Korean Job Discussion Forums
"The Internet's Meeting Place for ESL/EFL Teachers from Around the World!"
 
worm alert: 60 seconds until shutdown
Korean Job Discussion Forums Forum Index -> General Discussion Forum
Poll: do you find this denz public service announcement to be helpful?
yes: 64% [ 9 ]
no. and i'm a moran.: 35% [ 5 ]
Total Votes : 14

denz
Joined: 15 Jan 2003
Location: soapland. alternatively - the school of rock!
Posted: Mon Aug 11, 2003 8:49 pm    Post subject: worm alert: 60 seconds until shutdown

for anyone getting hit by that "60 second shut down" blast worm for windows XP, here is the remedy supplied by god (korean versions of XP only). you might have to change your encoding to korean to read this:

(1) install this patch: http://download.microsoft.com/download/e/3/1/e31b9d29-f650-4078-8a76-3e81eb4554f6/WindowsXP-KB823980-x86-KOR.exe

(2) it will reboot your computer after completing installation.

(3) after reboot, hit ctrl + alt + del and terminate the "msblast.exe" program.

(4) then go to the Start (시작) menu of Windows => Run (실행) => type 'regedit' and hit enter. the registry window will then pop up.

(5) browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the "windows auto update" value (msblast.exe) if you find it.

denz public service announcement brought to you by god's short shorts.

english versions go here:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A


Last edited by denz on Mon Aug 11, 2003 10:08 pm; edited 1 time in total
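To check the persistence entry that step (5) of the post above describes without clicking through regedit on each machine, here is an added Python example (not part of denz's post and not a vendor tool). It audits an exported copy of the Run key for the two indicators the thread names: a value called "windows auto update" or any value whose data references msblast.exe. The export text and the key contents below are constructed samples.

```python
"""Audit an exported Run key for the MSBlast persistence entry described
in the forum post. Added example, not from the original post. It reads a
text export (the format regedit's Export function and `reg export` write)
rather than the live registry, so it runs on any platform; the sample
export below is constructed and is not from any real machine."""
import re

# Indicators named in the thread: the value name the worm registers under
# the Run key and the executable that value points to.
SUSPECT_VALUE_NAME = "windows auto update"
SUSPECT_BINARY = "msblast.exe"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample export: one benign entry and one matching the worm's
# persistence entry.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"windows auto update"="msblast.exe"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for every key in a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            # String data is double-quoted in .reg syntax; strip the quotes.
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            keys[current][m.group("name")] = data
    return keys


def find_msblast_persistence(export_text):
    """List (value_name, data) Run entries matching the worm's indicators."""
    values = parse_reg_export(export_text).get(RUN_KEY, {})
    hits = []
    for name, data in values.items():
        if name.lower() == SUSPECT_VALUE_NAME or SUSPECT_BINARY in data.lower():
            hits.append((name, data))
    return hits


if __name__ == "__main__":
    for name, data in find_msblast_persistence(SAMPLE_EXPORT):
        print(f"suspect Run entry: {name!r} -> {data!r}")
```

A real export written by regedit or `reg export` is UTF-16 with a byte-order mark, so open such a file with `encoding="utf-16"` before passing its contents to `find_msblast_persistence`. A hit means the machine should be treated as infected and handled as the thread and the SANS diary advise (patch, then remove or rebuild), not merely have the value deleted.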
denz
Joined: 15 Jan 2003
Location: soapland. alternatively - the school of rock!
Posted: Mon Aug 11, 2003 8:51 pm

or vote no like a suuuuuuuuucker!

denz
mishlert
Joined: 13 Mar 2003
Location: On the 3rd rock from the sun
Posted: Mon Aug 11, 2003 10:12 pm

The scary thing about the worm is that it allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.
Source: Trend Micro
denz
Joined: 15 Jan 2003
Location: soapland. alternatively - the school of rock!
Posted: Mon Aug 11, 2003 10:17 pm

yesh indeed.

ibm (workplace of god) got hit this morning. those smart girls and boys at big blue nailed it pretty quick though:

there was a rat in the deep end, but we got 'im.

denz
the_beaver
Joined: 15 Jan 2003
Posted: Mon Aug 11, 2003 10:23 pm

The computer at work was hit with this very virus today and tomorrow I can fix it. Denz, you rock.
Wombat
Joined: 28 May 2003
Location: slutville
Posted: Mon Aug 11, 2003 10:26 pm

I use a Mac! CHUMPS!

Wombat the Crafty.
camel96 (Guest)
Posted: Tue Aug 12, 2003 9:29 am

Kind of serves me right for not paying attention to other threads I guess.
Walter Mitty
Joined: 27 Mar 2003
Location: Tokyo! ^.^
Posted: Tue Aug 12, 2003 10:48 am

Wombat wrote:
I use a Mac! CHUMPS!

Wombat the Crafty.

Same here!

Hackers don't scare me.
Bulsajo
Joined: 16 Jan 2003
Posted: Tue Aug 12, 2003 11:24 am

My home pc is sitting pretty, but at work.... this system is so full of bugs and crap I doubt one more worm would even be noticed...
rudyflyer
Joined: 26 Feb 2003
Location: pacing the cage
Posted: Tue Aug 12, 2003 4:17 pm

question:
I'm running Norton Internet security and have my personal firewall up. Will I be OK?
FlagWaver
Joined: 12 Apr 2003
Posted: Tue Aug 12, 2003 4:49 pm

Add this to your reading list people.

http://isc.sans.org/diary.html?date=2003-08-11



Quote:
Handlers Diary August 11th 2003
Updated August 12th 2003 11:26 EDT
RPC DCOM WORM (MSBLASTER)
This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this point, it is spreading rapidly.

Increase in port 135 activity: http://isc.sans.org/images/port135percent.png


**********
NOTE: PRELIMINARY. Do not base your incident response solely on this writeup.
**********


Executive Summary:

A worm started spreading early afternoon EDT (evening UTC) and is expected to continue spreading rapidly. This worm exploits the Microsoft Windows DCOM RPC Vulnerability announced July 16, 2003. The SANS Institute and Incidents.org recommend the following Action Items:

* Close port 135/tcp (and if possible 135-139, 445 and 593)
* Monitor TCP Port 4444 and UDP Port 69 (tftp) which are used by the worm for activity related to this worm.
* Ensure that all available patches have been applied, especially the patches reported in Microsoft Security Bulletin MS03-026.
* This bulletin is available at http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
* Infected machines are recommended to be pulled from the network pending a complete rebuild of the system.


Technical Details:

Names and Aliases: W32.Blaster.Worm (Symantec), W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trend Micro), Win32.Posa.Worm (CA), Lovsan (F-Secure), MSBLASTER, Win32.Poza.
The name of the binary is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11 kByte unpacked and 6 kByte packed:

MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)


Infection sequence:
1. SOURCE sends packets to port 135 tcp with a variation of the dcom.c exploit to TARGET
2. this causes a remote shell on port 4444 at the TARGET
3. the SOURCE now sends the tftp get command to the TARGET, using the shell on port 4444
4. the TARGET will now connect to the tftp server at the SOURCE.


So far we have found the following properties:

- Scans sequentially for machines with open port 135, starting at a presumably random IP address
- uses multiple TFTP servers to pull the binary
- adds a registry key to start itself after reboot
- infected machines will start a DDOS attack (port 80 synflood) against windowsupdate.com on August 16th.


Name of registry key:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'

Strings of interest:

msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
BILLY
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion\Run



The worm may launch a syn flood against windowsupdate.com on the 16th. It has the ability to infect Windows 2000, XP and potentially 2003.

The worm uses the RPC DCOM vulnerability to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.


Detection: Existing RPC DCOM snort signatures will detect this worm. The worm is based on dcom.c


Removal and Eradication:


Once you are infected, we highly recommend a complete rebuild of the site. As there have been a number of irc bots using the exploit for a few weeks now, it is possible that your system was already infected with one of the prior exploits. Do not connect an unpatched machine to a network.
If you cannot do this and/or the computer resides on a protected or non-Internet connected network, then several Anti-Virus Vendors have supplied tools to assist in removing the worm. However, these tools cannot clean up damage from other RPC DCOM malware such as the recent sdbot irc bots. This method of cleaning your system is _not_ recommended, but the URLs are presented below for completeness.

http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
http://www3.ca.com/Files/VirusInformationAndPrevention/ClnPoza.zip


Other References:

http://www.cert.org/advisories/CA-2003-19.html
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf
http://www3.ca.com/virusinfo/virus.aspx?ID=36265
http://www.datafellows.com/v-descs/msblast.shtml
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547
http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
http://www.sophos.com/virusinfo/analyses/w32blastera.html
http://xforce.iss.net/xforce/alerts/id/150
http://vil.nai.com/vil/content/v_100547.htm
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=40369&sind=0





Last edited by FlagWaver on Tue Aug 12, 2003 4:59 pm; edited 1 time in total
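The SANS diary quoted in the post above gives three things to watch for on the network: tcp/135 (the port the worm scans, walking addresses in sequence), tcp/4444 (the shell it opens on a freshly hit host) and udp/69 (the tftp transfer that pulls msblast.exe). As an added example, not from the SANS diary or from FlagWaver's post, the Python below applies those three indicators to a block of connection-log lines and reports per-source findings. The log format, the scan threshold and every address in it are constructed for illustration.

```python
"""Triage connection-log lines for the MSBlast network indicators listed
in the SANS diary: a burst of tcp/135 connections to consecutive addresses
(sequential scan), any tcp/4444 connection (worm shell) and udp/69 (tftp
pull of the binary). Added example; the log format and all addresses are
constructed and do not describe any real network."""
from collections import defaultdict
import ipaddress

# Constructed sample log. Fields: "<date> <time> <proto> <src> <dst> <sport> <dport>".
# 10.20.0.7 walks five consecutive hosts on 135, then reaches the last one on
# 4444; that host then fetches the binary over tftp. 10.9.0.8 is ordinary web use.
SAMPLE_LOG = """\
2003-08-11 14:02:10 TCP 10.20.0.7 10.9.0.1 1041 135
2003-08-11 14:02:10 TCP 10.20.0.7 10.9.0.2 1042 135
2003-08-11 14:02:10 TCP 10.20.0.7 10.9.0.3 1043 135
2003-08-11 14:02:11 TCP 10.20.0.7 10.9.0.4 1044 135
2003-08-11 14:02:11 TCP 10.20.0.7 10.9.0.5 1045 135
2003-08-11 14:02:12 TCP 10.20.0.7 10.9.0.5 1046 4444
2003-08-11 14:02:13 UDP 10.9.0.5 10.20.0.7 1050 69
2003-08-11 14:03:00 TCP 10.9.0.8 10.9.0.20 2231 80
2003-08-11 14:03:05 TCP 10.9.0.8 10.9.0.20 2232 443
"""

# Number of numerically consecutive tcp/135 targets before a source is
# reported as scanning. Chosen for the example; tune it to the network.
SCAN_THRESHOLD = 4


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    date, clock, proto, src, dst, sport, dport = line.split()
    return {"time": f"{date} {clock}", "proto": proto, "src": src, "dst": dst,
            "sport": int(sport), "dport": int(dport)}


def longest_sequential_run(addresses):
    """Length of the longest run of numerically consecutive IPv4 addresses,
    taken in the order they were seen (the worm walks addresses in sequence)."""
    best = run = 1
    prev = None
    for addr in addresses:
        cur = int(ipaddress.IPv4Address(addr))
        run = run + 1 if prev is not None and cur == prev + 1 else 1
        best = max(best, run)
        prev = cur
    return best if addresses else 0


def triage(log_text):
    """Return {source_ip: [indicator descriptions]} for the log text."""
    findings = defaultdict(list)
    port135_targets = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["proto"] == "TCP" and ev["dport"] == 135:
            port135_targets[ev["src"]].append(ev["dst"])
        elif ev["proto"] == "TCP" and ev["dport"] == 4444:
            findings[ev["src"]].append(f"tcp/4444 to {ev['dst']} (worm shell port)")
        elif ev["proto"] == "UDP" and ev["dport"] == 69:
            # The tftp client is the newly hit host; the server is the infecting host.
            findings[ev["src"]].append(f"udp/69 tftp to {ev['dst']} (binary pull)")
    for src, targets in port135_targets.items():
        run = longest_sequential_run(targets)
        if run >= SCAN_THRESHOLD:
            findings[src].append(f"sequential tcp/135 scan, {run} consecutive targets")
    return dict(findings)


if __name__ == "__main__":
    for src, notes in triage(SAMPLE_LOG).items():
        print(src)
        for note in notes:
            print("  -", note)
```

Both sides of an infection show up: the scanning source is reported for the 135 sweep and the 4444 connection, and the victim is reported for the udp/69 pull, which is the host to pull from the network first. Legitimate RPC traffic to port 135 does not walk consecutive addresses, which is why the scan rule keys on the run length rather than on volume alone.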
FlagWaver
Joined: 12 Apr 2003
Posted: Tue Aug 12, 2003 4:51 pm

Rudy,

Our customers run a business class firewall and are getting hit constantly.
rudyflyer
Joined: 26 Feb 2003
Location: pacing the cage
Posted: Tue Aug 12, 2003 5:36 pm

thanks flag waver, i've installed updates from symantec and microsoft and am now doing a complete system scan
kangnamdragon
Joined: 17 Jan 2003
Location: Kangnam, Seoul, Korea
Posted: Tue Aug 12, 2003 5:39 pm    Post subject: I have the worm

this might sound dumb, but I got the worm and wonder how to fix it in the 60 seconds before my computer restarts itself again. Is this possible?

I guess my question is: How do I kill the worm if I already have it?
Zyzyfer
Joined: 29 Jan 2003
Location: who, what, where, when, why, how?
Posted: Tue Aug 12, 2003 8:14 pm

:B nerdalert nerdalert nerdalert :B



mishlert's avatar is Goenitz (pronounced gay knits) from King of Fighters '96. Just when I thought GirlFromMars was the only person brave enough to sport a KoF character.

:B nerdalert nerdalert nerdalert :B
Page 1 of 2

This page is maintained by the one and only Dave Sperling.
Contact Dave's ESL Cafe
Copyright © 2018 Dave Sperling. All Rights Reserved.
