a bounty on Saddam, they should start putting bounties on these scum who make the worms.
Why? It's Bill Gates (Microsoft), who needs to fix this problem! It seems that every month a new exploit for Windows is coming off the production line. I never ever hear of Apple computers being attacked.

Bill Gates continues to make all his billions while his b1tches (Windows users) continue to get screwed!

Better than going to a Mac (Gahh..... yuck, I hate the idea), you could get a Linux machine :) Unlike Windows, Linux does not leave these ports open to just download whatever they like, modify the registry, and reboot (LOL, people at Microsoft did not realize this might be a security issue.....)
 
Aug 1, 2003
I use Norton Internet Security (which is Norton Antivirus and Norton Firewall). I would imagine the Norton Firewall would block this, too? I downloaded the updates for Antivirus last night and I scanned and it didn't find anything. I just need to download the Windows XP Updates when I get a chance. But the Norton Firewall should block it, too, right?

Thanks!
 

RagingGuardian

Golden Member
Aug 22, 2000
I turned off Norton Internet Security for a few hours to download some files and came back from work to an infected computer. Did a reinstall of XP Pro and can't even get on the Windows Update site because it's crawling right now. Not a happy camper...
 

Jadow

Diamond Member
Feb 12, 2003
OMG, I was rebooting unexpectedly the other day, and figured my lamo VIA mobo was dying on me!
 

brigden

Diamond Member
Dec 22, 2002
So, if the file is not found, your PC is uninfected?

I can't find the file on any of the three PCs on our home network, but we've been getting a pretty flaky cable internet connection lately. Quite often I'll be disconnected from a game of BF1942. I suppose it could be the host machine's connection failing and not mine...
 

PrinceXizor

Platinum Member
Oct 4, 2002
Originally posted by: GTaudiophile
How is this thing transmitted exactly?

It's explained on the Symantec site... brief summary...

Once an infected computer has it running and is connected to the internet, it randomly generates an IP subnet and then counts up, port scanning each computer at the IPs it calculates. If the target computer has the port open and not blocked (i.e. no firewall), it tries to send the worm code in a buffer overrun of the DCOM RPC. If the computer has this vulnerability, it is then infected. Even if it doesn't have this vulnerability, having that port unblocked and the subsequent infection attempt may cause the computer to generate the DCOM RPC error and subsequent forced reboot.

A properly configured firewall will thus block the initial port scan and effectively kill off any reboots or infection attempts.

However, even a patched system can still experience forced reboots when an infected machine tries to infect the patched machine on the open port. Thus, both patching your OS and installing a properly configured firewall will cure all the problems.

P-X
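The sweep P-X describes (one source counting upward through addresses and probing each on the RPC port) is visible in firewall logs. The following is an added example, not code from the thread or from Symantec: it uses constructed log lines loosely modelled on the XP firewall log layout (an assumption about the format) with made-up addresses, and flags any source that hit TCP/135 on a run of consecutive hosts.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample lines (made-up addresses, not real traffic), loosely
# modelled on the Windows XP firewall log layout (assumed):
# date time action proto src-ip dst-ip src-port dst-port
SAMPLE_LOG = """\
2003-08-12 09:14:01 DROP TCP 10.20.30.40 192.168.1.1 3071 135
2003-08-12 09:14:01 DROP TCP 10.20.30.40 192.168.1.2 3072 135
2003-08-12 09:14:02 DROP TCP 10.20.30.40 192.168.1.3 3073 135
2003-08-12 09:14:02 DROP TCP 10.20.30.40 192.168.1.4 3074 135
2003-08-12 09:14:03 DROP TCP 10.20.30.40 192.168.1.5 3075 135
2003-08-12 09:14:09 OPEN TCP 192.168.1.7 192.168.1.1 1041 80
2003-08-12 09:14:10 DROP TCP 172.16.5.9 192.168.1.1 4010 135
2003-08-12 09:14:15 DROP TCP 172.16.5.9 192.168.1.1 4011 135
"""
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+)"
)

def parse(log_text):
    """Yield (src, dst, dport); skip comment lines and malformed lines."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])

def find_rpc_sweeps(log_text, min_hosts=4, port=135):
    """Return {src: sorted dst list} for every source that probed `port`
    on at least `min_hosts` consecutive addresses (the count-up sweep)."""
    targets = defaultdict(set)
    for src, dst, dport in parse(log_text):
        if dport == port:
            targets[src].add(ip_address(dst))
    sweeps = {}
    for src, hosts in targets.items():
        ordered = sorted(hosts)
        run = best = 1  # length of the current and longest consecutive run
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if int(cur) - int(prev) == 1 else 1
            best = max(best, run)
        if best >= min_hosts:
            sweeps[src] = [str(h) for h in ordered]
    return sweeps
```

On the sample, only 10.20.30.40 is reported (it walked 192.168.1.1 through .5); the source that retried a single host twice on port 135 is not a sweep and is ignored.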

 

notoriousformula

Senior member
Aug 13, 2003
Hello all, I'm new to the forum. Here is an update:

KASPERSKY LABS claimed this afternoon that there's already a new version of the Blaster/Lovesan worm on the loose.
And it says that's likely to mean a repeat of the outbreak we've seen during this week. The new variety of Lovesan/Blaster exploits the same vulnerability.

Kaspersky says that the number of infected systems is around the 300,000 mark, and the new variety may double this number.

"In the worst case, the world community can face a global Internet slow down and regional disruption... to the World Wide Web," said Eugene Kaspersky, head of the labs.

The new variety uses the name TEEKIDS.EXE instead of MSBLAST.EXE, different code compression, and different signatures in the body of the worm.

Source:
http://www.theinquirer.net/?article=11018
 

r6ashih

Senior member
May 29, 2003
Our server at work got the worm, and now logging into and out of my computer takes FOREVER. Some programs don't function properly either, like Network Neighborhood and the search function on the Start menu, and Excel documents open then close right away.
Can anyone help me fix this?

alex
 

dmw16

Diamond Member
Nov 12, 2000
Has this issue been addressed in a WinXP Windows Update security fix already? I haven't been online since August 7th, but as of then I was totally up to date. Am I still at risk? Also, I have never had Remote Assistance activated on my computer. I think I may actually have never installed that particular client (that is, removed it from the list of things that were installed when I put XP on my system).
thanks,
-doug
 

ProviaFan

Lifer
Mar 17, 2001
Originally posted by: r6ashih
Our server at work got the worm, and now logging into and out of my computer takes FOREVER. Some programs don't function properly either, like Network Neighborhood and the search function on the Start menu, and Excel documents open then close right away.
Can anyone help me fix this?

alex
Sounds like it got into the Domain Controller or something along those lines (that would explain the logging in and possibly the documents part). Just make sure you're patched up, and hope the people at your work get the server fixed soon.
 

owensdj

Golden Member
Jul 14, 2000
One question I have about this worm: if a computer is being rebooted by it because it's connected to the Internet, does that mean the computer itself is infected by the worm, or does it mean the operating system just needs the security patch?