Recent Remote Procedure problems
BlackHawk
Bible music connoisseurThere's no place like 127.0.0.1 Icrontian
BlackHawk
Bible music connoisseurThere's no place like 127.0.0.1 Icrontian
Comments
I wonder how many people this blast virus is getting?
The class of holes exists in 95 OSR 2 and up, and perhaps earlier. What makes it easy for you to get a friend to help remotely with your computer, for example, uses this class of things. I am not talking about the single issues you see one by one, but the whole set of functional things that allow this stuff.
i got the RPC errors earlier today and thanks to blackhawk's thread earlier i was able to fix that part... but later on the blaster.virus or whatever was caught by norton and then i spent the next hour updating and scanning my system
ugh i hate hackers
Dunno why, but I am sceered now.. :P
When you see the countdown, hurry and enter cmd and type "shutdown -a" (without the quotes) so that you dont have to reboot.
Start regedit: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete "windows auto update"="msblast.exe"
The last tip, update os.
http://www.short-media.com/forum/showthread.php?s=&threadid=2086
Currently in the room behind me I have all the directors having a meeting about it. Arseholes are flapping now
They cant say the have not had enough warning
But the thing is if you actually have the worm and try to update, you get that message. Thats why it´s "old" news
One person said "But I just turned off the software firewall for a couple of hours while I transferred from one box to the other."
It's in North America people.
Boy am I glad I updated as soon as I saw that post!
In other words, thanks for the warning, Necropolis!
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
Rebuilt!!! $170!!! OMG!!! I wish I had the recipient list, I'd send out an email undercutting their price
The worm likes ports 135, 139, and 445 (courtesy Trend Micro's expanantion of the MSBLAST "virus" and Microsoft Security Bulletin MS03-026).
Microsoft RPC Link
The trend micro link has been given on Icrontic I know, in an RPC problems thread dealing with this RPC problems issue.
It is as of a while ago (within the last 24 hours) in PC-Cillin's latest definiitons base.
In the last 27 hours ZDNet znc ZDNet.uk are calling it Widespread.
Microsoft's security patch for NT 4.0 through Windows Server 2003, including 2000 and XP, but NOT right now including ME (they say ME is not affected for the RPC issue addressed in MS03-026 which is MSBLAST congruent info) is available, but MSBLAST targets windowsupdate.com. When I was on earlier (now yesterday) getting the MSBLAST function patch for my mostly end user clients, and finding out how to delete which registry key and value (See Trend Microsystems Virus Encyclopedia for MSBLAST, I read but di not print it so no URL capture), I tried to call sales at Microsoft headquarters on 4 different (15-30 min apart) occassions-- the phone system was literally saying "High Call Volume, call back later" after 6 rings-- this was office hours in the morning Redmond time, Monday.
I called the MAIN toll number, and all the operator could say was you need to call the toll free number later, and she put me on hold twice during our 4 minute quick chat(so I now have a 10 minute toll bill to Redmond Washington from Florida).
She said the rollover alternate number was also the same as main sales. That was 8-9 hours after ZDNet hit the news online with this in an interesting article pair in US and UK.
Ok, things to do:
I would get a good firewall, either Sygate or Tiny, and not use ports 135, 139, and 445 unless you know what you are doing exactly.
Ok, registry keys:
First, patch verification---
2000:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB823980
-->Note number, that KB823980 article has details of exactly what to check to make sure the patch took.
XP Gold:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB823980
Windows XP (most, same key as above exactly if installed on a SP1 Windows XP):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\KB823980
Windows Server 2003:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB823980
You can get the function fix to block this at the Microsoft Downloads center by doing this:
Go to http://www.microsoft.com/
Click the "Support" menu entry in white on black up in the very top black background menu. Choose "Download Center".
In the download center Search box, type in
security_patch or security-patch
Top line of results, at right, there is a drop down menu showing probably popularity (if not default has been changed since about 11:20 AM yesterday (on 11 August)). Click the down arrow, change sort to "title".
