Skinbase.org

Attention, a new worm going around!

By adni18
968 views 17 replies
adni18
Member
OP
More info about it.

August 12th 2003 11:26 EDT

RPC DCOM WORM (MSBLASTER)
This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly.

Increase in port 135 activity: http://isc.sans.org/images/port135percent.png

**********
NOTE: PRELIMINARY. Do not base your incident response solely on this writeup.
**********

Executive Summary:

A worm has started spreading early afternoon EDT (evening UTC Time) and is expected to continue spreading rapidly. This worm exploits the Microsoft Windows DCOM RPC Vulnerability announced July 16, 2003. The SANS Institute and Incidents.org recommend the following Action Items:

* Close port 135/tcp (and if possible 135-139, 445 and 593)
* Monitor TCP Port 4444 and UDP Port 69 (tftp), which are used by the worm for activity related to this worm.
* Ensure that all available patches have been applied, especially the patches reported in Microsoft Security Bulletin MS03-026.
* This bulletin is available at http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
* Infected machines are recommended to be pulled from the network pending a complete rebuild of the system.

The worm may launch a syn flood against windowsupdate.com on the 16th. It has the ability to infect Windows 2000, XP and potentially 2003.

The worm uses the RPC DCOM vulnerability to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.

Detection: Existing RPC DCOM snort signatures will detect this worm.
The worm is based on dcom.c

Removal and Eradication:

Once you are infected, we highly recommend a complete rebuild of the site. As there have been a number of irc bots using the exploit for a few weeks now, it is possible that your system was already infected with one of the prior exploits. Do not connect an unpatched machine to a network.
If you can not do this and/or the computer resides on a protected or non-Internet connected network, then several Anti-Virus Vendors have supplied tools to assist in removing the worm. However, these tools can not clean up damage from other RPC DCOM malware such as the recent sdbot irc bots. This method of cleaning your system is _not_ recommended, but the URLs are presented below for completeness.

http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
http://www3.ca.com/Files/VirusInformationAndPrevention/ClnPoza.zip
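As an added example (not part of the thread or the SANS writeup), the port chain quoted above (135/tcp exploit, 4444/tcp shell, then the victim fetching the worm over 69/udp tftp) can be turned into a simple detector over connection logs. The log line format and the sample records are constructed for this example; call `find_suspects(SAMPLE_LOG)` to see the flagged host.

```python
"""Added example (not from the thread): flag MSBlaster-style propagation in
connection logs using the port chain from the SANS writeup above:
135/tcp exploit -> 4444/tcp shell -> victim pulls the worm over 69/udp (tftp)."""
import re
from collections import defaultdict

# Constructed log format for this example: "<time> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):\d+\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return (src, dst, proto, dport) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return None if m is None else (m["src"], m["dst"], m["proto"], int(m["dport"]))

def find_suspects(lines, scan_threshold=5):
    """Report sources that fanned out to >= scan_threshold hosts on 135/tcp, or
    completed the full exploit -> shell -> tftp chain against at least one host."""
    rpc = defaultdict(set)    # attacker -> hosts it contacted on 135/tcp
    shell = defaultdict(set)  # attacker -> hosts it contacted on 4444/tcp
    tftp = set()              # (victim, attacker): victim fetched from attacker:69/udp
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if proto == "tcp" and dport == 135:
            rpc[src].add(dst)
        elif proto == "tcp" and dport == 4444:
            shell[src].add(dst)
        elif proto == "udp" and dport == 69:
            tftp.add((src, dst))
    report = {}
    for attacker, targets in rpc.items():
        # A host counts as a confirmed victim only when all three stages were seen.
        victims = sorted(v for v in targets & shell[attacker] if (v, attacker) in tftp)
        if victims or len(targets) >= scan_threshold:
            report[attacker] = {"scanned": len(targets), "victims": victims}
    return report

# Constructed sample: one worm-like host, one benign RPC client, unrelated noise.
SAMPLE_LOG = [f"12:00:{i:02d} tcp 10.0.0.5:1{i:03d} -> 10.0.1.{i}:135" for i in range(1, 9)] + [
    "12:00:09 tcp 10.0.0.5:1099 -> 10.0.1.3:4444",
    "12:00:10 udp 10.0.1.3:1025 -> 10.0.0.5:69",
    "12:00:11 tcp 10.0.0.9:2001 -> 10.0.2.2:135",
    "12:00:12 tcp 10.0.0.7:2002 -> 10.0.2.5:80",
    "not a connection record",
]
```

A single legitimate RPC client that touches 135/tcp once is not reported; only the fan-out or the completed chain is.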
grimspoon
Member
Thanks for that Adni... I just want to point out that if your system is infected, do not panic because:

"...The worm does not appear to erase files or create major damage other than duplicating itself to other e-mail addresses in a computer user's address book."

I have just removed it from my daughter's PC.
doreen
Member
hehe
/me smacks dutchy and pulls his hair argh!
craeonics
Member
/me thinks that had more to do with your choice in music. Them virii have feelings too, you know.
doreen
Member
I don't really panic too much about viruses, but last time I got all big-headed about never having got one or ph33ring one (like my dutchy bro over here), one got me and took out all my tunes in one shot! =(
craeonics
Member
Ha, bring it on, sis!

The horde can handle it:

/me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me /me
doreen
Member
ah when my machine don't start up then I will panic, until then life goes on...

/me goes to e-mail dutchy a nice virus right now *cough* *cough*
batoruco
Member
I caught the msblaster thing two days ago }:| It was a complete nightmare. First I thought it was because I had downloaded an update from Microsoft, which I never do. I was told to copy all the rpc related files from a non-infected computer and I only ended up fuckin up the whole system. I had to reinstall Windows XP, but it was still there. Then I noticed a msblast.exe file in msconfig and found out it was a worm, so I deleted it in DOS by means of a startup disk. Still there. I downloaded the special tool from Symantec to get rid of it, and yes, it detected new copies, but still my machine kept rebooting every five minutes! It was only at 4:00 PM (I started the fight at 8:00 am) that I got the patch from Microsoft and the problem was over. Stupid guys! Both Microsoft and the virus makers!
craeonics
Member
I'm glad I bought this here router with built-in firewall capabilities. I am now completely stealth and thus impervious to any net-based attack.
afi_daysofthephoenix
Member
i caught that damn virus :finger its called the w32.blaster.worm that fukin thing is so damn annoying but i fixed it it was kinda hard like a race against the clock type thing but i fixed it if you need help IM me at my AIM s/n or my yahoo s/n }:|
adni18
Member
apocalypse_67
Member
My port is now in 'stealth' but the worm got thru my remote server, fortunately I got rid of it before it got to my main frame.
Thank you Adni for all this helpful information and instructions.
:smile:
Thank you Jim for the suggestion. :)
adni18
Member
Yes Jim, that is correct! :)

I am also in a "stealth" mode,
but I guess some other people may have problems :(
I hope this long message will help, preventing and solving those problems.
jim373
Member
My Norton's Firewall puts all of my ports in 'stealth' mode, but I installed the windows update anyway....
Everyone should install this update!!
adni18
Member
Good for you Snow :)
snowman
Member
Luckily my port 135 is in 'stealth' mode :D :D
adni18
Member
If you have this worm in your computer here is one way to remove it:

If you are already infected, here is a step by step fix.

W32.Blaster.Worm fix

1.) Disconnect your Cable/DSL/Dial Up modem from your tower
2.) Press CTRL + ALT + DELETE and then click on the processes tab.
3.) Locate the MSBLAST.exe process
4.) Click Start | click Run | type in msconfig
5.) Click Services
6.) Locate the entry for msblast.exe
7.) Uncheck the box to the left of it
8.) Locate the entry for Messenger
9.) Click Apply | Close | Exit without restarting Windows
10.) Click Start | Run
11.) Type in regedit and click Okay
12.) Hit the F3 key
13.) Type in msblast.exe and hit Enter
14.) When the registry editor finds an instance, it will show up in the right hand pane. Delete it
15.) Hit F3 again and delete the entries. Continue until the registry editor has finished searching the entire registry
16.) Click Start | Search | All Files and Folders
17.) Type in msblast.exe. You should find two instances of this file. Delete them both and empty the recycle bin
18.) Go into the control panel and open your Network Connections.
19.) Right click on the Local Area Connection and left click on Properties
20.) Click on the Advanced tab
21.) Check the box to enable the Internet Connection Firewall
22.) Click Okay, close all your windows and restart your system
23.) Reconnect your Internet connection
24.) Go to Microsoft Security Bulletin MS03-026 http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en and download the patch. Don't forget to save it to removable media
25.) Get yourself up to date with the necessary Windows updates
26.) Get an anti virus program ;)