  1. #1
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    The RPC security flaw which has been widely reported is now being exploited by a worm which is spreading rapidly. This will cause RPC service and svchost.exe errors on vulnerable PCs and will most likely infect the PC with a virus.

    The current report from the Internet Storm Center can be found here. Because the ISC is under a very heavy load, I quote the current report:

    quote:
    Handlers Diary August 11th 2003
    Updated August 11th 2003 18:49 EDT
    RPC DCOM WORM (MSBLASTER)
    This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly.

    **********
    NOTE: PRELIMINARY. Do not base your incident response solely on this writeup.
    **********

    Increase in port 135 activity: http://isc.sans.org/images/port135percent.png

    In order to protect yourself, you need to:
    Close port 135 (if possible 135-139, 445 and 593)
    Apply Patches http://www.microsoft.com/technet/sec...n/MS03-026.asp

    Once you are infected, we highly recommend a complete rebuild of the site. As there have been a number of irc bots using the exploit for a few weeks now, it is possible that your system was already infected with one of the prior exploits. Do not connect an unpatched machine to a network.

    The worm may launch a syn flood against windowsupdate.com on the 16th. It has the ability to infect Windows 2000 and XP.

    The worm uses the RPC DCOM vulnerability to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.

    Infection sequence:
    1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET
    2. this causes a remote shell on port 4444 at the TARGET
    3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444,
    4. the target will now connect to the tftp server at the SOURCE.

    The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed:

    MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)

    So far we found the following properties:

    - Scans sequentially for machines with open port 135, starting at a presumably random IP address
    - uses multiple TFTP servers to pull the binary
    - adds a registry key to start itself after reboot

    Name of registry key:
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'

    Strings of interest:

    msblast.exe
    I just want to say LOVE YOU SAN!!
    billy gates why do you make this possible ? Stop making money and fix your software!!
    windowsupdate.com
    start %s
    tftp -i %s GET %s
    %d.%d.%d.%d
    %i.%i.%i.%i
    BILLY
    windows auto update
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Existing RPC DCOM snort signatures will detect this worm. The worm is based on dcom.c

    Anti-Virus Vendor Writeups and Other Information:

    https://tms.symantec.com/members/Ana...t-DCOMworm.pdf
    http://www.sarc.com/avcenter/venc/da...ster.worm.html
    http://www3.ca.com/virusinfo/virus.aspx?ID=36265
    http://www.datafellows.com/v-descs/msblast.shtml
    http://us.mcafee.com/virusInfo/defau...virus_k=100547
    http://www.trendmicro.com/vinfo/viru...WORM_MSBLAST.A

    ________
    All your commission are belong to us.
    Check out the latest Homeland Security press releases.
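    The infection sequence in the ISC report quoted above (port 135, then a shell on 4444, then the target pulling the binary back over tftp) and the bursts of port 135 probes that members report seeing in their ZoneAlarm and router logs later in the thread can both be checked mechanically against a firewall log. The following is an added example, not part of the original post or of the ISC writeup: the log line format and all addresses are constructed for the demonstration, and the "5 probes in 10 minutes" burst threshold is an assumption to tune to your own traffic.

```python
"""Check a firewall log for the MSBlast activity described in the ISC report.

Added example, not part of the original thread. The log line format and the
addresses are constructed for this demonstration; adapt LINE_RE to whatever
your firewall or router exports.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. 192.168.1.10 is the protected host. 10.0.0.7 only
# hammers port 135 (the probes forum members saw in their logs); 10.0.0.5
# completes the full 135 -> 4444 -> tftp sequence from the ISC writeup.
SAMPLE_LOG = """\
2003-08-11 14:02:11 IN  TCP 10.0.0.7:3172 -> 192.168.1.10:135
2003-08-11 14:03:05 IN  TCP 10.0.0.7:3173 -> 192.168.1.10:135
2003-08-11 14:04:40 IN  TCP 10.0.0.7:3174 -> 192.168.1.10:135
2003-08-11 14:05:02 IN  TCP 10.0.0.5:1045 -> 192.168.1.10:135
2003-08-11 14:05:03 IN  TCP 10.0.0.5:1046 -> 192.168.1.10:4444
2003-08-11 14:05:04 OUT UDP 192.168.1.10:1037 -> 10.0.0.5:69
2003-08-11 14:06:12 IN  TCP 10.0.0.7:3175 -> 192.168.1.10:135
2003-08-11 14:07:30 IN  TCP 10.0.0.7:3176 -> 192.168.1.10:135
2003-08-11 14:09:58 IN  TCP 10.0.0.7:3177 -> 192.168.1.10:135
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) +(?P<dir>IN|OUT) +(?P<proto>TCP|UDP) +"
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "dir": d["dir"], "proto": d["proto"],
            "src": d["src"], "dst": d["dst"], "dport": int(d["dport"]),
        })
    return events


def port135_scanners(events, threshold=5, window=timedelta(minutes=10)):
    """Sources with at least `threshold` inbound TCP/135 probes inside any
    `window`; the value is the largest burst seen. Threshold is an assumption."""
    by_src = defaultdict(list)
    for e in events:
        if e["dir"] == "IN" and e["proto"] == "TCP" and e["dport"] == 135:
            by_src[e["src"]].append(e["ts"])
    hits = {}
    for src, stamps in by_src.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):          # sliding window over timestamps
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def infection_sequences(events, max_gap=timedelta(minutes=5)):
    """Return (source, target) pairs showing all three steps of the ISC sequence:
    1. source -> target TCP/135   (exploit delivery)
    2. source -> target TCP/4444  (remote shell)
    3. target -> source UDP/69    (tftp pull of the worm binary)
    Each step must follow the previous one within `max_gap`."""
    stage = {}   # (source, target) -> (steps completed, time of last step)
    found = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["dir"] == "IN" and e["proto"] == "TCP" and e["dport"] == 135:
            stage[(e["src"], e["dst"])] = (1, e["ts"])
        elif e["dir"] == "IN" and e["proto"] == "TCP" and e["dport"] == 4444:
            key = (e["src"], e["dst"])
            done, ts = stage.get(key, (0, None))
            if done == 1 and e["ts"] - ts <= max_gap:
                stage[key] = (2, e["ts"])
        elif e["dir"] == "OUT" and e["proto"] == "UDP" and e["dport"] == 69:
            key = (e["dst"], e["src"])         # reversed: target calls back to source
            done, ts = stage.get(key, (0, None))
            if done == 2 and e["ts"] - ts <= max_gap and key not in found:
                found.append(key)
    return found


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("port 135 scanners (largest burst in 10 min):", port135_scanners(evts))
    print("full infection sequences (source, target):", infection_sequences(evts))
```

    A scanner alone is the background noise the thread describes; an outbound UDP/69 connection back to a host that just hit 135 and 4444 is the signal that the exploit landed and the binary was fetched, and that host is the one to treat as infected.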

  2. #2
    Defender of Truth, Justice and the Affiliate Way
    Join Date
    January 18th, 2005
    Location
    The Swamp
    Posts
    7,503
    Thanks Moo,

    Just checked my router logs. My firewall has been blocking attempts to that port all afternoon.

    It's Your Money. You earned it. What are you going to do to make sure you get to keep it?

  3. #3
    ABW Veteran jc101's Avatar
    Join Date
    January 18th, 2005
    Location
    Santa Cruz, CA
    Posts
    4,597
    I was infected by that... Luckily I caught it last week and removed the infected files, and I block access via ZoneAlarm now.

    _________________________
    xtremeshopping inc. goal financial free by 4/6/2004 (my Birthday!)adorable,nice, sweet, committed member. :0)

  4. #4
    ABW Veteran Student Heyder's Avatar
    Join Date
    January 18th, 2005
    Posts
    5,482
    I'm not sure if it's the same worm or not but the same exploit started destroying computers this afternoon. It destroyed at least 30 computers in a two hour period before I left work. It shuts down windows and then it's all over but the crying.

  5. #5
    ABW Ambassador
    Join Date
    January 18th, 2005
    Location
    ÄúsTrálíĺ
    Posts
    1,372
    Yep.
    One of my buddies got hit by it today.
    Also an 11 page thread at f'd companies about it.
    seems a lot are going to be affected by this one.

  6. #6
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    I ran around to many local accounts the last 2 weeks updating their anti-virus programs, installing Adware and zonealarm. Then comes the patches to Microsoft windows and the IE browser and Outlook. Those who didn't listen to the service call request might be toast by the morning.

    I'll not volunteer to be the first to come to their aid if this happens. Let them get quotes and then beg me to come over and attempt a fix.

    Mike & Charlie ...

    If they won't adopt and feed a bird ..flip them one! BBQ some Gator and remember to flush WhenU..

  7. #7
    ABW Ambassador
    Join Date
    January 18th, 2005
    Posts
    1,403
    I use the mail client from Opera, and have not yet been infected in the 2 years since I started using it, although I have got a lot of infected mails. Of course I use the Opera browser too.

    carneol

  8. #8
    Super Sh!t Stirrer SSanf's Avatar
    Join Date
    January 18th, 2005
    Posts
    9,944
    PSanf got it and I think it tried to get me, too.

    Something asked me if I wanted to update windows and I told it "No".

    So far, I am OK this morning. I am wondering what will happen when I reboot. How can I be sure it ain't there? I searched for msblast.exe using the find feature and found nothing, yet.

    The Wolf Credo: Respect the elders. Teach the young. Cooperate with the pack. Play when you can. Hunt when you must. Rest in between. Share your affections. Voice your feelings. Leave your mark.

  9. #9
    Newbie
    Join Date
    January 18th, 2005
    Posts
    1,037
    I'm fairly sure I have this at home. Please pray/chant/meditate/send money/fast/feast for me.

    -patrice

  10. #10
    ABW Ambassador
    Join Date
    January 18th, 2005
    Posts
    1,447
    It is good to stay on top of your "Windows Update". I check every day for the "critical updates".

    -----------------------------
    Big Chuck
    www.webproconnect.com
    Almost there
    wish me luck

  11. #11
    ABW Veteran Student Heyder's Avatar
    Join Date
    January 18th, 2005
    Posts
    5,482
    This is easy to fix.

    Hit Ctrl + Alt + Delete and see if it's running.

    If it's running disable it.

    Then go to windows update and download the patch.

    (1) patch download
    (2) install patch
    (3) ctrl+alt+del and then click processes
    (4) disable the one titled (msblast.exe).....(this will keep the machine running and prevent the restarts)
    (5) click start
    (6) click run
    (7) type regedit......press enter

    (8) go to the following key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    (9) delete the key that says "windows auto update"="msblast.exe"

    http://securityresponse.symantec.com...ster.worm.html

    [This message was edited by Heyder on August 12, 2003 at 10:51 AM.]
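    The manual checks in Heyder's steps (3), (4), (8) and (9) above, the process list and the Run key, can be scripted so a machine can be triaged the same way every time. The following is an added example, not part of the post: the value name, key path and binary name come from the ISC report quoted earlier in the thread, while the sample Run entries and the sample `tasklist` output are constructed. The two checking functions are pure and run anywhere; the collectors at the bottom use `winreg` and `tasklist /FO CSV` and only run on Windows.

```python
"""Host-side triage for the MSBlast persistence described in this thread.

Added example, not from the original post. The checking functions take data
you read yourself, so the logic can be exercised on any platform; the
collectors in the __main__ block run only on Windows.
"""
import csv
import io
import sys

# Indicators quoted from the ISC report earlier in the thread.
RUN_KEY_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_VALUE_NAME = "windows auto update"
WORM_BINARY = "msblast.exe"

# Constructed samples for an offline run.
SAMPLE_RUN_ENTRIES = {
    "windows auto update": "msblast.exe",
    "ExampleTray": '"C:\\Program Files\\Example\\tray.exe"',
}
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"explorer.exe","1456","Console","0","14,212 K"
"msblast.exe","1792","Console","0","1,288 K"
'''


def suspicious_run_entries(entries):
    """entries: {value_name: value_data} read from the Run key.

    Flags the worm's own value name and also any value whose command launches
    msblast.exe under a different name, with or without a path or arguments."""
    flagged = {}
    for name, data in entries.items():
        cmd = str(data).strip().strip('"').lower()
        exe = cmd.replace("/", "\\").split("\\")[-1].split()[0] if cmd else ""
        if name.lower() == WORM_VALUE_NAME or exe == WORM_BINARY:
            flagged[name] = data
    return flagged


def worm_processes(tasklist_csv):
    """tasklist_csv: output of `tasklist /FO CSV` (header row, then one row
    per process). Returns the PIDs of every msblast.exe image."""
    reader = csv.DictReader(io.StringIO(tasklist_csv))
    return [int(row["PID"]) for row in reader
            if row["Image Name"].lower() == WORM_BINARY]


def read_run_key():
    """Read HKLM\\...\\Run with the standard-library winreg module (Windows only)."""
    import winreg
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:      # raised when there are no more values
                break
            entries[name] = data
            index += 1
    return entries


if __name__ == "__main__":
    if sys.platform == "win32":
        import subprocess
        entries = read_run_key()
        tasklist = subprocess.run(["tasklist", "/FO", "CSV"],
                                  capture_output=True, text=True).stdout
    else:
        entries, tasklist = SAMPLE_RUN_ENTRIES, SAMPLE_TASKLIST
    print("Run-key values to delete (step 9):", suspicious_run_entries(entries))
    print("Process IDs to end (step 4):", worm_processes(tasklist))
```

    The script only reports; deleting the value and ending the process are left to regedit and Task Manager as the post describes, so nothing is removed without a person looking at it first. Note that `tasklist` ships with Windows XP Professional but not XP Home, where the Processes tab of Task Manager (step 3) is the equivalent.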

  12. #12
    Full Member garystarling's Avatar
    Join Date
    January 18th, 2005
    Posts
    277
    Looking at my ZoneAlarm logs I have had 12 attempts at port 135 in the last 10 mins!

    'I am not young enough to know everything.'
    - Oscar Wilde

  13. #13
    Defender of Truth, Justice and the Affiliate Way
    Join Date
    January 18th, 2005
    Location
    The Swamp
    Posts
    7,503
    I'm actually seeing a decrease in the number of probes to port 135 from last night. I was getting 4 or 5 a minute. Now only about 10 or 12 an hour.

    Anyone who is connected to the Internet by cable or DSL should be running a firewall. Personally, I run a hardware firewall and ZoneAlarm. Yep, I'm paranoid. But then, I've had hundreds of attempts to infect my computer since yesterday and have not been infected. I still checked for the msblast file and of course updated windows. Well, because I'm paranoid.

    It's Your Money. You earned it. What are you going to do to make sure you get to keep it?

  14. #14
    Full Member
    Join Date
    January 18th, 2005
    Posts
    439
    No probes to my port 135 in the last 24 hrs.... because Comcast "high-speed" internet has been down for the past 24 hrs

    Of course the technical support number gives no information and won't actually let you talk to someone in technical support, and the customer support people just say they don't know what the problem is and there is no ETA.

    Forgotten how slow dial-up is

    Mark Mitford
    RevShares.com
    Solutions for Affiliate Program Managers

  15. #15
    Web Ho - Design B!tch ~Michelle's Avatar
    Join Date
    January 18th, 2005
    Location
    Michigan
    Posts
    2,040
    quote:
    Originally posted by carneol:
    I use the mail client from Opera, and have not yet been infected in the 2 years since I started using it, although I have got a lot of infected mails. Of course I use the Opera browser too.

    carneol

    This isn't spread through email. Windows XP and NT2000 (I believe) are the vulnerable machines.

    It is an exploit of a windows weakness.

    ~Michelle

    ****************************
    "All I ask is a chance to prove that money can't make me happy."

    "Work to become, not to acquire." -- Confucius

  16. #16
    Full Member
    Join Date
    January 18th, 2005
    Posts
    305
    well i just recovered from three days of this *&&^(*Y!!!!!!!!!!!!!!!

    not only did i get msblast but some nasty keylogger virus as well...

    then something hit my server and all spamming hell broke loose....

    norton does NOT save you or delete it or even quarantine it.

  17. #17
    Newbie
    Join Date
    January 18th, 2005
    Posts
    25
    ok, I'm at my wits' end with this idiot box. Every time I try to patch, the stupid thing gives me "Setup could not verify the integrity of the file Update.inf. Make sure the Cryptographic service is running on this computer."
    DOES ANYBODY KNOW HOW TO FIX THIS?!?!?!?!
    I'm getting ready to throw this dumb box out the window

    A day without light, is like... night.

  18. #18
    ABW Ambassador Doc Sawyer's Avatar
    Join Date
    January 18th, 2005
    Location
    Southern California Desert
    Posts
    567
    I don't know if this is old news but I really like this page at Microsoft:

    Microsoft Scan for Updates

    You push the "Scan" button and Bill Gates comes to your office to look under the hood and recommend which free critical updates you need.

    Select what you want and push the download button.

    I find it easier than the other update pages at microsoft.

    Doc

    "An Optimist Can Never be Pleasantly Surprised" - Murphy
