Web Worm Attacks Windows, Spreads Fast, Experts Say

Discussion in 'Industry News' started by Dyre Straits, Aug 12, 2003.

  1. zerodamage

    zerodamage New Member

    well...

    This is what happens when people do not update their OS regularly. The patch for this has been out for a month. It also helps if you use a firewall, preferably hardware if using broadband. Tiny Personal Firewall or Zonealarm if on dial up because MANY people are also getting that have dial up. No one has anyone to blame but themselves.
     
  2. HsuGotaQ

    HsuGotaQ Hydrogenated Dumbass

    Yeouch... That means your RPC service is not running. Therefore you cannot apply the patch (way to go MS for their great intelligence). You've got to re-enable the service in order to apply the patch. Your best chance is to put in the XP CD and choose to update your system (therefore downgrading to revision 2600 if you don't have a slipstreamed version of SP1). Then apply the patch...

    Damn, this worm is really doing some hefty damage. I've gotten about 35 calls this morning from friends and relatives all connected with Videotron Cable internet and all infected with the same worm (here in Quebec). Thank god I re-ghost my machine every 2 months.
     
  3. HsuGotaQ

    HsuGotaQ Hydrogenated Dumbass

    Re: well...

    Kinda, but considering how the Windows operating system has been punctured recently, I'm starting to believe that a Lada or a Pinto has less holes than this OS. I think I'll be going to the dark side after this if I like the new G5 my sister has ordered.
     
  4. krazy1

    krazy1 Live from the Dungeon

    I got this when I installed this patch on all my systems a few weeks ago. Reboot your system and make sure you log in as admin or a user that has admin rights and then it should install fine. Just make sure the first thing you do when the system finishes booting is install the patch.
     
  5. Dyre Straits

    Dyre Straits 10 Grandkids -2 Great-grandsons

    Let's reiterate and update:

    1. I have kept my XP Home up-to-date via the Updates and especially the security patches;
    2. My LAN is behind a router connected to Comcast Broadband Cable;
    3. My McAfee is set to automatically update;
    4. My serious problems started when I followed the above 'solution' to Disable RPC Services;
    5. I'm the only user on my XP Home -- therefore I have Administrative Rights;
    6. I could NOT restore functionality of RPC or Cryptographic Services no matter how I tried;
    7. I attempted to do a Windows XP Home Update from the CD and the Setup Failed due to 'unable to install catalogs'.....'signature invalid' (The Setup attempts to restart on each reboot and fails for the same reason);
    8. Attempting to boot from the Windows XP CD fails due to 'NTLDR not found' (I have tried setting the BIOS only to boot from CDROM....it won't do it);
    9. Attempting to reboot from a 98SE Startup Floppy works, but it fails to recognize my NTFS drive.
    10. Attempting to boot from my Seagate HD Install CD simply causes the Windows Setup to try to restart again.
    11. The saga continues.......
     
  6. krazy1

    krazy1 Live from the Dungeon

    Sounds like it is time to format and redo your system......
     
  7. Luck

    Luck I like to whinge

    Whoa, isn't Longhorn the new operating system for Windows?
     
  8. Lock

    Lock New Member

    Double click on Administrative Tools and double click on Services.
    Note: Some people may find it quicker to start the Services tool by clicking on Start > Run, typing services.msc and pressing Enter.
    Double click on the service called Remote Procedure Call (RPC) and click on the Recovery tab.
    Within the Recovery tab are three sections; these will all say 'Restart the computer'.
    Each one of these must be changed using the drop down box to say 'Take No Action'.

    Once done, immediately click on Apply followed by OK. Your computer may restart anyway at this point. Once it has completed restarting, continue with the rest of these instructions.

    Disable System Restore. To do this click Start followed by right clicking on My Computer. Choose Properties, then the System Restore tab. Put a tick into the box 'Turn off System Restore'. (If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.)

    Open Internet Explorer and connect to the Internet in your normal manner.

    Download Microsoft patch (http://download.microsoft.com/downl...e-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe).
    Download the following patch - http://securityresponse.symantec.com/avcenter/FixBlast.exe
     
  9. OnDborder

    OnDborder New Member

    How does this worm invade your computers??
     
  10. Desert_Siege

    Desert_Siege Professional Slacker

    You better double check that dude...heh.

    I had also applied that patch from MS, as I went to download it again last night and it said the file already existed and I was hit with this thing last night. When booting I got the message from Zonealarm that "msblast.exe" was trying to access the internet and upon clicking "more info" Zonealarm's page gave me the entire spill on denying it, restricting it and the name of the worm. So apparently the patch doesn't always work. Symantec had very easy instructions for removing it right on their front page, but unfortunately their virus definitions didn't detect it properly until yesterday. I have to reason that I picked up this worm some time Sunday night, as I turn off Zonealarm to play BF1942 online and that's probably when someone's machine generated my "lucky" IP address and infected my machine. As near as I can tell, I downloaded this patch last Friday night and yet still got hit with the worm 2 days later. I had received no warnings from Zonealarm until Monday night, but did experience the "RPC error message" twice.

    TO GET RID OF IT:

    I just disabled the MSblast.exe process, disabled system restore completely deleting all restore points.

    Deleted its reg entry in HKLM/software/microsoft/windows/currentversion/run and in the right pane you will see an entry relating to windows auto update and msblast.exe. Delete it.

    Update your AV signatures, download and install the patch from MS.

    Reboot and run the virus scanner and it should find and delete msblast.exe.

    It worked for me and that Stinger program from McAfee and Nortons both report clean.

    NOTE: My machine had NOT gotten to the point that it was totally unusable as Zonealarm runs at startup and gave me the option of blocking access to the internet for msblast.exe. Had it not, I would still be banging my head trying to figure it out. Do yourself a favor and install a decent firewall. Had I not disabled the firewall to play online games, I probably would never have gotten it to start with, but I have corrected that issue :)
     
    Last edited: Aug 12, 2003
  11. krazy1

    krazy1 Live from the Dungeon

    Through open ports:
    69
    135
    445
    4444
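
A read-only check for the indicators mentioned in the posts above (the msblast.exe process, its entry under the HKLM Run key, and the port numbers 69, 135, 445 and 4444), as an added example that is not part of any post in this thread. It assumes a current Windows system with PowerShell and the Get-NetTCPConnection / Get-NetUDPEndpoint cmdlets; the function names are hypothetical.

```powershell
# Added example: read-only triage for the indicators named in this thread.
# It reports only; nothing is deleted, stopped or changed.
$Indicator = 'msblast.exe'            # file name given in the posts above
$Ports     = 69, 135, 445, 4444       # port numbers listed in the thread
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-RunKeyHit {
    # Return Run-key values whose command line mentions the indicator.
    param([string]$Path, [string]$Pattern)
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        $value = [string]$key.GetValue($name)
        if ($value -like "*$Pattern*") {
            [pscustomobject]@{ Check = 'RunKey'; Item = $name; Detail = $value }
        }
    }
}

function Get-ProcessHit {
    # Return running processes whose name matches the indicator's base name.
    param([string]$FileName)
    $base = [System.IO.Path]::GetFileNameWithoutExtension($FileName)
    Get-Process -Name $base -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Check = 'Process'; Item = $_.ProcessName; Detail = "PID $($_.Id)" }
    }
}

function Get-ListenerHit {
    # Return local TCP listeners and UDP endpoints bound to the listed ports.
    # A listener is exposure to review against firewall policy, not proof of infection.
    param([int[]]$Port)
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Port -contains $_.LocalPort } | ForEach-Object {
            [pscustomobject]@{ Check = 'TCP'; Item = $_.LocalPort; Detail = "$($_.LocalAddress) PID $($_.OwningProcess)" }
        }
    Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $Port -contains $_.LocalPort } | ForEach-Object {
            [pscustomobject]@{ Check = 'UDP'; Item = $_.LocalPort; Detail = "$($_.LocalAddress) PID $($_.OwningProcess)" }
        }
}

$findings = @(Get-RunKeyHit -Path $RunKey -Pattern $Indicator) +
            @(Get-ProcessHit -FileName $Indicator) +
            @(Get-ListenerHit -Port $Ports)
if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No indicators found.' }
```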
     
  12. BiGBrOwNPimpsta

    BiGBrOwNPimpsta HH's #1 Hustla and Pimp

    OMG I've been getting calls up the ass! Man, I messed
     
  13. ztride

    ztride New Member

    Re: You better double check that dude...heh.

    This should be the problem most people are having. Though I didn't get it, the other computer and a bunch of other people I know had it. But really, the issue isn't that big, I mean it's pretty obvious when you get hit by a virus of some sort, and manually taking it out with some knowledge about it isn't that bad.
     
  14. BiGBrOwNPimpsta

    BiGBrOwNPimpsta HH's #1 Hustla and Pimp

    Ok guys, how do I reenable the RPC service?!?! Plz tell me! Cause I did it to my friends, now they cannot get their comps working and are pissed at me, cause that's what I found as a possible solution
     
  15. Dyre Straits

    Dyre Straits 10 Grandkids -2 Great-grandsons

    This was the beginning of my own troubles. Nothing short of reinstalling Windows 98SE and upgrading to XP Home has worked.

    That's been my ONLY option....after a complete reformat....

    I only just now got XP Home finished installing and will now proceed to do the updates.
     
  16. Dyre Straits

    Dyre Straits 10 Grandkids -2 Great-grandsons

    AND NOW.....I'm getting the System Shutdown Warning......
     
  17. BiGBrOwNPimpsta

    BiGBrOwNPimpsta HH's #1 Hustla and Pimp

    Now use my solution that will temporarily stop it! but this is not a FIX to stopping the rebooting issue
     
  18. BiGBrOwNPimpsta

    BiGBrOwNPimpsta HH's #1 Hustla and Pimp

    Sorry, adding to it: it will stop the reboot, but if u do restart u will not be able to load anything because RPC is disabled. Apply the patch THEN reenable the RPC to stop it
     
  19. Dyre Straits

    Dyre Straits 10 Grandkids -2 Great-grandsons

    OK...things are starting to return to normal here.

    No more MBLAST.exe on the system....nor in the Registry.

    I've gotten the patches and been able to reset the firewall.


    To get that RPC component functional again, I had to go through the Components option...rather than a straightforward approach in Services. I was able to get to the Services from the Components app. If it helps any, just realize that this worm slows things down a LOT. It took a few moments for the Services list to show up in the Standard tab.
     
  20. BiGBrOwNPimpsta

    BiGBrOwNPimpsta HH's #1 Hustla and Pimp

    Can u give a better descript of how to get it to work step by step, Dyre?
     
