This is important - MAJOR Worm Warning

[railz]

I know this isn't the forum for it, but this seems to get the most views so I had to put this up. I got infected by this worm within 20 seconds of booting up both machines (Desktop running XP Pro and laptop running XP home) - it's VERY nasty and almost caused me to reinstall before I figured out what was happening:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

Turn off auto system restore, install this patch, then go to:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Download the fix utility from this page and run it. Reboot, run it again then when it gives the all clear, turn on system restore again.

[CCM]

I spent an hour and a half at my friends house last night getting rid of that damn worm!  He just got his computer last week, and just got his internet access last Friday.  

I kept getting the NT Authority\system reboot in 1 minute message as soon as I would start to do anything!  So it took forever, it must have rebooted 15 times on me.  

My friend wasn't running any firewall software, but he did have McAfee that came with his computer (great job it did, I hate McAfee!).  What I ended up doing was installing zone alarm, then installed the patch from Microsoft, then I got rid of that piece of crap McAfee and installed Norton.  Then I followed symantec's instructions to get rid of the virus...

[railz]

To fix that, boot up without a connection to the net. Goto Control Panel - > Amin Tools - > Services and locate the RPC service - right click on it, select "properties" and on the "restore" tab, select "Do nothing" for all choices.

Reboot, connect and you can download the patch.

[Raleigh]

Great post, hopefully people will read this and will know what to do when/if this happens, or better yet apply the patch to prevent this from happening.

Last night that started happening to me and I was like WTF
It took about 20 minutes and several shutdowns/restarts but I figured it out and applied the patch.

[railz]

Even if you've applied the patch, check to see if you have been infected. Normally you can see this by either:

Press ctrl+alt+del - go to "processes" and look for msblast.exe
Goto start -> run -> msconfig [enter] - go to the startup tab and look for "msblast" to be run at startup from the registry

In other words, if you've installed the patch before, double check to make sure you've not been infected. Part of the worm tricks Windows Update into thinking it's already been applied.

The public service announcement brought to you by a classic arcade nut who can't afford a cab yet

[TheTick]

Almost everyone at work got infected this morning... as the auto updates were applied to our virus scanners. Just a minute too late I suppose.

Of course last night at 9pm, our deployment team was bugging me saying the terminal server was having trouble.   Guess we know the cause.

[Bill_S]

My brother just called me last night with this problem.

Thanks for the heads up, now I'll know how to fix it!

[tmasman]

yup...
My network @ work was attacked today... All 45 machines needed the patch & remover. My MIS manager still hasn't set us up with an automated instalation method, so I was stuck doing it 1 PC at a time... WHAT A PAIN!!!

I have to say I am embarassed that my network was hit and affected this badly by a virus though. This ought to be the kick in the @$$ my MIS manager needs to set up some automated software distrobution stuff.

Ug...

[Jakobud]

Geez i dont understand how everyone is getting infected so easily with this sort of stuff.  How does it spread?  You aren't opening email attachments from random people are you?  You aren't using Outlook or Outlook Express are you??

[CCM]

Geez i dont understand how everyone is getting infected so easily with this sort of stuff.  How does it spread?  You aren't opening email attachments from random people are you?  You aren't using Outlook or Outlook Express are you??

this is from symantec's site:

When W32.Blaster.Worm is executed, it does the following:


Creates a Mutex named "BILLY." If the mutex exists, the worm will exit.


Adds the value:

"windows auto update"="msblast.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.


Calculates a random IP address, A.B.C.0, where A, B, and C are random values between 0 and 255.

NOTE: 40% of the time, if C > 20, a random value less than 20 will be subtracted from C.


Once the IP address is calculated, the worm will attempt to find and exploit a computer on the local subnet, based on A.B.C.0. The worm will then count up from 0, attempting to find and exploit other computers, based on the new IP.


Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability.

NOTES:
This means the local subnet will become saturated with port 135 requests.
Due to the random nature of how the worm constructs the exploit data, this may cause computers to crash if it sends incorrect data.
While W32.Blaster.Worm cannot spread to Windows NT or Windows 2003 Server, unpatched computers running these operating systems may crash as the result of attempts by the worm to exploit them. However, if the worm is manually placed and executed on a computer that is running these operating systems, it can run and spread.


