Blaster update!
The long-predicted worm which uses a flaw present in all Microsoft operating systems has already spread to Europe.
The Blaster worm, also known as Lovesan, MSBlaster or Poza, attacks via a flaw for which a patch has been available since 16 July.
And, after 15 August, infected computers will be used to launch a denial of service attack against windowsupdate.com, where the patch for the vulnerability can be found.
Infections have already spread in the US and cases started appearing in Europe as the working day started.
"The lion's share of infections are in the US. Now people are waking up we've got infections popping up all over Europe," said David Emm from Network Associates Avert labs.
"We're keeping an eye on it but at present it doesn't look like it's going to be as much of a problem as Slammer. Administrators must still patch their systems as a matter of urgency."
The worm is spread automatically by sending itself via TCP port 135 to random IP addresses, generating large amounts of network traffic.
Once it finds and infects a system it copies itself onto the registry and sets up a shell using TCP port 4444, which downloads a program, msblast.exe, before sending itself out again.
The worm code also contains a message for Microsoft chairman Bill Gates, hidden in the code: "I just want to say LOVE YOU SAN!! billy gates why do you make this possible? Stop making money and fix your software!!"
The worm is particularly worrying since it can be used against both servers and client PCs.
"This puts the future of Windows at threat," said Gary Jones, services manager at MIS Corporate Defence Solutions.
"People underestimate how vicious this exploit code is. A single line of code gives the hacker system-level privileges.
"If someone writes an email worm this is going to spread like wildfire; it affects clients and servers and runs on 90 per cent of the world's PCs."
The critical flaw is in Microsoft's Distributed Component Object Model Remote Procedure Call (RPC) interface.
The vulnerability involves the RPC protocol, which deals with inter-computer communications. Microsoft warned that, under certain circumstances, the RPC might not properly check messages sent to the PC.
The patch is available here, and the major antivirus web sites also have free removal utilities available.
Originally posted by puffy
I got it on my home computer
Advisory Warning to all users of the following operating systems:
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Your Microsoft Operating System may potentially be under attack by HACKER ACTIVITY. The vulnerability attack can fool software into accepting insecure commands that could let intruders steal data, delete files or eavesdrop on e-mails.
Download locations for this patch:
Windows NT 4.0 Server
Windows NT 4.0 Terminal Server Edition
Windows 2000
Windows XP 32 bit Edition
Windows XP 64 bit Edition
Windows Server 2003 32 bit Edition
Windows Server 2003 64 bit Edition
This is a security flaw in Microsoft Windows, mainly NT/XP/Server.
To exploit this vulnerability, the attacker would require the ability to send a specially crafted request to port 135, 139, or 445 or any other specifically configured RPC port on the remote machine. For intranet environments, these ports would normally be accessible, but for Internet connected machines, these would normally be blocked by a firewall. In the case where these ports are not blocked, or in an intranet configuration, the attacker would not require any additional privileges.
Best practices recommend blocking all TCP/IP ports that are not actually being used, and most firewalls including the Windows Internet Connection Firewall (ICF) block those ports by default. For this reason, most machines attached to the Internet should have RPC over TCP or UDP blocked. RPC over UDP or TCP is not intended to be used in hostile environments such as the Internet. More robust protocols such as RPC over HTTP are provided for hostile environments.
To learn more about securing RPC for client and server please refer to:
http://msdn.microsoft.com/library/de...or_server.asp.
To learn more about the ports used by RPC, please refer to: http://www.microsoft.com/technet/pro...t4/tcpappc.asp
What’s the scope of the vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could gain complete control over a remote computer. This would give the attacker the ability to take any action on the server that they want. For example, an attacker could change Web pages, reformat the hard disk, or add new users to the local administrators group.
To carry out such an attack, an attacker would require the ability to send a malformed message to the RPC service and thereby cause the target machine to fail in such a way that arbitrary code could be executed.
If you see this message you should install Windows updates as soon as possible. There is basically someone out there sending data to your PC causing this to happen.
Due to the seriousness of this vulnerability the Department of Homeland Security and Microsoft encourage system administrators and computer owners to update vulnerable versions of Microsoft Windows operating systems as soon as possible.
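The mitigation the advisory describes (RPC over TCP/UDP and the SMB ports not reachable from the Internet, still usable on the intranet, host firewall kept on) expressed as an added PowerShell example. This is not code from the advisory, the thread or Microsoft; it assumes the NetSecurity cmdlets of Windows 8 / Server 2012 or later (the successor to the XP Internet Connection Firewall the advisory mentions) and an elevated shell, and the port numbers are the ones quoted above.

```powershell
# Added example, not from the advisory: block inbound RPC/SMB from the Internet
# while leaving intranet access alone. Assumes Windows 8 / Server 2012 or later
# (NetSecurity module) and an elevated PowerShell session.

# Keep the host firewall enabled on every profile (the modern equivalent of
# turning on ICF, which the advisory notes blocks these ports by default).
Set-NetFirewallProfile -All -Enabled True

# Ports named in the advisory: TCP 135 (RPC endpoint mapper), 139 and 445 (SMB),
# plus RPC over UDP on 135.
$ports = @{ 'TCP' = @(135, 139, 445); 'UDP' = @(135) }

foreach ($proto in $ports.Keys) {
    $name = "Block inbound $proto RPC/SMB from the Internet"

    # Idempotent: do not create a second copy of the rule on a re-run.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }

    # -RemoteAddress Internet is the firewall's keyword for addresses outside the
    # local (intranet) ranges, so hosts on the LAN can still reach RPC and SMB.
    New-NetFirewallRule -DisplayName $name `
        -Direction Inbound -Action Block -Enabled True `
        -Protocol $proto -LocalPort $ports[$proto] `
        -RemoteAddress Internet `
        -Profile Any | Out-Null
}

# Verify what was installed: rule names plus the protocol/port filter on each.
Get-NetFirewallRule -DisplayName 'Block inbound * RPC/SMB from the Internet' |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Enabled  = $_.Enabled
            Action   = $_.Action
            Protocol = $filter.Protocol
            Ports    = ($filter.LocalPort -join ',')
        }
    }
```

The rule only narrows exposure; it does not replace the patch. A machine that must not serve RPC or SMB to anything at all is better served by `-RemoteAddress Any`, and a remote check from another host (for example `Test-NetConnection -ComputerName <host> -Port 135`, run from outside the local subnet) confirms the port is actually filtered.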
It should be noted, however, that since the vulnerability permitted an attacker to do almost anything with a victim machine, the information below may represent only one of many possible attack results. Therefore, the absence of the files described below should *not* be considered to be a conclusive indication that a system was not compromised due to this vulnerability.
The latest version of McAfee VirusScan Enterprise 7 (and I would guess VS 4.5.1 also) does NOT recognize any files related to exploiting the RPC DCOM vulnerability as being problematic. This may not be surprising, since we're not dealing with a virus - yet. Please don't rely on a virus scanner to find these, or similar files on a system at this time.
Files that exploit RPC DCOM will only show up on a machine as part of a kit that one might use to carry out attacks on remote hosts. However, because such files can only be installed when an attacker has substantial access to a victim machine, the most reliable method of clean up is to rebuild the victim machine from known, good media, while __NOT__ connected to the network (e.g., rebuild and _fully_ patch, and enable the XP built-in firewall, while behind a firewall device (e.g. Linksys BEFSR41), or while disconnected from the network).
Hence, if a host is discovered to have been the victim of the RPC DCOM exploit, and until organizations such as CERT, NAI, etc. can issue more definitive information on what the bounds of these exploits might be, Information Security can only endorse the recommendation that the machine be rebuilt. As soon as we become aware of a less-drastic yet more certainly effective means of ensuring identification of whatever the attackers may have done, we will pass that along.
Several of the victim workstations examined have had the following characteristics in common (note: these characteristics represent only one "footprint" - there are certainly other, different footprints related to exploiting RPC DCOM - absence of these files does *NOT* mean definitively that the system was not victimized in some other way):
* Three files located in a directory named "c:\temp"
  + directx.exe
  + cygwin1.dll
  + rpcroot.exe
* Some of the machines examined had a copy of directx.exe and rpcroot.exe in c:\windows\system32.
* Directx.exe, while a file by that name may normally be present as part of the Windows 'Direct-X' display facility, is in this case actually an IRC server. When executed, directx.exe will create the following registry entries:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  + C:\test\directx.exe
  HKLM\SOFTWARE\ColdVision
  + (Default)
  + update
* In addition to the registry entries, directx.exe will generate two text files (in the same directory as directx.exe):
  + JoinMe.conf
  + operators.conf
  The "operators.conf" file is empty, while "JoinMe.conf" contains 22 lines of IRC server configuration variables (with no interesting values). It has been reported that directx.exe may contain a client component which attempts to connect to an IRC server at 38.115.134.245.
* After a re-boot, the victim host will be running the IRC server on port 6667.
* Turns out that directx.exe and "ColdVision" have a bit of a history. See http://vil.nai.com/vil/content/v_100024.htm
* The rpcroot.exe file is a script-kiddie utility that will allow one to reboot vulnerable Windows machines remotely (via the RPC DCOM issue). Note that rpcroot.exe does not give one a shell on the victim machine (other utilities floating around the Internet apparently will provide shell access).
Cygwin1.dll is, of course, probably used in support of the IRC server (directx.exe). It's possible for rpcroot.exe to be used for any number of bad deeds: e.g., from general trouble making, to remotely rebooting other victim Windows machines for the purpose of bringing up newly installed IRC servers.
You can do this to stop the computer restarting each time and give you time to install the patch:
Go to START, CONTROL PANEL, ADMINISTRATIVE TOOLS, COMPONENT SERVICES, then select SERVICES (local) from the left-hand window. Find "REMOTE PROCEDURE CALL (RPC)" in the right-hand window, right-click, Properties. From the RECOVERY tab you can then set it so Windows won't reboot each time.
Final instructions to fix infected PCs:
1. Locate "msblast.exe" (Generally located at C:\winnt\system32\msblast.exe)
2. Delete it.
3. Go to Start->Run, and type "regedit"
4. Navigate through the tree to "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" and find the key labelled "windows auto update", which should contain "msblast.exe". Right click it, and select "delete".
5. Install the security patch so you don't have to do this again.
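A read-only triage check that covers both footprints discussed in this thread, the msblast.exe worm (file in the system directory plus the "windows auto update" Run value from the removal steps above) and the RPC DCOM kit from the incident note (directx.exe, cygwin1.dll, rpcroot.exe, the ColdVision key, an IRC listener on 6667), as an added PowerShell example. It is not code from the thread or from any vendor; it only reports and deletes nothing, so the manual removal steps (or the rebuild advice) still follow. It assumes Windows 8.1 / Server 2012 R2 or later with PowerShell 4.0+ (for Get-FileHash and Get-NetTCPConnection), an elevated session, and that the file names, paths, key names and ports are exactly the ones quoted in the thread.

```powershell
# Added example, not from the thread: triage check for the msblast.exe and
# RPC DCOM kit footprints described above. Report only; nothing is deleted.
# Assumes PowerShell 4.0+ on Windows 8.1 / 2012 R2 or later, run elevated.

$findings = New-Object System.Collections.Generic.List[string]
$sysDir   = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\system32

# 1. Dropped executables: msblast.exe in the system directory, and the RPC DCOM
#    kit files in C:\temp and the system directory (locations quoted in the thread).
$suspectFiles = @(
    (Join-Path $sysDir 'msblast.exe'),
    'C:\temp\directx.exe', 'C:\temp\cygwin1.dll', 'C:\temp\rpcroot.exe',
    (Join-Path $sysDir 'directx.exe'), (Join-Path $sysDir 'rpcroot.exe')
)
foreach ($f in $suspectFiles) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        # Hash is recorded so the file can be matched against vendor write-ups later.
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings.Add("File present: $f (SHA256 $hash)")
    }
}

# 2. Persistence: flag a Run value named "windows auto update" (the worm's entry)
#    or any Run command that references one of the dropped executables.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping properties; skip them.
        if ($prop.Name -like 'PS*') { continue }
        $cmd = [string]$prop.Value
        if ($prop.Name -eq 'windows auto update' -or
            $cmd -match 'msblast\.exe|directx\.exe|rpcroot\.exe') {
            $findings.Add("Run value '$($prop.Name)' = $cmd")
        }
    }
}
if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\ColdVision') {
    $findings.Add('Registry key present: HKLM\SOFTWARE\ColdVision')
}

# 3. Listeners: TCP 4444 (the worm's shell) and TCP 6667 (the dropped IRC server).
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in @(4444, 6667) }
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings.Add("TCP $($l.LocalPort) listening, PID $($l.OwningProcess) ($($proc.ProcessName))")
}

# 4. Report. Any hit means: take the host off the network first, then clean
#    (or rebuild, as the incident note recommends) and patch before reconnecting.
if ($findings.Count -eq 0) {
    Write-Output 'No msblast / RPC DCOM footprint indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

A clean result is not proof of a clean machine, for the reason the incident note gives: this is one footprint among many, and a listener on 6667 or 4444 is only suspicious in context (a legitimate IRC daemon would show up the same way), so check the owning process before acting on it.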
We sort of have it contained now at HSN but holy shit people, this is kicking our ass. We'll clean 1 PC and it will infect others before we can disinfect it and patch it. The domain update for the patch will protect the remainder of the workstations, but it's already spread far enough to cause a lot of damage. 
oh well, I get OT
Is Windows 98 vulnerable? Also, once we install the patch we are safe, right? Even if the bug was already on the machine, it is safe with the patch, right?
Sorry, I'm just a little worried.