READ THIS if you have problems with your RPC service, svchost.exe or similar.

Robert Moir wrote:

> Go and get the patch from here, choose the right version for your
> system. If you don't know whether your system is "32 bit" or "64 bit"
> then its 32 bit. http://support.microsoft.com/?kbid=823980
>
> Next check your system for unusual processes that may be running. In
> particular watch out for:
> (NOTE, THIS LIST IS NOT EXCLUSIVE, KEEP AN EYE OUT FOR ANY UNUSUAL
> ACTIVITY) MSBlast.exe
> rpc.exe
> rpctest.exe
> dcomx.exe
> lolx.exe
> worm.exe
>
> Scan with an up-to-date virus scanner to help with removal of nasties
> that might be left on your system.
> Next, visit http://windowsupdate.microsoft.com and grab hold of *all*
> critical updates. Yes, all of them. Try to make a habit of doing this
> on a regular basis.
>
> This is not a comprehensive guide, just a quick and dirty fix to stop
> the worst of your immediate problems.
> Regards
> --

"This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At
this point, it is spreading rapidly. "
http://isc.sans.org/diary.html?date=2003-08-11
http://isc.incidents.org/port_details.html?port=135

Jonathan Maltz [MS-MVP] wrote:

> So that's it? A worm has been released?

Yeah, theres a couple out now. One that seems to be concentrating on simply
spreading and DDOSing systems and one that seems to be after control of
people's systems.

*sigh*

Are you sure it's concentrating on DDoS'ing?

It could just be like Slammer....generating so many requests that it creates
an "un-intended" DDoS

*tear*

--
--Jonathan Maltz [Microsoft MVP - Windows Server]
http://www.imbored.biz - A Windows Server 2003 visual, step-by-step
tutorial site :-)
Only reply by newsgroup. If I see an email I didn't ask for, it will be
deleted without reading.


"Robert Moir" <bofh@mvps.org> wrote in message
news:#w4plYFYDHA.2236@TK2MSFTNGP10.phx.gbl...

> Jonathan Maltz [MS-MVP] wrote:

> > So that's it? A worm has been released?

>
> Yeah, theres a couple out now. One that seems to be concentrating on

simply

> spreading and DDOSing systems and one that seems to be after control of
> people's systems.
>
> *sigh*
>
>

We are on Yellow Alert....MSBLASTER worm - aka DCOM worm
This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this
point, it is spreading rapidly.

Increase in port 135 activity: http://isc.sans.org/images/port135percent.png


**********
NOTE: PRELIMINARY. Do not base your incidents response solely on this writeup.
**********


Executive Summary:

A worm has started spreading early afternoon EDT (evening UTC Time) and is
expected to continue spreading rapidly. This worms exploits the Microsoft
Windows DCOM RPC Vulnerability announced July 16, 2003. The SANS Institute, and
Incidents.org recommends the following Action Items:

* Close port 135/tcp (and if possible 135-139, 445 and 593)
* Monitor TCP Port 4444 and UDP Port 69 (tftp) which are used by the worm for
activity related to this worm.
* Ensure that all available patches have been applied, especially the patches
reported in Microsoft Security Bulletin MS03-026.
* This bulletin is available at
http://www.microsoft.com/technet/sec...n/MS03-026.asp
* Infected machines are recommended to be pulled from the network pending a
complete rebuild of the system.


Technical Details:

Names and Aliases: W32.Blaster.Worm (symantec),W32/Lovsan.worm (McAfee),
WORM_MSBLAST.A (Trend Micro),Win32.Posa.Worm (CA),Lovsan (F-secure),
MSBLASTER,Win32.Poza.


Infection sequence:
1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to
TARGET
2. this causes a remote shell on port 4444 at the TARGET
3. the SOURCE now sends the tftp get command to the TARGET, using the shell on
port 4444,
4. the target will now connect to the tftp server at the SOURCE.


The name of the binary is msblast.exe. It is packed with UPX and will self
extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed:

MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)

So far we have found the following properties:

- Scans sequentially for machines with open port 135, starting at a presumably
random IP address
- uses multiple TFTP servers to pull the binary
- adds a registry key to start itself after reboot


Name of registry key:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'

Strings of interest:

msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your
software!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
BILLY
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion\Run


Existing RPC DCOM snort signatures will detect this worm. The worm is based on
dcom.c




Once you are infected, we highly recommend a complete rebuild of the site. As
there have been a number of irc bots using the exploit for a few weeks now, it
is possible that your system was already infected with one of the prior
exploits. Do not connect an unpatched machine to a network.

The worm may launch a syn flood against windowsupdate.com on the 16th. It has
the ability to infect Windows 2000 and XP.