Creates a hidden Cmd.exe remote shell that will listen on TCP port 4444, allowing an attacker to issue remote commands on the infected system.


Listens on UDP port 69. When the worm receives a request from a computer it was able to connect to using the DCOM RPC exploit, it will send that computer Msblast.exe and tell it to execute the worm.


If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on Windows Update. The worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.


The worm contains the following text, which is never displayed:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

[SirPoonga]

billy gates why do you make this possible ? Stop making money and fix your software!!

He has.  To quote yourself in which you were quoting Symantec:
"While W32.Blaster.Worm cannot spread to Windows NT or Windows 2003 Server"

[SirPoonga]

Geez i dont understand how everyone is getting infected so easily with this sort of stuff.  How does it spread?  You aren't opening email attachments from random people are you?  You aren't using Outlook or Outlook Express are you??

1) Though not openning random emails and not using Outlook will prevent alot of worms, it doesn't prevent all of them.  That's not the only means of transportation of worms.  

2) Not all people have the luxary of NOT running Outlook.  Note how many of the responses are "this happened at my work".

[DeathMonk]

yup...
My network @ work was attacked today... All 45 machines needed the patch & remover. My MIS manager still hasn't set us up with an automated instalation method, so I was stuck doing it 1 PC at a time... WHAT A PAIN!!!

I have to say I am embarassed that my network was hit and affected this badly by a virus though. This ought to be the kick in the @$$ my MIS manager needs to set up some automated software distrobution stuff.

Ug...

From one network admin to another:  Tell your guy he's an idiot.

[CCM]

billy gates why do you make this possible ? Stop making money and fix your software!!

He has.  To quote yourself in which you were quoting Symantec:
"While W32.Blaster.Worm cannot spread to Windows NT or Windows 2003 Server"

the quote about billy gates is actually in the worm.. that wasn't my comment...

[SirPoonga]

billy gates why do you make this possible ? Stop making money and fix your software!!

He has.  To quote yourself in which you were quoting Symantec:
"While W32.Blaster.Worm cannot spread to Windows NT or Windows 2003 Server"

the quote about billy gates is actually in the worm.. that wasn't my comment...

sorry, my bad, I worded that incorrectly. I meant the worm writer, even though symantec report came after the worm was released.  I just like how how people put M$ down for their bugs which you can exploit but they do get fixed eventually.  Windows isn;t the only system like that, just the most popular out there so it's the prime target.

[Minwah]

3 of my colleagues at work got this last night, and 2 more today.  I spent all day trying to fix it (it wasn't detected by Norton).

I thought just deleting c:\windows\system32\msblast.exe was sufficient enough (seems to be no problem now), but maybe I need to go through those steps more carefully tomorrow...

[Dave_K.]

2) Not all people have the luxary of NOT running Outlook.  Note how many of the responses are "this happened at my work".

Wow, who would have guessed running Lotus Notes as your main work email client was a good thing!  

[SirPoonga]

2) Not all people have the luxary of NOT running Outlook.  Note how many of the responses are "this happened at my work".

Wow, who would have guessed running Lotus Notes as your main work email client was a good thing!  

Oh god, I feel sorry for you!

[CCM]

billy gates why do you make this possible ? Stop making money and fix your software!!

He has.  To quote yourself in which you were quoting Symantec:
"While W32.Blaster.Worm cannot spread to Windows NT or Windows 2003 Server"

the quote about billy gates is actually in the worm.. that wasn't my comment...

sorry, my bad, I worded that incorrectly. I meant the worm writer, even though symantec report came after the worm was released.  I just like how how people put M$ down for their bugs which you can exploit but they do get fixed eventually.  Windows isn;t the only system like that, just the most popular out there so it's the prime target.

no problem, I just read it wrong...  anyway, you're right, just about all software has some kind of bugs and eventually needs patched and updated...

[Howard_Casto]

For the record, the fact that windows is exploited so much is a compliment to how popular it is, not to how unsecure it is.  All oses even the "secure" ones have similar security holes.  It's just that nobody uses those oses becuase they suck, including hackers, and thus they don't get as many worms, viri, ect programmed for them.  

