RPC DCOM Worm On The Loose

GPez writes "The first of I'm sure many RPC DCOM worms affecting Windows is on its way, according to the Internet Storm Center. Patch those systems!" According to the site, "The worm uses the RPC DCOM vulnerability [affects Win2k through Server 2003] to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp."

users being hit hard

[towaz]

the call centre here is off the scale with people ringing in with rpc problems...
all xp users though

Credit...

[chill]

At least Microsoft was nice enough to credit LSD in the tech note.

ISP call center is hammered

[Anonymous Coward]

I work at one of the nation largest ISP tech support call centers. Our call volume is going through the roof today.

Security Advisory

[Blangopolis]

The security advisory can be found here [secunia.com].

After reading the advisory, it looks like this one is going to be a bad one. I'm no expert, but I would guess that this thing is going to be around as long as code red was (and I'm still getting code red hits in my logs!)

Effects

[Papa Legba]

This worm is bugged it seems. From XP systems I have seen it throws an error to the screen about RPC services and reboots the system. On Windows 2000 Pro it crashes the svchost and a lot of stuff stops working. Just and FYI for those trying to diagnose systems right this minute.

Cagliostro

UNC-Chapel Hill South Campus Hit Hard

[Anonymous Coward]

UNC-Chapel Hill South Campus [Medicine, Pharmacy, Nursing, etc] has been slammed by this thing.

The tragic part is that Microsoft posted the patch almost a month ago:

http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/bulletin/ms03-026.asp [microsoft.com]

Virus Worm Out

[Anonymous Coward]

Hello everyone ..

I work for a small ISP ... Seems a worm has been released. We have received a number of calls about peoples systems shutting down with the following error: NT Authority System .. ect ect.

And the computer restarts.. This happens about every 40-60 Seconds making it "almost" impossible to Patch the Computer. Just a heads up for ANY IT Guys out there :)

Increase in TCP 135 Activity

[Anonymous Coward]

This is our number of dropped TCP 135 requests at our border since noon today, per 30 mins, seen on our 2 Class Bs:

57,003 1200 to 1230
75,317 1230
59,321 1300
52,642 1330
130,932 1400
202,996 1430
277,183 1500
247,682 1530
320,919 1600
361,504 1630 to 1700

milspec

Re:Port 4444

[venom600]

Both. It is opening a shell on port 4444 and contacting a tftp server (using the shell) to download a file which is the worm code itself.

Erkk

[Anonymous Coward]

Got hit by this earlier today, I'm not normally a slouch with these things but this one really hit me hard, took me 4 restarts to find out what was going on. (As every time I connected to the net I was immediatly given 60 seconds before another auto restart) I can see how non-techies are gonna be totally screwed by this.

All I can say is change the properties of your RPC service repair functions. Start -> Administrative Tools -> Component Services -> Services (local). this will at least give you time to go online and download the MS patch, which we should have done weeks ago I know :)

Not quite safe:

[Telastyn]

http://www.kb.cert.org/vuls/id/326746

win2k machines are still vulnerable to a dos; even patched.

Thanks microsoft...

Re:Port 4444

[Anonymous Coward]

Shell is on 4444. TFTP is on standard port. Random scanner? SHA-1 of packed worm is BED8E439F28A1A0D3876366CBD76A43CDCCF60FA. It'll lookup windowsupdate.com and flood on the 16th. Filename is msblast.exe, length 6176 bytes. Partial string "to say LOVE YOU SAN!!" appears even in the packed version (UPX 1.22). More detailed stuff to follow...

Windows XP Symptoms

[Titanium Angel]

It looks like the worm affects svchost.exe (the Generic Host Process), and keeps restarting the computer. At first I thought that some of my hardware was failing, but after reading dozens of posts on Usenet about similar problems, I wasn't really sure. So I researched a bit on Google, and found the MS security bulletin. After patching my system, the problems seem to have gone. I guess I should have followed more closely Microsoft's security announcements.

So, if you have strange issues with the RPC, or are experiencing similar symptoms as I have, patch up now!

Where was this story 3 hours ago?

