
Webmaster General Forum

This 53 message thread spans 2 pages (page 1).
Found a virus on my machine - msblast.exe
This program has hijacked my computer....
Imaster
msg:365752
7:51 pm on Aug 11, 2003 (gmt 0)

Not sure where to post this, so I selected this forum to get some answers from other experts.

There is some application msblast.exe which has suddenly appeared on my computer (which I noticed via the task manager). I have windows 2000.

Now, I can't open any window by right-clicking on a link & selecting "open a new window", neither am I able to do an uninstall from the "Control Panel > Add/Remove program", simply because when I click on "Add/Remove program" option in CP, it doesn't display anything. In short, many applications are not responding and I feel like my comp's been hijacked.

I tried looking for msblast.exe in google to learn more about it, but can't find anything.

Does anyone have an idea what's happening?

[added] Another potential clue could be the svchost.exe file. Windows suddenly gave an error that this particular file has done an error or some message like that, and now I see this msblast.exe

I can't do a ctrl+c or any basic functions as well[/added]

 

bakedjake
msg:365753
8:32 pm on Aug 11, 2003 (gmt 0)

It's a new RPC worm. Hot off the press today:

[isc.sans.org...]

The worm uses the RPC DCOM vulnerability to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.

As usual, block 135-139, 445, and possibly 4444 at the network edge.

And, of course, make sure your patches are up to date!

bcolflesh
msg:365754
8:33 pm on Aug 11, 2003 (gmt 0)

Time for SpyBot and AdAware on that comp!

Also, install a msconfig substitute like:

mlin.net/StartupCPL.shtml

to see what is loading in Win2K.

Web Footed Newbie
msg:365755
9:09 pm on Aug 11, 2003 (gmt 0)

This might help. These are instructions for Win98, but I believe they are similar to Win2000:

1. Click Start/Programs/Accessories/System Tools/System Information
2. Click "Tools", then "System Configuration Utility"
3. Click the "Startup" tab
4. See if you see the program there with a "check" on the box
5. Uncheck the box
6. Click OK
7. The system will need to reboot

By the way, you can go ahead and uncheck any programs that you do not want to start on start up; this will make your start up faster.

Hope that helps, WFN :)

moltar
msg:365756
9:16 pm on Aug 11, 2003 (gmt 0)

My friend just called me asking for help. He said his computer just keeps restarting with RPC blah blah messages.

So I told him to look in processes and he found the same file running. I looked for this filename on google and nothing came up, same for atw. I had "recent posts" open in front of me while I was helping him on the phone. Page refreshed and this post came up. What a great forum once again! :))

Anyways, does anyone have any information on what it does and how? Does it infect other files? Is it enough to just delete the msblast.exe file?

How does a computer get infected? What security measurements should be taken?

msr986
msg:365757
9:18 pm on Aug 11, 2003 (gmt 0)

Boy did I just have a scare!

While viewing this thread, I did a CTRL-ALT-DEL to see if I had this trojan running on my machine.

Imagine my horror when I saw it listed as the first entry! (Try it yourself and see!)

It took me a couple of minutes to realize what had happened.

DUH! :)

moltar
msg:365758
9:20 pm on Aug 11, 2003 (gmt 0)

Seems like a real bad virus! Affecting many people on the first day. I am going to keep Windows Task Manager open all the time today and until I get some details about it.

Good that in XP it can be above other windows :)

MonkeeSage
msg:365759
9:24 pm on Aug 11, 2003 (gmt 0)

moltar:

Post #2 has a link with all the specs on the worm. Basics are that it downloads the worm through tftp, it initially uses an RPC exploit on port 4444 to install itself, counter-measures are to turn off File & Print Sharing and Netbios / Remote Procedure Call services (or block their ports in a firewall).

Jordan

bakedjake
msg:365760
9:26 pm on Aug 11, 2003 (gmt 0)

We broke this story 20 minutes before Slashdot. ;)

Standard Disclaimer - I'm not responsible for these instructions. Use them at your own risk...

... But this should work. To disinfect:

1. Start, Run, "regedt32"
2. Navigate to the tree HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3. Delete entry called 'windows auto update' - It should mention msblast.exe
4. Reboot
5. Delete msblast.exe

As I mentioned in my previous post, PATCH YOUR SYSTEMS. Block the ports mentioned too, if you can.

[edited by: bakedjake at 9:52 pm (utc) on Aug. 11, 2003]

bakedjake
msg:365761
9:30 pm on Aug 11, 2003 (gmt 0)

it initially uses an RPC exploit on port 4444 to install itself

No, at least from what I'm seeing on my net, the attempt is at 135. It then spawns a shell on 4444.

[added]I made a post about this vulnerability about a week ago, but I'm not sure where it went. Here's the link to the original CERT report:

[cert.org...]

This one will be bloody, folks.[/added]

[edited by: bakedjake at 9:37 pm (utc) on Aug. 11, 2003]

RoadRash
msg:365762
9:35 pm on Aug 11, 2003 (gmt 0)

[support.microsoft.com...] :)

[edit] I work for MS; right now we have 873 people waiting to talk to 54 Windows XP support pros. It's about a 3 hr and 30 minute wait to talk to a support pro; the above URL should be enough info to fix the issue on your own. [/edit]

bakedjake
msg:365763
9:39 pm on Aug 11, 2003 (gmt 0)

the above URL should be enough info to fix the issue on your own

Even if you're already infected? It looks like the only thing that patch does is remove the vulnerability. It doesn't look like it'll clean the worm once infected.

MonkeeSage
msg:365764
9:59 pm on Aug 11, 2003 (gmt 0)

bakedjake:

No, at least from what I'm seeing on my net, the attempt is at 135. It then spawns a shell on 4444.

Oospie, I maked a boo-boo. You are correct, I got the info off the site in your link, just didn't read it carefully enough.

Jordan

bakedjake
msg:365765
10:09 pm on Aug 11, 2003 (gmt 0)

I'm seeing reports on the nanog mailing list that this worm is also trying to exploit the (currently) unpatched RPC DOS vulnerability, and crashing svchost (but not infecting the target machine).

If this is the case, the only solution will be to block 135 until we see a patch.

I've seen almost 2000 attempts today against our network. Right now, they're coming at about 3 per minute. Just an hour ago, it was 2 a minute.

RoadRash
msg:365766
10:13 pm on Aug 11, 2003 (gmt 0)

I'll be getting an internal email from MS security very soon, I was told. Should have more info on the beta patch for the worm itself... I'll keep you updated if I can.

MonkeeSage
msg:365767
11:29 pm on Aug 11, 2003 (gmt 0)

It's up to 5 a minute now according to ISC. :\

Jordan

MonkeeSage
msg:365768
11:54 pm on Aug 11, 2003 (gmt 0)

"DeepSight Threat Management System Threat Alert

MS DCOM RPC Worm
Version 1: August 11, 2003, 20:20 GMT
Version 5: August 11, 2003, 22:50 GMT

[...]

The DeepSight Threat Analyst Team encourages network administrators to:
• Ensure that all available patches and feasible mitigating strategies provided in Microsoft Security Bulletin MS03-026 have been applied.
• Ensure that the following ports are filtered at the network perimeter and between all untrusted network segments: udp/135, udp/137, udp/138, tcp/135, tcp/445, tcp/593.
• Deploy the provided Snort signature to assist in the detection of exploitation attempts targeting this issue.

[...]

The attacking host will issue 20 simultaneous connect() calls, each going to a unique IP address. The host will then use a select() call to determine which hosts have responded. Upon receiving a response the worm will attempt to exploit the host. The worm uses an algorithm based off the current local host IP address to find IP addresses to attack. Given the local host IP A.B.C.D, 'D' is set to zero. If C is greater than 20, a random number (less than 20) is subtracted from C. Once this semi-random IP address has been calculated, the worm will continually increment the IP address, attacking in a sequential order. This means the local subnet will become saturated with port 135 requests prior to exiting the local subnet."

Jordan
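Detection logic for the behaviour quoted above (a sequential tcp/135 sweep, then the tcp/4444 shell and the tftp pull), run over a few constructed firewall log lines. This is an added example, not code from the thread or from DeepSight; the log format, the addresses and the run-length threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log format (assumption): "<time> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\S+) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")

# Constructed sample: 10.0.5.17 sweeps 10.0.5.0-.7 on tcp/135, shells 10.0.5.3 on tcp/4444,
# and 10.0.5.3 then pulls the worm back from 10.0.5.17 over udp/69 (tftp).
SAMPLE_LOG = "\n".join(
    [f"21:05:0{i} TCP 10.0.5.17:{1040 + i} -> 10.0.5.{i}:135" for i in range(8)]
    + ["21:05:09 TCP 10.0.5.17:1099 -> 10.0.5.3:4444",
       "21:05:10 UDP 10.0.5.3:1100 -> 10.0.5.17:69",
       "21:06:00 TCP 10.0.9.2:2001 -> 10.0.5.40:80",   # unrelated web traffic
       "21:06:01 TCP 10.0.9.2:2002 -> 10.0.5.41:80"])


def longest_consecutive_run(addrs):
    """Length of the longest run of consecutive integer IPs in `addrs`."""
    s, best = set(addrs), 0
    for n in s:
        if n - 1 not in s:                 # n starts a run; walk it upwards
            length = 1
            while n + length in s:
                length += 1
            best = max(best, length)
    return best


def analyze(log, min_run=4):
    """Map each source that swept tcp/135 sequentially to the infection stages seen."""
    sweep, shell, tftp = defaultdict(set), defaultdict(set), defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip lines in another format
        _, proto, src, _, dst, dport = m.groups()
        if (proto, dport) == ("TCP", "135"):
            sweep[src].add(int(ipaddress.ip_address(dst)))
        elif (proto, dport) == ("TCP", "4444"):
            shell[src].add(dst)           # attacker -> victim shell
        elif (proto, dport) == ("UDP", "69"):
            tftp[dst].add(src)            # victim pulls from the attacker's tftp
    findings = {}
    for src, dsts in sweep.items():
        run = longest_consecutive_run(dsts)
        if run < min_run:
            continue                      # a few scattered 135 hits are not a sweep
        stages = [f"tcp/135 sweep of {run} consecutive addresses"]
        stages += [f"tcp/4444 shell to {d}" for d in sorted(shell[src])]
        stages += [f"udp/69 tftp pull by {d}" for d in sorted(tftp[src])]
        findings[src] = stages
    return findings
```

Lowering `min_run` makes the check more sensitive but will also flag legitimate management hosts that touch many machines on tcp/135.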

Chuma
msg:365769
5:23 am on Aug 12, 2003 (gmt 0)

I noticed someone was trying to connect to my computer when I was online last night (I denied their request as I have firewall software running.)

Would this have anything to do with the worm?

Thanks.

Visit Thailand
msg:365770
6:26 am on Aug 12, 2003 (gmt 0)

I do not understand this. I also did a Ctrl-Alt-Delete and it was there at the top of the tasks running.

But I am on Windows 98 and according to that link from Microsoft it does not affect Windows 98? Am I correct in saying that, or am I just looking in the wrong places?

msr986
msg:365771
6:37 am on Aug 12, 2003 (gmt 0)

Visit_Thailand if the process says:

msblast.exe - Microsoft Internet Explorer

Not to worry, this is just your web browser.

The 'msblast.exe' is from the title of this web page!

Imaster
msg:365772
6:40 am on Aug 12, 2003 (gmt 0)

The site I mentioned above says:

Once the user is logged in again with administrator rights, what they need to do is load up Internet Explorer, and direct the browser to windowsupdate.microsoft.com. The user will be prompted by some pop up windows, directed through a fairly easy to understand and intuitive process.

But if you go to windowsupdate.ms.com, it displays a blank page, and the reason being that this worm deactivates javascript as well and since the site in question redirects to [v4.windowsupdate.microsoft.com...] via a javascript, it doesn't auto work. So perhaps, all may have to paste this code manually.

And yes, in most cases ctrl+c & ctrl+v won't work. But text from notepad works with IE.

Visit Thailand
msg:365773
6:43 am on Aug 12, 2003 (gmt 0)

Visit_Thailand if the process says:
msblast.exe - Microsoft Internet Explorer

Not to worry, this is just your web browser.

The 'msblast.exe' is from the title of this web page!

LOL do I feel stupid! Thanks, my heartbeat was increasing per second to unhealthy levels.

I am still confused though as to whether it can infect Windows 98; the zdnet article above does not say it can, but Symantec has removal instructions for 98 -
[securityresponse.symantec.com...]

Imaster
msg:365774
6:49 am on Aug 12, 2003 (gmt 0)

A description of the virus: [www3.ca.com...]

There seems to be a cleaner available at [www3.ca.com...]

It seems microsoft had warned about this vulnerability in July: [microsoft.com...]

To download the patch, there's a link for each OS there as well :)

For those who may get confused with several names of this worm, here's a quote mentioning the names:

The worm goes by the name MS Blast (ISS X-Force), Blaster (Symantec and Sophos), Win32.Poza (Computer Associates) or Lovsan (McAfee and F-Secure). Symantec rated the urgency of the worm as "high," although most other anti-virus vendors deemed it a medium threat.

[entmag.com...]

[added]I cleaned the worm successfully by simply running the following program on my comp - [www3.ca.com...]

And then also installing the patches mentioned and removing the key from registry.

BYE BYE MSBLAST.EXE ;)

dmorison
msg:365775
12:13 pm on Aug 12, 2003 (gmt 0)

Boy did I just have a scare!
While viewing this thread, I did a CTRL-ALT-DEL to see if I had this trojan running on my machine.

Gaw struth, Brett and his search engine optimised BBS had my heart skipping a few beats there!

lazerzubb
msg:365776
12:17 pm on Aug 12, 2003 (gmt 0)

More links:
[microsoft.com...]
[f-secure.com...]
[us.mcafee.com...]

dmorison
msg:365777
12:25 pm on Aug 12, 2003 (gmt 0)

Fix posted by Symantec:

[securityresponse.symantec.com...]

edit_g
msg:365778
12:29 pm on Aug 12, 2003 (gmt 0)

LOL do I feel stupid! Thanks my heartbeat was increasing per second to unhealthy levels.

lol - I did exactly the same thing. My systems guy just came over, laughed and called me a muppet... :)

TheWhippinpost
msg:365779
1:04 pm on Aug 12, 2003 (gmt 0)

I'm still on Win98SE, which is s'possed to be immune to this threat - and it probably is - but I think I'm still suffering side-effects.

I've noticed an increased frequency of alerts from ZA askin for permission to allow "Distributed COM Services", specifically the RPCSS.exe, to access the internet in response to calls by seemingly innocuous users...whoever they may be!

Additionally, since yesterday, after a period of time I seem to be losin connection to the net completely. In me email client log it states that, 'connection to winsock failed, process overrun', or words to that effect.

Don't think I've picked up this blaster thing as there's no sign of it in the registry at the location depicted on Symantec site :(

Mohamed_E
msg:365780
12:44 am on Aug 13, 2003 (gmt 0)

Many thanks to Imaster for the link to www3.ca.com, it removed the worm and the MS patch prevented it from returning.

How do I block ports on a WIN2K machine? Which ports should I block or, perhaps more to the point, which should I leave unblocked?

bakedjake
msg:365781
12:51 am on Aug 13, 2003 (gmt 0)

How do I block ports on a WIN2K machine?

The safest way would be for your network administrator to block it at the network edge, such as your router or firewall. Barring that, you can get a software firewall such as ZoneAlarm, but those are less effective and easily overloaded.

Which ports should I block or, perhaps more to the point, which should I leave unblocked?

Block everything lower than port 1023 as a rule, and unblock those which you know you need. Other than that, keep an eye on security news and block ports higher than 1024 you see becoming a problem (such as 4444 in this latest episode).
