RPC DCOM Worm On The Loose 604

Posted by simoniker
from the uh-oh-spaghettios dept.
GPez writes "The first of I'm sure many RPC DCOM worms affecting Windows is on its way, according to the Internet Storm Center. Patch those systems!" According to the site, "The worm uses the RPC DCOM vulnerability [affects Win2k through Server 2003] to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp."
  • Great (Score:5, Funny)

    by mjmalone (677326) * on Monday August 11, 2003 @03:58PM (#6669245) Homepage
    The security team at my office has been scrambling to secure all of our systems before such a worm was developed. I hope they are done!

    Will blocking port 135 at the router stop this worm? Seems like a simple solution for the short term. I would like to see the source for the worm, does anybody have it?
    • Re:Great (Score:5, Funny)

      by rylin (688457) on Monday August 11, 2003 @04:00PM (#6669271)
      I have a copy! You can fetch from 212.192.128.76:4444 ;)
      • Re:Great (Score:3, Funny)

        by Frymaster (171343)
        in case the above gets slashdotted, the code is:

        An error occured while loading http://212.192.128.76:4444:
        Could not connect to host 212.192.128.76 (port 4444)

    • Re:Great (Score:4, Funny)

      by dieMSdie (24109) on Monday August 11, 2003 @04:05PM (#6669324)
      Sure!

      Open all your ports and I'll see what I can do!

    • Will blocking port 135 at the router stop this worm? Seems like a simple solution for the short term. I would like to see the source for the worm, does anybody have it?


      It will at least slow it down, one hopes.

      Also block 4444 since the worm is centrally propagating and uses that port to transmit itself.

      Fortunately the virus is easy to remove. However, I don't know what its security ramifications are.
    • Re:Great (Score:5, Insightful)

      by ciroknight (601098) on Monday August 11, 2003 @04:15PM (#6669446)
      Yes it will work, I know from experience. My community here in Berea has been pretty slammed by this worm, and I've been telling everyone to just firewall off all the ports they don't use. It seems the virus can only connect on ports 135/445 though, so still no worries here. I've been running ZoneAlarm, a great firewall for Windows users, to help solve my problem.
    • by billstewart (78916) on Monday August 11, 2003 @06:24PM (#6670740) Journal
      Blocking the various Microsoft ports will help prevent infections, but you should also block 4444 (the port the worm uses to communicate with other worms and the WormMaster) and (if it won't disrupt too much of your other activities, which it shouldn't) block tftp (which the worm uses to download attack code after getting infected.)

      That's not generic advice for the DCOM bug - for that you'll need to catch whichever of the MS ports are being abused this week. But it's guesswork advice for this particular instantiation of a worm that's exploiting it so you can at least slow down this one and isolate damage, and work on patching the actual holes in Windows so that you can prevent next week's worm that uses the same bug but some other inter-worm communication path from getting in.

      At least on the couple of machines I've looked at, TCP 4444 isn't used for anything (there's a UDP 4444 used for Kerberos 4-to-5 conversion or something.) TFTP gets used for things like uploading operating system versions to diskless PCs and routers, and still isn't something you should be accepting from the outside world, and for the most part (YMMV) is only used by administrators who are better off stomping worms first and upgrading routerware later. The Microsoft ports are used by all kinds of Microsoft applications - you almost certainly should be blocking them to and from the outside world, but whether to block them inside your internal nets, and where, is a decision you'll need to make based on how much of which MS network products you're actually using. (e.g. you don't want to kill all your thin-client PCs by killing off their mounts of the file servers - but you also don't want them infecting each other.)

    • Re:Great (Score:3, Insightful)

      by Bartmoss (16109)
      It will work until some idiotic user connects his company-owned notebook computer to your network - since it's unpatched, he got infected last night at home.
  • by Znonymous Coward (615009) on Monday August 11, 2003 @04:01PM (#6669274) Journal
    It's called a firewall. It's protected me from Nimda, Code Red, etc.
  • Balmer (Score:2, Funny)

    by Anonymous Coward
    Developers developers developers..

    erm...

    security security security... erm ...

    um...

    somebody get me more cocaine!
  • users being hit hard (Score:5, Informative)

    by towaz (445789) * on Monday August 11, 2003 @04:01PM (#6669280)
    the call centre here is off the scale with people ringing in with rpc problems...
    all xp users though
    • by Sorthum (123064) on Monday August 11, 2003 @04:11PM (#6669396) Homepage
      Are the calls mostly centered around actual problems, or is it users doing their famous "I heard about the RPC bug, and now my computer won't boot!" routine? When Code Red came out, for instance, we saw everything from bad disks to dialup issues being blamed on it, solely because people didn't listen to anything past "the world is calling" chicken-littleisms.
      • The silly thing is that most people called back when it was announced, (thanks evening news doomsayers...), with the fear of the "hackers" all through them. Now they're acting miffed when I say "a security issue that was announced in July has not been patched on your system"... some guy even angrily took down the long distance # for MS support, because his pirate XP wouldn't auto update...
  • Credit... (Score:5, Informative)

    by chill (34294) on Monday August 11, 2003 @04:01PM (#6669285) Journal
    At least Microsoft was nice enough to credit LSD in the tech note.
    • by Dom2 (838)
      Once again proving that they are doing little more than deriving from Unix:
      There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence.
      -- Jeremy S. Anderson

      From your local neighbourhood fortune cookie file.

      -Dom

      • Re:Credit... (Score:3, Informative)

        by jandrese (485) *
        You know, that joke is even funnier when it's told correctly:
        There are two major products that come out of Berkeley: LSD and BSD. We don't believe this to be a coincidence.

        -- Jeremy S. Anderson
    • by GnomeKing (564248) on Monday August 11, 2003 @04:35PM (#6669642)
      At least Microsoft was nice enough to credit LSD in the tech note.

      Is that what they were taking when they wrote the code?
  • this vulnerability... (Score:5, Interesting)

    by garcia (6573) * on Monday August 11, 2003 @04:01PM (#6669286)
    if you use this vulnerability against someone (usually people that hit your web server with /default.ida) you get access to a C:\ prompt. You can look around, run format, etc.

    It's quick to crash the machine (apparently) as the remote becomes unusable (pingable though).

    It's actually pretty nasty from what I have seen... I just wonder how effective the worm will be when the machine becomes unresponsive after a few commands?

    Perhaps it won't spread as fast as others because of this problem? I suppose we can hope.
  • by Kappelmeister (464986) on Monday August 11, 2003 @04:02PM (#6669289)
    Developers: RPC DCOM Worm On The Loose

    Shouldn't that be:

    Developers, Developers, Developers, Developers, Developers, Developers, Developers, Developers, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!: RPC DCOM Worm On The Loose
  • I was *just* surfing D-Shield [dshield.org] and was reading a notice about a captured worm. Sure enough, as soon as this article appeared.. the site is DOWN.. that really is something to see, even I get shocked every now and again.
  • Security Advisory (Score:5, Informative)

    by Blangopolis (695958) on Monday August 11, 2003 @04:03PM (#6669301)
    The security advisory can be found here [secunia.com].

    After reading the advisory, it looks like this one is going to be a bad one. I'm no expert, but I would guess that this thing is going to be around as long as code red was (and I'm still getting code red hits in my logs!)

  • Effects (Score:5, Informative)

    by Papa Legba (192550) on Monday August 11, 2003 @04:05PM (#6669320)
    This worm is bugged it seems. From XP systems I have seen it throws an error to the screen about RPC services and reboots the system. On Windows 2000 Pro it crashes the svchost and a lot of stuff stops working. Just an FYI for those trying to diagnose systems right this minute.

    Cagliostro
    • Re:Effects (Score:3, Funny)

      by PolyDwarf (156355)
      Diagnose their systems this very minute? Screw the systems, there's /. to read!!
    • The worm isn't buggy...Windows is. (well, they both have issues, but your machine going down isn't necessarily the worm coder's fault.)

      Apparently there are two problems with RPC: one is a DCOM overflow, which this worm is exploiting...the other is a DoS, which shuts RPC down. Once RPC goes down, Windows wants to reboot. Microsoft has not yet offered a patch for the DoS yet, which means this worm is going to suck.
  • by Anonymous Coward on Monday August 11, 2003 @04:05PM (#6669321)

    UNC-Chapel Hill South Campus [Medicine, Pharmacy, Nursing, etc] has been slammed by this thing.

    The tragic part is that Microsoft posted the patch almost a month ago:

  • by wondergeek (220755) on Monday August 11, 2003 @04:05PM (#6669322)
    I was working on my parents' computer (Windows XP) remotely today when this started happening. I was installing some new software for them and I had also just disabled that stupid Messenger service so they would stop getting those pop-up spam messages.

    Anyhow, I had just finished that when XP said it was shutting down in 30 seconds. I was like, WTF!

    Here I am thinking that I just screwed up their machine with the new apps somehow.

    Thanks a bunch, Billy. Guess they'll be punting this one to Longhorn :)
  • Virus Worm Out (Score:2, Informative)

    by Anonymous Coward
    Hello everyone ..

    I work for a small ISP ... Seems a worm has been released. We have received a number of calls about people's systems shutting down with the following error: NT Authority System .. etc. etc.

    And the computer restarts.. This happens about every 40-60 Seconds making it "almost" impossible to Patch the Computer. Just a heads up for ANY IT Guys out there :)
    • How to patch (Score:3, Informative)

      by einhverfr (238914)
      Enable Internet Connection Firewall, apply patch, remove virus :-)

      The first is necessary because it is the buffer overrun which reboots the computer.

  • by Anonymous Coward on Monday August 11, 2003 @04:06PM (#6669339)
    This is our number of dropped TCP 135 requests at our border since noon today, per 30 mins, seen on our 2 Class Bs:

    57,003 1200 to 1230
    75,317 1230
    59,321 1300
    52,642 1330
    130,932 1400
    202,996 1430
    277,183 1500
    247,682 1530
    320,919 1600
    361,504 1630 to 1700

    milspec
    • We're seeing a steady upward trend in 135 reqs too. Much worse from our backup ISP than our primary. We've got our firewalls flicking these off at the doorstep but then again they were never allowed in in the first place.
  • go ME! (Score:5, Funny)

    by StevenHallman76 (455545) on Monday August 11, 2003 @04:06PM (#6669340)
    Affected Software:

    * Microsoft Windows NT(R) 4.0
    * Microsoft Windows NT 4.0 Terminal Services Edition
    * Microsoft Windows 2000
    * Microsoft Windows XP
    * Microsoft Windows Server(TM) 2003

    Not Affected Software:

    * Microsoft Windows Millennium Edition


    finally! all these years of running Win ME have paid off! so long suckers!
  • OMG (Score:5, Funny)

    by stephenry (648792) on Monday August 11, 2003 @04:07PM (#6669352)
    OMG! It's not a worm, ITS SKYNET! It's taking over! Make your time, judgement day is nigh!
  • by Anonymous Coward on Monday August 11, 2003 @04:07PM (#6669354)
    I've been digging around the web, and I can't seem to find out how to protect myself. I can't seem to find anything that prevents this virus from attacking my linux or as/400 servers. Help!
  • Erkk (Score:3, Informative)

    by Anonymous Coward on Monday August 11, 2003 @04:07PM (#6669358)
    Got hit by this earlier today, I'm not normally a slouch with these things but this one really hit me hard, took me 4 restarts to find out what was going on. (As every time I connected to the net I was immediately given 60 seconds before another auto restart) I can see how non-techies are gonna be totally screwed by this.

    All I can say is change the properties of your RPC service repair functions. Start -> Administrative Tools -> Component Services -> Services (local). This will at least give you time to go online and download the MS patch, which we should have done weeks ago I know :)
  • Not quite safe: (Score:5, Informative)

    by Telastyn (206146) on Monday August 11, 2003 @04:09PM (#6669370)
    http://www.kb.cert.org/vuls/id/326746

    win2k machines are still vulnerable to a dos; even patched.

    Thanks microsoft...
  • My JBoss server was listening on port 4444, so I got a call from the IS guys who thought my PC was compromised.
  • by venom600 (527627) on Monday August 11, 2003 @04:12PM (#6669414) Homepage Journal
    Everybody keeps posting that they have this or that port blocked on their firewall, so they're safe. Not so. All it takes is one person inside your network to open the wrong file attachment, or one laptop that went outside the network and then came back in to infect your internal network.
  • I'm safe (Score:5, Funny)

    by teamhasnoi (554944) * <teamhasnoi@@@yahoo...com> on Monday August 11, 2003 @04:16PM (#6669455) Homepage Journal
    I've rolled a saving throw against remote infection and I have +3 Fireproof armor, however I am still vulnerable to hot wood elves.

    You did say this was a RPG worm, right?

  • It looks like the worm affects svchost.exe (the Generic Host Process), and keeps restarting the computer. At first I thought that some of my hardware was failing, but after reading dozens of posts on Usenet about similar problems, I wasn't really sure. So I researched a bit on Google, and found the MS security bulletin. After patching my system, the problems seem to have gone. I guess I should have followed more closely Microsoft's security announcements.

    So, if you have strange issues with the RPC, or are
    • > It looks like the worm affects svchost.exe (the Generic Host Process),

      "Uh, WTF is SVCHOST.EXE, and why the fuck does it always bind itself to 445, and how can I make it stop doing that? I don't know what it's listening for, but I know that for what I'm using this box for, I don't need it, so why can't I disable the offending process?"
      - Me, the first time I played with a W2K box.

      "So SVCHOST does too much stuff to just kill it, but how can I at least stop it from binding to 445? I know I'm not

  • SP3? (Score:4, Interesting)

    by poptones (653660) on Monday August 11, 2003 @04:17PM (#6669465) Journal
    Are there really that many win2k systems not even running SP3? That's not the only fix, but I have a box here that has had zero patches except SP3 and DCOM is disabled by default - which pretty much makes this "buffer overflow" a non issue. Doesn't XP also install (by default) DCOM disabled? So where is all this traffic coming from? People too nervous to install SP3? People too stubborn to stop using NT4?
  • WINE? (Score:2, Funny)

    by Anonymous Coward
    Does anyone know if WINE supports this worm yet? I would like to test it out but I don't have Windows on my desktop.

    Thanks.
  • by Speed Racer (9074) on Monday August 11, 2003 @04:20PM (#6669493)
    A friend of mine called me about 3 hours ago saying that her brand new Windows XP notebook kept rebooting with some strange message about RPC. I had her download the free version of ZoneAlarm [zonelabs.com] and that blocked the worm and let her stay online long enough to download the patch. If you know somebody that's getting hammered, have them give ZoneAlarm a shot.
  • More diagnoses info (Score:5, Informative)

    by Papa Legba (192550) on Monday August 11, 2003 @04:20PM (#6669496)
    On XP you are getting two error codes.
    The first is a system shutdown window telling you that the RPC service must be restarted. This gives you 30 seconds before reboot. Initiated by NT Authority\system. This is a successful XP infection.

    The other is Windows cannot open this file:

    File: TFTp784

    This appears to be an unsuccessful try.

    For windows 2000 it crashes svchost trying to get in it appears. Just apply the patch to stop the crashes. It does not appear to get into the system in this case

    Hope this helps everyone

    Cagliostro
  • by brandonY (575282) on Monday August 11, 2003 @04:23PM (#6669518)
    My girlfriend called me not 20 minutes before this article went up asking what RPC was and why it was shutting her computer down whenever she got on the Internet. A quick glance at this article's headline followed by a thorough read of Symantec's removal instructions led to me calling her back and another day saved! Thanks, Slashdot! Thanks, Symantec Security Response Team!
  • by hey (83763) on Monday August 11, 2003 @04:25PM (#6669540) Journal
    Sure there's a bug now. But Microsoft picking DCE RPC for DCOM was a nice thing for the open source community since its a documented protocol. There's a project supporting it on Linux: freedce [sourceforge.net]. I have used freedce to communicate between Linux and Windows. It's nice.
  • by drgroove (631550) on Monday August 11, 2003 @04:26PM (#6669555)
    At first, I couldn't figure out why Task Manager suddenly stopped working. Launching TaskMan.exe resulted in an error message "Task Manager has been disabled by the Administrator".

    Odd, I thought. I *am* the administrator.

    I realized I had been hit by a virus or worm when I rebooted and the autoexec.bat file opened up during my login. Not good.

    Norton didn't pick up on this one at all; furthermore, McAfee's online virus/worm searching tool found a related virus, but not the actual baddie.

    The virus that McAfee located - which probably came in after the worm opened up all those ports in my firewall - were in \WINNT\msagent\intl. Basically, anything in that directory that *isn't* a .dll file, delete them.

    The worm itself is in \WINNT\system32\, and is called 'msconfig[nn].exe', where [nn] is interchangeable with two numbers. Mine was 'msconfig35.exe', I've read reports on various forums of others w/ '32' and '33' after the 'msconfig'.

    Be careful here, as this app will spawn identical, hidden copies of itself with random names (like 'dwigjenjig.exe' or 'zajdfanltef.exe'). The easiest way I found to discern between real MS files and the worm was by looking at the last modified date displayed by Explorer, vs the last modified date that pops up when you mouse over the file name. All of the worm files had discrepancies between the two.

    Hope that helps someone out there!
    • by Spy Hunter (317220) on Tuesday August 12, 2003 @12:36AM (#6672846) Journal
      Actually, that's a different worm. I should know, I've been infected by both of these in the last week :-) I've been running an unpatched XP install on my desktop. I don't have any antivirus software installed (the only really successful worms are the ones that aren't stopped by antivirus software, what's the point?) so I have to defeat viruses myself in open combat ;-)

      Anyway, the one thing I found that killed them both is Notepad. Just open up the executable in Notepad, type a few random characters here and there, erase some things, mess up the file header, and then save right over the virus! They're never expecting that. Make sure to kill the virus processes first, of course, or else you'll get the infamous "access violation". (In the case of msconfig32.exe, you must use the command-line tools 'tasklist' and 'taskkill') The viruses might restore themselves if you remove them from the registry, or delete the file, but they're not expecting you to corrupt the executable. If Windows, in its infinite stupidity, tries to run the virus again, it will fail harmlessly.

      P.S. I know, I know, you're wondering why I'm running an unpatched XP install on my desktop. Well, I just reinstalled, and only have dialup, and I'm going back to college in a month where there's super-broadband. Downloading 30+ MB (conservative estimate) of service packs, patches, hotfixes, and updates over dialup (not even 56k, more like 28.8) seems pointless. Besides, it's interesting seeing actual virus infections happen and fixing them myself. If anything goes horribly wrong, I have my XP cd right here to reinstall again. I'll be reinstalling and patching when I get back to a real internet connection.

  • by Anonymous Coward on Monday August 11, 2003 @04:30PM (#6669589)
    Stanford has been hit pretty hard [stanford.edu] by this. 2,400 of their 20,000 machines compromised!

    And Cal(Berkeley) is blocking their network from outside access [theargusonline.com] starting today for four days. Makes me wonder how many other large networks have been compromised, but don't know it.

    I'm glad I don't work at Stanford.....don't envy them having to wipe 2,400 machines and sort through files that need to be replaced.....trying to avoid trojans, etc

  • The fun begins... (Score:3, Informative)

    by PhoenixFlare (319467) on Monday August 11, 2003 @04:32PM (#6669613) Journal
    ~50 hits on my router in just the last half-hour or so, 90% of them from Rochester and NYC RoadRunner addresses.

    I have a feeling this worm will hit especially hard on home broadband users that never touch Windows Update.
    • Re:The fun begins... (Score:3, Informative)

      by k-hell (458178)
      Yep, you got that one right. I just helped a friend of mine here in Boston getting rid of the worm. He's on AT&T broadband and hasn't been using Windows Update in a couple of months.

      He called me because he got this "strange error message" when he logged in, saying that there was "something wrong" with RPC, and that he had 1 minute to save his files before the machine rebooted. I thought "riiight, RPC.. I guess we need to check your running processes and your registry here..". And of course, msblast.exe
  • Quick-Fix (Score:4, Informative)

    by Chaymus (697182) on Monday August 11, 2003 @04:34PM (#6669635)
    So I load up my /. as my homepage, take a look at the first headline, RP-What? Read up a bit, go: "Huh, that's interesting" and head off to my email site. Bam! I get pegged with this worm and my computer shuts down. For anyone else in the same boat as me, you can still download the patch using the infected computer by typing: services.msc. There will be two services listed that are directly linked to this worm under the Remote Procedure Call heading; just look through the list in the standard tab. You can bypass it by going into the properties and changing the crash executions to "Do nothing" instead of restarting your computer. I was able to download the patch via the website and am now looking for a way to rid myself of this worm. Firewalls eh? I've heard of them, but then what else am I going to do in my spare time?
  • Egress Filtering (Score:4, Insightful)

    by ThatDamnMurphyGuy (109869) on Monday August 11, 2003 @04:36PM (#6669649) Homepage
    I've said it before, and I'll say it again.

    While there is no excuse for not updating your systems, some people can't do so because of business policy reasons (non-tested patches against business critical systems).

    EVERYONE with a server on the internet should also have Egress filtering in place. 486 machines are cheap. Unix/Linux firewalls are free. On the off chance you do get the M$ IS$ Worm of the week, at least your server can't initiate an outgoing connection to download more code and move on to the next system.

  • Yawn.... (Score:3, Funny)

    by dfn5 (524972) on Monday August 11, 2003 @04:49PM (#6669764) Journal
    They did this already last week on Stargate SG1 with that virus that spread from gate to gate and took down the whole network in 2+ hours. Can't these virus writers ever come up with something original?
  • ISC Advisory (Score:5, Informative)

    by Dynamoo (527749) on Monday August 11, 2003 @04:50PM (#6669776) Homepage
    Internet Storm Center is getting hammered, so I attach their analysis.

    NOTE: the scanning is being done Code Red style, so it is concentrating on the class B pseudo-subnet, e.g. 123.123.x.x. If this gets inside your corporate firewall then you are screwed.

    I count about 1 scan every 10 seconds at present.

    --x8 Cut here ----

    This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly.

    **********
    NOTE: PRELIMINARY. Do not base your incidents response solely on this writeup. **********

    Increase in port 135 activity: http://isc.sans.org/images/port135percent.png

    The worm may launch a syn flood against windowsupdate.com on the 16th. It has the ability to infect Windows 2000 and XP.

    The worm uses the RPC DCOM vulnerability to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.

    Infection sequence:
    1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET
    2. this causes a remote shell on port 4444 at the TARGET
    3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444,
    4. the target will now connect to the tftp server at the SOURCE.

    The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed:

    MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)

    So far we found the following properties:

    - Scans sequentially for machines with open port 135, starting at a presumably random IP address
    - uses multiple TFTP servers to pull the binary
    - adds a registry key to start itself after reboot

    Name of registry key:
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'

    Strings of interest:

    msblast.exe
    I just want to say LOVE YOU SAN!!
    billy gates why do you make this possible ? Stop making money and fix your software!!
    windowsupdate.com
    start %s
    tftp -i %s GET %s
    %d.%d.%d.%d
    %i.%i.%i.%i
    BILLY
    windows auto update
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Existing RPC DCOM snort signatures will detect this worm. The worm is based on dcom.c
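
The infection sequence in the ISC write-up above (TCP/135 exploit, shell on TCP/4444, victim pulling the binary back over TFTP) can be reconstructed from border-firewall logs, and the same parse gives the per-half-hour TCP/135 counts that the border-drop table earlier in this thread was tallying. The script below is an added example and is not from the ISC write-up or from any poster; the log lines are constructed in a netfilter-style LOG format (labelled in the code), and LOG_RE is an assumption to adapt to whatever your firewall actually emits.

```python
"""Reconstruct the MSBlast infection sequence from firewall log lines.

Added example, not part of the ISC write-up. It follows the three steps a
firewall can observe from the write-up's sequence (inbound TCP/135 exploit,
inbound TCP/4444 shell, victim connecting back to the attacker's tftpd on
UDP/69) and buckets inbound TCP/135 hits per half hour. The log format is a
constructed netfilter-style LOG line; LOG_RE is an assumption for this demo.
"""

import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not real traffic. Inbound lines carry IN=<iface>,
# outbound lines carry OUT=<iface>. The last line is a stray TFTP transfer
# (e.g. an admin pushing a router image) with no prior 135/4444 hits.
SAMPLE_LOG = """\
Aug 11 14:02:10 fw kernel: IN=eth0 OUT= SRC=10.20.30.40 DST=192.0.2.5 PROTO=TCP SPT=1039 DPT=135 SYN
Aug 11 14:02:11 fw kernel: IN=eth0 OUT= SRC=10.20.30.40 DST=192.0.2.5 PROTO=TCP SPT=1040 DPT=4444 SYN
Aug 11 14:02:12 fw kernel: IN= OUT=eth0 SRC=192.0.2.5 DST=10.20.30.40 PROTO=UDP SPT=1041 DPT=69
Aug 11 14:05:00 fw kernel: IN=eth0 OUT= SRC=10.20.30.41 DST=192.0.2.6 PROTO=TCP SPT=1050 DPT=135 SYN
Aug 11 14:40:00 fw kernel: IN=eth0 OUT= SRC=10.20.30.42 DST=192.0.2.7 PROTO=TCP SPT=1060 DPT=135 SYN
Aug 11 14:41:00 fw kernel: IN=eth0 OUT= SRC=10.20.30.42 DST=192.0.2.7 PROTO=TCP SPT=1061 DPT=4444 SYN
Aug 11 14:50:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.5 PROTO=TCP SPT=2000 DPT=80 SYN
Aug 11 14:55:00 fw kernel: IN= OUT=eth0 SRC=192.0.2.8 DST=10.20.30.50 PROTO=UDP SPT=1070 DPT=69
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

STAGE_NAMES = {1: "scan", 2: "shell", 3: "infected"}


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "when": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"]),
            "inbound": bool(m["in"]),
        })
    return events


def analyze(log_text):
    """Map (attacker, victim) to the furthest stage of the sequence observed.

    A pair only advances in order: TCP/4444 without a prior TCP/135 hit, or a
    TFTP fetch without a prior 4444 connection, is not attributed to the worm.
    """
    progress = {}
    for e in sorted(parse(log_text), key=lambda e: e["when"]):
        if e["inbound"] and e["proto"] == "TCP" and e["dpt"] == 135:
            progress.setdefault((e["src"], e["dst"]), 1)   # step 1: exploit sent
        elif e["inbound"] and e["proto"] == "TCP" and e["dpt"] == 4444:
            pair = (e["src"], e["dst"])
            if progress.get(pair) == 1:
                progress[pair] = 2                         # steps 2-3: shell used
        elif not e["inbound"] and e["proto"] == "UDP" and e["dpt"] == 69:
            pair = (e["dst"], e["src"])                    # victim -> attacker's tftpd
            if progress.get(pair) == 2:
                progress[pair] = 3                         # step 4: binary pulled
    return {pair: STAGE_NAMES[s] for pair, s in progress.items()}


def port135_per_half_hour(log_text):
    """Count inbound TCP/135 hits per 30-minute bucket, keyed like 'Aug 11 14:30'."""
    counts = defaultdict(int)
    for e in parse(log_text):
        if e["inbound"] and e["proto"] == "TCP" and e["dpt"] == 135:
            half = "00" if e["when"].minute < 30 else "30"
            counts[f"{e['when'].strftime('%b %d %H')}:{half}"] += 1
    return dict(counts)


if __name__ == "__main__":
    for pair, stage in analyze(SAMPLE_LOG).items():
        print(f"{pair[0]:>14} -> {pair[1]:<12} {stage}")
    for bucket, n in sorted(port135_per_half_hour(SAMPLE_LOG).items()):
        print(f"{bucket}  {n} x TCP/135")
```

A pair that reaches "infected" is a host that accepted the shell and fetched the binary, so it belongs at the top of the cleanup list; a pair stuck at "scan" is usually a blocked or patched target. The stray UDP/69 line is deliberately ignored, since TFTP on its own is not evidence of this worm.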

  • by ironicsky (569792) on Monday August 11, 2003 @04:55PM (#6669851) Journal
    Step 1. Shut down PC
    Step 2. Unplug Cable Modem.
    Step 3. Start up PC
    Step 4. Click Start -> Settings -> Control Panel
    Step 5. Double Click Network Connections
    Step 6. Right Click the Local Area Connection used to access Internet. Example: Local Area Connection 1
    Step 7. Select Properties
    Step 8. Click the Advanced Tab
    Step 9. Enable the Windows XP Firewall
    Step 10. Click OK, Close out of open windows.
    Step 11. Plug in the Cable Modem.
    Step 12. Ensure Block Sync is established.
    Step 13. Open Internet Explorer
    Step 14. Go to the following URL: http://www.microsoft.com/technet/default.asp
    Step 15. Click the Link toward the middle of the page titled: Action: Read Security Bulletin MS03-026 and Install the Security Patch Immediately
    Step 16. Scroll Down Page about half way to Patch Availability
    Step 17. Click Windows XP 32 bit Edition
    Step 18. Click Download in the upper right of the screen.
    Step 19. Save the file to the desktop
    Step 20. Run the downloaded file.
    Step 21. The patch will install and prompt the customer to reboot.
    Step 22. Once the patch is installed and the computer rebooted, the Windows XP firewall can be disabled
  • Bug/Feature?? (Score:4, Interesting)

    by RonnyJ (651856) on Monday August 11, 2003 @05:15PM (#6670086)
    A lot of people seem to think the executable is bugged, crashing the RPC service and causing Windows to shutdown. Seems like a good payload to me. In my example, my computer shut down within a few minutes. This makes it exceedingly hard for people to find information and download a patch to fix it, yet at the same time, the trojan is scanning and infecting others while you're trying to fix it. I was struggling to download the patch on modem, took about 5 shutdowns until I had it. Also, at this moment, the main cable provider in the UK seems swamped with this problem, and I don't think it'll go away fast.
  • by pclminion (145572) on Monday August 11, 2003 @05:59PM (#6670536)
    My /var/log/iptables_input_reject.log file is now a list of exploitable hosts ;-)

    I'm only KIDDING, jeez!

  • Catch-22 cleanup (Score:3, Informative)

    by mosschops (413617) on Monday August 11, 2003 @06:24PM (#6670741)
    This worm seems particularly nasty because it prevents you getting online long enough to download the patch. If you go online you're likely to get hit again, and the reboots continue.

    Here's a work-around I've been talking some of my relatives through tonight. It's not something I'd normally want to expose them to, but it certainly saves me a visit to do it myself!
    If you're on a LAN, disconnect the machine from the network before you boot up, to prevent other infected machines from rebooting you again.

    Right-click on My Computer, select Manage, then under the Services and Applications branch pick Services.

    Right-click on Remote Procedure Call (RPC) in the list on the right, and select Properties. On the Recovery tab, change the 3 combo boxes from "Restart the computer" to "Take no action". Click OK to close the dialog.

    You're still vulnerable but your machine won't reboot, giving you time to go online and get the patch. Reconnect your network cable, or establish your normal dial-up connection.

    Go to http://support.microsoft.com/?kbid=823980 to grab the patch for your machine. As soon as you've got it, disconnect your network connection/cable, and run the patch. BUT don't reboot when prompted!

    Open RegEdit and browse to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the "windows auto update" value, which starts the worm when Windows starts. Now restart Windows and you should be free of the worm.

    To finish the cleaning process, delete C:\WINDOWS\SYSTEM32\MSBLAST.EXE
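
The registry step in the clean-up above (delete the "windows auto update" value under HKLM\...\CurrentVersion\Run, which is also the key and value name the ISC strings list) is the one persistence indicator the thread gives. The script below is an added example, not part of the post or of any vendor tool: it parses a text export produced by regedit (the REGEDIT4 / "Windows Registry Editor Version 5.00" format) so the check can be run offline on a dump taken from the suspect machine. The sample export is constructed; the benign entries in it are invented for the demo.

```python
"""Find the MSBlast persistence value in a registry export (added example).

Parses the text format written by `regedit /e` and reports values under the
Run keys whose name is the worm's 'windows auto update' entry or whose data
references msblast.exe. The sample export below is constructed for the demo.
"""

import re
from dataclasses import dataclass

RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower(),
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run".lower(),
}
WORM_VALUE_NAME = "windows auto update"   # from the ISC strings / clean-up steps
WORM_BINARY = "msblast.exe"

# Constructed sample export (not from a real machine). Backslashes and quotes
# are escaped the way regedit writes them. The RunOnce entry is a decoy that
# must not be reported because it is not under a Run key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\\Program Files\\SoundTray\\stray.exe"
"windows auto update"="msblast.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Notes"="C:\\Tools\\notes.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\temp\\cleanup.bat"
'''

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


@dataclass
class Finding:
    key: str
    name: str
    data: str
    reasons: list


def _unescape(s):
    """Undo regedit's escaping: '\\\\' -> '\\', '\\"' -> '"'."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, data) for named values; REG_SZ data is unquoted,
    other types (dword:, hex:) are returned as written. '@=' default values
    and comment lines are skipped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            data = m["data"]
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            yield key, _unescape(m["name"]), data


def find_persistence(text):
    """Return Finding objects for Run-key values matching the worm's indicators."""
    findings = []
    for key, name, data in parse_reg(text):
        if key.lower() not in RUN_KEYS:
            continue
        reasons = []
        if name.lower() == WORM_VALUE_NAME:
            reasons.append("value name is the worm's 'windows auto update' entry")
        if WORM_BINARY in data.lower():
            reasons.append("data references msblast.exe")
        if reasons:
            findings.append(Finding(key, name, data, reasons))
    return findings


if __name__ == "__main__":
    for f in find_persistence(SAMPLE_REG):
        print(f"[{f.key}] \"{f.name}\"=\"{f.data}\"  <- {'; '.join(f.reasons)}")
```

Matching on both the value name and the data matters: a variant that keeps the binary name but renames the Run value, or vice versa, is still caught. Anything reported should be deleted only after the worm process is stopped, as the clean-up steps above say, or the file may be re-created before the reboot.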
  • DSL Users beware... (Score:5, Interesting)

    by Lodragandraoidh (639696) on Monday August 11, 2003 @08:11PM (#6671514) Journal
    Just bought my wife a new XP machine - because she has been having issues with the crappy linux boxes I have given her [300mhz should be fast enough for anyone...](all of my machines are Linux - daughter has an old win98 and a linux box on kvm).

    She complained that her computer was shutting down all day - get this, I don't have any ports enabled on my router - its closed tighter than duck's ass.

    So, I'm sitting there, and she decides to turn her machine back on - a few minutes later....BAM...my whole DSL network goes down.

    So, not making the cause and effect connection, I call my local phone company. They are able to ping my DSL modem. So they go through the motions, and get me to hook up my XP machine to the network directly through the DSL modem...friggin' brilliant. I hook it up, and ...BAM! again... This time its an 'RPC' call error - 'shutting system down' message. Crap. I shut the system down and pull it completely off the network.

    I then check my Linksys router - everything on it is reset to the defaults...everything. No PPPoE settings, no password [it's set to the default] - nada, nothing, zip.

    I reset everything, and up comes my network - that's when I browse on over to /. and see this post about the worm. I do a little forensics and find the c:\winnt\system32\msblast.exe, and c:\winnt\system32\pre[a-Z*]\msblast.exe.23oiu4i734 - I assume the pftp scratch file. Son-of-a-bitch.

    I also look for the registry entry to restart the worm - but don't find it (so far, so good). I delete the scratch file ok, but the msblast.exe file will not delete (the system says the wheel user isn't authorized - what kind of Mickey-Mouse operating system is this!!?)

    I want to know:
    1. how to clean this up?
    2. how the hell did this thing ZAP my Linksys with all the ports disabled?
    3. where the hell can I get my $99 back for this bogus operating system?
  • by TheBoostedBrain (622439) on Monday August 11, 2003 @08:56PM (#6671766) Homepage Journal
    Trend Micro says [trendmicro.com] that this worm performs a DDoS to Windows Update Site, I'm not really sure about removing it...
  • by SailorBob (146385) on Tuesday August 12, 2003 @05:50AM (#6673712) Homepage Journal
    Here's the homepage [symantec.com] for Symantec's tool which removes this worm.
