Welcome to WebmasterWorld Guest from 220.127.116.11
Forum Moderators: phranque
There is some application msblast.exe which has suddenly appeared on my computer (which I noticed via the task manager). I have windows 2000.
Now, I can't open any window by right-clicking on a link & selecting
"open a new window", neither am I able to doan uninstall from the "Control Panel > Add/Remove program", simply because when I click on "Add/Remove program" option in CP, it doesn't display anything. In short, many applications are not responding and I feel like my comps been hijacked.
I tried looking for msblast.exe in google to learn more about it, but can't find anything.
Does anyone have an idea whats happening?
[added] Another potential clue could be the svchost.exe file. Windows suddenly gave an error that this particular file has done an error or some message like that, and now I see this msblast.exe
I can't do a ctrl+c or any basic functions as well[/added]
The worm uses the RPC DCOM vulnerability to propagate. One it finds a vulnerable system, it will spawn a shell on port 4444 and use it to download the actual worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears to use the "universal Win2k" offset only.
As usual, block 135-139, 445, and possibly 4444 at the network edge.
And, of course, make sure your patches are up to date!
1. Click Start/Programs/Accessories/System Tools/System Information
2. Click "Tools", then "System Configuration Utility"
3. Click the "Startup" tab
4. See if you see the program there with a "check" on the box
5. Uncheck the box
6. Click OK
7. The system will need to reboot
By the way, you can go ahead and uncheck any programs that you do not want to start on start up, this will make your start up faster.
Hope that helps, WFN :)
So I told him to look in processes and he found the same file running. I looked for this filename on google and nothing came up, same for atw. I had "recent posts" open in front of me while I was helping him on the phone. Page refreshed and this post came up. What a great forum once again! :))
Anyways, does anyone have any information on what it does and how? Does it infect other files? Is it enough to just delete the msblast.exe file?
How does computer get infected? What security measurments should be taken?
Post #2 has a link with all the specs on the worm. Basics are that it downloads the worm through tftp, it initially uses an RPC exploit on port 4444 to install itself, counter-measures are to turn off File & Print Sharing and Netbios / Remote Procedure Call services (or block their ports in a firewall).
Standard Disclaimer - I'm not responsible for these instructions. Use them at your own risk...
... But this should work. To disinfect:
1. Start, Run, "regedt32"
2. Navigate to the tree HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3. Delete entry called 'windows auto update' - It should mention msblast.exe
5. Delete msblast.exe
As I mentioned in my previous post, PATCH YOUR SYSTEMS. Block the ports mentioned too, if you can.
[edited by: bakedjake at 9:52 pm (utc) on Aug. 11, 2003]
it initially uses an RPC exploit on port 4444 to install itself
No, at least from what I'm seeing on my net, the attempt is at 135. It then spawns a shell on 4444.
[added]I made a post about this vulnerability about a week ago, but I'm not sure where it went. Here's the link to the original CERT report:
This one will be bloody, folks.[/added]
[edited by: bakedjake at 9:37 pm (utc) on Aug. 11, 2003]
 I work for MS, right now we have 873 people waiting to talk to 54 Windows XP support pro's, its about a 3hr and 30 minute wait to talk to a support pro, the above URL should be enough info to fix the issue on your own. [/edit]
If this is the case, the only solution will be to block 135 until we see a patch.
I've seen almost 2000 attempts today against our network. Right now, they're coming at about 3 per minute. Just an hour ago, it was 2 a minute.
MS DCOM RPC Worm
Version 1: August 11, 2003, 20:20 GMT
Version 5: August 11, 2003, 22:50 GMT
The DeepSight Threat Analyst Team encourages network administrators to:
• Ensure that all available patches and feasible mitigating strategies provided in Microsoft Security Bulletin MS03-026 have been applied.
• Ensure that the following ports are filtered at the network perimeter and between all untrusted network segments: udp/135, udp/137, udp/138, tcp/135, tcp/445, tcp/593.
• Deploy the provided Snort signature to assist in the detection of exploitation attempts targeting this issue.
The attacking host will issue 20 simultaneous connect() calls, each going to a unique IP address. The host will then use a select() call to determine which host have responded. Upon receiving a response the worm will attempt to exploit the host. The worm uses an algorithm based off the current local host IP address to find IP address to attack. Given the local host IP A.B.C.D. ‘D’ is set to zero. If C is greater than 20, a random number (less than 20) is subtracted from C. Once this semi random IP address has been calculated, the worm will continually increment the IP address, attacking in a sequential order. This means the local subnet will become saturated with port 135 requests prior to exiting the local subnet."
Once the user is logged in again with administrator rights, what they need to do is load up Internet Explorer, and direct the browser to <a href=http://windowsupdate.microsoft.com target="new">windowsupdate.microsoft.com</a>. The user will be prompted by some pop up windows, directed through a fairly easy to understand and intuitive process.
And yes, in most case ctrl+c & ctrl+v won't work. But text from notepad works with IE.
Visit_Thailand if the process says:
msblast.exe - Microsoft Internet Explorer
Not to worry, this is just your web browser.
The 'msblast.exe' is from the title of this web page!
LOL do I feel stupid! Thanks my heartbeat was increasing per second to unhealthy levels.
I am still confused though as to whether it can infect Windows 98 the zdnet article above does not say it can but Symantec has removal instructions for 98 -
There seems to be a cleaner available at [www3.ca.com...]
It seems microsoft had warned about this vulnerability in July: [microsoft.com...]
To download the patch, there's a link for each OS there as well :)
For those who may get confused with several names of this worm, here's a quote mentioning the names:
The worm goes by the name MS Blast (ISS X-Force), Blaster (Symantec and Sophos), Win32.Poza (Computer Associates) or Lovsan (McAfee and F-Secure). Symantec rated the urgency of the worm as "high," although most other anti-virus vendors deemed it a medium threat.
[b][added]I cleaned the worm sucessfully by simply running the following program on my comp - [www3.ca.com...]
And then also installing the patches mentioned and removing the key from registry.
BYE BYE MSBLAST.EXE ;)
I've noticed an increased frequency of alerts from ZA askin for permission to allow "Distributed COM Services", specifically the RPCSS.exe, to access the internet in response from calls by seemingly innocous users...whoever they may be!
Additionally, since yesterday, after a period of time I seem to be loosin connection to the net completely. In me email client log it states that, 'connection to winsock failed, process overrun', or words to that effect.
Don't think I've picked up this blaster thing as there's no sign of it in the registry at the location depicted on Symantec site :(
How do I block ports on a WIN2K machine?
The safest way would be for your network administrator to block it at the network edge, such as your router or firewall. Barring that, you can get a software firewall such as ZoneAlarm, but those are less effective and easily overloaded.
Which ports should I block or, perhaps more to the point, which should I leave unblocked?
Block everything lower than port 1023 as a rule, and unblock those which you know you need. Other than that, keep an eye on security news and block ports higher than 1024 you see becoming a problem (such as 4444 in this latest episode).