
Found a virus on my machine - msblast.exe

This program has hijacked my computer....

7:51 pm on Aug 11, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 3, 2003
posts:960
votes: 0


Not sure where to post this, so I selected this forum to get some answers from other experts.

There is some application msblast.exe which has suddenly appeared on my computer (which I noticed via the task manager). I have windows 2000.

Now, I can't open any window by right-clicking on a link & selecting "open a new window", neither am I able to do an uninstall from the "Control Panel > Add/Remove program", simply because when I click on "Add/Remove program" option in CP, it doesn't display anything. In short, many applications are not responding and I feel like my comp's been hijacked.

I tried looking for msblast.exe in google to learn more about it, but can't find anything.

Does anyone have an idea what's happening?

[added] Another potential clue could be the svchost.exe file. Windows suddenly gave an error that this particular file has done an error or some message like that, and now I see this msblast.exe

I can't do a ctrl+c or any basic functions as well[/added]

8:32 pm on Aug 11, 2003 (gmt 0)

Administrator

WebmasterWorld Administrator bakedjake is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 8, 2003
posts:3783
votes: 2


It's a new RPC worm. Hot off the press today:

[isc.sans.org...]

The worm uses the RPC DCOM vulnerability to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.

As usual, block 135-139, 445, and possibly 4444 at the network edge.

And, of course, make sure your patches are up to date!

8:33 pm on Aug 11, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 21, 2003
posts:2355
votes: 0


Time for SpyBot and AdAware on that comp!

Also, install a msconfig substitute like:

mlin.net/StartupCPL.shtml

to see what is loading in Win2K.

9:09 pm on Aug 11, 2003 (gmt 0)

Full Member

10+ Year Member

joined:Dec 16, 2002
posts:239
votes: 0


This might help. These are instructions for Win98, but I believe they are similar to Win2000:

1. Click Start/Programs/Accessories/System Tools/System Information
2. Click "Tools", then "System Configuration Utility"
3. Click the "Startup" tab
4. See if you see the program there with a "check" on the box
5. Uncheck the box
6. Click OK
7. The system will need to reboot

By the way, you can go ahead and uncheck any programs that you do not want to start on start up; this will make your start up faster.

Hope that helps, WFN :)

9:16 pm on Aug 11, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 18, 2003
posts:1925
votes: 0


My friend just called me asking for help. He said his computer just keeps restarting with RPC blah blah messages.

So I told him to look in processes and he found the same file running. I looked for this filename on google and nothing came up, same for atw. I had "recent posts" open in front of me while I was helping him on the phone. Page refreshed and this post came up. What a great forum once again! :))

Anyways, does anyone have any information on what it does and how? Does it infect other files? Is it enough to just delete the msblast.exe file?

How does a computer get infected? What security measurements should be taken?

9:18 pm on Aug 11, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 7, 2001
posts:661
votes: 0


Boy did I just have a scare!

While viewing this thread, I did a CTRL-ALT-DEL to see if I had this trojan running on my machine.

Imagine my horror when I saw it listed as the first entry! (Try it yourself and see!)

It took me a couple of minutes to realize what had happened.

DUH! :)

9:20 pm on Aug 11, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 18, 2003
posts:1925
votes: 0


Seems like a real bad virus! Affecting many people on first day. I am going to keep Windows Task Manager open all the time today and until I get some details about it.

Good that in XP it can be above other windows :)

9:24 pm on Aug 11, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 26, 2003
posts:881
votes: 0


moltar:

Post #2 has a link with all the specs on the worm. Basics are that it downloads the worm through tftp, it initially uses an RPC exploit on port 4444 to install itself, counter-measures are to turn off File & Print Sharing and Netbios / Remote Procedure Call services (or block their ports in a firewall).

Jordan

9:26 pm on Aug 11, 2003 (gmt 0)

Administrator

WebmasterWorld Administrator bakedjake is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 8, 2003
posts:3783
votes: 2


We broke this story 20 minutes before Slashdot. ;)

Standard Disclaimer - I'm not responsible for these instructions. Use them at your own risk...

... But this should work. To disinfect:

1. Start, Run, "regedt32"
2. Navigate to the tree HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3. Delete entry called 'windows auto update' - It should mention msblast.exe
4. Reboot
5. Delete msblast.exe

As I mentioned in my previous post, PATCH YOUR SYSTEMS. Block the ports mentioned too, if you can.

[edited by: bakedjake at 9:52 pm (utc) on Aug. 11, 2003]

9:30 pm on Aug 11, 2003 (gmt 0)

Administrator

WebmasterWorld Administrator bakedjake is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 8, 2003
posts:3783
votes: 2


it initially uses an RPC exploit on port 4444 to install itself

No, at least from what I'm seeing on my net, the attempt is at 135. It then spawns a shell on 4444.

[added]I made a post about this vulnerability about a week ago, but I'm not sure where it went. Here's the link to the original CERT report:

[cert.org...]

This one will be bloody, folks.[/added]

[edited by: bakedjake at 9:37 pm (utc) on Aug. 11, 2003]

9:35 pm on Aug 11, 2003 (gmt 0)

Full Member

10+ Year Member

joined:Nov 9, 2002
posts:231
votes: 0


[support.microsoft.com...] :)

[edit] I work for MS, right now we have 873 people waiting to talk to 54 Windows XP support pros, it's about a 3hr and 30 minute wait to talk to a support pro, the above URL should be enough info to fix the issue on your own. [/edit]

9:39 pm on Aug 11, 2003 (gmt 0)

Administrator

WebmasterWorld Administrator bakedjake is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 8, 2003
posts:3783
votes: 2


the above URL should be enough info to fix the issue on your own

Even if you're already infected? It looks like the only thing that patch does is remove the vulnerability. It doesn't look like it'll clean the worm once infected.

9:59 pm on Aug 11, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 26, 2003
posts:881
votes: 0


bakedjake:

No, at least from what I'm seeing on my net, the attempt is at 135. It then spawns a shell on 4444.

Oospie, I maked a boo-boo. You are correct, I got the info off the site in your link, just didn't read it carefully enough.

Jordan

10:09 pm on Aug 11, 2003 (gmt 0)

Administrator

WebmasterWorld Administrator bakedjake is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 8, 2003
posts:3783
votes: 2


I'm seeing reports on the nanog mailing list that this worm is also trying to exploit the (currently) unpatched RPC DOS vulnerability, and crashing svchost (but not infecting the target machine).

If this is the case, the only solution will be to block 135 until we see a patch.

I've seen almost 2000 attempts today against our network. Right now, they're coming at about 3 per minute. Just an hour ago, it was 2 a minute.

10:13 pm on Aug 11, 2003 (gmt 0)

Full Member

10+ Year Member

joined:Nov 9, 2002
posts:231
votes: 0


I'll be getting an internal email from MS security very soon I was told. Should have more info on the beta patch for the worm itself... I'll keep you updated if I can.

11:29 pm on Aug 11, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 26, 2003
posts:881
votes: 0


It's up to 5 a minute now according to ISC. :\

Jordan

11:54 pm on Aug 11, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 26, 2003
posts:881
votes: 0


"DeepSight Threat Management System Threat Alert

MS DCOM RPC Worm
Version 1: August 11, 2003, 20:20 GMT
Version 5: August 11, 2003, 22:50 GMT

[...]

The DeepSight Threat Analyst Team encourages network administrators to:
• Ensure that all available patches and feasible mitigating strategies provided in Microsoft Security Bulletin MS03-026 have been applied.
• Ensure that the following ports are filtered at the network perimeter and between all untrusted network segments: udp/135, udp/137, udp/138, tcp/135, tcp/445, tcp/593.
• Deploy the provided Snort signature to assist in the detection of exploitation attempts targeting this issue.

[...]

The attacking host will issue 20 simultaneous connect() calls, each going to a unique IP address. The host will then use a select() call to determine which hosts have responded. Upon receiving a response the worm will attempt to exploit the host. The worm uses an algorithm based off the current local host IP address to find IP addresses to attack. Given the local host IP A.B.C.D, 'D' is set to zero. If C is greater than 20, a random number (less than 20) is subtracted from C. Once this semi-random IP address has been calculated, the worm will continually increment the IP address, attacking in a sequential order. This means the local subnet will become saturated with port 135 requests prior to exiting the local subnet."

Jordan
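A detection sketch for the behaviour the alert above describes (one source walking tcp/135 across consecutive addresses, then reaching tcp/4444 on a host it probed), added here as an example; it is not part of the thread or of the DeepSight alert, and the log format and sample lines are constructed.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed firewall log excerpt (not from the thread): "time src dst dport proto".
# 10.1.5.7 walks tcp/135 up the local subnet, then connects to tcp/4444 on a probed
# host; 10.1.5.22 makes a single ordinary RPC connection.
SAMPLE_LOG = """\
22:50:01 10.1.5.7 10.1.5.1 135 tcp
22:50:01 10.1.5.7 10.1.5.2 135 tcp
22:50:01 10.1.5.7 10.1.5.3 135 tcp
22:50:01 10.1.5.7 10.1.5.4 135 tcp
22:50:02 10.1.5.7 10.1.5.5 135 tcp
22:50:02 10.1.5.7 10.1.5.6 135 tcp
22:50:03 10.1.5.22 10.1.5.1 135 tcp
22:50:04 10.1.5.7 10.1.5.5 4444 tcp
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+)$")


def parse(log):
    """Turn log text into (time, src, dst, dport, proto) tuples; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m[1], IPv4Address(m[2]), IPv4Address(m[3]), int(m[4]), m[5]))
    return events


def find_sweepers(events, min_targets=5):
    """Sources that hit tcp/135 on at least min_targets distinct hosts in strictly
    ascending address order (the sequential-increment pattern from the alert)."""
    probes = defaultdict(list)
    for _, src, dst, dport, proto in events:
        if proto == "tcp" and dport == 135 and dst not in probes[src]:
            probes[src].append(dst)
    return {str(src): [str(d) for d in dsts] for src, dsts in probes.items()
            if len(dsts) >= min_targets and all(a < b for a, b in zip(dsts, dsts[1:]))}


def likely_compromised(events, sweepers):
    """(sweeper, victim) pairs where a flagged sweeper later connected to tcp/4444 on a
    host it had probed, i.e. the spawned shell mentioned earlier in the thread being used."""
    return [(str(src), str(dst)) for _, src, dst, dport, proto in events
            if proto == "tcp" and dport == 4444
            and str(src) in sweepers and str(dst) in sweepers[str(src)]]
```

Feed it your own perimeter logs after adapting LINE_RE; the min_targets threshold is deliberately low so a sweep is caught before it leaves the local subnet.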

5:23 am on Aug 12, 2003 (gmt 0)

Junior Member

10+ Year Member

joined:Dec 10, 2002
posts:68
votes: 0


I noticed someone was trying to connect to my computer when I was online last night (I denied their request as I have firewall software running.)

Would this have anything to do with the worm?

Thanks.

6:26 am on Aug 12, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 29, 2002
posts:1819
votes: 0


I do not understand this I also did a Ctrl - Alt - Delete and it was there at the top of the tasks running.

But I am on Windows 98 and according to that link from Microsoft it does not affect Windows 98? Am I correct in saying that, or am I just looking in the wrong places?

6:37 am on Aug 12, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 7, 2001
posts:661
votes: 0


Visit_Thailand if the process says:

msblast.exe - Microsoft Internet Explorer

Not to worry, this is just your web browser.

The 'msblast.exe' is from the title of this web page!

6:40 am on Aug 12, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 3, 2003
posts:960
votes: 0


The site I mentioned above says:

Once the user is logged in again with administrator rights, what they need to do is load up Internet Explorer, and direct the browser to windowsupdate.microsoft.com. The user will be prompted by some pop up windows, directed through a fairly easy to understand and intuitive process.

But if you go to windowsupdate.ms.com, it displays a blank page, and the reason being that this worm deactivates javascript as well and since the site in question redirects to [v4.windowsupdate.microsoft.com...] via a javascript, it doesn't auto work. So perhaps, all may have to paste this code manually.

And yes, in most cases ctrl+c & ctrl+v won't work. But text from notepad works with IE.

6:43 am on Aug 12, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 29, 2002
posts:1819
votes: 0


Visit_Thailand if the process says:
msblast.exe - Microsoft Internet Explorer

Not to worry, this is just your web browser.

The 'msblast.exe' is from the title of this web page!

LOL do I feel stupid! Thanks, my heartbeat was increasing per second to unhealthy levels.

I am still confused though as to whether it can infect Windows 98. The zdnet article above does not say it can, but Symantec has removal instructions for 98 -
[securityresponse.symantec.com...]

6:49 am on Aug 12, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 3, 2003
posts:960
votes: 0


A description of the virus: [www3.ca.com...]

There seems to be a cleaner available at [www3.ca.com...]

It seems microsoft had warned about this vulnerability in July: [microsoft.com...]

To download the patch, there's a link for each OS there as well :)

For those who may get confused with several names of this worm, here's a quote mentioning the names:

The worm goes by the name MS Blast (ISS X-Force), Blaster (Symantec and Sophos), Win32.Poza (Computer Associates) or Lovsan (McAfee and F-Secure). Symantec rated the urgency of the worm as "high," although most other anti-virus vendors deemed it a medium threat.

[entmag.com...]

[added]I cleaned the worm successfully by simply running the following program on my comp - [www3.ca.com...]

And then also installing the patches mentioned and removing the key from registry.

BYE BYE MSBLAST.EXE ;)

12:13 pm on Aug 12, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 3, 2003
posts:1633
votes: 0


Boy did I just have a scare!
While viewing this thread, I did a CTRL-ALT-DEL to see if I had this trojan running on my machine.

Gaw struth, Brett and his search engine optimised BBS had my heart skipping a few beats there!

12:17 pm on Aug 12, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 16, 2001
posts:2059
votes: 0


More links:
[microsoft.com...]
[f-secure.com...]
[us.mcafee.com...]

12:25 pm on Aug 12, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 3, 2003
posts:1633
votes: 0


Fix posted by Symantec:

[securityresponse.symantec.com...]

12:29 pm on Aug 12, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 3, 2002
posts:1590
votes: 0


LOL do I feel stupid! Thanks, my heartbeat was increasing per second to unhealthy levels.

lol - I did exactly the same thing. My systems guy just came over, laughed and called me a muppet... :)

1:04 pm on Aug 12, 2003 (gmt 0)

Preferred Member

10+ Year Member

joined:May 22, 2003
posts:354
votes: 0


I'm still on Win98SE, which is s'posed to be immune to this threat - and it probably is - but I think I'm still suffering side-effects.

I've noticed an increased frequency of alerts from ZA askin for permission to allow "Distributed COM Services", specifically the RPCSS.exe, to access the internet in response to calls by seemingly innocuous users...whoever they may be!

Additionally, since yesterday, after a period of time I seem to be losin connection to the net completely. In me email client log it states that, 'connection to winsock failed, process overrun', or words to that effect.

Don't think I've picked up this blaster thing as there's no sign of it in the registry at the location depicted on Symantec site :(

12:44 am on Aug 13, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 14, 2002
posts:1192
votes: 0


Many thanks to Imaster for the link to ww3.ca.com, it removed the worm and the MS patch prevented it from returning.

How do I block ports on a WIN2K machine? Which ports should I block or, perhaps more to the point, which should I leave unblocked?

12:51 am on Aug 13, 2003 (gmt 0)

Administrator

WebmasterWorld Administrator bakedjake is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 8, 2003
posts:3783
votes: 2


How do I block ports on a WIN2K machine?

The safest way would be for your network administrator to block it at the network edge, such as your router or firewall. Barring that, you can get a software firewall such as ZoneAlarm, but those are less effective and easily overloaded.

Which ports should I block or, perhaps more to the point, which should I leave unblocked?

Block everything lower than port 1023 as a rule, and unblock those which you know you need. Other than that, keep an eye on security news and block ports higher than 1024 you see becoming a problem (such as 4444 in this latest episode).