[Speed Racer]

A friend of mine called me about 3 hours ago saying that her brand new Windows XP notebook kept rebooting with some strange message about RPC. I had her download the free version of ZoneAlarm [zonelabs.com] and that blocked the worm and let her stay online long enough to download the patch. If you know somebody that's getting hammered, have them give ZoneAlarm a shot.

More diagnoses info

[Papa Legba]

On XP you are getting two error codes.
The first is a system shutdown window tellign you that the RPC service must be restarted,. This gives you 30 seconds before reboot. Iniated by NT Authority\system. This is a succesful XP infection

The other is Windows cannot open this file:

File: TFTp784

This appears to be an unsuccesful try.

For windows 2000 it crashes svchost trying to get in it appears. Just apply the patch to stop the crashes. It does not appear to get into the system in this case

Hope this helps everyone

Cagliostro

I had the worm already today...

[itsmeddc]

This is my first post - I'm just posting to say, that at about 1:00am today, I already found MSBlast.exe on my computer after a series of RPC errors. I patched using a file you can find in MS database: http://www.microsoft.com/technet/treeview/?url=/te chnet/security/bulletin/MS03-026.asp And after cleansing my computer (and loading up Tiny Firewall 5.0) the problem is fixed. Also a helpful hint in case you need it: If you recieve an RPC error and a countdown is started to shut your computer down, then go to start>run and type "shutdown /a" and that will stop the countdown. Hope this helps someone at least.

First? Not even close

[MoosePirate]

First worm? Nope. Second? Not even. I work at a university and we have been running around for a week now patching systems and fixing worms that started last week. They have hit NT 4 and 2000 machines. We found them by chance, but they are installing all sorts of things. Trojan.stealther is the one that hit hardest, on all unpatched 2000 machines. So this is not the first worm at all. They have been out in the wild for at least a week now, and we are now patching and fixing all the many hacked or vulnerable systems.

How to patch

[einhverfr]

Enable Internet Connection Firewall, apply patch, remove virus :-)

The first is necessary because it is the buffer overrun which reboots the computer.

Solution

[bwdunn]

Another comment was right - poorly configured firewalls will result in a HUGE problem. Here's the fix:

Control-Alt-Delete to get to Task Manager. Look for a process msblast. Kill that process. Using Task Manager, start a new process called regedit. Using regedit, navigate to HKLM\Software\Microsoft\Windows\CurrentVersion\Run and take out msblast there. Then run the patch from this site:

http://download.microsoft.com/download/9/8/b/98b cf ad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980 -x86-ENU.exe

Restart. That should do it.

I was *nailed* by this thing over the weekend

[drgroove]

At first, I couldn't figure out why Task Manager suddenly stopped working. Launching TaskMan.exe resulted in an error message "Task Manager has been disabled by the Administrator".

Odd, I thought. I *am* the administrator.

I realized I had been hit by a virus or worm when I rebooted and the autoexec.bat file opened up during my login. Not good.

Norton didn't pick up on this one at all; furthermore, McAfee's online virus/worm searching tool found a related virus, but not the actual baddie.

The virus that McAfee located - which probably came in after the worm opened up all those ports in my firewall - were in \WINNT\msagent\intl. Basically, anything in that directory that *isn't* a .dll file, delete them.

The worm itself is in \WINNT\system32\, and is called 'msconfig[nn].exe', where [nn] is interchangeable with two numbers. Mine was 'msconfig35.exe', I've read reports on various forums of others w/ '32' and '33' after the 'msconfig'.

Be careful here, as this app will spawn identical, hidden copies of itself with random names (like 'dwigjenjig.exe' or 'zajdfanltef.exe'). The easiest way I found to discern between real MS files and the worm was by looking at the last modified date displayed by Explorer, vs the last modified date that pops up when you mouse over the file name. All of the worm files had discrepancies between the two.

Hope that helps someone out there!

Stanford and Cal hit hard by RPC exploit!

[Anonymous Coward]

Stanford has been hit pretty hard [stanford.edu] by this. 2,400 of their 20,000 machines compromised!

