Phogphire1 (Joined: 05 Apr 2003, Posts: 293, Location: Portland, OR)
Posted: Tue Aug 12, 2003 2:10 pm, Post subject: NEW WORM ON THE LOOSE - Shuts your machine off every 2 minutes
It appears that a new worm (for now we're calling it msblast after its executable, msblast.exe) has surfaced today. It attacks port 135/tcp (that's Netbios), creates lots of RPC noise - some users report random machine shutdowns and reboots - and once it takes up residence in your computer, it proceeds to scan a random IP range and propagate itself to unprotected machines. Since this worm is brand-spanking new, it may not be detected by (even recently updated) anti-virus software, so get that firewall up and secured!
http://msn.com.com/4520-6600_16-5062407.html?part=msn&subj=ns&tag=msn_home
http://isc.sans.org/diary.html?date=2003-08-11
http://news.com.com/2100-1002_3-5062364.html?tag=fd_top
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
http://vil.nai.com/vil/content/v_100547.htm
You can also apply this patch from MS
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=2354406c-c5b6-44ac-9532-3de40f69c074
PC SHUTDOWN PROBLEMS - RPC EXPLOIT/REMOTELY RESTARTING
IDENTIFIED AS THE W32.Blaster.Worm VIRUS
W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability using TCP port 135. It will attempt to download and run a file, msblast.exe.
To cancel the shutdown, go to Start -> Run, type CMD to access the command prompt, and type (shutdown -a) to cancel it.
Do Ctrl+Alt+Delete and kill MSBLAST.EXE from the Processes list.
Go to C:\WINDOWS\SYSTEM32, find MSBLAST.EXE and rename it to BLASTMS.BAK (don't delete it since I don't know if it is an important file; if it's a virus it will not be able to start if you rename it, rendering it useless).
Now go to C:\WINDOWS\PREFETCH and delete the file that has MSBLAST.EXE in its name (it starts with MSBLAST.EXE in its filename).
The virus adds a registry value to auto-load when Windows starts up; you must delete the registry key.
1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit
3. Then click OK. (The Registry Editor opens.)
4. Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value:
"windows auto update"="msblast.exe"
6. Exit the Registry Editor.
Install the patch for your system from the links below.
Non-SP1 users = http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en
SP1 users = http://securityresponse.symantec.com/avcenter/security/Content/8205.html
_________________
Extremism in the defense of liberty is no vice. And moderation in the pursuit of justice is no virtue.
Life, Liberty and the Pursuit of those that dare screw with it.
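As an added example (not code from any post in this thread), here is the manual cleanup from the post above written as a PowerShell triage script. It reports every indicator it finds and only changes anything when run with -Remediate, so you can run it first just to look. Assumptions: PowerShell run as Administrator on the affected machine; the file name msblast.exe, the blastms.bak rename, the Prefetch entry and the "windows auto update" Run value are the ones this post names; the function name, the switch and the output format are mine.

```powershell
# Added triage script for the indicators named in the post above.
# Not from the original thread. Assumes an elevated PowerShell session on the
# affected Windows machine; -Remediate and Find-MsblastIndicators are my names.
param([switch]$Remediate)

function Find-MsblastIndicators {
    param([switch]$Remediate)
    $found = @()
    $sys32 = Join-Path $env:SystemRoot 'system32'

    # Post step 1: cancel the pending shutdown ("shutdown -a" in the post).
    shutdown.exe /a 2>$null

    # Post step 2: the worm process, if it is still running.
    foreach ($p in Get-Process -Name 'msblast' -ErrorAction SilentlyContinue) {
        $found += "running process msblast.exe (PID $($p.Id))"
        if ($Remediate) { Stop-Process -Id $p.Id -Force }
    }

    # Post step 3: the dropped binary. Renaming keeps a copy for AV/forensics.
    $exe = Join-Path $sys32 'msblast.exe'
    if (Test-Path -LiteralPath $exe) {
        $found += "file $exe"
        if ($Remediate) { Rename-Item -LiteralPath $exe -NewName 'blastms.bak' -Force }
    }

    # Post step 4: the Prefetch trace (MSBLAST.EXE-<hash>.pf). Its timestamp
    # tells you when the binary last ran, which is worth noting before deleting.
    $prefetch = Join-Path $env:SystemRoot 'Prefetch'
    Get-ChildItem -Path $prefetch -Filter 'MSBLAST.EXE-*.pf' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $found += "prefetch $($_.FullName) (last run $($_.LastWriteTime))"
            if ($Remediate) { Remove-Item -LiteralPath $_.FullName -Force }
        }

    # Post step 5: the persistence value under HKLM\...\Run. The value name
    # contains spaces, so look it up by property name rather than with -Name.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $name   = 'windows auto update'
    $props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$name]) {
        $found += "Run value '$name' = '$($props.$name)'"
        if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $name }
    }

    return $found
}

$result = @(Find-MsblastIndicators -Remediate:$Remediate)
if ($result.Count -eq 0) { 'No msblast indicators found.' } else { $result }
```

Run it once without the switch and save the output, then again with -Remediate. Finding the Prefetch entry without the file or the Run value means something already cleaned up partially; the box still needs the MS03-026 patch, because nothing here closes the RPC hole the worm came in through.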
Minus000 (Joined: 29 May 2003, Posts: 363, Location: Sidney, B.C.)
Posted: Tue Aug 12, 2003 5:19 pm
Oww, jeez. I actually got it. Thanks. I was able to fix the crashing myself, but I thought that it was just crashing; I didn't realize it was a worm and also still sending out information. I think this is the first time I've heard of a virus on the news that I've had.
5150 (Joined: 04 Dec 2002, Posts: 767, Location: Blyth, Northumberland, UK)
Posted: Tue Aug 12, 2003 5:25 pm
Also known as Win32/Poza and Lovsan. Doesn't appear to infect Win95 or 98 though, only NT, 2000 and XP...
Neil924 (Joined: 18 Mar 2003, Posts: 4225, Location: Canada)
Posted: Tue Aug 12, 2003 7:57 pm
Look out for: TFTPxxx (xxx being a number) showing up during their computer restart process.
These files appear to be either temporary or marker files left behind by a Trojan running the TFTPD.EXE Windows application (this is a valid Windows file being used by the Trojan; likely to attempt file sharing between systems). This is an exploit of a new Windows vulnerability. The following Windows vulnerability...
http://support.microsoft.com/?kbid=823980
...has been announced and various Anti-virus makers report an increasing amount of traffic attempting to probe that vulnerability in Windows.
These attacks will only increase over time unless people IMMEDIATELY download and install the Windows patch described above. You can further help yourself by installing a firewall of some sort between you and the Internet. There are a number of free software firewalls that work just fine. Two, in particular, are often mentioned...
Sygate Personal Firewall - http://www.sygate.com/
Zone Alarm by ZoneLabs - http://www.zonelabs.com/
FILExt takes no position on which one of these (or others) you should use. It's your choice but you should make the choice and use something. If you have a continuous connection to the Internet instead of dial-up you should strongly consider getting a hardware firewall.
The TFTPxxx files appear to be in the Startup Group in Windows. You should be able to see them in the directory...
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TFTPxxxx
...or by choosing Start | Program Files | Startup
Delete these files (they may be read only and, if so, you may have to right click the file, select Properties, and uncheck the ReadOnly attribute).
That should solve the immediate TFTPxxx file showing up at system start problem.
Now comes the worse part...getting rid of whatever caused the problem. For this you really should have updated anti-virus software. By scanning your system it should find and handle the appropriate files for you. Again, FILExt makes no specific recommendation if you don't have any. A list of the major anti-virus software vendors can be found here...
http://www.cknow.com/vtutor/vtavsoftware.htm
So far, two different things have been identified as coming through the RPC vulnerability: Trojan/Autoroot and W32.Spybot.Worm. (Note: It's possible these are the same thing as different companies call the same malware by different names at times. It takes awhile for the various companies to update their listings with all the different names.)
In addition to the TFTPxxx files, the following file names have also been implicated in this incident and related to Spybot.Worm:
C:\WINDOWS\system32\ijexwcessr.exe
C:\WINDOWS\pss\webdav.exeCommon Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\webdav.exe
C:\WINDOWS\pss\TFTPxxxCommon Startup
C:\WINDOWS\System32\MSCONFIG32.EXE
(In all cases the "xxx" is some number.)
In the Trojan/Autoroot case the following file names appear:
RPC.EXE, RPCTEST.EXE, TFTPD.EXE, WORM.EXE, LOLX.EXE and DCOMX.EXE (WORM.EXE is an SFX archive that contains the three files RPC.EXE, RPCTEST.EXE and TFTPD.EXE.)
Finally, some folks have found a program named like TFTP.EXE-2FB50BCA.pf (the number may vary). This program also seems related to this incident and should probably be copied off to disk (so you can recover it if it turns out to be a red herring and not related to this incident).
So, in short, be certain to get that patch whatever you do. The more patched systems, the less the new exploits will spread to others. Then, be certain to scan your system with updated anti-virus software and keep it up to date on a daily basis, as the AV companies are fighting this thing as I write this.
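This post says the probe traffic against the RPC vulnerability is rising and that a firewall is the first line of defence. A firewall also gives you a log, and the log is how you find the machine on your own LAN that is doing the scanning. The following is an added example (not from any post in this thread) that reads Windows Firewall log lines and flags any source that hits 135/tcp on many distinct hosts. Assumptions: the space-separated "#Fields:" layout of pfirewall.log (date time action protocol src-ip dst-ip src-port dst-port ...; check the header of your own log), a threshold of five targets, and the sample lines, which are constructed. The sequential-address check is my heuristic for telling a worm walking a range from an admin poking at a few hosts.

```powershell
# Added detection example, not from the original thread. Parses Windows
# Firewall log lines (assumed "#Fields:" layout) and reports sources that
# touched 135/tcp on at least $MinTargets distinct hosts. Names are mine.
function Find-Port135Scanners {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [int]$MinTargets = 5
    )
    $bySrc = @{}
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        # Field order: date time action protocol src-ip dst-ip src-port dst-port ...
        if ($f.Count -lt 8) { continue }
        if ($f[3] -ne 'TCP' -or $f[7] -ne '135') { continue }
        $src = $f[4]; $dst = $f[5]
        if (-not $bySrc.ContainsKey($src)) {
            $bySrc[$src] = New-Object 'System.Collections.Generic.HashSet[string]'
        }
        [void]$bySrc[$src].Add($dst)
    }
    foreach ($src in $bySrc.Keys) {
        if ($bySrc[$src].Count -lt $MinTargets) { continue }
        # [version] gives a cheap numeric sort for dotted-quad IPv4 strings.
        $targets = @(@($bySrc[$src]) | Sort-Object { [version]$_ })
        # Consecutive last octets in the same /24 look like a worm walking a
        # range rather than a human; this is a heuristic, not proof.
        $sequential = $true
        for ($i = 1; $i -lt $targets.Count; $i++) {
            $prev = [version]$targets[$i - 1]; $cur = [version]$targets[$i]
            if ($cur.Major -ne $prev.Major -or $cur.Minor -ne $prev.Minor -or
                $cur.Build -ne $prev.Build -or $cur.Revision -ne $prev.Revision + 1) {
                $sequential = $false; break
            }
        }
        [pscustomobject]@{
            Source          = $src
            DistinctTargets = $targets.Count
            Sequential      = $sequential
            FirstTarget     = $targets[0]
            LastTarget      = $targets[-1]
        }
    }
}

# Constructed sample: an infected LAN host (192.168.0.10) walking
# 10.2.3.1-10.2.3.6 on 135/tcp, an outside host probing two of our
# addresses (below threshold), and one unrelated web connection.
$sample = @'
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-12 14:02:11 OPEN TCP 192.168.0.10 10.2.3.1 3301 135 - - - - - - - -
2003-08-12 14:02:11 OPEN TCP 192.168.0.10 10.2.3.2 3302 135 - - - - - - - -
2003-08-12 14:02:12 OPEN TCP 192.168.0.10 10.2.3.3 3303 135 - - - - - - - -
2003-08-12 14:02:12 OPEN TCP 192.168.0.10 10.2.3.4 3304 135 - - - - - - - -
2003-08-12 14:02:12 OPEN TCP 192.168.0.10 10.2.3.5 3305 135 - - - - - - - -
2003-08-12 14:02:13 OPEN TCP 192.168.0.10 10.2.3.6 3306 135 - - - - - - - -
2003-08-12 14:02:14 DROP TCP 203.0.113.7 192.168.0.10 4132 135 48 S 1110 0 16384 - - -
2003-08-12 14:02:15 DROP TCP 203.0.113.7 192.168.0.11 4133 135 48 S 1111 0 16384 - - -
2003-08-12 14:02:16 OPEN TCP 192.168.0.10 198.51.100.9 3307 80 - - - - - - - -
'@ -split "`r?`n"

# Expected on the sample: one row, Source 192.168.0.10, 6 targets, Sequential True.
Find-Port135Scanners -LogLines $sample | Format-Table -AutoSize
```

Point it at a real log with `Find-Port135Scanners -LogLines (Get-Content C:\Windows\pfirewall.log)`. The outside host in the sample is exactly the background noise this post describes; the row that matters is the internal one, because that is the machine that needs the cleanup from the first post and the patch.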
Phogphire1 (Joined: 05 Apr 2003, Posts: 293, Location: Portland, OR)
Posted: Tue Aug 12, 2003 11:48 pm
BUMP
Stu2j (Joined: 03 Nov 2002, Posts: 1285, Location: Virginia Beach, VA)
Posted: Wed Aug 13, 2003 1:10 am
Join the 21st century.
A hardware firewall eliminates these problems.
Are folks still using dial-up services?
_________________
-Stu
924 owner since 1988
924S owner since 2002
Neil924 (Joined: 18 Mar 2003, Posts: 4225, Location: Canada)
Posted: Wed Aug 13, 2003 6:35 am
I'm not on dial-up and I don't have a firewall.
Lizard (Joined: 03 Nov 2002, Posts: 9364, Location: Abbotsford BC, Canada)
Posted: Wed Aug 13, 2003 8:01 am
To stop the comp from restarting, right-click My Computer and go into Manage, then click on Services and Applications, then click Services, and look through the list for Remote Procedure Call. There will be two (one will have Locator beside it; you don't want this one). Open the one that doesn't list Locator and you will see three drop-down boxes; set them all to Take No Action, click OK, then update your virus software.
_________________
3 928s,
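The three drop-down boxes in this post are the service's recovery actions: when the exploit crashes the RPC service host, a recovery action of "Restart the Computer" is what reboots the box. The following is an added example (not from any post in this thread) that does the same check from PowerShell: it reads the actions for the RpcSs service with sc.exe and only clears them if one of them is a reboot. Assumptions: sc.exe output in the form "REBOOT -- Delay = 60000 milliseconds." (one action per line), an elevated session, and that an empty actions list passed as `actions= ""` is the command-line equivalent of Take No Action (verify on your build before relying on it). The function names and the -WhatIf switch are mine.

```powershell
# Added example for the recovery-action step in the post above; not from the
# original thread. Requires an elevated session and sc.exe. Function names,
# the -WhatIf switch and the actions= "" form are my assumptions.
function Get-RpcSsFailureActions {
    $text = (sc.exe qfailure RpcSs) -join "`n"
    # sc prints one action per line, e.g. "REBOOT -- Delay = 60000 milliseconds."
    [regex]::Matches($text, '(RESTART|REBOOT|RUN PROCESS) -- Delay = (\d+)') |
        ForEach-Object {
            [pscustomobject]@{ Action = $_.Groups[1].Value; DelayMs = [int]$_.Groups[2].Value }
        }
}

function Repair-RpcSsFailureActions {
    param([switch]$WhatIf)
    $actions = @(Get-RpcSsFailureActions)
    if ($actions.Count -eq 0) {
        'No failure actions configured for RpcSs (or sc.exe query failed).'
        return $false
    }
    if ($actions.Action -contains 'REBOOT') {
        "RpcSs will reboot the machine on failure: $($actions.Action -join ', ')"
        if (-not $WhatIf) {
            # Clear all three actions, same as choosing Take No Action in the GUI.
            sc.exe failure RpcSs reset= 0 actions= "" | Out-Null
            'Cleared.'
        }
        return $true
    }
    "RpcSs recovery does not reboot: $($actions.Action -join ', ')"
    return $false
}

# Report only; drop -WhatIf to apply the change.
Repair-RpcSsFailureActions -WhatIf
```

Two caveats a practitioner would want. First, this only stops the reboot; the RPC service still crashes, so the machine stays up in a degraded state until you patch. Second, RpcSs is not the "RPC Locator" service (RpcLocator), which is the one the post says to leave alone; the function is hard-wired to RpcSs for that reason.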
Neil924 (Joined: 18 Mar 2003, Posts: 4225, Location: Canada)
Posted: Wed Aug 13, 2003 8:59 am
My computer is done. I'm saving 35 GB of info, then restoring the system. I had 30 files infected and 28 erased; 2 worms are still present, so I'm cleaning house. 1 win32blaster worm and 2 win32spybot worm. Anyone know what these are???
Lizard (Joined: 03 Nov 2002, Posts: 9364, Location: Abbotsford BC, Canada)
Posted: Wed Aug 13, 2003 9:37 am
Yeah, they are the worms that are causing your comp to restart. If you follow the steps in my last post, then get your Norton AV updated, you should be able to fix it instead of restarting the comp.
jamez (Joined: 03 Nov 2002, Posts: 401, Location: Chehalis, Wa)
Posted: Wed Aug 13, 2003 9:58 am
Wow, I had it too. Thanks, you saved my day.
Phogphire1 (Joined: 05 Apr 2003, Posts: 293, Location: Portland, OR)
Posted: Wed Aug 13, 2003 11:13 am
http://download.nai.com/products/mcafee-avert/stinger.exe
is also a repairer. I haven't tried it.
Phogphire1 (Joined: 05 Apr 2003, Posts: 293, Location: Portland, OR)
Posted: Wed Aug 13, 2003 11:15 am
Neil924 wrote:
    I'm not on dial-up and I don't have a firewall.
I created a thread with links to a free firewall, anti-virus, and spyware remover. Before you re-load or restore, try AVG to remove and heal infected files.
78porsche924 (Joined: 14 Dec 2002, Posts: 1217, Location: Newark, DE (near where DE, MD and PA meet))
Posted: Wed Aug 13, 2003 11:56 am
I was wondering wtf was up with my comp. Apparently my subscription to Norton ran out. Thanks for the heads up. I have the random restarts with the network server file (dunno what it is called, I forgot) and I always get this "can't open file tftp1507" whenever I start my comp.
Thanks again, guys.
_________________
90 944 S2
78 924 NA <--- now sold and killed by new owner
snailshell trans
Bae turbo kit
to check out my 944 S2: http://www.cardomain.com/member_pages/view_page.pl?page_id=388139
Phogphire1 (Joined: 05 Apr 2003, Posts: 293, Location: Portland, OR)
Posted: Wed Aug 13, 2003 12:03 pm
78porsche924 wrote:
    I was wondering wtf was up with my comp. Apparently my subscription to Norton ran out. Thanks for the heads up. I have the random restarts with the network server file (dunno what it is called, I forgot) and I always get this "can't open file tftp1507" whenever I start my comp.
    Thanks again, guys.
I think that the tftp problem is explained:
Code:
BKDR_CIREBOT.A
This is a new virus and uses an exploit in all versions of Windows to install multiple backdoors. The side effect of this virus is it will cause your system to crash, warning that something went wrong with RPC, then it will tell you it is going to reboot the system.
The first thing you need to do if you have this error and a reboot is to start the system back up, do a Ctrl-Alt-Del, go to Processes and end task on:
RPC.EXE
RPCTEST.EXE
DCOMX.EXE
TFTPD.EXE
LoLX.exe
once that is done it should stop it from crashing. You will then need to go to these directories and manually delete these files.
C:\helped.exe
C:\lolx.exe
C:\rpc.exe
C:\rpctest.exe
C:\WINDOWS\system32\dcomx.exe
C:\WINDOWS\system32\lolx.exe
and on xp and winnt/2k make sure you also delete C:\TFTPD.EXE
After that you need to edit the registry for 2 entries. I only found one; I deleted that one. The other I could not find; however, I have not had a recurrence. Here are the registry keys that need to be edited.
Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>
CurrentVersion>Run
In the right panel, locate and delete the entry:
system = "dcomx.exe"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>
CurrentVersion>RunServices
In the right panel, locate and delete the entry:
system = "dcomx.exe"
Close Registry Editor.
After all that is done download the Microsoft Patch and stop this from ever happening again here is a link to all the patches for different flavors of win.
All Flavors:
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp
And For those that are lazy as can be here is a cleaner released by Trend AntiVirus.
Cleaner:
http://www.trendmicro.com/download/tsc.asp