The worm uses the RPC DCOM vulnerability to propagate. One it finds a vulnerable
system, it will spawn a shell on port 4444 and use it to download the actual
worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears
to use the "universal Win2k" offset only.

Other References:

http://www.cert.org/advisories/CA-2003-19.html
http://www.microsoft.com/technet/sec...n/MS03-026.asp

https://tms.symantec.com/members/Ana...t-DCOMworm.pdf
http://www3.ca.com/virusinfo/virus.aspx?ID=36265
http://www.datafellows.com/v-descs/msblast.shtml
http://us.mcafee.com/virusInfo/defau...virus_k=100547
http://www.sarc.com/avcenter/venc/da...ster.worm.html
http://www.trendmicro.com/vinfo/viru...WORM_MSBLAST.A
http://www.sophos.com/virusinfo/anal...2blastera.html
http://xforce.iss.net/xforce/alerts/id/150
http://vil.nai.com/vil/content/v_100547.htm





"Jonathan Maltz [MS-MVP]" wrote:

> Are you sure it's concentrating on DDoS'ing?
>
> It could just be like Slammer....generating so many requests that it creates
> an "un-intended" DDoS
>
> *tear*
>
> --
> --Jonathan Maltz [Microsoft MVP - Windows Server]
> http://www.imbored.biz - A Windows Server 2003 visual, step-by-step
> tutorial site :-)
> Only reply by newsgroup. If I see an email I didn't ask for, it will be
> deleted without reading.
>
> "Robert Moir" <bofh@mvps.org> wrote in message
> news:#w4plYFYDHA.2236@TK2MSFTNGP10.phx.gbl...

> > Jonathan Maltz [MS-MVP] wrote:

> > > So that's it? A worm has been released?

> >
> > Yeah, theres a couple out now. One that seems to be concentrating on

> simply

> > spreading and DDOSing systems and one that seems to be after control of
> > people's systems.
> >
> > *sigh*
> >
> >

--
"Don't lose sight of security. Security is a state of being,
not a state of budget. He with the most firewalls still does
not win. Put down that honeypot and keep up to date on your
patches. Demand better security from vendors and hold them
responsible. Use what you have, and make sure you know how
to use it properly and effectively."
~Rain Forest Puppy
http://www.wiretrip.net/rfp/txt/evolution.txt

Great :-/

--
--Jonathan Maltz [Microsoft MVP - Windows Server]
http://www.imbored.biz - A Windows Server 2003 visual, step-by-step
tutorial site :-)
Only reply by newsgroup. If I see an email I didn't ask for, it will be
deleted without reading.


"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
wrote in message news:3F3834FF.F7A8FB9C@pacbell.net...

> We are on Yellow Alert....MSBLASTER worm - aka DCOM worm
> This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At

this

> point, it is spreading rapidly.
>
> Increase in port 135 activity:

http://isc.sans.org/images/port135percent.png

>
>
> **********
> NOTE: PRELIMINARY. Do not base your incidents response solely on this

writeup.

> **********
>
>
> Executive Summary:
>
> A worm has started spreading early afternoon EDT (evening UTC Time) and is
> expected to continue spreading rapidly. This worms exploits the Microsoft
> Windows DCOM RPC Vulnerability announced July 16, 2003. The SANS

Institute, and

> Incidents.org recommends the following Action Items:
>
> * Close port 135/tcp (and if possible 135-139, 445 and 593)
> * Monitor TCP Port 4444 and UDP Port 69 (tftp) which are used by the worm

for

> activity related to this worm.
> * Ensure that all available patches have been applied, especially the

patches

> reported in Microsoft Security Bulletin MS03-026.
> * This bulletin is available at
> http://www.microsoft.com/technet/sec...n/MS03-026.asp
> * Infected machines are recommended to be pulled from the network pending

a

> complete rebuild of the system.
>
>
> Technical Details:
>
> Names and Aliases: W32.Blaster.Worm (symantec),W32/Lovsan.worm (McAfee),
> WORM_MSBLAST.A (Trend Micro),Win32.Posa.Worm (CA),Lovsan (F-secure),
> MSBLASTER,Win32.Poza.
>
>
> Infection sequence:
> 1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit

to

> TARGET
> 2. this causes a remote shell on port 4444 at the TARGET
> 3. the SOURCE now sends the tftp get command to the TARGET, using the

shell on

> port 4444,
> 4. the target will now connect to the tftp server at the SOURCE.
>
>
> The name of the binary is msblast.exe. It is packed with UPX and will self
> extract. The size of the binary is about 11kByte unpacked, and 6kBytes

packed:

>
> MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)
>
> So far we have found the following properties:
>
> - Scans sequentially for machines with open port 135, starting at a

presumably

> random IP address
> - uses multiple TFTP servers to pull the binary
> - adds a registry key to start itself after reboot
>
>
> Name of registry key:
> SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'
>
> Strings of interest:
>
> msblast.exe
> I just want to say LOVE YOU SAN!!
> billy gates why do you make this possible ? Stop making money and fix your
> software!!
> windowsupdate.com
> start %s
> tftp -i %s GET %s
> %d.%d.%d.%d
> %i.%i.%i.%i
> BILLY
> windows auto update
> SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
>
> Existing RPC DCOM snort signatures will detect this worm. The worm is

based on

> dcom.c
>
>
>
>
> Once you are infected, we highly recommend a complete rebuild of the site.

