OT: RPC Service Shutdown = BLaster Worm

[cybersol]

Some of you already know this, but some may not.

This happened independently to my wife and myself yesterday and today. I also saw here on the forum that General Woundwort had this problem.

So I just wanted to let everyone know that if you see the RPC service is missing and that results in a system shutdown over and over, then you have the BLaster Worm.

To fix it, start with BLaster Worm removal tool from Symmatec. Then you will want to install an run Microsoft RPC Patch. With those two downloaded and run you should be stable enough to go to the windows update site and get all the other security updates just in case

Hope this helps someone,
cybersol

[ August 12, 2003, 21:24: Message edited by: cybersol ]

[Suicide Junkie]

A firewall or router would have protected you, as well.

Or, just NOT having windows NT/2000/XP installed would work too.

[Thermodyne]

Not from the people in the PITA group

Most firewalls are set to let email atachments go by.

[Suicide Junkie]

The firewall would block the Remote Procedure Calls telling your NT-based OS to reboot in 60 seconds.

[Thermodyne]

This worm is a bit more nasty than was first reported. The Maryland DMV had a system wide crash from it today. Our part of the state network was not completely protected by the firewalls (3), or else a pita sneaker-net’d it in. It seems that our Citrix/ica network was not to it’s liking. There is a hot fix for XP and another for 2k at Microsoft. The normal updates do not address it at this time. It has the ability to port scan once executed, and while it was thought to only direct an attack against MS, this has proven to be wrong.

2K hot fix http://microsoft.com/downloads/detai...displaylang=en

XP hot fix http://microsoft.com/downloads/detai...displaylang=en

If you have it already, go here http://securityresponse.symantec.com...oval.tool.html

Seriously, this seems to be a bad one.

[cybersol]

Quote:

Originally posted by Suicide Junkie:
A firewall or router would have protected you, as well.

Or, just NOT having windows NT/2000/XP installed would work too.

If the firewall had the following features active before initial infection then it would offer good protection:

Quote:

From the symantec site:
Block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the applications listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

Obviously, if the firewall did not protect those ports then it wouldn't help. Also if the virus was introduced behind the firewall (wired laptop for instance) then the firewall wouldn't help. Finally, because of the future threat of copycat worms it is best to run the Microsoft security update that Thermodyne and I gave links to in order to close this particular buffer overun issue for good.

I for one am glad the end result of this worm is just rebooting (though that was very annoying at the time) and denial of service attacks. Only HD change was a single additional file and registry entry.

Also note that 2000 Users could have this worm and under default OS settings they would not have the constant re-booting behaivor that happens on XP. Updating your virus definitions and microsoft patches just in case could not hurt

[ August 13, 2003, 09:15: Message edited by: cybersol ]

[Richard]

Quote:

Originally posted by cybersol:

quote:

---

Originally posted by Suicide Junkie:
A firewall or router would have protected you, as well.

Or, just NOT having windows NT/2000/XP installed would work too.

If the firewall had the following features active before initial infection then it would offer good protection:

Quote:

From the symantec site:
Block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the applications listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

Obviously, if the firewall did not protect those ports then it wouldn't help. Also if the virus was introduced behind the firewall (wired laptop for instance) then the firewall wouldn't help. Finally, because of the future threat of copycat worms it is best to run the Microsoft security update that Thermodyne and I gave links to in order to close this particular buffer overun issue for good.

I for one am glad the end result of this worm is just rebooting (though that was very annoying at the time) and denial of service attacks. Only HD change was a single additional file and registry entry.

Also note that 2000 Users could have this worm and under default OS settings they would not have the constant re-booting behaivor that happens on XP. Updating your virus definitions and microsoft patches just in case could not hurt

---

Actually most end user firewalls should protect them out of the box, unless they opened something manually.

[Thermodyne]

OK, here is a little update. It looks like it got set loose by hacking a backbone switch. And uses a port that is usually open on firewalls.

_______________________________________________

BLaster worm continues to cause Microsoft Windows havoc

Thing continues to proliferate

By INQUIRER staff: Wednesday 13 August 2003, 10:52

NO-ONE IS entirely sure how many Windows 2000 and XP machines have been infected by the backdoor BLaster/LovScan worm since it emerged at the start of the week but estimates range in the hundreds of thousands so far.
But one senior US support technician, speaking to the INQ on terms of anonymity, said that the extent of the problem is greater than virus firms have so far estimated.

Despite being described by Symantec and other anti-virus firms as being "badly written", he told us today: "Whoever made this thing deserves a pat on the back. It completely goes around most forms of existing Windows security".

It does appear to have affected individuals and small businesses, rather than large corporations, mostly because many people are unaware of the type of things you need to do these days to protect yourself.

Not only do we have viruses and worms, machines can be affected and slowed down by spyware, by Messenger-inspired pop-ups. And then there's spam.

While Microsoft did notify that a security hole in its software should be patched on July 16th, it seems many people didn't bother to do so. The problem is that Microsoft regularly issues so many patches that inexperienced Users may not realise they need to download them.

It's not just inexperienced Users, however. Many large corporations and organisations have policies about patches, recognising that it's unrealistic to upgrade or "patch" hundreds or perhaps thousands of machines. Even large ISPs failed to patch a gaping hole exploited by SQL Slammer earlier this year, causing widespread downtime further down the line.

The technician claimed that someone had hacked a high level internet switch at Genuity, a large backbone provider in the USA.

The worm, he said, spreads using Remote Administration. Windows 2000 and Windows XP automatically accepts remote administration commands from switches, routers and hubs. He claimed that in his office, also located in the USA, got 12,000 calls from XP Users in California alone – an extra 40 calls per agent per shift.

The worm itself is relatively easy to destroy, once Users have figured out what the problem is. But it doesn't always show the same symptoms to the same user, meaning that it can take a while for Users to realise that it's an infection, and not just a problem with the operating system itself. µ