Off-topic Talk Where overpaid, underworked S2000 owners waste the worst part of their days before the drive home. This forum is for general chit chat and discussions not covered by the other off-topic forums.

Warning: RPC Vulnerability Virus is out!

Old Aug 12, 2003 | 09:37 AM
  #1  
jtpassat's Avatar
Thread Starter
Registered User
 
Joined: Mar 2003
Posts: 14,890
Likes: 0

This is not a hoax. As some of you may have known, Microsoft released information that their Windows systems have an RPC vulnerability that can allow a hacker to take over your PC and send out malicious code.

Well, the day has come and a new virus exploiting this vulnerability is here.

This is the patch.

http://www.microsoft.com/technet/security/...in/MS03-026.asp.

This is a very serious virus and I encourage everyone to at least finish reading this post and take corrective action.

"PSS Security Response Team Alert - New Virus: W32.Blaster.worm

SEVERITY: CRITICAL
DATE: August 11, 2003
PRODUCTS AFFECTED: Windows XP, Windows 2000, Windows Server 2003, Windows NT 4.0, NT 4.0 Terminal Services Edition

WHAT IS IT?
The Microsoft Product Support Services Security Team is issuing this alert to inform customers about a new worm named W32.Blaster.Worm which is spreading in the wild. This virus is also known as: W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trendmicro), Win32.Posa.Worm (Computer Associates). Best practices, such as applying security patch MS03-026 should prevent infection from this worm.

Customers that have previously applied the security patch MS03-026 before today are protected and no further action is required.

IMPACT OF ATTACK: Spread through open RPC ports. Customer's machine gets re-booted or msblast.exe exists on customer's system.

TECHNICAL DETAILS: This worm scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability patched by MS03-026.

Once the Exploit code is sent to a system, it downloads and executes the file MSBLAST.EXE from a remote system via TFTP. Once run, the worm creates the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill

Symptoms of the virus: Some customers may not notice any symptoms at all. A typical symptom is the system rebooting every few minutes without user input. Customers may also see:
- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS\SYSTEM32 directory

To detect this virus, search for msblast.exe in the WINDOWS\SYSTEM32 directory or download the latest anti-virus software signature from your anti-virus vendor and scan your machine.

For additional details on this worm from anti-virus software vendors participating in the Microsoft Virus Information Alliance (VIA) please visit the following links:

Network Associates: http://us.mcafee.com/virusInfo/default.asp...&virus_k=100547

Trend Micro: http://www.trendmicro.com/vinfo/virusencyc...=WORM_MSBLAST.A

Symantec: http://securityresponse.symantec.com/avcen...aster.worm.html

Computer Associates: http://www3.ca.com/virusinfo/virus.aspx?ID=36265

For more information on Microsoft's Virus Information Alliance please visit this link: http://www.microsoft.com/technet/security/...y/virus/via.asp

Please contact your Antivirus Vendor for additional details on this virus.

PREVENTION: Turn on Internet Connection Firewall (Windows XP or Windows Server 2003) or use a third party firewall to block TCP ports 135, 139, 445 and 593; also UDP 69 (TFTP) for zombie bits download and TCP 4444 for remote command shell. To enable the Internet Connection Firewall in Windows: http://support.microsoft.com/?id=283673

1. In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
2. Right-click the connection on which you would like to enable ICF, and then click Properties.
3. On the Advanced tab, click the box to select the option to Protect my computer or network.

This worm utilizes a previously-announced vulnerability as part of its infection method. Because of this, customers must ensure that their computers are patched for the vulnerability that is identified in Microsoft Security Bulletin MS03-026. http://www.microsoft.com/technet/security/...in/MS03-026.asp. Install the patch MS03-026 from Windows Update http://windowsupdate.microsoft.com

As always, please make sure to use the latest Anti-Virus detection from your Anti-Virus vendor to detect new viruses and their variants.

RECOVERY: Security best practices suggest that a previously compromised machine be wiped and rebuilt to eliminate any undiscovered exploits that can lead to a future compromise. See CERT Advisory: Steps for Recovering from a UNIX or NT System Compromise. http://www.cert.org/tech_tips/win-UNIX-sys...compromise.html

For additional information on recovering from this attack please contact your preferred anti-virus vendor.

RELATED MICROSOFT SECURITY BULLETINS: http://www.microsoft.com/technet/security/...in/MS03-026.asp

RELATED KB ARTICLES: http://support.microsoft.com/?kbid=826955
This article will be available within 24 hours.

RELATED LINKS: http://www.microsoft.com/security/incident/blast.asp
As always please make sure to use the latest Anti-Virus detection from your Anti-Virus vendor to detect new viruses and their variants.

If you have any questions regarding this alert please contact your Technical Account Manager or Application Development Consultant.

PSS Security Response Team
"
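The network behaviour the alert describes (scanning on TCP 135, a TFTP download on UDP 69, a command shell on TCP 4444) can be correlated per host from flow logs. The sketch below is an added example, not part of the original post or the Microsoft alert; the flow tuple format, the sample records, the scan threshold, the time window and the assumption that TCP 4444 is contacted on the probed host are all illustrative.

```python
from collections import defaultdict

# Constructed flow records (not real traffic): (time_s, src, dst, proto, dst_port)
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "10.0.1.1", "tcp", 135),
    (1, "10.0.0.5", "10.0.1.2", "tcp", 135),
    (2, "10.0.0.5", "10.0.1.3", "tcp", 135),
    (3, "10.0.0.5", "10.0.1.3", "tcp", 4444),   # shell port on a just-probed host
    (4, "10.0.1.3", "10.0.0.5", "udp", 69),     # probed host starts a TFTP transfer
    (5, "10.0.0.5", "10.0.1.4", "tcp", 135),
    (6, "10.0.0.5", "10.0.1.5", "tcp", 135),
    (7, "10.0.2.9", "10.0.2.1", "tcp", 135),    # single RPC connection, below threshold
    (8, "10.0.2.7", "10.0.2.1", "udp", 69),     # TFTP from a host never probed on 135
    (900, "10.0.2.1", "10.0.2.20", "udp", 69),  # TFTP long after the probe, outside window
]

SCAN_THRESHOLD = 5   # assumed: distinct TCP/135 targets before a source counts as scanning
WINDOW_S = 120       # assumed: seconds after a TCP/135 probe in which follow-up is suspicious

def triage(flows, scan_threshold=SCAN_THRESHOLD, window_s=WINDOW_S):
    """Return {host: sorted reasons} for hosts matching the alert's network pattern."""
    targets = defaultdict(set)   # src -> distinct hosts it contacted on tcp/135
    last_probe = {}              # dst -> time it was last contacted on tcp/135
    findings = defaultdict(set)

    def recently_probed(host, ts):
        seen = last_probe.get(host)
        return seen is not None and ts - seen <= window_s

    for ts, src, dst, proto, port in sorted(flows):
        if proto == "tcp" and port == 135:
            targets[src].add(dst)
            last_probe[dst] = ts
            if len(targets[src]) >= scan_threshold:
                findings[src].add("scanning tcp/135")        # likely already infected
        elif proto == "udp" and port == 69 and recently_probed(src, ts):
            findings[src].add("tftp request after rpc probe")  # likely fetching msblast.exe
        elif proto == "tcp" and port == 4444 and recently_probed(dst, ts):
            findings[dst].add("tcp/4444 contacted after rpc probe")
    return {host: sorted(reasons) for host, reasons in findings.items()}

if __name__ == "__main__":
    for host, reasons in sorted(triage(SAMPLE_FLOWS).items()):
        print(host, "->", "; ".join(reasons))
```

Hosts reported as scanning should be checked for the registry value and msblast.exe file named in the alert; hosts reported for TFTP or TCP 4444 follow-up are candidates for the recovery steps.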
Old Aug 12, 2003 | 10:13 AM
  #2  
simioen's Avatar
Registered User
 
Joined: Nov 2002
Posts: 564
Likes: 0
From: Lewsville

my gf and her sister just had this happen... just fixed it! it's easy!
Old Aug 12, 2003 | 11:26 AM
  #3  
mrkim019's Avatar
Registered User
20 Year Member
 
Joined: Dec 2000
Posts: 4,136
Likes: 0
From: Saratoga

How did you "fix" it?

Just quarantine the virus?
Old Aug 12, 2003 | 01:29 PM
  #4  
Luft46's Avatar
 
Joined: Mar 2002
Posts: 1,485
Likes: 0
From: Hampton

I had it too - damned computer kept shutting down on me. It is easily fixed, all you have to do is to download and install the latest Windows patches. The trick is keeping the computer on long enough to do it
Old Aug 12, 2003 | 01:30 PM
  #5  
jeffbrig's Avatar
20 Year Member
 
Joined: Jul 2002
Posts: 2,537
Likes: 101
From: Fort Lauderdale

Extractor tools are available from the anti-virus companies. My wife's office had this virus/exploit hitting them yesterday afternoon, didn't know what was going on. This morning, their IT guy located it.
Old Aug 12, 2003 | 03:36 PM
  #6  
S2000boi's Avatar
Registered User
 
Joined: Sep 2001
Posts: 2,339
Likes: 0
From: bay area

i had it yesterday. was fukkingme up hella bad. i manage to get lucky n update in time before it shut down. it kept shutting me down 1 min after comp starts