Free Republic

Help with computer shutdown
Vanity | August 11, 2003 | Self

Posted on 08/11/2003 8:01:16 PM PDT by Maximilian


1 posted on 08/11/2003 8:01:16 PM PDT by Maximilian

To: Maximilian
See this thread:

New Virus hitting hard and furious!

2 posted on 08/11/2003 8:02:28 PM PDT by Timesink

To: Maximilian
Is this a known error or virus?

Yes.

http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

3 posted on 08/11/2003 8:05:44 PM PDT by brbethke

To: Maximilian
The worm has turned for you.

This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly.

NOTE: PRELIMINARY. Do not base your incident response solely on this writeup.

W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability using TCP port 135. It will attempt to download and run a file, msblast.exe.

Infection Length: 6,176 bytes

Systems Affected: Microsoft IIS, Windows 2000, Windows NT, Windows XP

Systems Not Affected: Linux, Macintosh, OS/2, UNIX

Increase in port 135 activity:

http://isc.sans.org/images/port135percent.png

The worm uses the RPC DCOM vulnerability to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.

Infection sequence as follows:

1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to TARGET

2. this causes a remote shell on port 4444 at the TARGET

3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444.

4. the target will now connect to the tftp server at the SOURCE.

The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11k byte unpacked, and 6k bytes packed:

MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)

So far we found the following properties:

- Scans sequentially for machines with open port 135, starting at a random IP address
- uses multiple TFTP servers to pull the binary
- adds a registry key to start itself after reboot

Name of registry key:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'

Strings of interest:

- msblast.exe
- I just want to say LOVE YOU SAN!!
- billy gates why do you make this possible ? Stop making money and fix your software!!
- windowsupdate.com
- start %s
- tftp -i %s GET %s
- %d.%d.%d.%d
- %i.%i.%i.%i
- BILLY
- windows auto update
- SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Existing RPC DCOM snort signatures will detect this worm. The worm is based on dcom.c

Source: http://isc.sans.org/diary.html?date=2003-08-11

4 posted on 08/11/2003 8:06:47 PM PDT by expatguy
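As an added example (not from the thread or the ISC writeup), a small Python detector that replays the three-stage sequence described above over constructed firewall log lines: it flags source/target pairs that complete 135/tcp, then 4444/tcp, then the tftp pull back to the source, and reports the per-source fan-out on port 135 that the sequential scan produces. The log format and addresses are invented for the example.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (made up for this example; not from the page or any real host).
SAMPLE_LOG = """\
2003-08-11T20:01:10 TCP 10.0.0.5:1043 -> 10.0.0.9:135 ACCEPT
2003-08-11T20:01:11 TCP 10.0.0.5:1044 -> 10.0.0.9:4444 ACCEPT
2003-08-11T20:01:12 UDP 10.0.0.9:1025 -> 10.0.0.5:69 ACCEPT
2003-08-11T20:01:30 TCP 10.0.0.7:1100 -> 10.0.0.9:135 ACCEPT
2003-08-11T20:02:00 TCP 10.0.0.5:1050 -> 10.0.0.12:135 DENY
"""

LINE_RE = re.compile(r"^(\S+) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")

# The three stages of the infection sequence from the writeup, in order:
# exploit to 135/tcp, shell on 4444/tcp, then the victim pulls msblast.exe over tftp (69/udp).
STAGES = (("TCP", 135), ("TCP", 4444), ("UDP", 69))

def parse(log_text):
    """Yield (proto, src, dst, dport, action) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _ts, proto, src, _sport, dst, dport, action = m.groups()
            yield proto, src, dst, int(dport), action

def find_blaster_sequences(log_text):
    """Return (source, target) pairs that completed all three stages in order."""
    progress = defaultdict(int)  # (source, target) -> index of the next expected stage
    completed = []
    for proto, src, dst, dport, action in parse(log_text):
        if action != "ACCEPT":
            continue
        # Stages 1-2 run source -> target; the tftp GET runs target -> source, so flip the pair.
        pair = (dst, src) if (proto, dport) == ("UDP", 69) else (src, dst)
        idx = progress[pair]
        if idx < len(STAGES) and (proto, dport) == STAGES[idx]:
            progress[pair] = idx + 1
            if progress[pair] == len(STAGES):
                completed.append(pair)
    return completed

def port135_fanout(log_text):
    """Distinct targets per source on 135/tcp (accepted or denied); high fan-out = sequential scan."""
    targets = defaultdict(set)
    for proto, src, dst, dport, _action in parse(log_text):
        if (proto, dport) == ("TCP", 135):
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}
```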

To: Maximilian
I had the same problem today. Download and install the new XP security patch. You may need to boot up in Safe Mode to install it.
5 posted on 08/11/2003 8:08:54 PM PDT by Mr. Blond

To: Maximilian
Go here and download the first item. MicrosoftWindows XP forum> Bookmark the site first, in case the computer shuts off, and then continue the download. If your computer shuts down, just wait and start it back up, and go quickly to the bookmark and continue the download, as many times as it takes to complete it. Then shut down your computer and restart.
6 posted on 08/11/2003 8:09:57 PM PDT by Eva

To: Maximilian
You're being attacked. You need a personal firewall/intrusion prevention system software for your PC.
7 posted on 08/11/2003 8:15:59 PM PDT by xrp

To: Eva
It's ugly. My son's computer got it today because he doesn't keep his virus dat files up to date. We're networked together with another machine and those two were up to date and weren't hit.

Every time your virus programs tell you to update, do it!
8 posted on 08/11/2003 8:17:37 PM PDT by WIladyconservative

To: Maximilian
You don't mention whether it's Windows 2000 or XP. Nevertheless, ensure you have the latest Service Pack, SP4 for Windows 2000 Pro, and SP1 for XP Pro and more importantly, the RPC buffer overrun patch. I've supplied links for all. We applied SP4 and this patch to over 120 servers last Saturday and the only problem was with one NT4 machine that we only applied the patch to. The RPC problem is a massive security hole.

For Win 2k Pro:
http://www.microsoft.com/Windows2000/downloads/servicepacks/sp4/

For XP Pro:
http://www.microsoft.com/WindowsXP/sp1/default.asp

Here's where to get the RPC buffer patch MS03-026 to protect yourself. If your computer stays up when it's offline, you might be getting hit with the worm mentioned in the second posting.

Here's the link for that patch.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

You can apply the patch without applying the latest service pack and since it's only around 1mb in size, you might have better luck applying it, then apply the latest service pack. Even though Win 2K and XP use a DLL cache that is supposed to make re-applying service packs after every software install unnecessary, I'm pretty sure you have to re-apply the RPC patch AFTER the service pack.

Good luck, let us know how you're doing.

9 posted on 08/11/2003 8:17:38 PM PDT by Lx (Scratch a liberal, find a fascist)

To: WIladyconservative
I was extremely annoyed with the problem, but once I got the Microsoft site, I managed just fine. They did the fix for me.
10 posted on 08/11/2003 8:20:21 PM PDT by Eva

To: Maximilian
You got the bug!
11 posted on 08/11/2003 8:20:34 PM PDT by Cold Heat (Nothing in my home is French!)

To: WIladyconservative
I forgot to mention - we are all BEHIND a hardware firewall!
12 posted on 08/11/2003 8:21:10 PM PDT by WIladyconservative

To: Maximilian
Tsk, oh you windows people! :D
13 posted on 08/11/2003 9:00:58 PM PDT by solitas (PowerMac G4, dual 500mhz, OS 10.2.6 (VPC6+W2k for games & my 'virus beastiary'))

To: Maximilian
MSN, Call Home!

Sounds like a temp version done expired.

14 posted on 08/11/2003 9:03:45 PM PDT by Old Professer

To: Maximilian
I recently wrestled with a mean little motha' named "BUGBEAR", a nasty little worm. In the process of removing this thing (with the fine guidance of those saints at Symantec), I became aware that if you have a RESTORE function on your system (to take you back to a point in date/time before your woes began), you might have to DISABLE that function temporarily while you effect the repairs. Apparently, RESTORE's files are inaccessible when it's enabled (for obvious reasons!), and a worm or virus that is in that older data can easily re-infect your system. Symantec walks you through the procedure in such a way that even idiots like me can do it. This might explain your recurrence of the problem. Just a thought.....hope I help more than confuse with this message.
15 posted on 08/11/2003 9:17:40 PM PDT by weeder

To: Maximilian
Another one. Go here for the patch

If your computer keeps rebooting, try Safe mode.

Use the Find utility to delete this file: "Exploit-DcomRpc" in C:/windows/system32/msblast.exe

After installing ALL the latest MS patches for your operating system, install a good firewall and an anti-virus program.

16 posted on 08/11/2003 9:26:27 PM PDT by cake_crumb (UN Resolutions = Very Expensive, Very SCRATCHY Toilet Paper)

To: cake_crumb
I have ZoneAlarm on my PC, should that protect me from the virus?
17 posted on 08/11/2003 9:30:01 PM PDT by dfwgator

To: All
Another thing you can do if your computer keeps rebooting before you can download the patch is to right click on your connection icon, left click on Properties, click the Advanced Tab, and place a checkmark next to "Internet Connection Firewall."

You should then be able to download the patch.

18 posted on 08/11/2003 9:30:43 PM PDT by cake_crumb (UN Resolutions = Very Expensive, Very SCRATCHY Toilet Paper)

To: expatguy
Systems Not Affected: Linux, Macintosh, OS/2, UNIX

Glad of my choice of platforms....


19 posted on 08/11/2003 9:34:25 PM PDT by TheBattman

To: Maximilian
My PC got hit tonight, but if you go to the symantec site and follow their directions, you can get rid of it. Took a while, but I got it done.
20 posted on 08/11/2003 9:34:41 PM PDT by TheBigB (Some say shoot to kill. Others say shoot to maim. I say empty the f'n clip and let God make the call)
