The NEW Build Your Own Arcade Controls


Title: Blaster Worm-like activity
Post by: shmokes on September 21, 2005, 12:53:33 pm
Is anyone having that 60 second count-down thing happening?  I suddenly have two computers, both 2000 pro machines, repeatedly popping up the RPC error message where you get 60 seconds before a forced reboot.

My up-to-date McAfee gives it a clean bill of health.  I also downloaded and installed AVG antivirus, Microsoft's blaster-worm patch, and ran Symantec's Blaster/Nebiwo removal tool and McAfee's Stinger.

According to anything I throw at the computers they are clean, but it's got to be a virus.  Two computers in two offices developed the problem at exactly the same time.  It's killing me.  Anyone?
Title: Re: Blaster Worm-like activity
Post by: Havok on September 21, 2005, 12:58:57 pm
Try the MSRT - it's updated every month:

http://www.microsoft.com/downloads/details.aspx?FamilyID=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

One other thing: do you use SMS?
Title: Re: Blaster Worm-like activity
Post by: missioncontrol on September 21, 2005, 04:12:03 pm
I'm running 2000 pro and not having any problems here.....

Title: Re: Blaster Worm-like activity
Post by: ChadTower on September 21, 2005, 04:13:01 pm

Could be the problem is on a controlling server and not local.  Forced reboots happen at the command of a network controller.
Title: Re: Blaster Worm-like activity
Post by: mrhowell on September 22, 2005, 09:15:28 am
Go to control panel. Run administrative tools. Run services.  Find Remote Procedure Call (RPC) and double click.  Under the recovery tab, set all three to take no action if they are set to restart.  The blaster fix I use has always worked.  If you need it, send me a message and I will email it to you.
Title: Re: Blaster Worm-like activity
Post by: ChadTower on September 22, 2005, 09:19:52 am

If it is a work machine, he is not likely a local admin.  He probably can't do what you're describing.
Title: Re: Blaster Worm-like activity
Post by: abrannan on September 22, 2005, 09:24:41 am
Wow, that's old stuff.  That's LSASS exploit activity (MS04-011 patch).  The same vulnerability that gave rise to the Sasser worm in April 2004.  The 60 second countdown thing occurs when you overflow the buffer in the LSASS process.  It could be that your AV is protecting you from the actual virus code being run on your system, but you're still rebooting from the vulnerability being exploited.  Get the patch installed, and (if you have the appropriate rights) get windump and watch port 445 traffic on your NIC.  You'll probably see something hitting you fairly frequently that shouldn't be (something that's not a Domain controller, file server, or helpdesk PC).  That's probably the Sasser-infected system.
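
The port 445 check described in the post above, as an added example that is not part of the original thread: it reads text output saved from `windump -n tcp port 445` and lists the hosts that keep opening connections to this PC's port 445 and are not on a list of machines expected to do so. The addresses, the sample capture, the function names and the threshold are all constructed assumptions.

```python
import re
from collections import Counter

# One TCP line of windump/tcpdump "-n" output. Older builds print the flags as
# "S 1000:1000(0)", newer ones as "Flags [S], seq 1000"; both are accepted.
PKT = re.compile(
    r"IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<new>[^\]]+)\]|(?P<old>\S+))(?P<rest>.*)"
)

def smb_syn_sources(lines, local_ip):
    """Count inbound connection attempts (bare SYNs) to local_ip:445 per source."""
    counts = Counter()
    for line in lines:
        m = PKT.search(line)
        if not m or m["dst"] != local_ip or m["dport"] != "445":
            continue  # not TCP, not addressed to us, or not port 445
        flags = m["new"] or m["old"]
        # Old-style output shows a SYN-ACK as "S ... ack N"; new style as "S.".
        if flags == "S" and " ack " not in m["rest"]:
            counts[m["src"]] += 1
    return counts

def unexpected_sources(lines, local_ip, expected, min_syns=3):
    """Sources outside the expected set (DC, file server, helpdesk) with >= min_syns attempts."""
    counts = smb_syn_sources(lines, local_ip)
    return [(ip, n) for ip, n in counts.most_common()
            if ip not in expected and n >= min_syns]

# Constructed sample capture: this PC is 10.0.0.20, the domain controller is 10.0.0.5.
# Both flag styles are mixed here only to exercise the parser.
SAMPLE = """\
09:24:41.100000 IP 10.0.0.57.1042 > 10.0.0.20.445: S 1000:1000(0) win 16384 <mss 1460>
09:24:41.101000 IP 10.0.0.20.445 > 10.0.0.57.1042: S 2000:2000(0) ack 1001 win 17520
09:24:42.300000 IP 10.0.0.57.1043 > 10.0.0.20.445: S 1100:1100(0) win 16384 <mss 1460>
09:24:43.500000 IP 10.0.0.57.1044 > 10.0.0.20.445: Flags [S], seq 1200, win 16384, length 0
09:24:44.000000 IP 10.0.0.5.2301 > 10.0.0.20.445: S 3000:3000(0) win 16384 <mss 1460>
09:24:45.000000 IP 10.0.0.88.1500 > 10.0.0.20.445: S 4000:4000(0) win 16384 <mss 1460>
09:24:46.000000 IP 10.0.0.20.1099 > 10.0.0.5.445: S 5000:5000(0) win 16384 <mss 1460>
09:24:47.000000 IP 10.0.0.57.1042 > 10.0.0.20.445: . ack 2001 win 17520
09:24:48.000000 IP 10.0.0.57.1050 > 10.0.0.20.80: S 6000:6000(0) win 16384
"""

if __name__ == "__main__":
    for ip, n in unexpected_sources(SAMPLE.splitlines(), "10.0.0.20", {"10.0.0.5"}):
        print(f"{ip}: {n} connection attempts to port 445")
```

A host that shows up here is a candidate to be checked for infection and patched; the threshold only filters out one-off connections.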
Title: Re: Blaster Worm-like activity
Post by: ChadTower on September 22, 2005, 09:27:51 am

Ask if you're the only one getting it.  If everyone is, then it may actually BE the domain controller.

Of course, this isn't your job.  Nice network admins you have there.