.com.unity Forums
#1
August 12th, 2003, 10:07 PM
cybersol
OT: RPC Service Shutdown = BLaster Worm

Some of you already know this, but some may not.

This happened independently to my wife and myself yesterday and today. I also saw here on the forum that General Woundwort had this problem.

So I just wanted to let everyone know that if you see the RPC service is missing and that results in a system shutdown over and over, then you have the BLaster Worm.

To fix it, start with the BLaster Worm removal tool from Symantec. Then you will want to install and run the Microsoft RPC Patch. With those two downloaded and run you should be stable enough to go to the Windows Update site and get all the other security updates just in case.

Hope this helps someone,
cybersol

[ August 12, 2003, 21:24: Message edited by: cybersol ]

#2
August 12th, 2003, 11:59 PM
Suicide Junkie
Re: OT: RPC Service Shutdown = BLaster Worm

A firewall or router would have protected you, as well.

Or, just NOT having windows NT/2000/XP installed would work too.

#3
August 13th, 2003, 12:17 AM
Thermodyne
Re: OT: RPC Service Shutdown = BLaster Worm

Not from the people in the PITA group

Most firewalls are set to let email attachments go by.
__________________
Think about it

#4
August 13th, 2003, 12:33 AM
Suicide Junkie
Re: OT: RPC Service Shutdown = BLaster Worm

The firewall would block the Remote Procedure Calls telling your NT-based OS to reboot in 60 seconds.

#5
August 13th, 2003, 05:01 AM
Thermodyne
Re: OT: RPC Service Shutdown = BLaster Worm

This worm is a bit more nasty than was first reported. The Maryland DMV had a system-wide crash from it today. Our part of the state network was not completely protected by the firewalls (3), or else a pita sneaker-net'd it in. It seems that our Citrix/ICA network was not to its liking. There is a hot fix for XP and another for 2k at Microsoft. The normal updates do not address it at this time. It has the ability to port scan once executed, and while it was thought to only direct an attack against MS, this has proven to be wrong.

2K hot fix http://microsoft.com/downloads/detai...displaylang=en

XP hot fix http://microsoft.com/downloads/detai...displaylang=en

If you have it already, go here http://securityresponse.symantec.com...oval.tool.html

Seriously, this seems to be a bad one.
__________________
Think about it

#6
August 13th, 2003, 10:14 AM
cybersol
Re: OT: RPC Service Shutdown = BLaster Worm

Quote:
Originally posted by Suicide Junkie:
> A firewall or router would have protected you, as well.
>
> Or, just NOT having windows NT/2000/XP installed would work too.

If the firewall had the following features active before initial infection then it would offer good protection:

Quote:
From the Symantec site:
> Block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the applications listed:
>
> TCP Port 135, "DCOM RPC"
> UDP Port 69, "TFTP"

Obviously, if the firewall did not protect those ports then it wouldn't help. Also if the virus was introduced behind the firewall (wired laptop for instance) then the firewall wouldn't help. Finally, because of the future threat of copycat worms it is best to run the Microsoft security update that Thermodyne and I gave links to in order to close this particular buffer overrun issue for good.

I for one am glad the end result of this worm is just rebooting (though that was very annoying at the time) and denial of service attacks. Only HD change was a single additional file and registry entry.

Also note that 2000 users could have this worm and under default OS settings they would not have the constant re-booting behavior that happens on XP. Updating your virus definitions and Microsoft patches just in case could not hurt.

[ August 13, 2003, 09:15: Message edited by: cybersol ]
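
Added example, not part of any post in this thread or of the Symantec advisory: a small log check that flags host pairs between which allowed traffic was seen on all three ports the quoted guidance names (TCP 4444, TCP 135, UDP 69), which is the case where the firewall "did not protect those ports" or the worm was brought in behind it. The log format, the sample lines, the 5-minute window and the function names are assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the Symantec guidance quoted in the thread.
WATCHED = {("TCP", 4444), ("TCP", 135), ("UDP", 69)}
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed sample log (hypothetical format): time action proto src dst dport
SAMPLE_LOG = """\
2003-08-12T21:00:01 ALLOW TCP 10.0.0.7 10.0.0.23 135
2003-08-12T21:00:03 ALLOW TCP 10.0.0.7 10.0.0.23 4444
2003-08-12T21:00:05 ALLOW UDP 10.0.0.23 10.0.0.7 69
2003-08-12T21:01:00 ALLOW TCP 10.0.0.9 10.0.0.50 80
2003-08-12T21:02:00 DENY TCP 192.0.2.44 10.0.0.23 135
2003-08-12T21:30:00 ALLOW TCP 10.0.0.8 10.0.0.31 135
malformed line
"""

def parse(line):
    """Return (time, action, proto, src, dst, dport), or None if malformed."""
    parts = line.split()
    if len(parts) != 6 or not parts[5].isdigit():
        return None
    ts, action, proto, src, dst, dport = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return when, action.upper(), proto.upper(), src, dst, int(dport)

def find_suspect_pairs(log_text, window=WINDOW):
    """Host pairs with ALLOWed traffic on every watched port inside the window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        when, action, proto, src, dst, dport = rec
        # Denied packets mean the firewall did its job; only passed traffic counts.
        if action == "ALLOW" and (proto, dport) in WATCHED:
            events[frozenset((src, dst))].append((when, (proto, dport)))
    suspects = []
    for pair, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {p for t, p in hits[i:] if t - start <= window}
            if seen == WATCHED:
                suspects.append(tuple(sorted(pair)))
                break
    return sorted(suspects)
```

A flagged pair is a lead for the removal tool and the RPC patch mentioned above, not proof of infection, since each port also has legitimate uses.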

All times are GMT -4.