Helpful Information
 
 
Category: Antivirus Protection
w32.blaster.worm aka. My XP(pro) has been hijacked

What a nightmare.

I switched on my monitor for my PC today and when it lit up there was only a black screen. I could move the cursor, but nothing else worked.... reboot :(
When I restarted I got a win32 service error, couldn't find something :( :(
Rebooted again, then the PC decided to shut itself down, saying that the Remote Procedure Call (RPC) Service, had terminated unexpectedly.
Several system restores or rollbacks, I am still no further on.
My firewall, ZA, is asking if I want to allow access to the internet to msblast.exe :eek:
I am getting very high CPU usage, up to max, 99% of which is vsmon.exe :confused:

To add to this, I was unable to move / open / delete any files on the desktop, and search and explorer didn't work :mad:

Anyone, get any ideas what happened - I know MS does stuff by itself sometimes :confused:

Does anyone know what msblast.exe and vsmon.exe do?

I run XP pro and have ADSL connection and my PC is almost always on. I use Zone Alarm as a firewall and AVG anti-virus.

I also write very bad :p php with mysql database also installed if that makes a difference.

Thanks for any advice

Jamie

vsmon.exe is a component of Zone Alarm which monitors your internet traffic and generates alerts. I'm not sure what msblast.exe is, and no info on google. The RPC error could be due to a recently published exploit. If you can, be sure you have the latest service pack and security patches. If you can't fix it, you might have to reformat, then apply the patches and such.
Don't know how helpful this is, but it's all I know.
HTH
Dave

It seems this RPC exploit is getting some serious attention by the folks that use such things.

From what I've heard, they tend to drop some ms*.exe file and set it to startup, and various things (most notably task manager) won't run. These .exe files suck up all the CPU usage they can (probably trying to spread themselves thru RPC) and it looks like ZA is trying to stop it (but trying very hard to eat up that much cpu time). I'd delete msblast.exe if at all possible. Boot into safe mode to delete it if you have to. Use msconfig or startup.cpl to remove it from start up.

I'm of the opinion, if you don't know what it is, stop it from running. If you system screws up, let it back in, else, you're better off without it.

http://isc.sans.org/diary.html?date=2003-08-11

msblast info

http://clanasc.com/html/

I do believe its related to this too:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

it causes probs with msn messanger. shuts your computer off just for the hell of it.. and i'm guessing its causing even more probs.

spread the word folks
lol

yeah its w32.blaster.worm

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html#technicaldetails

Hi guys, thanks for the info.

When I got into work this morning, before reading any responses I had thought it was a virus. Then I checked the board again and it was confirmed :(

Then I searched google again, and lo and behold, there were news articles about it being just about to hit Europe.

I wonder if I was the first :o

Anyway, I have deleted the files in safe mode, tweaked the registery a bit. Installed the XP patch and am now finally able to get my virus update and do the scan.

Hopefully I will be clear by tomorrow :cool:

Jamie

PS: I am currently on a different PC :p

My friend in London got hit yesterday too....hope you get it all cleared up.:D

i havnt gotten it,... hope i never do.

I think we need a temporary sticky for this one. This keeps coming up, and probably will for the next week or two.

To sum up everything for the inevitable entry of people who are too lazy to click links and Google (and, therefore, who will keep asking questions):


shuts your computer off just for the hell of it
To clarify... it doesn't actually shut your computer off. The MSBlast worm comes in through port 135 using a previously known vulnerability (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp) in RPC. It attempts to determine what system you are running and then tries to exploit RPC. It often results in RPC crashing which is causing the shutdown. By default, Windoze attempts to reboot the system if RPC crashes (thus bringing RPC back to life). MSBlast, however, installs itself in the system32 directory as an autostarter and then crashes RPC again, resulting in another reboot, ad nauseum. You can stop the crashing by changing the "Action to Take" for RPC to "Take No Action" for all events (crash, etc.) but you'll still have the worm.