As

> there have been a number of irc bots using the exploit for a few weeks

now, it

> is possible that your system was already infected with one of the prior
> exploits. Do not connect an unpatched machine to a network.
>
> The worm may launch a syn flood against windowsupdate.com on the 16th. It

has

> the ability to infect Windows 2000 and XP.
>
> The worm uses the RPC DCOM vulnerability to propagate. One it finds a

vulnerable

> system, it will spawn a shell on port 4444 and use it to download the

actual

> worm via tftp. The exploit itself is very close to 'dcom.c' and so far

appears

> to use the "universal Win2k" offset only.
>
> Other References:
>
> http://www.cert.org/advisories/CA-2003-19.html
> http://www.microsoft.com/technet/sec...n/MS03-026.asp
>
> https://tms.symantec.com/members/Ana...t-DCOMworm.pdf
> http://www3.ca.com/virusinfo/virus.aspx?ID=36265
> http://www.datafellows.com/v-descs/msblast.shtml
> http://us.mcafee.com/virusInfo/defau...virus_k=100547
> http://www.sarc.com/avcenter/venc/da...ster.worm.html
>

http://www.trendmicro.com/vinfo/viru...WORM_MSBLAST.A

> http://www.sophos.com/virusinfo/anal...2blastera.html
> http://xforce.iss.net/xforce/alerts/id/150
> http://vil.nai.com/vil/content/v_100547.htm
>
>
>
>
>
> "Jonathan Maltz [MS-MVP]" wrote:
>

> > Are you sure it's concentrating on DDoS'ing?
> >
> > It could just be like Slammer....generating so many requests that it

creates

> > an "un-intended" DDoS
> >
> > *tear*
> >
> > --
> > --Jonathan Maltz [Microsoft MVP - Windows Server]
> > http://www.imbored.biz - A Windows Server 2003 visual, step-by-step
> > tutorial site :-)
> > Only reply by newsgroup. If I see an email I didn't ask for, it will be
> > deleted without reading.
> >
> > "Robert Moir" <bofh@mvps.org> wrote in message
> > news:#w4plYFYDHA.2236@TK2MSFTNGP10.phx.gbl...

> > > Jonathan Maltz [MS-MVP] wrote:
> > > > So that's it? A worm has been released?
> > >
> > > Yeah, theres a couple out now. One that seems to be concentrating on

> > simply

> > > spreading and DDOSing systems and one that seems to be after control

of

> > > people's systems.
> > >
> > > *sigh*
> > >
> > >

>
> --
> "Don't lose sight of security. Security is a state of being,
> not a state of budget. He with the most firewalls still does
> not win. Put down that honeypot and keep up to date on your
> patches. Demand better security from vendors and hold them
> responsible. Use what you have, and make sure you know how
> to use it properly and effectively."
> ~Rain Forest Puppy
> http://www.wiretrip.net/rfp/txt/evolution.txt
>
>

What about different propagation vectors? For instance, if somebody
would run MSBlast.exe delivered via e-mail, would MSBlast.exe work the
same way?


"Robert Moir" <bofh@mvps.org> wrote in message news:<O3AlOEFYDHA.2484@TK2MSFTNGP09.phx.gbl>...

> Go and get the patch from here, choose the right version for your system. If
> you don't know whether your system is "32 bit" or "64 bit" then its 32 bit.
> http://support.microsoft.com/?kbid=823980
>
> Next check your system for unusual processes that may be running. In
> particular watch out for:
> (NOTE, THIS LIST IS NOT EXCLUSIVE, KEEP AN EYE OUT FOR ANY UNUSUAL ACTIVITY)
> MSBlast.exe
> rpc.exe
> rpctest.exe
> dcomx.exe
> lolx.exe
> worm.exe
>
> Scan with an up-to-date virus scanner to help with removal of nasties that
> might be left on your system.
> Next, visit http://windowsupdate.microsoft.com and grab hold of *all*
> critical updates. Yes, all of them. Try to make a habit of doing this on a
> regular basis.
>
> This is not a comprehensive guide, just a quick and dirty fix to stop the
> worst of your immediate problems.
> Regards
> --