[jakejake28]

For the record, the fact that windows is exploited so much is a compliment to how popular it is, not to how unsecure it is.  All oses even the "secure" ones have similar security holes.  It's just that nobody uses those oses becuase they suck, including hackers, and thus they don't get as many worms, viri, ect programmed for them.  

i agree and disagreee with yuo... windows is exploited because of it's popularity, not because it is an unsecure system. if nobody ran windows, people wouldn't do this. but i don't think that other os'es "suck", i run linux at my job, and it is fine for the purpose.

[bionicbadger]

If you run a Microsoft OS and your computer is connected to the net, you have to keep up to date on security patches.  The patch for this has been out for WEEKS.  If you haven't updated, then you have only yourself to blame.

If you have some kind of high speed connection, you should also have a hardware firewall, they are so cheap now that there isn't an excuse not to have one.  (And if you do get or have one, get it updated with the latest firmware patches and change the default password).

People whine and complain about getting hit with a virus or worm, but for some reason most of the problems mysteriously happen to stupid or lazy users who don't bother to get patches, don't use and update a virus scanner and/or firewall, or open e-mails and attachments from unexpected e-mails.

[jerryjanis]

This worm could have been a lot more destructive...  It's actually kind of a good thing because it will force Microsoft to repair a potentially devastating bug, and also to encourage people to protect themselves behind firewalls.   (Hmmm, I think I should probably use a firewall).

Ha ha...  Moments after I fixed the worm, I got this popup on my computer:



Another little reminder that a firewall is a good idea.

Can anybody recommend any good firewall software?  I'm running Windows XP Pro...

[CCM]

Can anybody recommend any good firewall software?  I'm running Windows XP Pro...

zone alarm works great and it's free...

http://www.zonelabs.com/store/content/home.jsp

[DeathMonk]

I heard zonealarm tracks your activity and sends all the info back to their servers..  So don't be downloading anything illegal, say, mame roms.

About the popuppadlock.com "popup" (irony anyone?) that is just adware.  download adaware and scan your system.

[SNAAAKE]

GRRR ! !  
I got one that looked similer in black dos box.
Also asked to click yes or no(can't remember).
This is some kind of virus ? ??  

[tmasman]

Those "Messagner Service" pop-ups are actually an exploit to use Windows Messanger service. It's not a "virus" per say, but it is another MS Exploit. Don't worry, It won't hurt you, it's just another annoying way for spammers to pop-up info in front of you.  If you want to make them go away for good disable your Windows Messanger service.

[railz]

Geez i dont understand how everyone is getting infected so easily with this sort of stuff.  How does it spread?  You aren't opening email attachments from random people are you?  You aren't using Outlook or Outlook Express are you??

This worm doesn't require the end-user/victim to do anything, except have a computer connected to the net that has not had the patch applied and is running various versions of OS that use the NT kernel.

It uses a known bug that was discovered in July that allows a hacker to overflow the RPC service with a packet and allows them to run a TFTP command and execute the code it finds. (In other words, your computer instantly downloads and runs the worm if you want to or not without you doing anything).

[SirPoonga]

As said before, windows isn't the only OS with issues like this.  Unix went through this before.    In unix there is something also called RPC.  It's simular to Windows RPC but not quite the same.

[DZuroff]

According to Symantec this worm is distributed through ports TCP 135, TCP 4444, and UDP 69.  I have a a good firewall at work so none of my servers were infected.  It was kinda funny though because for now I am on a dialup connection on my home PC and I use Norton Anti-Virus 2003.  The virus infected my PC while norton Anti-Virus was in the process of downloading the 8/11/2003 definition file update.  Even though Windows XP has been VERY stable for me for the past 1.5 years, when the reboot timer popped up the second time I was quick to blame the unstability of Windows.  <Grin>  I did find that if you get infected, once you end the "MSBLAST.EXE" process your system won't crash giving you the time you need to apply the patch and do a full virus scan.  Don't forget to remove the registry entry as well!  Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"windows auto update"="mblast.exe"

[CCM]

Norton released a removal tool for this worm... It deletes the msblast.exe file and also fixes the registry...  

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

[soslo]

Can anyone else open the registry using regedit post-worm removal? How about msconfig? Mine will pop open for about one second and then shut down...odd.

