PPRuNe Forums

Thread: RPC/Blast worm virus (https://www.pprune.org/computer-internet-issues-troubleshooting/99032-rpc-blast-worm-virus.html), in the Computer/Internet Issues & Troubleshooting forum

HugMonster 12th Aug 2003 22:15

RPC/Blast worm virus
 
There is a weakness in later versions of Windows (2000, XP etc) that people have just discovered and are using it to take control of computers and load the W32.Blast.Worm virus.

Fix for the virus is here:-

http://securityresponse.symantec.com...oval.tool.html

The MS patch Fix to close the RPC loophole is at:-

http://www.microsoft.com/technet/tre...n/MS03-026.asp

More info at:-

http://www.thetechguy.co.uk/comments...atid=1&id=1321

FWIW, my version of Norton Internet Security (as updated) catches the virus, but can't close the loophole.

kopbhoy2 12th Aug 2003 23:09

This is causing havoc in my workplace, thankfully I applied the MS patch to my 3 Win2K machines a couple of weeks back & I've not been affected yet...

If you're not sure whether or not your system is OK go into control panel/add-remove programs & if 'Windows 2000 Hotfix - KB823980' is listed then the patch is installed.

Capt BK 12th Aug 2003 23:25

This one caught me, managed to get rid of it using the latest update of VirusScan but it caused me a bit of hassle first! It's made the BBC news website as well.

A friend of mine without protection has it but can't delete the msblast.exe file in the system32 directory, anyone know how to get rid of it? He says it's not 'Read only' but won't delete?

If you haven't already I suggest everyone downloads the MS patch given in HugMonster's Post

Naples Air Center, Inc. 13th Aug 2003 04:12

HugMonster,

I have been getting calls for computer repairs on this one for the last two days. It is keeping my evenings busy.

Take Care,

Richard

fobotcso 13th Aug 2003 06:27

Capt BK, two suggestions for your friend.

1. Start in "safe mode" and see if Windows Explorer will allow the deletion.

2. If no joy, open a Command Window, navigate to the file using keystrokes, make sure it isn't Hidden, System or Read-only and then delete it.

Naples Air Center, Inc. 13th Aug 2003 11:52

The funny thing about this virus, all the comps I have had to go service this evening had two things in common:

1) All on Dialup

2) All with WinXP SP1

The reason all the affected machines were on dialup internet connections is that most Dialup accounts do not have Routers/Firewalls. This worm comes through the TCP 135 port, Routers/Firewalls block this port. Once in your computer the worm opens port 4444 and then it loads itself and takes over the infected computer. The code picks random IP addresses and checks those IPs for access, it tries several ways to break in. If it gets in, it infects as above, if it does not get in, it makes more random IPs and starts the process again.

Nasty little piece of work this worm. The only good thing is it does not do permanent damage to the infected computer.

Take Care,

Richard
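
The scanning pattern Richard describes (one host trying TCP 135 on many random addresses, then a listener on 4444) is something a firewall log can show. The following is an added example, not code from the thread: the log format is constructed, and the thresholds are assumptions to tune for your own network.

```python
"""Added example (not from the thread): flag hosts whose outbound traffic
looks like the Blaster scan described above (many distinct targets on TCP 135
in a short window) and hosts accepting inbound connections on TCP 4444."""
from collections import defaultdict

# Constructed firewall log: "<epoch> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
1060700000 10.0.0.5 203.0.113.17 135 DENY
1060700001 10.0.0.5 198.51.100.4 135 DENY
1060700001 10.0.0.5 192.0.2.99 135 DENY
1060700002 10.0.0.5 203.0.113.250 135 DENY
1060700003 10.0.0.5 198.51.100.77 135 DENY
1060700003 10.0.0.5 192.0.2.8 135 DENY
1060700010 10.0.0.9 10.0.0.1 80 ALLOW
1060700020 10.0.0.12 10.0.0.5 4444 ALLOW
"""

def parse(log_text):
    """Yield (ts, src, dst, dport, action); malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, action = parts
        try:
            yield int(ts), src, dst, int(dport), action
        except ValueError:
            continue

def find_scanners(log_text, window=60, min_targets=5):
    """Sources that reach >= min_targets distinct hosts on TCP 135 within
    `window` seconds; denied attempts count, since the scan itself is the signal."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, _ in parse(log_text):
        if dport == 135:
            per_src[src].append((ts, dst))
    scanners = set()
    for src, hits in per_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                scanners.add(src)
                break
    return sorted(scanners)

def find_4444_listeners(log_text):
    """Hosts that accepted an inbound connection on TCP 4444, the port the
    post says the worm opens once it is in."""
    return sorted({dst for _, _, dst, dport, action in parse(log_text)
                   if dport == 4444 and action == "ALLOW"})
```

A host that appears in both lists is a strong candidate for the patch and the removal tool linked earlier in the thread.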

Golden Rivet 13th Aug 2003 14:48

Had a look at the Microsoft technet page - there are two options for the patch for XP, a 32 bit version and a 64 bit version. How do I know which I have installed? (currently running XP home edition)

GR

4PON4PIN 13th Aug 2003 18:50

Many thanks for the info on this Hugs. Discovered last night that I had the blasted thing and my Norton couldn't delete either.
Have followed the links and downloaded hardcopy info & programs onto floppy to take home this evening.

Steps to take:
a) Switch off "system restore"
b) install patch
c) install fix.
d) reboot
e) switch "system restore facility" back on.

Think I've got the above in right order but will study hardcopy later. Not being too up-to-speed on the techy side of PCs I would have been totally lost without your links. Real Catch-22 when you need to go on-line to get the fixes but the worm keeps closing down the PC. Hence need for floppies to repair off-line.

Thanks again:ok:

fobotcso 13th Aug 2003 20:45

Golden Rivet: assume 32-bit. If it was 64-bit you would know.

Funny thing is that Microsoft specifically exclude WinME. They do not mention Win98SE at all, even though there are lots still out there.

Excellent Thread. Thanks to all.

amanoffewwords 14th Aug 2003 01:12

> Funny thing is that Microsoft specifically exclude WinME. They do not mention Win98SE at all, even though there are lots still out there.

That's probably because they ceased support on Win 98 end June (I imagine that's for all flavours of Win 98).

I'm just back from setting up a laptop for a customer - 2 mins into showing her how to dial up the Internet - bang, got the 60-second warning of reboot. Problem is if you do not have the patch with you it prevents you getting back on the net to download it - and it disabled NAV (Norton Anti-Virus) and DUN (dial-up) properties so I couldn't set the firewall.

Managed to get round it by disabling all RPCs services, then downloading the patch from M$, disabling messenger services, activating the firewall, updating NAV and then checking my customer's blood pressure though by then she had had enough of her first experience with computers, switched it off, signed the sheet and sent me on my way.

When they catch the guy/girl who started this he/she's getting an invoice for my time...with the appropriate supplements...

amofw

fobotcso 14th Aug 2003 05:40

amofw

This is probably what you are referring to. But why no fix for Win ME?

malaysian eaglet 14th Aug 2003 06:13

BLASTER VIRUS
 
If Norton Antivirus (Professional) is updated it stops the virus which seems quite active and frequently met but I was obliged to restart the computer because some files were neutralized. After downloading the last security package of Windows 2K, no problem, my computer is definitively out of reach.

fobotcso 14th Aug 2003 07:11

TCS, thanks. But in your link Microsoft do say that they tested the fix on Windows ME.

:confused: Who cares. Life's too short and ME went back into its box 6 months ago anyway.

Timothy 14th Aug 2003 15:23

JAAMOI, is ME considered to be the same as 98SE? In other words, does the end of 98 support also mean the end of ME support?

W

fobotcso 14th Aug 2003 18:26

According to Microsoft in the link in my post above, ME support will cease at the end of this year (2003).

Capt BK 14th Aug 2003 20:13

fobotcso,

Thanks for the reply. He rang me to say he'd fixed the problem, he just went out and bought Norton!

Why didn't I think of that;)

Naples Air Center, Inc. 15th Aug 2003 23:30

I have been getting a lot of time with MSBlast lately. Something that helps, if you have to download the patch, is to go into your Task Manager and disable the Process MSBlast.exe. That will stop the Shutdown Countdown the worm gives you. Then you have all the time you need to download the patch.

Take Care,

Richard

Wing Commander Fowler 17th Aug 2003 23:06

Hi Guys,

caught this ****** meself and had some trouble getting my head around it!

I never had the MSblast.exe program anywhere nor had the appropriate string in the registry and yet it was doing the business with my RPC. Most peculiar.

Now I still cannot download any updates from Windows Update. Have seen many posts regarding this problem on a microsoft forum but no answers.

Any Ideas anyone?

:*

Fuji-san 18th Aug 2003 00:47

I believe that MS have temporarily disabled the Update site in order to avoid being hit by the virus which was due to flood the site yesterday.

Fuji.

Mac the Knife 18th Aug 2003 01:13

WC Fowler - there are variants where msblast.exe is replaced by TEEKIDS.EXE or PENIS32.EXE

Don't know about variant registry changes tho'

Wing Commander Fowler 18th Aug 2003 06:41

ahh.... thanx guys - don't feel so lonely now!

type1 18th Aug 2003 22:46

the answer.....
 
will windows users never learn?

buy a macintosh

no system freezes, no crashes, no viruses

Mac the Knife 19th Aug 2003 01:42

will windows users never learn?

switch to a proper O/S

no system freezes, no crashes, no viruses

[Registered Linux User #302442]

ORAC 19th Aug 2003 01:52

Geez! Haven't you guys ever heard of the fun of living dangerously? :}

Naples Air Center, Inc. 19th Aug 2003 22:41

It did not take long:

There is a new variant of the Worm that is destructive.

The new variant also copies the file TFTPD.EXE to the %System%\Wins folder as SVCHOST.EXE and then creates a service for it with the display name "Network Connections Sharing".

TFTPD.EXE or SVCHOST.EXE is a TFTP (Trivial File Transfer Protocol) server that is used by this worm to set the affected system as a download site for its copy. This worm is then able to propagate by instructing remote systems to download it using TFTP.


Looks like this one will be around for a long while,

Richard

ETOPS773 27th Aug 2003 02:36

That might explain a lot...
SVCHOST.EXE :}

http://us.f1f.yahoofs.com/users/df04...ls6S_AoZ47D0PJ

I enclose an image of my task manager.. seems to be more than one SVCHOST.EXE running, one of them pretty phat too? I got rid of the blaster, using Sophos with all the up-to-date definitions... yet my computer continually crashes out, cannot use flight sim, paint shop pro, etc. as they will not load up or crash when loading... EXCEPT.. on my mum's login.. and that's pretty unstable too!

Is this a knackered hard drive or likely to be the worm?

Thanks,
ETOPS773 :{

Naples Air Center, Inc. 27th Aug 2003 03:31

ETOPS773,

I cannot access the page you linked so I cannot see your Task Manager. It is normal to have two svchost.exe's. You will see one for Local Service and the second for Network Service.

If you can link your picture again, I will give it another shot at opening it.

Which Operating System are you running and do you know the specs on your hardware? (It would help if you could list it.)

Take Care,

Richard

ETOPS773 27th Aug 2003 04:01

hmm..try

http://uk.f1.pg.briefcase.yahoo.com/...?.dir=/Friends

then goto the only pic there..should work :ok:

K, using Windows XP Home (all updated etc), 2.4 GHz P4, 60GB HDD, 512MB RAM, 512 kbps ADSL connection.

What alarmed me is that I had 4 SVCHOST.EXEs running.. 2 listed as system, 1 under network service, and 1 under local service. With only me logged on...

Cheers.

Naples Air Center, Inc. 27th Aug 2003 05:07

ETOPS773,

Here are a couple of things you can check for:

Known variants create the following entries under the described registry key:

"windows auto update" = MSBLAST.EXE (variant A)

"windows auto update" = PENIS32.EXE (variant B)

"Microsoft Inet xp.." = TEEKIDS.EXE (variant C)

In C:\Windows\System32, known variants use the following file names for their copy:

MSBLAST.EXE (variant A)
PENIS32.EXE (variant B)
TEEKIDS.EXE (variant C)

Take Care,

Richard
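
The registry values Richard lists can be checked offline against a .reg export of the Run key. This is an added example, not code from the thread: the Run key path (the post does not name it) and the export text are constructed and assumed; the value names and executable names are the ones listed above.

```python
"""Added example (not from the thread): parse a .reg export and report Run
values matching the Blaster variants listed in the post. The key path and
the export below are constructed for this example."""
import os
import re

# Indicators from the post: (run-value name, executable) -> variant letter.
VARIANTS = {
    ("windows auto update", "MSBLAST.EXE"): "A",
    ("windows auto update", "PENIS32.EXE"): "B",
    ("microsoft inet xp..", "TEEKIDS.EXE"): "C",
}

# Constructed .reg export; the Run key path is an assumption for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"windows auto update"="msblast.exe"
"Microsoft Inet xp.."="C:\\WINDOWS\\System32\\TEEKIDS.EXE"
'''

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_reg_values(reg_text):
    """Return {key_path: {name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes in string data; undo that here.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_blaster_values(reg_text):
    """Match values under any ...\\CurrentVersion\\Run key against VARIANTS,
    case-insensitively and on the basename so a full path still matches."""
    hits = []
    for key, values in parse_reg_values(reg_text).items():
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        for name, data in values.items():
            exe = os.path.basename(data.replace("\\", "/")).upper()
            variant = VARIANTS.get((name.lower(), exe))
            if variant:
                hits.append((name, exe, variant))
    return hits
```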

Super Stall 29th Aug 2003 23:14

Hi Naples, I was infected with the new variant (nachi), within about 60 secs of logging on the internet with a new computer (it has somewhat soured the experience ) anyway...

I've spent all day putting things right, downloaded patch, symantec fix etc. and all now seems to be in order. However the task manager still shows four SVCHOST running.

Local service 3,316k
Network service 1,928k

both of which I assume are ok, it also has

System 17,872k
System 3,004k

What I'd like to know is should I delete these via windows\system32\wins file, or are they best left alone?

Any help much appreciated.

Naples Air Center, Inc. 29th Aug 2003 23:36

Super Stall,

If you removed the virus with the patches while running your affected Operating System, you are fine. (If you had pulled the hard drive out of the computer and used it as a slave on another computer, it would not have removed the virus properly.)

I am currently running 4 instances svchost.exe, two system, one local service, and one network service. The size of the memory usage will change. That is normal.

If you see any other problems with your computer, please report back. Otherwise, just monitor it.

Take Care,

Richard

Super Stall 30th Aug 2003 00:01

Crikey, that was quick, question to answer in 22 mins !!

Thanks for your help. :ok:

ss.

amanoffewwords 30th Aug 2003 01:22

The BBC reports that the FBI has identified one of the people who developed a variant of MSBlast.

You can't dig yourself a much bigger hole than he has for himself, methinks.

Front_Seat_Dreamer 30th Aug 2003 05:41

This may be a little late for most but if you go here and download the Stinger it will check your machines for various viruses and trojans including the ones mentioned in this thread. I am still getting machines with blaster/lovsan and this tool has cleaned it off the systems.

However YMMV.

Dop 30th Aug 2003 07:22

amanoffewwords: Just read that BBC article, complete with mugshot of person involved.
Hey look! It's a big fat b'stard!!! Who'd have thought!!!
I bet he has no real friends, too...

amanoffewwords 30th Aug 2003 17:04

LOL dop!

Anyway, I was thinking it's about time they brought back medieval stoning practices for these guys, one stone for each person that was affected by the virus. Then we can bury the crumbs. That should put them off. :E

amofw

