WORM - MS rpc bug -- See the OT and Operating Systems Stickies. AT Moderator

iamme

Lifer
Jul 21, 2001
21,058
3
0
I just read a thread about it on ATOT, and a friend just called me today asking "WTF is wrong w/ my PC?". I helped him patch his PC and then blamed him for downloading too much porn :)
 

Kilrsat

Golden Member
Jul 16, 2001
1,072
0
0
The CERT advisory was originally issued on July 16th, and then updated on July 31st when the current exploit started being observed. This should be old news, but unfortunately there are too many non-patched, non-firewalled machines out there.
 

MrBond

Diamond Member
Feb 5, 2000
9,911
0
76
Originally posted by: n0cmonkey
Another one?
Not really, the hole was made public a while ago, not surprisingly few people updated their windows installs, so this is going to be much more of a problem then it really should be.

Edit - mods can we get a sticky?
 

T3C

Diamond Member
Jun 3, 2003
5,324
0
0
this is hitting a lot of people fast, phones have been going wild for a while now
 

BG4533

Golden Member
Oct 15, 2001
1,892
0
71
I work in a public computer lab at Ohio State and we are getting hit pretty hard here. I just had to close the lab here because of this thing. A few departments are also completely screwed up here. It is sad how far behind people are.
 

T3C

Diamond Member
Jun 3, 2003
5,324
0
0
Originally posted by: BG4533
I work in a public computer lab at Ohio State and we are getting hit pretty hard here. I just had to close the lab here because of this thing. A few departments are also completely screwed up here. It is sad how far behind people are.

I'm mostly just getting calls from users that didn't update
 

MrBond

Diamond Member
Feb 5, 2000
9,911
0
76
Does this affect 95/98/SE installs? The MS bulletin doesn't seem to act like it does, but trendlabs shows a fix for those systems.

I was going to download the patch and host it for my parents, MS's site scares them with its complexity :D, but if there's no issue on those systems, they'll be fine
 

dbwillis

Banned
Mar 19, 2001
2,307
0
0
Getting hammered here at work as well..
I'm seeing mostly XP and 2000 machines getting hit with it...even remote users on VPN get it...
 

lowtech1

Diamond Member
Mar 9, 2000
4,644
1
0
Originally posted by: dbwillis
Getting hammered here at work as well..
I'm seeing mostly XP and 2000 machines getting hit with it...even remote users on VPN get it...
Why are you & your users getting hit with it?
Shouldn't you guys have it patched by now?
MS released the patch on July 16, 2003.

Shouldn't you have a firewall of some kind that blocks all ports, unless you left it open for using....yikes!....MS VPN?

Why are the users allowed to surf & have install rights to their desktop machine?
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
lowtech.

This is a worm that will infest a global private network very quickly. The only way to not get hit is to have the RPC patch installed.

From the sniffer traces it simply blasts through a class B address range propagating itself.
 

Aceshigh

Platinum Member
Aug 22, 2002
2,529
1
0
Yep, it nailed me this afternoon. I'd start up my pc and about 2 minutes later get the popup box saying it was going to restart in 60 seconds. Every time I went to Windows Update to get the patches, my machine would reboot before I could finish downloading the patch.

Finally had to disconnect my cable modem and log into dial up, strangely enough when I was on dial up it never did reboot. Took me a while to download the patches but I did, back on my cable modem and everything seems fine now. Anyone else experience this today?
 

Nocturnal

Lifer
Jan 8, 2002
18,927
0
76
Does anyone have the patch? My other kiosk's computer has been hit. He called me and asked about this but I had no clue. HELP!
 

loup garou

Lifer
Feb 17, 2000
35,132
1
81
Originally posted by: lowtech
Originally posted by: dbwillis
Getting hammered here at work as well..
I'm seeing mostly XP and 2000 machines getting hit with it...even remote users on VPN get it...
Why are you & your users getting hit with it?
Shouldn't you guys have it patched by now?
MS released the patch on July 16, 2003.

Shouldn't you have a firewall of some kind that blocks all ports, unless you left it open for using....yikes!....MS VPN?

Why are the users allowed to surf & have install rights to their desktop machine?
 

Aceshigh

Platinum Member
Aug 22, 2002
2,529
1
0
I'm not sure which patch it is that fixed it, I downloaded the one in Windows Update which mentioned RPC first, but that didn't seem to do the trick, so I downloaded all the available critical updates and it fixed it.
 

Rogue

Banned
Jan 28, 2000
5,774
0
0
Here's my opinion both as a 'net user and a Systems Administrator. I think people who fail to update their systems and contribute to problems like this should be fined. Naturally, I think some type of nationwide system should be established to notify people of these problems, but something has to be done. As soon as this was available I downloaded it. I make sure to check at least twice weekly and once on the weekend for security updates on Microsoft's site. I have no sympathy for you. I am angry though that you're causing my bandwidth on my cable modem to be robbed (those of you that don't update regularly!)
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: Rogue
Here's my opinion both as a 'net user and a Systems Administrator. I think people who fail to update their systems and contribute to problems like this should be fined. Naturally, I think some type of nationwide system should be established to notify people of these problems, but something has to be done. As soon as this was available I downloaded it. I make sure to check at least twice weekly and once on the weekend for security updates on Microsoft's site. I have no sympathy for you. I am angry though that you're causing my bandwidth on my cable modem to be robbed (those of you that don't update regularly!)

Alright smarty pants. When you have 30000 machines that break because of the patch then you might change your mind. :)

Been there, done that, don't want to do it again.
 

lowtech1

Diamond Member
Mar 9, 2000
4,644
1
0
Originally posted by: spidey07
lowtech.

This is a worm that will infest a global private network very quickly. The only way to not get hit is to have the RPC patch installed.

From the sniffer traces it simply blasts through a class B address range propagating itself.
You are right, but you can disable & audit the tftp.exe file to stop it.
I haven't tested to see if the net stop tftpd command would stop it while the thing is running yet. But, I believe that it should work, then disable/audit the tftp.exe file. I think the patch is only needed if you are running an IIS server and want to use the tftp service (don't quote me on this).

My network is not affected in any way, because the users don't have the rights to download/install software & are behind a firewall. Our email server was Exchange a year ago, and now both webserver & mail server are running under linux.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Lowtech,

Maybe you don't see what is going on here. This is a self propagating worm. Very similar to NIMDA.

If you have NT, 2000, XP (they all listen on TCP 135 which is RPC) without the July 16th patch you are vulnerable and it spreads like wildfire. It took less than half an hour for all 30000 pcs (and about 2000 servers) to become infected.

This is very serious guys.
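The two observable traits mentioned in this thread, every vulnerable host listening on TCP 135 and an infected host sweeping a whole class B range, are exactly what a defender can look for in firewall or flow logs. The script below is an added example and not code from the thread: it reads connection-attempt lines in a constructed format (epoch seconds, source IP, destination IP, destination port, protocol), flags any source that contacts many distinct destinations on tcp/135 within a short window, and reports how many /24 and /16 networks those destinations span. The thresholds and the sample log are assumptions made for the illustration.

```python
"""Flag hosts sweeping TCP/135 (the Windows RPC endpoint mapper) in connection logs.

Added example, not code from the thread. The log format is constructed for the
example: one attempted connection per line as
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <proto>
Threshold and window values are assumptions chosen for illustration.
"""
from collections import defaultdict
from ipaddress import ip_network

RPC_PORT = 135
DISTINCT_DST_THRESHOLD = 20   # assumption: distinct hosts hit on :135 within one window
WINDOW_SECONDS = 60           # assumption: sliding window length


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, proto)."""
    ts, src, dst, port, proto = line.split()
    return int(ts), src, dst, int(port), proto.upper()


def find_sweepers(lines, threshold=DISTINCT_DST_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: set(dst_ips)} for sources that reached at least `threshold`
    distinct destinations on TCP/135 inside any `window`-second span.

    A host talking repeatedly to one or two RPC servers is normal; a host touching
    dozens of distinct addresses on :135 in a minute is the sweep pattern."""
    events = defaultdict(list)            # src -> [(ts, dst), ...] on tcp/135 only
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = parse_line(line)
        if proto == "TCP" and port == RPC_PORT:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()                        # sliding window needs time order
        in_window = defaultdict(int)      # dst -> number of hits inside the window
        start = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # expire events older than the window
            while evs[start][0] < ts - window:
                old_dst = evs[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            if len(in_window) >= threshold:
                flagged.setdefault(src, set()).update(in_window)
    return flagged


def subnets_touched(dsts):
    """Return (number of distinct /24s, number of distinct /16s) covered by dsts,
    which shows whether a flagged host is walking a whole class B range."""
    nets24 = {ip_network(f"{d}/24", strict=False) for d in dsts}
    nets16 = {ip_network(f"{d}/16", strict=False) for d in dsts}
    return len(nets24), len(nets16)


# Constructed sample log: two benign hosts and one host sweeping :135 at one
# destination per second across 10.1.5.0/24 and 10.1.6.0/24.
SAMPLE_LOG = [
    "# constructed sample: epoch src dst dport proto",
    "1000 10.1.2.50 10.1.9.9 135 tcp",    # normal client, same RPC server each time
    "1001 10.1.2.50 10.1.9.9 135 tcp",
    "1002 10.1.2.50 10.1.9.9 135 tcp",
]
SAMPLE_LOG += [f"{1000 + i} 10.1.2.3 10.1.5.{i + 1} 135 tcp" for i in range(25)]
SAMPLE_LOG += [f"{1025 + i} 10.1.2.3 10.1.6.{i + 1} 135 tcp" for i in range(5)]
# web client touching many hosts, but on port 80: must not be flagged
SAMPLE_LOG += [f"{1000 + i} 10.1.2.77 10.1.9.{i + 20} 80 tcp" for i in range(25)]


if __name__ == "__main__":
    for src, dsts in find_sweepers(SAMPLE_LOG).items():
        n24, n16 = subnets_touched(dsts)
        print(f"{src}: {len(dsts)} distinct hosts on tcp/135 across {n24} /24s in {n16} /16")
```

Run against real data, the line parser is the only piece that needs swapping for the export format of the firewall or flow collector in use; the window logic and the subnet summary stay the same. A source flagged here is a candidate for isolation and patching rather than proof of infection on its own, since vulnerability scanners and inventory tools also sweep port 135.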
 

AmdInside

Golden Member
Jan 22, 2002
1,355
0
76
My company got hit. For the last 5 1/2 hours, I haven't been able to do any work. Doesn't mean today will be easy. Waiting for network to come back up and then I gotta finish work. This is what happens when you are salary. Can't stand a$$holes who create viruses.
 

Entity

Lifer
Oct 11, 1999
10,090
0
0
I know at least a thousand boxes have been hacked on our campus. We have all our boxes set to auto-update, so it hasn't been a problem here, but it's crazy seeing the chaos it's creating. :D

Rob
 

lowtech1

Diamond Member
Mar 9, 2000
4,644
1
0
Originally posted by: spidey07
Lowtech,

Maybe you don't see what is going on here. This is a self propagating worm. Very similar to NIMDA.

If you have NT, 2000, XP (they all listen on TCP 135 which is RPC) without the July 16th patch you are vulnerable and it spreads like wildfire. It took less than half an hour for all 30000 pcs (and about 2000 servers) to become infected.

This is very serious guys.
I don't doubt the severity of this virus, but man people never learn. I guess that's why I have a job.