sig101

Join Date 04/2002

New worm attacking NT based PC's on the net: firewall and patch

Just for those who may need to know. Now more than a demo exploit, it looks like an actual worm is in the wild and propagating today through the internet via vulnerable PC's. It attacks Port 135 and uses a RPC/DCOM vulnerability (buffer overflow) to get inside unprotected (unfirewalled and unpatched) NT based PC's and then propagates from there.

MS provided a patch on July 16 but there are indications that this new worm may be using another DCOM vulnerability for which MS has not yet provided a patch. This exploit effects NT 4, W2K, XP and Win Server 2003 systems. Best thing to do at the very least is to run a firewall (software or NAT router) to block Port 135 to the internet since it's suspected that the MS patch may not be effective for the current exploit.

The MS update patch can be found via this page: http://www.microsoft.com/security/security_bulletins/ms03-026.asp but again, this may not be enough and blocking port 135 to the net should be effective.

I just mention this since some people don't have any firewalling of their PC's (no router with firewalling capabilities or software firewall). Reports on this new worm as it propagates are being posted on various security news sites and forums today. So raise your shields or get one if you don't already have one. ZA Free, one choice out of several other free firewall apps is here: http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

More info from SANS on this latest worm: http://isc.sans.org/diary.html?date=200-08-11

(And please, no flaming on MS. Not that I necessarily disagree, but it gets tiresome. It's like complaining about death and taxes.

It's really old news that the "most secure OS and Server OS to date" ain't.)

[Message Edited]

Locked Post

Advanced Search

Watch this post

Do not email me updates for this post Email me updates for this post

Successfully updated karma reason!

F-Secure AV has info on this new worm. http://www.datafellows.com/v-descs/msblast.shtml

Successfully updated karma reason!

thanks!

Successfully updated karma reason!

Frogboy

Join Date 03/2001

+2419

Yea, we have several machiens internally affected. Blech.

Successfully updated karma reason!

Sign Up or Login and this ad disappears!
There are many great features available to you once you register. Sign Up for a free account and browse the forums without ads.

http://grc.com/default.htm open link and click on 'probe=135' link to see if your port is open or closed.

[Message Edited]

Successfully updated karma reason!

Fuzzy Logic

Join Date 05/2002

+493

My NT servers are secure and updated

Another update to be aware of is "Flaw in Windows Function Could Allow Denial of Service (823803)" This prevents access to the server by remote means. Please note installing this update disables RAS! After installing 823803 it took me a couple of hours to figure out why the RAS wouldn't run, un-installing the update cured the problem.

Successfully updated karma reason!

elvee

Join Date 03/2001

+113

Thanks for that link yrag

I am good to go

Successfully updated karma reason!

You're more then welcome

yrag2 hopes everyone is good to go

Successfully updated karma reason!

Another news article, from CNET: http://news.com.com/2100-1002_3-5062364.html?tag=fd_top

McAfee apparently has a virus def for it now (perhaps had generic detection before): http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547 I'd imagine their online scanner would have it too?

Successfully updated karma reason!

Aargh....I'm clean, but a friend rang with the problem...so I had to walk him through it all by remote...a pain in the arse, really....

Successfully updated karma reason!

make you want to reach out and touch someone >

Successfully updated karma reason!

SuperheroCanadian hits his computers with large stick

Dang it! All mine got infected, good excuse to format my main system though, since it really needs it. This thing is a pain, i think im gonna be doing a round of the nieghborhood since im the only one in at least a mile radius to know whats going on 0_o

Successfully updated karma reason!

well heck I guess if you are not running a registry monitor that intercepts every modification and demands you to either allow or disallow it you've got a good chance of being hit with it.

Must suck, "total rebuild" of the OS and applications, ack!

Successfully updated karma reason!

The easiest way to see if you have it is run Task Manager and see if Msblast.exe is running in processes. If it is, kill it and do the song and dance with the registry.

Guess I should have supplied edits to Registry:
Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
”windows auto update" = MSBLAST.EXE
Close Registry Editor. Restart System.........

[Message Edited]

Successfully updated karma reason!

A friend of mine got this, didn't know what was going on and reformatted his machine, which he had completely rebuild last week.

Yay for my brand spanking new router with built-in firewall. And I think I have disabled RPC anyhow.

IPlural: what kind of registry monitor are you running then?

Successfully updated karma reason!

yarg never crossed my mind to get into cleaning it out, I do know that I laughed my butt off over that *total system rebuild* on the one link. You know they did not go into manually cleaning the system up and restoring dcom configuration to the original because of the depth involved if someone has not done something like it before

------------------------------------

FYI: for those who do not really understand net security these are some simpler things you can do to protect your system. There are many more things you can/could do but that would take some typing extrema.

Also to prevent this from happening in the first place.

Lavasofts Ad-aware come with ad-watch3 which plays a part in watching registry modifications as do many different Active Registry monitors. Before any changes to the registry plays games install one.

RegHance is a very good registry editor which is also Lavasofts product.

Registry Firstaide is a good one for backing up the registry with protection from anything messing with the backups.

GFi has a freeware version of it's lan monitor/security scanner and patch monitor.

Norton Internet Security is one of the better active firewalls on the software side and also comes with Norton Virus which is also an active memory scanner behind as a back ground process.

There are loads more apps that help keep this kind of crap happening, but you have to use them and not turn them off while online or they make no difference.

Broadband users should have a NAT gateway/router at least between their cable/dsl router and their computer. A Software firewall is still a must because when your on the web either/and/or Newsgroup downloads, Web downloads, cookies, malware, scripts and Web Browsers will kill your system sooner or later.

If someone else uses the system create an Administrative account in your firewall software and user accounts otherwise you do not know when little Billy is going to turn it off so he can visit the Disney Web or Download something.

Good luck to everyone and I hope if you haven't been nicked by this, you won't!

Successfully updated karma reason!

This worm is expected to unleash itself this weekend....if you cannot get thru to MS update site (and it will get more difficult as time goes on, and in fact will probably go off line completely on Saturday since this site is the target of the worm), here is a back door to the file. Download the file (it will save to your hard drive) for your OS and and then install.........http://www.microsoft.com/security/incident/blast.asp

Successfully updated karma reason!

Someone may have posted this already. This is the tool I am using at work to fix infected machines...It's called FixBlast.exe

http://securityresponse.symantec.com/avcenter/FixBlast.exe

when it's run is completed you get a prompt to click on a link that takes you to the page with the patches for the various os's.
It's very easy to use and does a good job. You don't have to be a Norton customer to use it either like my company which uses Command Anti-Virus ( I hate it)

here's the page http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
[Message Edited]

Successfully updated karma reason!