Since the Downloads are subsorted by widnows version first in title now, for security patches, you will find the RPC patch with you windows version in it and be able to get it if you scroll through the list. HINT, for XP about 1\2 through the list as the tile has an RPM title. Else try Support, then the Knowledge Base, the article KB823980 which has a download link set (I did not use those). There are, between the Trend Micro and Microsoft Bulletin and KB article, about 20 pages of fine print reading.
Look at what you have: If 98 SE or earlier, you might want to see what Trend Micro said as tehy model viruses and update their Virus Encyclopedia-- since Microsoft no longer supports 98 SE and earlier expect not much from them, and if you have ME do not bohter to look at Microsoft right now.
OTOH, those with 2000 or XP boxes or 2003 Server boxes need the Microsoft info. I like Microsoft CUSTOMERS just enough to spread the word about how to patch and check the patch and suggest the Trend Micro reading for how to check for MSBLAST Virus(Worm) presence.
Too tired to type more.... And gotta be up early to handle a car accident (8:30 last night, no one got hurt, steering function damage and sudden loud noises or I would have been here at 9:00 PM last night with this), work some on installing a new mobo for mom (motherboard died, new CPU and RAM needed and bought with it, new UPS already in place, HP printer drivers corrupt, possible PSU also), and try to deal with the fact that I cannot drive her car and she is having eye surgery while MSBLAST erupts and will be unable to drive for a minimum of two days. I guess a rental is needed, thta is a later thing. My three things. Not mad, not sad, mellow and OK. Money and insurance to cover ok.
John.
First, It would appear that some of the Blaster things have vairants included now, like standard Windows Trojans as well as the Blaster virus.
Second, it CERT says there are hundreds of thousands of machines infected with Blaster and variants (the variants all have exactly the same code plus additions), and how many variants there exactly are is not known, several are known if you separate the standard trojan plus Blaster from the Blaster only eariest onslaught. There are various names.
Third, some XP machines (and I suspect those might be earlier non SP1 XP boxes at least in part, ones that never got the full service pack) are, if infectd and then the patch is applied, going into reboot loops.
Here is the eWeek link, I will add to this later:
http://www.eweek.com/article2/0,3959,1219197,00.asp
Link:
http://kb.trendmicro.com/solutionDetail.asp?solutionId=15888
Oh, one thing-- skim and then do side links wherre you think knowing more would help you. If you dump the articles that are side-linked to the priner and then read, you will be doing other users of Trend Micro's clusters a big favor and have the info you need for friends to see how to kill this thing right-- burning a CD with this Blaster info only, and articels on how to fix, will not be frowned upon much if shared to friends to wipe this thing out and not at all used for commercial use to make profit-- that is short form fair use, if you credit Trend Micro for the info used and wish to be honest (honesty, tempered by shared trust, is a good thing if not public where that is not good).
This is publicly available info that SHOULD be shared with computer power users and friends and co-workers of the tech kind-- it will reduce attacks like this by causing folks to look, then apply patches, and do so intelligently. This is not an email worm that can be killed by email prevention of filtering, and lots of folks also do that these days and do not realize they are not at all protected from this kind of worm. If you make lots of money from Windows computers and security work, buy a Trend Micro subscription.
If you think as CERT as GRANDPA for security and as clearinghouse and respect it, they will welcome skilled help and Trend Micro has very good info and does not spread rumours-- though they wisely to know that each computer can react a bit differenly and cannot guarantee any use of their info on things not related to what solutions articles focus on. They do their best, but as one of hte lead AV service and software providers know that info grows and changes the picture in this world of security. But they also know that they are not infallible, so cross check with Microsoft and Symantec and GeCAD and F-Secure also and look for commonalities.
For you folks (polite slang for firends and acquaintances and welcome peoople to meet and talk with) I am going to do summaries of things I have confirmed as needed.