And Cal(Berkeley) is blocking their network from outside access [theargusonline.com] starting today for four days. Makes me wonder how many other large networks have been compromised, but don't know it.

I'm glad I don't work at Stanford.....don't envy them having to wipe 2,400 machines and sort through files that need to be replaced.....trying to avoid trojans, etc

The fun begins...

[PhoenixFlare]

~50 hits on my router in just the last half-hour or so, 90% of them from Rochester and NYC RoadRunner addresses.

I have a feeling this worm will hit especially hard on home broadband users that never touch Windows Update.

Quick-Fix

[Chaymus]

So i load up my /. as my homepage, take a look at the first headline, RP-What? Read up a bit, go: "Huh, that's interesting" and head off to my email site. Bam! i get pegged with this worm and my computer shuts down. For anyone else in the same boat as me, you can still download the patch using the infected computer by typing: services.msc there will be two services listed that are directly linked to this worm under the Remote Procedure Call heading, just look threw the list in the standard tab. You can by pass it by going into teh properties and changing the crash executions do "Do nothing" instead of restarting your computer. I was able to download the patch via the website and am now looking for a way to rid myself of this worm. Firewalls eh? I've heard of them, but then what else am I going to do in my spare time?

Re:The fun begins...

[k-hell]

Yep, you got that one right. I just helped a friend of mine here in Boston getting rid of the worm. He's on AT&T broadband and hasn't been using Windows Update in a couple of months.

He called me because he got this "strange error message" when he logged in, saying that there was "something wrong" with RPC, and that he had 1 minute to save his files before the machine rebooted. I thought "riiight, RPC.. I guess we need to check your running processes and your registry here..". And of course, msblast.exe was running. He wasn't using Windows XP's built in firewall either. A portscan using GRC.com Shield's UP! revealed the story: His machine was wide open. No we're patching, patching and even more patching.

Re:Effects

[gclef]

So how do you fix an infected machine?

1) Delete msblast.exe (usually found at: winnt\system32\msblast.exe)
2) delete the Registry key: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur rentVersion\Run\windows auto update" . That key should contain the "msblast.exe" process, and is what starts it up again on reboot.
3) Patch DCOM, or you'll just get this again.

Confirmed some details

[RobertB-DC]

Just FYI, I've confirmed on my system that at least some of the parent's information is true. I got hit around 2pm Dallas time, and I've now got a file called msblast.exe in c:\winnt\system32 with a file length of 6176 bytes.

After the "to say LOVE YOU SAN!!" string, I find these words: bill gates you make hi possi. And before it, it looks like it says "I ju wan to say" (with control characters that may or may not be of interest).

Sure enough, Symantec [symantec.com] has some info now, too (just sent by someone in my co.).

Timing sucks on this one -- I'm right in the middle of coding for 3rd quarter tax changes. Crap!

Re:Great

[databoing]

Here's the source, don't mind them. DO MIND GOOGLE AND FIND IT YOURSELF NEXT TIME!

http://www.k-otik.com/exploits/07.30.dcom48.c

Re:users being hit hard

[E-Rock]

Well, then I guess you need to step in the ol' time machine and patch, patch, patch, patch, patch. ;)

I found that the msblast.exe has a mechanism to restore itself if removed from the registry. Have to wait for the rest of the analysis before you can even start to clean up the machines.
(which you may want to mention to management is a hell of a lot more time consuming and expensive than patching would have been)

ISC Advisory

[Dynamoo]

Internet Storm Center is getting hammered, so I attach their analysis.

NOTE: the scanning is being done Code Red style, so it is concentrating on the class B pseudo-subnet, e.g. 123.123.x.x. If this gets inside your corporate firewall then you are screwed.

I count about 1 scan every 10 seconds at present.

--x8 Cut here ----

This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly.

**********
NOTE: PRELIMINARY. Do not base your incidents response solely on this writeup. **********

Increase in port 135 activity: http://isc.sans.org/images/port135percent.png

The worm may launch a syn flood against windowsupdate.com on the 16th. It has the ability to infect Windows 2000 and XP.

