Jamey Saunders 08-12-2003 12:56 PM

New internet worm -- protect yourselves!

There's a new internet worm. Run Windows update and check out for more information.



I'm feeling pretty humbled right now. All these years, and I've never been bitten by a serious worm or virus. Oh, sure, I've had minor viruses (viri?) in the past, but nothing major. But last night, my laptop became a victim of the W32.blaster worm.

I have to admit that this is a pretty ingenious worm. I have absolutely no idea how I got it, as I am behind a firewall most of the time (at work) and I never accept attachments. Last night, however, when I was at home on the dial-up line, my computer issued me a message saying that the "RPC subsystem" had terminated and the computer would restart in one minute.

I thought that was odd, but hey, I'm running Windows. Odd-ball errors are to be expected. I let the computer restart, logged back onto the Information Superhighway, and in two minutes, I got the same message.

OK, by this time, I'm pretty sure I've got a virus. I fire up my anti-virus and run a full-system scan. Nothing. Clean as a whistle. Now I'm starting to get concerned.

Then it came to me. I remembered hearing about a nasty little worm making the rounds when I was watching "The Screensavers" on TechTV. I logged back onto the internet and Googled the message "RPC subsystem terminated". Lo and behold, there are the messages -- It's a nasty worm that is propagating over the internet and exploiting a hole in Windoze.

Basically, it looks on the internet for an open port (TCP Port 135). Once it finds one, it loads a program onto the target machine and attempts to run it. The error gets issued because the program has guessed the wrong operating system.

Microsoft has a patch for this problem at the windows update site. But here's where the worm is really nasty: The program that is being run is targeted specifically to run a denial-of-service attack on the Windows Update site!

The solution for me was to turn on the Windoze XP firewall until I could get to work this morning and load the latest update. If you haven't done this, do it. If the worm guesses the right OS, I am assuming that it will work in the background without you even knowing it.

The program that is being run is msblast.exe. If you do a full-system search for "msblast" and find that file, DELETE IT! Then load your updates. This has apparently spread so rapidly that my antivirus (updated Sunday) didn't even catch it.

Here's the URL to Symantec's dissertation on this worm, including the fix instructions. They have a tool to remove the problem, but you really should load the Windows updates to shut down this vulnerability.
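
The two things the post above tells you to look for, a source probing TCP port 135 across many hosts and a running msblast.exe, can be checked mechanically. The script below is an added example, not code from the thread or from Symantec/Microsoft; it runs over constructed sample data (a perimeter firewall log in an assumed space-separated W3C-style layout and a block of Windows XP `tasklist`-style output), so it works offline and you would swap in your own log export and `tasklist` output.

```python
"""Added example (not from the thread): two quick checks for the behaviour the
post above describes, run over constructed sample data so it works offline.

1. find_port135_scanners(): read perimeter firewall log lines and report sources
   that probe TCP/135 on many different hosts, which is how the worm finds victims.
2. find_worm_process(): read `tasklist`-style output and report any process whose
   image name is msblast.exe, the file the post says to search for and delete.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on a space-separated W3C-style firewall log
# (date time action protocol src-ip dst-ip src-port dst-port). Assumption: the
# exporter writes one line per connection attempt and '#' lines are headers.
SAMPLE_FIREWALL_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2003-08-11 22:14:03 DROP TCP 203.0.113.7 192.0.2.10 2071 135
2003-08-11 22:14:03 DROP TCP 203.0.113.7 192.0.2.11 2072 135
2003-08-11 22:14:04 DROP TCP 203.0.113.7 192.0.2.12 2073 135
2003-08-11 22:14:04 DROP TCP 203.0.113.7 192.0.2.13 2074 135
2003-08-11 22:14:09 OPEN TCP 192.0.2.10 198.51.100.5 1058 80
2003-08-11 22:14:30 DROP TCP 192.0.2.99 192.0.2.10 3341 135
2003-08-11 22:14:31 DROP UDP 192.0.2.77 192.0.2.10 1900 1900
"""

# Constructed sample in the layout of Windows XP `tasklist` output.
SAMPLE_TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         20 K
svchost.exe                  812 Console                 0      3,892 K
MSBLAST.EXE                 1504 Console                 0      1,236 K
explorer.exe                1300 Console                 0     12,004 K
"""

RPC_PORT = 135  # TCP port the worm scans for, per the post above


def find_port135_scanners(log_text, min_targets=3):
    """Return [(src_ip, distinct_targets, attempts)] for sources that hit TCP/135
    on at least `min_targets` different destination hosts, busiest first.
    A single hit on 135 can be noise; the same source touching many hosts is
    the scanning pattern the worm produces."""
    targets = defaultdict(set)
    attempts = defaultdict(int)
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue                      # header/comment line
        fields = line.split()
        if len(fields) < 8:
            continue                      # malformed line, skip rather than crash
        _date, _time, _action, proto, src, dst, _sport, dport = fields[:8]
        if proto != "TCP" or not dport.isdigit() or int(dport) != RPC_PORT:
            continue
        targets[src].add(dst)
        attempts[src] += 1
    hits = [(src, len(t), attempts[src])
            for src, t in targets.items() if len(t) >= min_targets]
    return sorted(hits, key=lambda h: (-h[1], -h[2], h[0]))


# One tasklist row: image name, PID, session name, session number, memory.
TASKLIST_ROW = re.compile(
    r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def find_worm_process(tasklist_text, image_name="msblast.exe"):
    """Return [(image, pid)] for rows whose image name matches, compared
    case-insensitively because Windows file names are."""
    found = []
    for line in tasklist_text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m and m.group("image").lower() == image_name.lower():
            found.append((m.group("image"), int(m.group("pid"))))
    return found


if __name__ == "__main__":
    for src, n_hosts, n_attempts in find_port135_scanners(SAMPLE_FIREWALL_LOG):
        print(f"possible TCP/135 scanner {src}: {n_hosts} hosts, {n_attempts} attempts")
    for image, pid in find_worm_process(SAMPLE_TASKLIST):
        print(f"worm process running: {image} (PID {pid}) -- "
              f"kill it, delete the file, then load the patch")
```

On the sample data the first check reports 203.0.113.7 (four hosts probed on 135) and ignores the single stray hit from 192.0.2.99; the second finds MSBLAST.EXE at PID 1504. Finding the process tells you the machine is already infected; the fix is still the patch, since a clean machine with TCP 135 reachable will just get hit again.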


Rob Frink 08-12-2003 01:13 PM

Yeppers! I got nailed yesterday. Can't figure out how I got it. I use Norton with auto scan and a computer scan every evening.

It was MSblaster.exe, and it caused the RPC shutdown thing.

I used the fixes from Norton's web site... but had to use a different computer to find out what was wrong since the infected computer kept shutting down every 2-3 min with the RPC message.

I think I'm back up to speed.


Jamey Saunders 08-12-2003 01:20 PM

Rob, best I've been able to figure out, the worm is not spread by email. It is spread on the open internet. Just being on the internet without a firewall and having TCP Port 135 open exposes you to getting this worm.

To put it simply...

We've been hacked!

Glad you got it sorted out.

Chuck Burrows 08-12-2003 01:47 PM

For those who are infected and can't do a Windows Update - Here is the MS info page re: msblast with a link for the patch.

Note according to this Bulletin the patch is ONLY for computers using the NT platform : NT 4.0, Windows 2000, and Windows XP. Did a Windows Update search and there is no patch for Win 95/98 so apparently it is aimed at the newer Windows machines.

Rob Frink 08-12-2003 03:48 PM


Thanks! I use a dial-up ISP...... I didn't think it was possible for me to get anything other than from email. I could understand if I was using a T1. uhhhh.... It's way over my head..... I wish the folks that did it (viruses) would spend their brilliance on something more constructive.

Whatta ya do?


Jamey Saunders 08-12-2003 03:58 PM

I write accounting software for Georgia county and municipal governments. We do property tax billing and mobile home tax billing for most of the state of Georgia. All the internet stuff (web pages, security, etc.) is a side hobby of mine. Our software still runs as a "green-screen" application!

Chuck Burrows 08-12-2003 04:10 PM

The other geeks in the crowd may find this of interest re: TCP PORT 135

"It's very likely that a new worm à la "code red" will emerge to exploit this vulnerability."
Here's a link to the full article


I wish the folks that did it (viruses) would spend their brilliance on something more constructive.

Whatta ya do?
A good lynch mob maybe :confused:

I believe in Singapore malicious hacking is punishable by death?

john costa 08-13-2003 09:22 PM

I've just spent the last 6 hours trying to get mine fixed. Chuck or Jamey, if you see this and are so inclined , give me a call. Maybe you can answer a couple of questions. thanks, jc 706-769-6624

Martyn 08-24-2003 09:49 PM

Don't feel bad Jamey, I got nailed almost as soon as the ####ed thing came out. I'm running a bang up to date version of Norton, on a Win 2k system with Zone Alarm Pro firewall and it still nailed me. I couldn't figure out why I was getting these svchost.exe crashes. That's the thing that manages how your browser handles URLs on the internet. I lost the ability to click links or use right click to "open a new window". I searched high and low for a solution and while doing some research on svchost.exe, came across an early alert for the blaster32 worm. Once I knew my problems were virus related, I popped over to Symantec who had by then issued a scan tool for download. Bingo, there it was. I wiped it and ran the security patch from Microsoft.

At work (a large hospital employing 5,000 people), the entire network has been infected. We have terminals all over the place and they all have net access.

StevePryor 08-25-2003 03:06 PM

I got *blasted* also, even though being on an antiquated dial-up system and running firewalls, etc.. It took me two days just to get up and running again and will take two yrs. or more to reload/reconfig everything.
I agree totally in the death penalty, but if the gov. does catch them, they will probably reward them with a cushy job.
Personally I think they should be staked out in a field and let everyone that has been hit by the virus, ten at a time drive golf balls at em from 50ft....and that's just for starters.:D

