OT: RPC Service Shutdown = BLaster Worm

[cybersol]

Some of you already know this, but some may not.

This happened independently to my wife and myself yesterday and today. I also saw here on the forum that General Woundwort had this problem.

So I just wanted to let everyone know that if you see the RPC service is missing and that results in a system shutdown over and over, then you have the BLaster Worm.

To fix it, start with BLaster Worm removal tool from Symmatec. Then you will want to install an run Microsoft RPC Patch. With those two downloaded and run you should be stable enough to go to the windows update site and get all the other security updates just in case

Hope this helps someone,
cybersol

[ August 12, 2003, 21:24: Message edited by: cybersol ]

[Suicide Junkie]

A firewall or router would have protected you, as well.

Or, just NOT having windows NT/2000/XP installed would work too.

[Thermodyne]

Not from the people in the PITA group

Most firewalls are set to let email atachments go by.

[Suicide Junkie]

The firewall would block the Remote Procedure Calls telling your NT-based OS to reboot in 60 seconds.

[Thermodyne]

This worm is a bit more nasty than was first reported. The Maryland DMV had a system wide crash from it today. Our part of the state network was not completely protected by the firewalls (3), or else a pita sneaker-net’d it in. It seems that our Citrix/ica network was not to it’s liking. There is a hot fix for XP and another for 2k at Microsoft. The normal updates do not address it at this time. It has the ability to port scan once executed, and while it was thought to only direct an attack against MS, this has proven to be wrong.

2K hot fix http://microsoft.com/downloads/detai...displaylang=en

XP hot fix http://microsoft.com/downloads/detai...displaylang=en

If you have it already, go here http://securityresponse.symantec.com...oval.tool.html

Seriously, this seems to be a bad one.

[cybersol]

Quote:

Originally posted by Suicide Junkie:
A firewall or router would have protected you, as well.

Or, just NOT having windows NT/2000/XP installed would work too.

If the firewall had the following features active before initial infection then it would offer good protection:

Quote:

From the symantec site:
Block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the applications listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

Obviously, if the firewall did not protect those ports then it wouldn't help. Also if the virus was introduced behind the firewall (wired laptop for instance) then the firewall wouldn't help. Finally, because of the future threat of copycat worms it is best to run the Microsoft security update that Thermodyne and I gave links to in order to close this particular buffer overun issue for good.

I for one am glad the end result of this worm is just rebooting (though that was very annoying at the time) and denial of service attacks. Only HD change was a single additional file and registry entry.

Also note that 2000 Users could have this worm and under default OS settings they would not have the constant re-booting behaivor that happens on XP. Updating your virus definitions and microsoft patches just in case could not hurt

[ August 13, 2003, 09:15: Message edited by: cybersol ]