The worm uses the RPC DCOM vulnerability to propagate. One it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.

Infection sequence: 1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET
2. this causes a remote shell on port 4444 at the TARGET
3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444,
4. the target will now connect to the tftp server at the SOURCE.

The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed:

MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)

So far we found the following properties:

- Scans sequentially for machines with open port 135, starting at a presumably random IP address
- uses multiple TFTP servers to pull the binary
- adds a registry key to start itself after reboot

Name of registry key:
SOFTWARE\Microsoft\Windows\CurrentVersion\Ru n, name: 'windows auto update'

Strings of interest:

msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
BILLY
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion\ Run

Existing RPC DCOM snort signatures will detect this worm. The worm is based on dcom.c

Re:This is just sick.

[red floyd]

They *DID* put it on Windows Update. On 16 July.

Fix We use at our internet provider for WinXP

[ironicsky]

Step 1. Shut down PC Step 2. Disconnect Network Step 3. Start up PC Step 4. Click Start -> Settings -> Control Panel Step 5. Double Click Network Connections Step 6. Right Click the Local Area Connection used to access Internet. Example: Local Area Connection 1 Step 7. Select Properties Step 8. Click the Advanced Tab Step 9. Enable the Windows XP Firewall Step 10. Click OK, Close out of open windows. Step 11. Plug in the network again. Step 12. Ensure Connection is stable Step 13. Open Internet Explorer Step 14. Go to the following URL: http://www.microsoft.com/technet/default.asp Step 15. Click the Link toward the middle of the page titled: Action: Read Security Bulletin MS03-026 and Install the Security Patch Immediately Step 16. Scroll Down Page about half way to Patch Availability Step 17. Click Windows XP 32 bit Edition Step 18. Click Download in the upper right of the screen. Step 19. Save the file to the desktop Step 20. Run the downloaded file. Step 21. The patch will install and prompt the customer to reboot. Step 22. Once the patch is installed and the computer rebooted, the Windows XP firewall can be disabled and the customer can surf normally.

Internet Connection Firewall

[yarisbandit]

Hate to say it, but the built in internet connection firewall in XP was dead handy - I couldn't stay online long enough to download the patch without being restarted, so i turned it on before connecting, and no problems since...

Darn, I really need to configure wingate properly, thought i had it tight...

Win NT4?

[panic911]

According to this slashdot post it says Win2k - Win2k3 is affected. Microsoft's page says the exploit is available in NT4.

More Information

[epsilonzero]

SecurityFocus has an analysis for the worm here [symantec.com].

Re:Where was this story 3 hours ago?

[linhux]

The same happened to a friend of mine, who called me for assistance. He just killed the msblast.exe process, enabled the built-in Windows XP Firewall, and went on downloading the patch. Thus, the built-in Windows Firewall seemed to block stuff well enough.

Catch-22 cleanup

[mosschops]

This worm seems particularly nasty because it prevents you getting online long enough to download the patch. If you go online you're likely to get hit again, and the reboots continue.

Here's a work-around I've been talking some of my relatived through tonight. It's not something I'd normally want to expose them to, but it certainly saves me a visit to do it myself!

If you're on a LAN, disconnect the machine from the network before you boot up, to prevent other infected machines from rebooting you again.

Right-click on My Computer, select Manage, then under the Services and Applications branch pick Services.

Right-click on Remote Procedure Call (RPC) in the list on the right, and select Properties. On the Recovery tab, change the 3 combo boxes from "Restart the computer" to "Take no action". Click OK to close the dialog.

You're still vulnerable but your machine won't reboot, giving you time to go online and get the patch. Reconnect your network cable, or establish your normal dial-up connection.

Go to http://support.microsoft.com/?kbid=823980 to grab the patch for your machine. As soon as you've got it, disconnect your network connection/cable, and run the patch. BUT don't reboot when prompted!

Open RegEdit and browse to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the "windows auto update" value, which starts the worm when Windows starts. Now restart Windows and you should be free of the worm.

To finish the cleaning process, delete C:\WINDOWS\SYSTEM32\MSBLAST.EXE

Re:On the way?

