08-12-2003, 12:56 PM
Jamey Saunders
Moderator
 
Join Date: Jul 2002
Location: Portal, GA - If you know where it is, you probably got a speeding ticket.
Posts: 1,951
New internet worm -- protect yourselves!

{SHORT STORY}

There's a new internet worm. Run Windows update and check out http://sarc.com/avcenter/venc/data/w...ster.worm.html for more information.

{END SHORT STORY}

{THE LONG STORY}

I'm feeling pretty humbled right now. All these years, and I've never been bitten by a serious worm or virus. Oh, sure, I've had minor viruses (viri?) in the past, but nothing major. But last night, my laptop became a victim of the W32.blaster worm.

I have to admit that this is a pretty ingenious worm. I have absolutely no idea how I got it, as I am behind a firewall most of the time (at work) and I never accept attachments. Last night, however, when I was at home on the dial-up line, my computer issued me a message saying that the "RPC subsystem" had terminated and the computer would restart in one minute.

I thought that was odd, but hey, I'm running Windows. Odd-ball errors are to be expected. I let the computer restart, logged back onto the Information Superhighway, and in two minutes, I got the same message.

OK, by this time, I'm pretty sure I've got a virus. I fire up my anti-virus and run a full-system scan. Nothing. Clean as a whistle. Now I'm starting to get concerned.

Then it came to me. I remembered hearing about a nasty little worm making the rounds when I was watching "The Screensavers" on TechTV. I logged back onto the internet and Googled the message "RPC subsystem terminated". Lo and behold, there are the messages -- It's a nasty worm that is propagating over the internet and exploiting a hole in Windoze.

Basically, it looks on the internet for an open port (TCP Port 135). Once it finds one, it loads a program onto the target machine and attempts to run it. The error gets issued because the program has guessed the wrong operating system.

Microsoft has a patch for this problem at the windows update site. But here's where the worm is really nasty: The program that is being run is targeted specifically to run a denial-of-service attack on the Windows Update site!

The solution for me was to turn on the Windoze XP firewall until I could get to work this morning and load the latest update. If you haven't done this, do it. If the worm guesses the right OS, I am assuming that it will work in the background without you even knowing it.

The program that is being run is msblast.exe. If you do a full-system search for "msblast" and find that file, DELETE IT! Then load your updates. This has apparently spread so rapidly that my antivirus (updated Sunday) didn't even catch it.

Here's the URL to Symantec's dissertation on this worm, including the fix instructions. They have a tool to remove the problem, but you really should load the Windows updates to shut down this vulnerability.

http://sarc.com/avcenter/venc/data/w...ster.worm.html

{END LONG STORY}


__________________
Jamey Saunders -- Charter Member, GCKG
(Got a question? Have you tried to for the answer?)

"I won't be wronged, I won't be insulted, and I won't be laid a hand on. I don't do these things to other people, and I require the same of them." --John Wayne, in The Shootist

Last edited by Jamey Saunders; 08-12-2003 at 12:58 PM.
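An added example, not part of the original post: a small Python triage script for your own machine that automates the two checks the post describes, searching a folder tree for msblast.exe and testing whether TCP port 135 accepts connections. The function names and the report layout are illustrative choices, not from the post or from Symantec's tool.

```python
import os
import socket
import sys

WORM_FILENAME = "msblast.exe"  # file name given in the post
RPC_PORT = 135                 # TCP port the post says the worm looks for


def find_worm_files(root, name=WORM_FILENAME):
    """Return sorted paths under root whose file name equals name, ignoring case."""
    hits = []
    # os.walk skips directories it cannot read, so one denied folder does not stop the scan
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() == name.lower():
                hits.append(os.path.join(dirpath, fname))
    return sorted(hits)


def port_accepts_connections(host, port=RPC_PORT, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or unreachable
        return False


def triage(root, host="127.0.0.1", port=RPC_PORT):
    """Run both checks and flag the machine if either one is positive."""
    files = find_worm_files(root)
    port_open = port_accepts_connections(host, port)
    return {
        "worm_files": files,
        "port_open": port_open,
        "needs_action": bool(files) or port_open,
    }


if __name__ == "__main__":
    # Usage: python triage.py C:\   (defaults to the home folder)
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    report = triage(root)
    for path in report["worm_files"]:
        print("FOUND:", path)
    print("TCP port %d accepting connections: %s" % (RPC_PORT, report["port_open"]))
    sys.exit(1 if report["needs_action"] else 0)
```

A connection accepted on 127.0.0.1 only shows that something is listening on the port; it does not show whether a firewall blocks it from outside, so a positive result means the firewall and update steps in the post still apply.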