W32.Blaster.Worm - RPC vulnerability causes reboots in Windows NT, 2K, and XP.


Antoneo

Diamond Member
May 25, 2001
3,911
0
0
Hmm.. so users behind a router w/ NAT wouldn't be affected? Just those who have a direct PC to internet connection?

"The worm also attempts to perform a Denial of Service (DoS) on Windows Update. This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability."

Sure seems like it, can't get to Windows Update at all... arg
 

Macro2

Diamond Member
May 20, 2000
4,874
0
0
RE:"This means that the likelihood that black-hats already knew about this for a long time is fairly decent."

Exactly why I don't trust Microsoft. About 15 months ago they knew about a serious hole that could wipe your HD just by going to a website. They waited months until SP1 to address it.
 

geoffkin

Senior member
Feb 9, 2000
716
0
0
So as long as I have been downloading the Windows Updates from MS when they pop up, I should be protected no matter what else I'm running on my system?
I have systems running Win2000 Pro, WinXP Home and WinXP Pro
 

Mavtech

Platinum Member
Jun 11, 2003
2,197
0
71
My router blocked any infection. I also update every week or two. I leave my computer and server on all the time too. I have to admit, I was afraid to come home from work yesterday. Everything was fine on my systems though. Anytime you are wide open to the internet, you are at risk.
 

jfunk

Golden Member
Oct 16, 2000
1,208
0
76
I can't believe so many people are running broadband connections without a router...they're like $40 now people, come on...



j

 

NesuD

Diamond Member
Oct 9, 1999
4,999
106
106
Originally posted by: Macro2
Once it's on your computer how does a firewall stop it?
Never trust Microsoft? hummm...good idea.

wormguard or a router is your best defense, IMHO.

http://wormguard.diamondcs.com.au/

firewall stops the rpc access that causes the reboots allowing you to stay online and get the patch and info on how to remove it.
 

NesuD

Diamond Member
Oct 9, 1999
4,999
106
106
Originally posted by: xcript
Originally posted by: NesuD
Originally posted by: Macro2
RE:"the built in xp firewall will also block it out as well according to MS"

That's questionable

Why do you say that? I have had it work for several people here already. Do you just distrust MS? Unless you have definitive proof that it does not help at all, which I know it does, do not confuse an already frustrating problem with your misinformation.

The built-in firewall only prevents incoming connections.

So if you've got Msblast.exe running, it'll continue to do its job.

Edit:
Looks like the DoSing doesn't begin until the 16th though.
I understand that. If you look at my post again you will also see a resource instructing you on how to remove it. But to stop the reboots so that you can get the patch and find out how to remove it, the firewall will help so that you can get the help you need online to kill it.



 

Kinesis

Senior member
May 5, 2001
475
0
76



NesuD - I wasn't crapping on you. I was just stating a point. Maybe I am dumb, but what does a .com file from microtrend do for someone who doesn't use their products? Maybe you could enlighten me.

I am not pushing for or against Microsoft, but the built in firewall does suspend the system crash associated with the virus....somewhat. At least long enough to remove and clean the virus off the system.


 

Wiktor

Member
Feb 21, 2003
151
0
0
My unprotected Win2000 sp3 machine didn't get it, yes NAT through router or WindowsXP NAT will protect all network computers (as long as the server has the right ports closed).

Wouldn't you say that WindowsXP is not Internet ready if it is critical to use a firewall with it? I think MS should work on some more sophisticated built in firewall protection for future Windows.

And if this worm will manage to stay around for months or longer (and it has already been compared to code red which is still active) then just about any computer is no longer safe. And I mean even myself - now I can't turn off the firewall for 10 sec.? Or if I reformat/reinstall WindowsXP, should I keep my pc offline? And then how will I get the critical updates and virus defs, there's a problem.
 

Syringer

Lifer
Aug 2, 2001
19,333
2
71
How do worms transfer around? Are there certain websites or something that you have to go through? Or is it all just "automatic"?
 

hcarlson

Golden Member
Jul 12, 2001
1,009
0
0
My PC didn't get it even though it was doing the shutdown from RPC. My wife's did get it and luckily I deleted the msblast.exe early this morning. I am now downloading the new SuperDAT for McAfee VirusScan to make sure it's gone. Damn this is crazy!
 

Mavtech

Platinum Member
Jun 11, 2003
2,197
0
71
Syringer-

This particular worm scans the internet for vulnerable computers on port 135. It then uses that computer to scan for another victim.
 

titanmiller

Platinum Member
Jan 5, 2003
2,123
2
81
Originally posted by: Syringer
How do worms transfer around? Are there certain websites or something that you have to go through? Or is it all just "automatic"?

Yes, it is automatic. The writer hacked into a few systems originally and placed the virus in those computers and then it takes off by itself.
 

bobdude1

Junior Member
Aug 12, 2003
7
0
0


The fact is that code for these exploits is posted freely on the internet. Just go to .Xfocus and you will find that they posted 'proof of concept' code, which in fact, is primarily the body of the code that is causing the exploit.
If you never connect to the internet, you will find that whatever OS you use will never be exploited, because you are never 'available' to be exploited.

Does including a firewall in the OS mean that it is unsafe? No, it just means that steps have been taken to prevent what is happening. If an OEM includes a software firewall on their system, do you automatically assume that they are selling an unsafe system? No, you probably applaud them for taking the initiative to protect your investment.

Please, think about your comment before you post. It is ludicrous that you would say what you have. I believe that some, if not all, Linux distros include a firewall, does that mean they are unsafe too?

Think about it
 

Chobits

Senior member
May 12, 2003
230
0
0
Hahah I have it on my PC and I think it might be preventing me from opening up new windows in win2kpro SP3

I'm d/ling that thing from Symantec as we speak (AVG can't delete it)

The weird thing is I don't have random reboots

And I don't have broadband AND I don't do automatic windows downloads. I update it manually every few months and the last time I did it was probably around April...


Oh, bobdude1 welcome to AT
 

bobdude1

Junior Member
Aug 12, 2003
7
0
0
Remember, the reason that the system reboots is that the exploit will overrun the local buffer too. Blocking at the firewall, even inbound on port 135, can slow or eliminate the problem long enough to get it fixed.

If you want a good A/V that updates on a DAILY basis, then you should look into Panda Anti-Virus: Panda Anti-Virus (US) or Panda Anti-Virus (International).

As I stated, they update DAILY, and they have a very good website as far as new virus alerts, etc. They also have a Blaster removal tool here, just choose the Blaster tool. If you are not a user, you can download it, but looks like you will have to go through an information gathering page. Just fill it out (it doesn't seem to matter what you put in there, as long as you fill the mandatory fields) and you should be able to download it and get the infection cleared.

Hope this is useful to somebody out there!
 

Wiktor

Member
Feb 21, 2003
151
0
0
You got me all wrong there bobdude1

I think it's great that WinXP incorporates such services as firewall or CD burning or many other (also an audio/video player and Internet communicator or even IE). Some say it is unfair to all those software companies that develop these products on their own, maybe, but for the customer it is better IMO.

So what I was saying is: well, it looks like even with the firewall (or ignore the firewall itself - this time it seems to do the job and blocks the worm, but it doesn't have the reputation of a professional security application or you may have it off), Windows on its own is so open to worms/viruses especially this one that you can't say it is 'good' for Internet. There

I encourage MS to further develop their firewall and ignore all those that will start talking about monopoly and so on
 

Macro2

Diamond Member
May 20, 2000
4,874
0
0
NesuD,

RE:"firewall stops the rpc access that causes the reboots allowing you to stay online and get the patch and info on how to remove it."

Thanks, didn't mean to misinform you just misunderstood.

Mac

 

Chobits

Senior member
May 12, 2003
230
0
0
Why rather than develop their own and spend time doing it...why can't they go to a company that already has a pimp firewall software from them and license it for use in Windows?
 

EvilWobbles

Golden Member
Nov 13, 2001
1,688
0
76
I am amazed by the number of dial-up users who have been affected by this worm. I've had no less than four calls from people today at work who have a home computer on dial-up that got infected by this worm.

As a system administrator at my company, it seems one of my tasks is to support the family members of our employees who can't get on the Internet at home because their machine keeps rebooting (what about real work I ask!)

It seems like the hardest hit group will be home users. I would be willing to bet you'll see sales of Zone Alarm and the like skyrocket. Time to buy some stock
 

bobdude1

Junior Member
Aug 12, 2003
7
0
0
Allow me to apologize. I misunderstood your point.

I agree that by itself, Windows can be extremely vulnerable to attack, however, to properly lock the OS down, IMHO, would require the usability factor to plummet to the point that most users would move to another OS.

My point, in fact is this: To have a truly unexploitable OS, you would need to lock the system in a hermetically sealed box, that has no outside connection other than the necessary power leads, never let anyone touch it, never connect it to the net or internet, and never allow any installations of software, hardware or saving of data to the system. That is the perfect security protection for a system.

Other than that (since that is obviously not realistic), you should always take steps to protect yourself from attacks, to the best of your ability. The best solution is to combine Anti-virus utilities (1 or more) with a good firewall (preferably a hardware based one that also does a stateful packet inspection).

I don't believe that any company makes a truly secure OS, Windows just happens to be the most prolific and consequently the easiest to attack. It obviously does not help that some of the usability features are also the weakest points, but by locking at least the inbound traffic down to a manageable state, exploits of this kind can be reduced, probably not eliminated, but definitely reduced.

<Stepping down from my soapbox>
 

Wiktor

Member
Feb 21, 2003
151
0
0
"Why rather than develop their own and spend time doing it...why can't they go to a company that already has a pimp firewall software from them and license it for use in Windows?"


Because that's how Microsoft is, I think. They jump to a new field, new type of software and first they will release a below average (like the WinXP firewall) product. But only to constantly work on new versions and updates until they master the technology and it is really hard to tell if they are still behind (MS sucks and so on) or in the lead.

They make money with their philosophy, not the other way around.


BTW in my firewall logs I only have the IPs that belong to my ISP, about twenty different, multiple times detected, looks like the worm doesn't attack all random...

EDIT: I also agree with what you said, bobdude1. Welcome to the forums (unless you just made a new account ), I don't post much but visit a lot
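
To check an observation like the one in the post above (port 135 probes coming mostly from the same ISP's address space), a firewall log can be tallied by source. This is an added example, not part of the original post; it assumes the space-separated `#Fields` layout of the Windows XP firewall's pfirewall.log, treats a shared /16 as a rough stand-in for "same ISP", and uses constructed log lines with reserved test addresses.

```python
import ipaddress
from collections import Counter

# Constructed sample log; addresses are from reserved benchmark/documentation ranges.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-12 18:02:11 DROP TCP 198.18.12.5 198.18.40.77 3021 135 48 S 1193046 0 64240 - - -
2003-08-12 18:02:14 DROP TCP 198.18.12.5 198.18.40.77 3021 135 48 S 1193046 0 64240 - - -
2003-08-12 18:03:40 DROP TCP 198.18.201.9 198.18.40.77 1187 135 48 S 5577006 0 16384 - - -
2003-08-12 18:04:02 DROP TCP 203.0.113.50 198.18.40.77 4410 135 48 S 8674665 0 64240 - - -
2003-08-12 18:04:30 DROP TCP 198.18.12.5 198.18.40.77 3055 445 48 S 2248199 0 64240 - - -
2003-08-12 18:05:00 OPEN TCP 198.18.40.77 192.0.2.14 1042 80 - - - - - - - -
2003-08-12 18:05:09 DROP UDP 198.19.3.3 198.18.40.77 1026 135 78 - - - - - - -
"""

def probes_on_port(log_text, port=135):
    """Yield (src_ip, dst_ip) for every dropped TCP packet aimed at `port`."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names come from the log header
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if (rec.get("action") == "DROP" and rec.get("protocol") == "TCP"
                and rec.get("dst-port") == str(port)):
            yield rec["src-ip"], rec["dst-ip"]

def summarize(log_text, prefix_len=16, port=135):
    """Count probes per source, split by whether the source shares the
    target's /prefix_len network (near) or not (far)."""
    near, far = Counter(), Counter()
    for src, dst in probes_on_port(log_text, port):
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        bucket = near if ipaddress.ip_address(src) in net else far
        bucket[src] += 1
    return near, far

if __name__ == "__main__":
    near, far = summarize(SAMPLE_LOG)
    print("same /16 as target:", dict(near))
    print("elsewhere:         ", dict(far))
```
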
 

batmang

Diamond Member
Jul 16, 2003
3,020
1
81
heh, this worm is making me pissed, I got a call from a person I built a computer for, it's a good thing I found this section in the forum, I wasn't even aware of this worm to begin with. Another reason I love www.anandtech.com
 

magomago

Lifer
Sep 28, 2002
10,973
14
76
yay! Internet Explorer is starting to work once more!!

First virus that has ever hit me too...
 

Macro2

Diamond Member
May 20, 2000
4,874
0
0
One good thing about this. I will have to listen to LESS people tell me..."I don't run any anti-virus program, firewall etc. and I've never had a virus...I'm just careful where I go and what I open..."

Mac
 