
Found a virus on my machine - msblast.exe

This program has hijacked my computer....

7:51 pm on Aug 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Not sure where to post this, so I selected this forum to get some answers from other experts.

There is some application msblast.exe which has suddenly appeared on my computer (which I noticed via the task manager). I have windows 2000.

Now, I can't open any window by right-clicking on a link & selecting "open a new window", neither am I able to do an uninstall from the "Control Panel > Add/Remove program", simply because when I click on the "Add/Remove program" option in CP, it doesn't display anything. In short, many applications are not responding and I feel like my comp's been hijacked.

I tried looking for msblast.exe in google to learn more about it, but can't find anything.

Does anyone have an idea what's happening?

[added] Another potential clue could be the svchost.exe file. Windows suddenly gave an error that this particular file has done an error or some message like that, and now I see this msblast.exe

I can't do a ctrl+c or any basic functions as well[/added]

8:32 pm on Aug 11, 2003 (gmt 0)

WebmasterWorld Administrator bakedjake is a WebmasterWorld Top Contributor of All Time 10+ Year Member



It's a new RPC worm. Hot off the press today:

[isc.sans.org...]

The worm uses the RPC DCOM vulnerability to propagate. Once it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.

As usual, block 135-139, 445, and possibly 4444 at the network edge.

And, of course, make sure your patches are up to date!

8:33 pm on Aug 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Time for SpyBot and AdAware on that comp!

Also, install a msconfig substitute like:

mlin.net/StartupCPL.shtml

to see what is loading in Win2K.

9:09 pm on Aug 11, 2003 (gmt 0)

10+ Year Member



This might help. These are instructions for Win98, but I believe they are similar to Win2000:

1. Click Start/Programs/Accessories/System Tools/System Information
2. Click "Tools", then "System Configuration Utility"
3. Click the "Startup" tab
4. See if you see the program there with a "check" on the box
5. Uncheck the box
6. Click OK
7. The system will need to reboot

By the way, you can go ahead and uncheck any programs that you do not want to start on start up, this will make your start up faster.

Hope that helps, WFN :)

9:16 pm on Aug 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



My friend just called me asking for help. He said his computer just keeps restarting with RPC blah blah messages.

So I told him to look in processes and he found the same file running. I looked for this filename on google and nothing came up, same for atw. I had "recent posts" open in front of me while I was helping him on the phone. Page refreshed and this post came up. What a great forum once again! :))

Anyways, does anyone have any information on what it does and how? Does it infect other files? Is it enough to just delete the msblast.exe file?

How does a computer get infected? What security measurements should be taken?

9:18 pm on Aug 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Boy did I just have a scare!

While viewing this thread, I did a CTRL-ALT-DEL to see if I had this trojan running on my machine.

Imagine my horror when I saw it listed as the first entry! (Try it yourself and see!)

It took me a couple of minutes to realize what had happened.

DUH! :)

9:20 pm on Aug 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Seems like a real bad virus! Affecting many people on first day. I am going to keep Windows Task Manager open all the time today and until I get some details about it.

Good that in XP it can be above other windows :)

9:24 pm on Aug 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



moltar:

Post #2 has a link with all the specs on the worm. Basics are that it downloads the worm through tftp, it initially uses an RPC exploit on port 4444 to install itself, counter-measures are to turn off File & Print Sharing and Netbios / Remote Procedure Call services (or block their ports in a firewall).

Jordan

9:26 pm on Aug 11, 2003 (gmt 0)

WebmasterWorld Administrator bakedjake is a WebmasterWorld Top Contributor of All Time 10+ Year Member



We broke this story 20 minutes before Slashdot. ;)

Standard Disclaimer - I'm not responsible for these instructions. Use them at your own risk...

... But this should work. To disinfect:

1. Start, Run, "regedt32"
2. Navigate to the tree HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3. Delete entry called 'windows auto update' - It should mention msblast.exe
4. Reboot
5. Delete msblast.exe

As I mentioned in my previous post, PATCH YOUR SYSTEMS. Block the ports mentioned too, if you can.

[edited by: bakedjake at 9:52 pm (utc) on Aug. 11, 2003]

9:30 pm on Aug 11, 2003 (gmt 0)

WebmasterWorld Administrator bakedjake is a WebmasterWorld Top Contributor of All Time 10+ Year Member



it initially uses an RPC exploit on port 4444 to install itself

No, at least from what I'm seeing on my net, the attempt is at 135. It then spawns a shell on 4444.

[added]I made a post about this vulnerability about a week ago, but I'm not sure where it went. Here's the link to the original CERT report:

[cert.org...]

This one will be bloody, folks.[/added]

[edited by: bakedjake at 9:37 pm (utc) on Aug. 11, 2003]

9:35 pm on Aug 11, 2003 (gmt 0)

10+ Year Member



[support.microsoft.com...] :)

[edit] I work for MS, right now we have 873 people waiting to talk to 54 Windows XP support pros, it's about a 3hr and 30 minute wait to talk to a support pro, the above URL should be enough info to fix the issue on your own. [/edit]

9:39 pm on Aug 11, 2003 (gmt 0)

WebmasterWorld Administrator bakedjake is a WebmasterWorld Top Contributor of All Time 10+ Year Member



the above URL should be enough info to fix the issue on your own

Even if you're already infected? It looks like the only thing that patch does is remove the vulnerability. It doesn't look like it'll clean the worm once infected.

9:59 pm on Aug 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



bakedjake:

No, at least from what I'm seeing on my net, the attempt is at 135. It then spawns a shell on 4444.

Oospie, I maked a boo-boo. You are correct, I got the info off the site in your link, just didn't read it carefully enough.

Jordan

10:09 pm on Aug 11, 2003 (gmt 0)

WebmasterWorld Administrator bakedjake is a WebmasterWorld Top Contributor of All Time 10+ Year Member



I'm seeing reports on the nanog mailing list that this worm is also trying to exploit the (currently) unpatched RPC DOS vulnerability, and crashing svchost (but not infecting the target machine).

If this is the case, the only solution will be to block 135 until we see a patch.

I've seen almost 2000 attempts today against our network. Right now, they're coming at about 3 per minute. Just an hour ago, it was 2 a minute.

10:13 pm on Aug 11, 2003 (gmt 0)

10+ Year Member



I'll be getting an internal email from MS security very soon i was told. Should have more info on the beta patch for the worm itself... I'll keep you updated if i can.

11:29 pm on Aug 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It's up to 5 a minute now according to ISC. :\

Jordan

11:54 pm on Aug 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



"DeepSight™ Threat Management System Threat Alert

MS DCOM RPC Worm
Version 1: August 11, 2003, 20:20 GMT
Version 5: August 11, 2003, 22:50 GMT

[...]

The DeepSight Threat Analyst Team encourages network administrators to:
• Ensure that all available patches and feasible mitigating strategies provided in Microsoft Security Bulletin MS03-026 have been applied.
• Ensure that the following ports are filtered at the network perimeter and between all untrusted network segments: udp/135, udp/137, udp/138, tcp/135, tcp/445, tcp/593.
• Deploy the provided Snort signature to assist in the detection of exploitation attempts targeting this issue.

[...]

The attacking host will issue 20 simultaneous connect() calls, each going to a unique IP address. The host will then use a select() call to determine which hosts have responded. Upon receiving a response the worm will attempt to exploit the host. The worm uses an algorithm based off the current local host IP address to find IP addresses to attack. Given the local host IP A.B.C.D, ‘D’ is set to zero. If C is greater than 20, a random number (less than 20) is subtracted from C. Once this semi random IP address has been calculated, the worm will continually increment the IP address, attacking in a sequential order. This means the local subnet will become saturated with port 135 requests prior to exiting the local subnet."

Jordan
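The sweep pattern in the Symantec alert above (many tcp/135 attempts walking consecutive destination addresses, 20 at a time) is something an edge-firewall log can be checked for. The following is an added example, not code from the thread or from any vendor quoted in it; the log line format, the addresses, and the 20-address threshold are assumptions chosen to illustrate the pattern.

```python
# Added example: flag log sources whose tcp/135 attempts walk consecutive destination IPs.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed edge-firewall log format (not from the thread):
# one source sweeping 10.20.30.0 upwards on tcp/135, plus two unrelated connections.
SAMPLE_LOG = [
    f"2003-08-11 21:00:{i:02d} DENY tcp 192.0.2.7:{1031 + i} -> 10.20.30.{i}:135"
    for i in range(25)
] + [
    "2003-08-11 21:00:05 ALLOW tcp 198.51.100.9:2000 -> 10.20.30.5:80",  # ordinary web hit
    "2003-08-11 21:00:09 DENY tcp 203.0.113.4:3100 -> 10.20.30.9:135",   # lone probe, not a sweep
]
LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, sport, dst, dport = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "action": action,
            "proto": proto, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

def longest_sequential_run(addrs):
    """Length of the longest run of consecutive IPv4 addresses (dotted strings) in addrs."""
    ints = sorted({int(ipaddress.ip_address(a)) for a in addrs})
    best = run = 1 if ints else 0
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_blaster_scanners(lines, min_run=20):
    """Map src -> (attempts, longest_run, attempts_per_minute) for sources whose tcp/135
    attempts cover >= min_run consecutive targets (20 = the worm's connect() batch size)."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "tcp" and ev["dport"] == 135:
            per_src[ev["src"]].append(ev)
    hits = {}
    for src, evs in per_src.items():
        run = longest_sequential_run(e["dst"] for e in evs)
        if run >= min_run:
            span_min = (max(e["ts"] for e in evs) - min(e["ts"] for e in evs)).total_seconds() / 60
            hits[src] = (len(evs), run, round(len(evs) / max(span_min, 1), 1))  # rate over >= 1 min
    return hits
```

Running `find_blaster_scanners(SAMPLE_LOG)` reports only 192.0.2.7 (25 attempts over 25 consecutive targets); the single probe from 203.0.113.4 is left alone, which is the distinction a per-source rate count by itself would miss.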

5:23 am on Aug 12, 2003 (gmt 0)

10+ Year Member



I noticed someone was trying to connect to my computer when I was online last night (I denied their request as I have firewall software running.)

Would this have anything to do with the worm?

Thanks.

6:26 am on Aug 12, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I do not understand this I also did a Ctrl - Alt - Delete and it was there at the top of the tasks running.

But I am on Windows 98 and according to that link from Microsoft it does not affect Windows 98? Am I correct in saying that, or am I just looking in the wrong places?

6:37 am on Aug 12, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Visit_Thailand if the process says:

msblast.exe - Microsoft Internet Explorer

Not to worry, this is just your web browser.

The 'msblast.exe' is from the title of this web page!

6:40 am on Aug 12, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The site I mentioned above says:

Once the user is logged in again with administrator rights, what they need to do is load up Internet Explorer, and direct the browser to windowsupdate.microsoft.com. The user will be prompted by some pop up windows, directed through a fairly easy to understand and intuitive process.

But if you go to windowsupdate.ms.com, it displays a blank page, and the reason being that this worm deactivates javascript as well and since the site in question redirects to [v4.windowsupdate.microsoft.com...] via a javascript, it doesn't auto work. So perhaps, all may have to paste this code manually.

And yes, in most cases ctrl+c & ctrl+v won't work. But text from notepad works with IE.

6:43 am on Aug 12, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Visit_Thailand if the process says:
msblast.exe - Microsoft Internet Explorer

Not to worry, this is just your web browser.

The 'msblast.exe' is from the title of this web page!

LOL do I feel stupid! Thanks my heartbeat was increasing per second to unhealthy levels.

I am still confused though as to whether it can infect Windows 98; the zdnet article above does not say it can, but Symantec has removal instructions for 98 -
[securityresponse.symantec.com...]

6:49 am on Aug 12, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



A description of the virus: [www3.ca.com...]

There seems to be a cleaner available at [www3.ca.com...]

It seems microsoft had warned about this vulnerability in July: [microsoft.com...]

To download the patch, there's a link for each OS there as well :)

For those who may get confused with several names of this worm, here's a quote mentioning the names:

The worm goes by the name MS Blast (ISS X-Force), Blaster (Symantec and Sophos), Win32.Poza (Computer Associates) or Lovsan (McAfee and F-Secure). Symantec rated the urgency of the worm as "high," although most other anti-virus vendors deemed it a medium threat.

[entmag.com...]

[added]I cleaned the worm successfully by simply running the following program on my comp - [www3.ca.com...]

And then also installing the patches mentioned and removing the key from registry.

BYE BYE MSBLAST.EXE ;)

12:13 pm on Aug 12, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Boy did I just have a scare!
While viewing this thread, I did a CTRL-ALT-DEL to see if I had this trojan running on my machine.

Gaw struth, Brett and his search engine optimised BBS had my heart skipping a few beats there!

12:17 pm on Aug 12, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



More links:
[microsoft.com...]
[f-secure.com...]
[us.mcafee.com...]

12:25 pm on Aug 12, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Fix posted by Symantec:

[securityresponse.symantec.com...]

12:29 pm on Aug 12, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



LOL do I feel stupid! Thanks my heartbeat was increasing per second to unhealthy levels.

lol - I did exactly the same thing. My systems guy just came over, laughed and called me a muppet... :)

1:04 pm on Aug 12, 2003 (gmt 0)

10+ Year Member



I'm still on Win98SE, which is s'possed to be immune to this threat - and it probably is - but I think I'm still suffering side-effects.

I've noticed an increased frequency of alerts from ZA askin for permission to allow "Distributed COM Services", specifically the RPCSS.exe, to access the internet in response to calls by seemingly innocuous users...whoever they may be!

Additionally, since yesterday, after a period of time I seem to be loosin connection to the net completely. In me email client log it states that, 'connection to winsock failed, process overrun', or words to that effect.

Don't think I've picked up this blaster thing as there's no sign of it in the registry at the location depicted on Symantec site :(

12:44 am on Aug 13, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Many thanks to Imaster for the link to ww3.ca.com, it removed the worm and the MS patch prevented it from returning.

How do I block ports on a WIN2K machine? Which ports should I block or, perhaps more to the point, which should I leave unblocked?

12:51 am on Aug 13, 2003 (gmt 0)

WebmasterWorld Administrator bakedjake is a WebmasterWorld Top Contributor of All Time 10+ Year Member



How do I block ports on a WIN2K machine?

The safest way would be for your network administrator to block it at the network edge, such as your router or firewall. Barring that, you can get a software firewall such as ZoneAlarm, but those are less effective and easily overloaded.

Which ports should I block or, perhaps more to the point, which should I leave unblocked?

Block everything lower than port 1023 as a rule, and unblock those which you know you need. Other than that, keep an eye on security news and block ports higher than 1024 you see becoming a problem (such as 4444 in this latest episode).