[jafiwam]

While it is true that people should be patched; this worm can still damage stuff on patched servers.

If the server is not firewalled, but it is patched, the msbash.exe worm probing can crash the RPC service. Which then crashes Exchange, Some AD stuff, some windows explorer stuff, and other things (including windows update). It can still bring the DMZ servers to their knees EVEN IF THEY ARE PATCHED.

You are only fully protected if you are both patched AND the 135/445 ports are shut off from the internet. (No naked DMZ stuff.)

I personally patched all the DMZ servers with the hotfix the day it came out, then some other servers with SP4 that included the exploit fix Only the SP4 ones are unaffected.

Note, I am talking about services available, none of the boxes in question actually got infected. The infection attempt caused the problem.

Naked un-firewalled computers are going to get this thing, and get it bad.

It will be interesting to see if that August 16th date pans out to be a dDOS or what...

[Note, auto update is fine for PCs, but is fucking dangerous for production servers. Sometimes the updates do not play nice with whatever is there, if it happens when so-and-so is on vacation there could be real trouble. Do what you gotta do, but I am never going to let MS put anything on my stuff. You'll probably see when someone figures out how to spoof that and gets all 375 of your boxes rooted due to Windows Update.]

Patching an infected system online solved.

[Anonymous Coward]

In order to patch an infected system while
connected to the net do the above steps look for both MSBLAST and msblast in the registry.

Also create a /windows/system/msblast.exe file and then keep it open with word. The file lock kept the msblast.exe from restarting on my system when connected to the net.
!joatlanta@@yahoo.com

Re:SP3?

[MoosePirate]

Doesn't XP(and 2000) install by default with DCOM turned off? Nope. At least not any time I've installed it. Unless I'm turning it on without knowing it, but I doubt that. SP3 is just as vulnerable as with no service pack at all. And guess what, you want to know the machines that have been hit the least by the numerous worms so far? NT4. Yep, we've had lots of troubles with 2000 and XP but only a few of our NT4 machines(a large part of our install base) have been hit.

Re: To Delete msblast: 1st End Process "msblast"

[CFrankBernard]

To delete the msblast file, you may have to first open Task Manager, click the Processes tab, highlight the "msblast" process and hit the "End Process" button...then try to delete the file.

Re:Already Patched!

[Penguin Follower]

Apache (running on my aforementioned patched win2k server) keeps logging a bunch of http requests matching that of code red... appearantly even that one is still floating around.

"I guess I wonder why windows can't make it more difficult for people to create self spreading virus ? Linux, BSD, and UNIX don't SEEM have these self spreading virus. Don't you ever wonder why MS with all is billions of spare dollars, can't prevent this?"

Actually, Linux has some known (nasty) worms out there, too. I should know, one of my linux servers was hit by a nasty one a couple years ago. Now, had I kept up with security notices & patched my systems more regularly as I do now that wouldn't have been a problem. These days I am on the CERT advisory mailing list, and a few others as well.

W32.Blaster.Worm Removal Tool

[SailorBob]

Here's the homepage [symantec.com] for Symantec's tool which removes this worm.

Re:Effects

[smeenz]

just a a couple of extra points -

1. you should KILL the msblast process first, otherwise you won't be able to delete the file as it will be held open.

2. The file msblast.exe is marked as read-only. This generally won't be a problem, but can be a gottcha if you try and delete it from a CMD shell without running attrib -r msblast.exe first.

3. You should patch the system and reboot before attempting to remove the virus, otherwise you're open to reinfection from the moment you kill the msblast process.

4. This thing causes odd behaviour on different systems. When svchost.exe gets killed on w2k pro, that stops cut and paste working. If you're running office, word will behave VERY oddly. If you're browsing your hard drive, some directories may appear to have no files in them, when in fact they really do, and lastly, IE may fail to draw some of the images on some web sites.

Re:Credit...

[jandrese]

You know, that joke is even funnier when it's told correctly:

There are two major products that come out of Berkeley: LSD and BSD. We don't believe this to be a coincidence.

-- Jeremy S. Anderson