W32.Blaster.Worm - RPC vulnerability causes reboots in Windows NT, 2K, and XP.


drag

Elite Member
Jul 4, 2002
8,708
0
0
Sucks to be you. I know that SP1 carries some very unpleasant licensing with it (or was that only with W2K?), but if you need that service pack to install the patch, you have to use it. I don't know if you can try to install the patch without SP1, but I suppose it won't hurt too much to try....

Anti-virus will clean your computer off and a firewall can block port 135, but you will still be vulnerable to this exploit, or at least HAVE it, but I suppose if you took those precautions you should be safe for now (after you uninstall the current bug)...

There are ways of manually removing the worm. Here is a good place; found it on Google by looking for: rpc msblaster worm remove, it was the third link. That has some decent details on what it does to your computer and how to remove it manually...

Of course it may not be the actual MSBlaster worm; there are plenty of other MS viruses out there and you could have one of those. Nowadays spending a bit extra on good virus protection is a must if you're a Windows user.
 

RalfHutter

Diamond Member
Dec 29, 2000
3,202
0
76
Originally posted by: showhost
Hi all...

I'm hoping someone can help me. My computer is showing all signs of Blaster worm virus (multiple crashes, same RPC warning as others). I have followed all the steps with FixBlast making sure to disable system restore, verify digital signature of repair tool and then running the tool. But as some others have said, the tool indicates there is no virus found.

My dilemma is this: I haven't installed the patch as there is a line of text on the MS web page stating:
The patch for Windows XP can be installed on systems running Windows XP Gold or Service Pack 1
My system is running XP without SP1 and without spelling it out, I have to confess that there is a reason for this. But now I find myself in the position of possibly HAVING to install a patch that may not work without having first installed SP1. Can anybody shed light on this or verify or at the very least, speculate?

Thanks...

Showhost

:frown:

I'm pretty sure "XP Gold" means regular old non-sp1 XP. I patched two non-sp1 systems yesterday and it fixed both of them. Neither has had the RPC reboot since then and they were both restarting every 15-30 minutes prior to applying the patch.

FYI - one of the non-sp1s was retail XP Pro, the other was XP Pro Corp Ed.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
XP Gold means the original shipping version. So this patch is for systems with or without SP1. So, there is no problem (other than your license situation, which I'm sure you will now go fix... )

Bill
 

gnumantsc

Senior member
Aug 5, 2003
414
0
0
Neowin was talking about the RPC flaw and some other worm like 2 weeks ago; it's just that news people don't know that much and pretend they are doing people favors when it comes to announcing it.

Once they see it, it's too late. I remember back in the late 80s / early 90s when the Michelangelo virus was spreading; think of it, when AV companies weren't so big and worms/viruses were new.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Originally posted by: gnumantsc
Neowin was talking about the RPC flaw and some other worm like 2 weeks ago; it's just that news people don't know that much and pretend they are doing people favors when it comes to announcing it.

Once they see it, it's too late. I remember back in the late 80s / early 90s when the Michelangelo virus was spreading; think of it, when AV companies weren't so big and worms/viruses were new.
It's almost sad; it's one of those things that we see getting built exponentially. But the media doesn't care until it is already too late.

Fortunately for me I had everything firewalled off and virus updates pushed everywhere long before this became an issue; oh yeah, and 75%+ of our XP boxes are patched...

-Spy
 

Slickone

Diamond Member
Dec 31, 1999
6,120
0
0
Does no one know how to match up the patch #'s (see my post above, 08/13/2003 10:14 PM)?
 

Doubolplay1

Senior member
Jan 6, 2001
303
0
0
Guys: Just thought I would give a little tip on how I REMOTELY fixed my dad's PC.
1. You will need to have the fixblast.exe file from Symantec on the system.
2. Telnet your way in and make sure the remote computer is not LOGGED ON by any user.
3. Once you are in the system, execute the file remotely and it will clean it.
4. Wait 15 minutes or so, then log on to the system. Once you are in, you should not receive the message.
5. If you have not patched it yet, do so now.
6. Also, update your virus definitions.

 

drag

Elite Member
Jul 4, 2002
8,708
0
0
That's good figuring that out, but it is useless for anything serious.

Telnet is a very insecure way of doing remote administration. Everything is sent out in plain text over the internet, including your password. Any host on any one of the networks connecting you to your dad's computer can use a simple packet sniffer to read your password as you type it. They can even set it up to simply e-mail the cracker your password as soon as you are finished typing it. If this was company policy and a cracker knew it, then it would be a script-kiddie bonanza.

There is a simple solution to this. If you had an SSH server installed on your dad's machine (like most Linux/*BSD/Unix systems have by default) then you could do this in relative safety.

Check out OpenSSH if you're interested. I am sure that they have Windows servers, and you can use PuTTY as a good client. You can also transfer files that way, too.

 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
Originally posted by: drag
That's good figuring that out, but it is useless for anything serious.

Well, that is generally true, but...

Any host on any one of the networks connecting you to your dad's computer can use a simple packet sniffer to read your password as you type it.

That is a wee bit of an exaggeration. Any host or device that the traffic passes through is in a position to sniff it, so suggesting that any host on one of the other networks can isn't correct.

Also, while your security point is somewhat valid, considering the situation he found himself in, the tradeoff seems pretty reasonable.

Bill
 

bobdude1

Junior Member
Aug 12, 2003
7
0
0
Originally posted by: Slickone
Microsoft says if you've previously applied the security patch MS03-026, you're protected. But I can't figure out if I've installed it. I do all the critical updates that it notifies me of, but all the updates are a 6 digit number (some have a Q in front). How do I match the #'s up?
Also the same page says the worm affects Win NT, but Symantec says only 2K and XP. Why?

Look in Add/Remove Programs for Q823980, this is the Q article associated with the patch. Also check out this page, lot of info and patches: http://www.microsoft.com/security/incident/blaster.asp
 

bobdude1

Junior Member
Aug 12, 2003
7
0
0
Originally posted by: bsobel
That is a wee bit of an exaggeration. Any host or device that the traffic passes through is in a position to sniff it, so suggesting that any host on one of the other networks can isn't correct.

Also, while your security point is somewhat valid, considering the situation he found himself in, the tradeoff seems pretty reasonable.

Bill

But I still wonder how he started it without the GUI. Are there command-line options I missed?
 

bobdude1

Junior Member
Aug 12, 2003
7
0
0
Originally posted by: Slickone
Does no one know how to match up the patch #'s (see my post above, 08/13/2003 10:14 PM)?

Go to Add/Remove Programs and look for Q823980 in the list. That is the matching Q article for the MS03-026 patch.
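As an added example (not posted in the thread, and not Microsoft's or Symantec's code): a PowerShell script that does what bobdude1 describes by hand. It normalises the Q/KB prefix so that the bulletin's number (MS03-026 → Q823980/KB823980) can be matched against the Add/Remove Programs entries, which are backed by the Uninstall registry keys, and against the hotfix inventory Get-HotFix reports; it then checks whether TCP 135 (the RPC endpoint mapper Blaster hit) answers on a given host, which is the port drag says a firewall should block. It assumes a current Windows PowerShell with Get-HotFix and Test-NetConnection available; the Uninstall key paths are the standard ones on today's Windows and are an assumption for how a 2003-era XP box recorded Q823980, so treat Test-HotfixInstalled as a general hotfix lookup rather than an exact reproduction of that screen.

```powershell
# Added example, not from the thread. Looks up a hotfix by its Q/KB number
# the way Add/Remove Programs would show it, and tests TCP 135 reachability.
# Assumptions: Windows PowerShell 5.1+ with Get-HotFix and Test-NetConnection;
# standard Uninstall registry hives (32- and 64-bit views).

function Get-HotfixNumber {
    # "Q823980", "KB823980" and "823980" all refer to the same article;
    # strip the prefix so every source can be compared on the digits alone.
    param([Parameter(Mandatory)][string]$Id)
    return ($Id.Trim() -replace '^(KB|Q)', '')   # -replace is case-insensitive
}

function Test-HotfixInstalled {
    param([Parameter(Mandatory)][string]$Id)
    $digits = Get-HotfixNumber $Id
    $found  = @()

    # 1. Add/Remove Programs entries live under the Uninstall keys.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in (Get-ChildItem $key)) {
            $name    = $sub.PSChildName
            $display = (Get-ItemProperty $sub.PSPath -ErrorAction SilentlyContinue).DisplayName
            if ($name -match $digits -or ($display -and $display -match $digits)) {
                $found += "Uninstall entry: $name ($display)"
            }
        }
    }

    # 2. The hotfix inventory (Win32_QuickFixEngineering via Get-HotFix).
    foreach ($hf in (Get-HotFix -ErrorAction SilentlyContinue)) {
        if ($hf.HotFixID -match $digits) {
            $found += "Get-HotFix: $($hf.HotFixID) installed $($hf.InstalledOn)"
        }
    }

    [pscustomobject]@{
        Id        = "KB$digits"
        Installed = ($found.Count -gt 0)
        Evidence  = $found
    }
}

function Test-Port135Exposed {
    # Run this from *another* machine against the target: a firewall that
    # blocks 135 should make TcpTestSucceeded come back False.
    param([string]$ComputerName = 'localhost')
    $r = Test-NetConnection -ComputerName $ComputerName -Port 135 -WarningAction SilentlyContinue
    [pscustomobject]@{
        ComputerName = $ComputerName
        Port135Open  = $r.TcpTestSucceeded
    }
}

# Usage: the bulletin's number in either spelling resolves to the same lookup.
Test-HotfixInstalled 'Q823980' | Format-List
Test-Port135Exposed           | Format-List
```

Installed = False from this script only means the hotfix is not recorded in those two places; a machine that was cleaned with FixBlast but never patched will show exactly that, and is still exploitable, which is drag's point about cleaning versus patching.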
 