Once installed, the binary opens up port 4444 on your system and scans random IP addresses at port 135 looking for more vulnerable machines to propogate to, though it seems to stay in your IP block most of the time (i.e. within your ISPs block of IPs for most home users).

The bigger deal with this worm is that on August 15th at Midnight (or, the 16th, depending on how you look at it), it's going to start attacking the windowsupdate.com site in an attempt to SYN flood it (DDOS). Expect to see that start happening within 36-48 hours.

It's relatively simple to stop. In fact, in theory, if you were smart enough to turn on ICF when you setup your Inernet connection in XP, you should be safe. ICF blocks incoming port 135 requests. If you don't have ICF, you just need to run a firewall that blocks ports 135, 139, and 445 (and any others you may have configured as RCP ports for whatever reason). Also, patch your damn computer. Home users have no excuses. There are reports that the patch is ineffective, but it's better than not trying it at all.

Finally, to stop the shutdowns, simply go into the command prompt (Start > Run > cmd or, on Win9x Start > Run > dosprmpt) and type 'shutdown /a'. There are also reports that you can set the system time back an hour to delay the shutdown an hour, but I can't say for sure that that works. Go into the system32 directory and delete 'msblast.exe' and delete the registry key 'HKLM\Software\Microsoft\Windows\Run\windows auto update'.

Any more info that I forgot or corrections welcome!

UPDATE

A variant of the worm has been released W32.Blaster-B (http://www.sophos.com/virusinfo/analyses/w32blasterb.html)



W32/Blaster-B is functionally equivalent to W32/Blaster-A, except that this variant uses the filename teekids.exe and the registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Inet Xp..

Also the internal message has been changed to:
Microsoft can suck my left testi!
Bill Gates can suck my right testi!
And All Antivirus Makers Can Suck My...

Yeah I am going to leave that last bit of the quote behind... doesnt need to be posted here :D

Also a worm called W32.RpcSpybot-A (http://www.sophos.com/virusinfo/analyses/w32rpcspybota.html) has been released, takes advantage of the same RPC exploit.


W32/RpcSpybot-A is a worm that exploits the RPC/DCOM vulnerability on computers running the Windows operating system to spread. The worm has a backdoor component that allows a malicious user remote access to an infected computer.

i wonder what they are going to do to the person thats responsible for this!

is this virus the most successful todate?

I think this one (http://world.std.com/~franl/worm.html) still holds the record.

I love it when something big like this comes out, and some twit somewhere alters one or two lines of code and re-releases it thinking they're soooooo clever. Never mind that the truly elite people in this story are the folks who actually disassembled it in the first place and figured out it's footprint and connection pattern / packet data / signatures / etc. If it wasn't for the really smart people, these dolts couldn't re-release it to begin with.

Man, that 1988 worm is bad, but hey the internet was a lot smaller back then so easier to bring down. Networks were easy to crash back then, just reach behind a machine and slightly disconnect the BNC plug from its T connector. Good old 10Base2 networks :D

I love this entry in the chronology:


11/3:1800 (approx.)
The Berkeley group sends out for calzones. People arrive and leave; the offices are crowded, there's plenty of excitement. Parallel work is in progress at MIT Athena; the two groups swap code.

:D

Can you imagine the havoc a worm that successful could wreak today? Eek.

man, that would be different :D

I would hope that all major security holes in the essential Linux and BSD systems are behind us now.

Little can be said for Troll packages like PHPNuke and phpBB though :D

it would have to be pretty successfuly to work off a nix machine..

Not really... there's plenty of vulnerabilities in the default installations of many nix distributions. From running sendmail by default to various ftp attacks - A Linux distro is often a highly vulnerable system. The major difference is that, unlike with Windows, you can actually harden your system without waiting for some slow-*** vendor to release the patch of the week.

How many people actually take advantage of that is another story....










privacy (GDPR)