BTW, just diasble the messenger service and you won't get those 'pop-ups'

[teef two]

Makes you glad to still be running Win 98SE doesn't it  

[ErikRuud]

AdAware is good, but Spybot search & Destroy has some additional features that I really like.  I use them both, but Spybot can "Immunise" your system against many types of exploits.

[Bill_S]

2) Not all people have the luxary of NOT running Outlook.  Note how many of the responses are "this happened at my work".

Wow, who would have guessed running Lotus Notes as your main work email client was a good thing!  

Here I thought I was the only one stuck with this at work

[anthony691]

For the record, the fact that windows is exploited so much is a compliment to how popular it is, not to how unsecure it is.  All oses even the "secure" ones have similar security holes.  It's just that nobody uses those oses becuase they suck, including hackers, and thus they don't get as many worms, viri, ect programmed for them.  

But HC; I would asume about 75% of Linux users know how to code as opposed to probably 5% of Windows users. I think that there is a brotherhood of Linux. You can't even compare the two. And saying Linux sucks is very ignorant! Where would we be without Apache? And where will you be in M$'s world of the future (longhorn et cetera) with Paladium and DRM up the wazoo?

Just sayin...

[MrBond]

Can anyone else open the registry using regedit post-worm removal? How about msconfig? Mine will pop open for about one second and then shut down...odd.

BTW, just diasble the messenger service and you won't get those 'pop-ups'

I don't know if this is what you have, but it sounds just like it:  I just got/removed a virus that is called W32/Spybot-B.  What it does exactly what you have stated.  It won't allow you to use:
regedit.exe
msconfig.exe
taskmgr.exe
netstat.exe
It also records every keystroke you have made since the time the worm infects your computer, and then sends it via IRC protocal.  You can't end the task (which is TESTING.EXE) in your taskmgr (ctrl-alt-del).  You must download a thrid party task manager, such as Process Explorer from SysInternals which can be downloaded freely from this site: http://www.sysinternals.com/ntw2k/freeware/procexp.shtml (at the bottom)

Hope this helps  

[AlanS17]

My mom's PC got it and so did my brother's. None of the computers at work got it, but we have a pretty good firewall. Got new virus definitions, but I don't know if that's enough. Gonna be working those updates, too. It's just really hard to connect to MS servers right now. They're overloaded with traffic!

[soslo]

MrBond - you are the man! Thanks! That is exactly what I needed!

[ThePaul]

Brotherhood of Linux, Linux is better, blahh blahh blahh .... Same old same old ... If you are an elitist and want a system to do what you want it to do (or be able to change it to do what you want it to do) while not caring about any software that the real world operates on then *nix is for you.

But in the real world, open source and anti MS sentament does not make any sense (or cents). While we are in the habbit of pulling stats out of thin air ... allow me.. I "venture to guess" that .005% of office secretaries use *nix and .005% of executives use *nix based systems as their work station pc.

You can parade your penguin and protest MS every day all you want, but it will not change the fact that Windows and MS Products are what real world business is built on.

As for how many people "know how to code" ... who cares? The vast majority of software is written for productivity related environments. Now.. being a "coder" .. doesn't it make sense to develop for the "vast majority" ? Maybe not if you don't care about making money... but again my post is based on the real world where making money is the purpose for everything.

Every time there is a new worm/virus that effects MS products the *nix and Mac crowd come out of the woodwork to flame the rest of us. Of course if the user base for *nix or Mac was higher we all know that there would be viruses/worms that effected them. Lets be honest though, the reason there are no worms effecting Linux or Macs today is the same reason there are no retail software titles for these OS either.

So be the black sheep (penguin) if you want to be. But don't think you are better because you are different.

For the record, the fact that windows is exploited so much is a compliment to how popular it is, not to how unsecure it is.  All oses even the "secure" ones have similar security holes.  It's just that nobody uses those oses becuase they suck, including hackers, and thus they don't get as many worms, viri, ect programmed for them.  

But HC; I would asume about 75% of Linux users know how to code as opposed to probably 5% of Windows users. I think that there is a brotherhood of Linux. You can't even compare the two. And saying Linux sucks is very ignorant! Where would we be without Apache? And where will you be in M$'s world of the future (longhorn et cetera) with Paladium and DRM up the wazoo?

Just sayin...