
Win32 Blaster Worm is on the Rise

CmdrTaco posted more than 11 years ago | from the i-can't-hold-her-together-any-longer-captain dept.


EvilNight writes "You know you've got it when a 60 second shutdown timer pops up on your screen. The virus uses the RPC vulnerability. It looks like it's reaching critical mass today. Luckily, it's an easy one to stop: Download this security update. Once you've installed that patch, go here and download the removal tool." Update: 08/12 19:19 GMT by M : Security bulletin URL corrected.


shutdown /a (5, Informative)

mjmalone (677326) | more than 11 years ago | (#6674769)

My friend was getting hit constantly by this worm yesterday. The box wouldn't stay up long enough for him to install the patches :P. Just a tip for those of you who are getting hit a lot and having your box reboot: To stop those pesky reboots try:

shutdown /a

That should abort the shutdown and give you enough time to install patches. This also works well when you install a piece of software that tries to force you to reboot. (Why he hadn't fixed it already is a mystery, especially since slashdot.org is his homepage.)

Re:shutdown /a (3, Funny)

Pionar (620916) | more than 11 years ago | (#6674817)

>Why he hadn't fixed it already is a mystery, especially since slashdot.org is his homepage.

You actually believe that reading /. makes you smart? Apparently, you never read comments below 5.

Re:shutdown /a (3, Funny)

whiteranger99x (235024) | more than 11 years ago | (#6674867)

Apparently, you never read comments below 5.

In some cases even THAT doesn't mean you'll see smart comments

(hell, look at MY 5 point comments sometime lol ;)

Nice pouncepost! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6674824)

You got this all teed-up in advance, ready to jump and grab that karma. You're a go-getter, I can tell. Well done. Your up-mods are certainly well-deserved! I like how you're putting that subscription money to good use!

Slashdot: Subscribe, and you too can be a karma whore!

Re:shutdown /a (5, Informative)

Anonymous Coward | more than 11 years ago | (#6674883)

You can also go into Computer Manager -> Services and Applications -> Services and change the Recovery settings for Remote Procedure Call (RPC) from "Restart the Computer" to "Restart the Service".

I was hit by this last night, and couldn't download/install the update in the 60 seconds allowed.

Re:shutdown /a (1, Insightful)

Eric Ass Raymond (662593) | more than 11 years ago | (#6674891)

The box wouldn't stay up long enough for him to install the patches :P

Uh... why didn't he just unplug the net cable and install the patches?

I mean that's how you're supposed to setup any operating system. No net connection until you've got all the necessary patches installed and firewalls set up. Don't give them even the smallest window of opportunity.

Re:shutdown /a (2, Insightful)

mjmalone (677326) | more than 11 years ago | (#6674915)

He was connecting to it remotely. Also, it's hard to download patches when you aren't connected to the net.

Re:shutdown /a (3, Interesting)

TedCheshireAcad (311748) | more than 11 years ago | (#6674914)

How creepy. I was setting up a relative's DSL modem yesterday, when I saw that the RPC service was shutting down the machine. Thought it was just Windows XP being retarded, but I guess it's time for a new visit.

The box hadn't been on the internet for more than 15 minutes.

Re:shutdown /a (4, Insightful)

Tony Hoyle (11698) | more than 11 years ago | (#6674965)

Rule 1: The first thing you do when putting any system on the net is make sure it's behind a firewall.
Rule 2: See rule 1. Then do it.

FFS it's not as if it's attacking via port 80... No properly administered system should ever get this. Home users, maybe but businesses????

it hit me this morning! (2, Informative)

baxterux (575852) | more than 11 years ago | (#6674773)

Posted an article about it here: http://www.baxter2.com/modules.php?name=News&file=article&sid=114 I have never seen a worm spread so fast! Dangerously fast.

Virus, not starring Jamie Lee Curtis. (3, Funny)

Channard (693317) | more than 11 years ago | (#6674944)

Man, it's almost as bad as that Teddy Bear virus *cough*

First FailIt (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6674775)

I Fail It I Fail It FuGG fUkk FuCC

Good timing... (2, Interesting)

tbase (666607) | more than 11 years ago | (#6674776)

Someone in my office just gave me a screen shot of a shutdown timer on their computer at home. Anyone used the removal tool yet and had any luck with it?

Re:Good timing... (5, Interesting)

brejc8 (223089) | more than 11 years ago | (#6674846)

The removal tool takes several minutes to run. Just apply the exact patch and remove the msblast.exe from your windows/system32 directory. Then run the tool afterwards to ensure it has gone.

The exact patch needed is here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

Taco responds re: editor moderation abuse (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6674779)

Do Editors Moderate?
The Slashdot Editors have unlimited mod points, and we have no problem using them. Our moderations represent about 3% of all moderation, and according to Meta Moderation, the fairness of these moderations is either statistically indistinguishable from non-admin users, or substantially better. The raw numbers are: 95.1% of non-admin upmods are fair, and 94.7% of admin upmods are fair. 79.1% of non-admin downmods are fair, and 83.6% of admin downmods are fair.

The editors tend to find crapfloods and moderate them down: a single malicious user can post dozens of comments, which would require several users to moderate them down, but a single admin can take care of it in seconds. This tends to remove the obvious garbage from the discussion so that the general population can use their mod points to determine good. Otherwise, a few crapfloods could suck a lot of moderator points out of the system and throw things out of whack.

You can argue that allowing admins unlimited moderation is somehow inherently unfair, but one of the goals of Slashdot is to produce readable content for a variety of readers with a variety of reading habits. I believe this process improves discussions for the vast majority of Slashdot Readers, so it will stay this way. [ If you don't like it, well, I don't care. This is my sandbox, those are my rules, and until someone takes this site away from me, what you see is, ultimately, what I want you to see. - ed.]

Answered by: CmdrTaco Last Modified: 4/12/03

first post! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6674782)

whee!

Re:first post! (-1, Offtopic)

The Ayatrollah (697382) | more than 11 years ago | (#6674794)

NO! YOU FAIL IT!

Wrong link (5, Funny)

JPelzer (202626) | more than 11 years ago | (#6674783)

Shouldn't the "Removal Tool" link point to a Linux ISO download site or something? I mean, this is slashdot... :-)

Re:Wrong link (2, Funny)

TopShelf (92521) | more than 11 years ago | (#6674833)

Preferably SCO's [sco.com] , right? Might as well burn up their servers...

Re:Wrong link (-1, Offtopic)

Nicolas MONNET (4727) | more than 11 years ago | (#6674835)

Slashdot has been assimilated, seriously.

The Rise (5, Funny)

mao che minh (611166) | more than 11 years ago | (#6674784)

DOOM-DOOM-DOOM-DOOM DOOM *PANG*
DOOM-DOOM-DOOM-DOOM DOOM * PANG*

At 10:06 AM, August 12th, 2003, Skynet launched dah Win32 Blaster Wahm. It quickly seized contrahl of ahh computers on the Net and forced a mahndatory reboot.

OK this is getting old.....

hahaha u r teh funni (-1)

Anonymous Coward | more than 11 years ago | (#6674857)

yess u ar teh vary funni in teh hole wolrd me did lauhg sommuch that me FUCK FUCK FUCK

Re:The Rise (-1, Offtopic)

insomnic (306237) | more than 11 years ago | (#6674959)

I actually watched T3 yesterday... Coincidence??

Make your bets... (-1, Flamebait)

Urkki (668283) | more than 11 years ago | (#6674787)

Will internet come to a grinding halt or not?
Are there enough dumb win-users who do not know what "security hole" is, or do enough people patch their systems in time?
Stay tuned, /. will be back in a week to report more...

Re:Make your bets... (1)

colinleroy (592025) | more than 11 years ago | (#6674856)

Will internet come to a grinding halt or not?
Why would it ? Mostly clients, not servers, will be hit.

Will it halt the Internet? (3, Informative)

mao che minh (611166) | more than 11 years ago | (#6674896)

No, it shouldn't. This worm isn't clogging up bandwidth or DoS/DDoS attacking routers and web servers like Code Red and Nimda did. This is just making WinNT and greater workstations and servers (should you actually be using a Windows OS on a server that isn't heavily protected) reboot.

no excuse (-1, Redundant)

Anonymous Coward | more than 11 years ago | (#6674792)

patch is dated 26 March. Plenty of time to test. You've only got yourself to blame

Much better removal tool.. (2, Funny)

_14k4 (5085) | more than 11 years ago | (#6674798)

fdisk
format
install FreeBSD or keep your copy of Winders up to date. :)

Re:Much better removal tool.. (3, Funny)

Anonymous Coward | more than 11 years ago | (#6674901)

I tried that and nothing happened ??

Microsoft(R) Windows DOS
(C)Copyright Microsoft Corp 1990-2001.

C:\>fdisk
'FDISK' is not recognized as an internal or external command,
operable program or batch file.

C:\>format
Required parameter missing -

C:\>install FreeBSD

C:\>WTF !!!

Fscking Windows. (-1, Flamebait)

Hulver (5850) | more than 11 years ago | (#6674804)

Nothing like this would ever happen on a UNIX platform like Linux.

I'm Still using Linux 7.2, and that's rock solid. Never had to update it.

Bandwidth usage is a bit high for some reason, but other than that I'm glad I moved away from windows.

Re:Fscking Windows. (2, Insightful)

Overly Critical Guy (663429) | more than 11 years ago | (#6674842)

Please. I still remember when my system got hosed by a sendmail hole.

Re:Fscking Windows. (2, Informative)

Jellybob (597204) | more than 11 years ago | (#6674936)


Nothing like this would ever happen on a UNIX platform like Linux.
I'm Still using Linux 7.2, and that's rock solid. Never had to update it.

Yeah... nothing like that.

Other of course than the multitude of root kits out there, sendmail holes, bind holes, apache holes, anything else holes.

And yeah. Linux 7.2 - guess you haven't been around long enough to remember.

in russia (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6674805)

In Soviet Russia Win32 worm rise YOU!

Honest question (5, Insightful)

lseltzer (311306) | more than 11 years ago | (#6674806)

Dear all of you who are being hit by this attack:

Why hadn't you applied the patch before? It was released 7/16 and nothing has had this level of publicity before.

Re:Honest question (1)

garcia (6573) | more than 11 years ago | (#6674906)

A lot of people that I have seen that are vulnerable to the attack were made noticeable to me by the simple fact that they were hitting my webserver with the worm that causes the "default.ida" to show up in the logs.

If they didn't know to patch against that (and how old is it?) why would you think that they know to patch against this?

Re:Honest question (1, Interesting)

Overly Critical Guy (663429) | more than 11 years ago | (#6674996)

Because Windows bugs you to turn on Automatic Updates. You specifically have to tell it that you don't want it on. Had it been turned on, those ignorant people would still have been patched. Every action has a consequence, and this is one.

Re:Honest question (2, Interesting)

CaptainBaz (621098) | more than 11 years ago | (#6674910)

Because our proxy blocks .exe downloads. Yes, even from windowsupdate. No, really...

Re:Honest question (3, Redundant)

killmenow (184444) | more than 11 years ago | (#6674934)

(Better yet)

To whom it may concern:
Why aren't you blocking stupid useless open ports from the Internet? There are freely available tools [zonelabs.com] if you insist on running Windows. Then again, most electronics stores sell standalone broadband firewall/routers. If you used one of those, you could take your time and patch whenever you feel like it...

I tell all those in my circle of influence: never connect to the Internet without a firewall in place. It makes no difference what your host OS is. At the least, you should be running a host-based firewall like Zone Alarm or ipchains/ipfilter/etc. Even better is a standalone box that does nothing but firewall. It's just prudence...even on a simple home PC or LAN.

Precisely (5, Insightful)

Overly Critical Guy (663429) | more than 11 years ago | (#6674964)

There was even a Slashdot article about the exploit. It was such a big deal because it was the first and only vulnerability for Windows Server 2003 so far.

All these people sarcastically saying to "patch with Linux" or "use the firewall" are missing the point that the smart people downloaded the 1.2MB patch last month and had no idea anything was going on until we read about the worm on Slashdot. My entire work network was unscathed, because they're all kept completely up to date. I can't think of any reason why someone shouldn't be doing the same to their Windows network, except for arcane Slashbot conspiracy theories or just plain needing to hate Microsoft for something, anything.

If this was a Linux worm, people would be telling everyone else that they should have patched to the latest versions of whatever. But, it's Windows, so it won't exactly happen that way...

There are several reasons... (4, Insightful)

aug24 (38229) | more than 11 years ago | (#6674970)

Have you met many people who are MS sysadmins? A good proportion of those that I have met are Joe User types who have knowledge of how to set up, auto-reboot and backup machines, and not a lot more.

Windows is easier to pick up, but just as hard, possibly harder, to maintain than *nix. So you get less-trained or less-capable or whatever people who are employed doing this, who look fine on the day-to-day, but who are damn-near useless at the harder stuff like security - which should, of course, be the day to day.

Combine that with the sheer number of severe and critical patches MS expects you to apply, each of which must go through regression testing before deployment, and you can see why sticking the ol' head in the sand looks appealing...

J.

Re:Honest question (1)

insomnic (306237) | more than 11 years ago | (#6675002)

Because I'm not in charge of change & problem management and those who aren't haven't addressed the problem until today?

Nasty little bugger (5, Informative)

snack (71224) | more than 11 years ago | (#6674812)

I've been helping my friends get this NASTYNESS off of their machines too.

Something else you might want to try is booting into safe mode (F8 right when Windows splashscreen pops). Deleting the registry entries, and the virus runprogram (msblast.exe). Also please... PLEASE patch your computer.

When you're done, run some AV on your system. Some ppl had a 2nd virus sneaking around that they didn't even know about (Spybot.worm).

-Tim

Software firewall help? (0)

Anonymous Coward | more than 11 years ago | (#6674815)

I have hardware/external firewalls at work and home, and I haven't seen it. Is this just more unpatched/unprotected idiocy, or does it get around software firewalls too?

Cancelling this problem (5, Informative)

UnassumingLocalGuy (660007) | more than 11 years ago | (#6674818)

Yes, you can cancel this. Start up a console session (oh wait, this is Windows, it's called a command prompt) and type in:

C:\WINDOWS>shutdown -a now

Granted, this does leave your system in an unstable state, but if you have something urgent you absolutely need to get done, this gives you a few minutes to do it before you reboot.

Re:Cancelling this problem (2, Informative)

rkz (667993) | more than 11 years ago | (#6674991)

you don't need the "now" this is not unix.

A BBC link (3, Informative)

azzy (86427) | more than 11 years ago | (#6674825)

Another article here [bbc.co.uk]

Virus (5, Funny)

Anonymous Coward | more than 11 years ago | (#6674827)

If this thing wouldn't keep crashing computers, it would be spreading like greased wildfire.

It is not easy, one stop! (5, Informative)

Eric Ass Raymond (662593) | more than 11 years ago | (#6674829)

The patch does not appear to work properly.

Read more on SecurityFocus' mailing list [securityfocus.com] .

RPC? (3, Informative)

Quasar1999 (520073) | more than 11 years ago | (#6674834)

Funny, a few days ago I had my XP system exhibit the same problem (after using windowsupdate)... but I checked the event log and it told me that 0x70/0x71 was accessed by the BIOS unexpectedly.

After doing a bit of research I discovered that at some point, Microsoft decided that ACPI needs to behave differently, and forced all BIOSes to be upgraded to work with XP. After getting a new version of my BIOS, the problem disappeared... but the symptoms were identical to what is described with this bug... Bad timing I guess... But if you have this problem, check the event log, it may be your now non-compliant BIOS, rather than an infection/attack.

Same here (0)

JMUChrisF (188300) | more than 11 years ago | (#6674837)

Our office got closed yesterday because of it. We got hit pretty badly.

Holy smokes this thing sucks (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#6674839)

I got it on two of my machines last night.

Both were win2k, and both were up-to-date on patches. The win2k patches from microsoft don't stop it. To protect your win2k system, you need to follow these instructions. [bbc.co.uk]

Good luck.

Re:Holy smokes this thing sucks (-1)

Anonymous Coward | more than 11 years ago | (#6674929)

Yes, I'm sure that humping a traffic cone will help enormously. Yawn.

In addition... (4, Informative)

OrthodonticJake (624565) | more than 11 years ago | (#6674840)

My friends and I discovered that turning on your windows firewall (Windows XP) also stops the shutdowns. (Wish I had known that BEFORE I formatted my computer) Unfortunately, I told my parents about this 'epidemic' of computer error (I heard about it from my cousin in Kansas before it happened to me, and then some friends here got it at the same time), and I'm sure that now whenever something is wrong with the computer my parents will get a big serious face and say "You know, it's probably an epidemic".

A sure fire method to solve this RPC exploit (0, Funny)

Dental Plan (631974) | more than 11 years ago | (#6674845)

not patching your Windows machine... that's a paddling!

not using a firewall... that's a paddling!

not using Linux as you should be... you better believe that's a paddling!

bit slowing your stuff down... (-1, Offtopic)

Yaa 101 (664725) | more than 11 years ago | (#6674849)

I downloaded and updated the patch, but it slowed my puter so much that i decided to take it off again and close the whole RPC service instead...

Risky business (2, Insightful)

Doesn't_Comment_Code (692510) | more than 11 years ago | (#6674852)

I had to patch several computers at work, and I noticed that the patch installer software says something at the beginning like,
"Back up all your hard drives, we are not responsible if this program breaks your entire computer. Do you Accept?"

Well in the middle of a virus scare, nobody has time to back up every machine in the office. So that really doesn't make me feel comfortable. So far, so good though. No broken computers as of yet.

But another scary thought that crossed my mind while installing the patch... What if those smooth criminals had gotten into the microsoft servers and put a virus into that patch installer? That would be a killer!

If you need to use Windows, you might as well use win98.

Re:Risky business (0)

Anonymous Coward | more than 11 years ago | (#6674961)

>If you need to use Windows, you might as well use win98.

win98 is vulnerable to DCOM attack. Not sure about this particular one... The reason win98 did not show up on the MS bulletin is that it is no longer supported. Same with NT workstation.

Quick manual removal on XP (0)

Information Minister (668823) | more than 11 years ago | (#6674859)

Had some PC's in the office constantly shutting down. To remove:

* Go into Task Mgr -> Processes and Kill msblast.exe processes.
* Remove "Windows Auto Update" item in HKLM\..\Run folder in the Registry.
* >attrib -r \windows\system32\msblast.exe
* >del \windows\system32\msblast.exe

That should be it. Remember to patch your Windows.

McAfee has a removal tool (0, Redundant)

modme2 (630194) | more than 11 years ago | (#6674860)

McAfee has a removal tool that works well and detects 28 other trojans/worms/virii too; if I remembered the name I'd let you know ;)

Nice touch. (3, Informative)

bbum (28021) | more than 11 years ago | (#6674862)

From Symantec's analysis:

If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on "windowsupdate.com."

With the current logic, the worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.


Maybe this will motivate Microsoft to actually deal with the gaping festering security holes in their OS? How many systems do you think will still be infected after the 15th?

Nahh....
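The trigger condition quoted above from Symantec's analysis, implemented as an added example (not code from the thread, from Symantec, or from the worm): "month is after August OR day of month is after the 15th". Enumerating the days it matches shows the Aug 16 to Dec 31 window the post describes, and also that the same test keeps matching from the 16th of every month in any later year, which the "until the end of the year" summary does not mention. The function names and date range are this example's own.

```python
from datetime import date, timedelta


def dos_active(d):
    """The DoS gate exactly as quoted: fire if the month is past August
    or the day of the month is past the 15th."""
    return d.month > 8 or d.day > 15


def active_days(start, end):
    """Every calendar day in [start, end] on which the gate is open."""
    days = []
    d = start
    while d <= end:
        if dos_active(d):
            days.append(d)
        d += timedelta(days=1)
    return days


def active_ranges(start, end):
    """Collapse the active days into contiguous (first, last) spans so the
    windows are readable at a glance."""
    ranges = []
    for d in active_days(start, end):
        if ranges and ranges[-1][1] + timedelta(days=1) == d:
            ranges[-1][1] = d          # extend the current span
        else:
            ranges.append([d, d])      # start a new span
    return [(a, b) for a, b in ranges]


if __name__ == "__main__":
    # From the day of this thread through the following February (chosen range).
    for first, last in active_ranges(date(2003, 8, 12), date(2004, 2, 29)):
        print(f"DoS window: {first} .. {last}")
```

Running it prints one span for Aug 16 through Dec 31, 2003, then a fresh span from the 16th of January 2004 and again from the 16th of February, so a machine still infected next year is not out of the woods just because the year rolled over.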

Re:Nice touch. (0, Redundant)

bbum (28021) | more than 11 years ago | (#6674886)

That title was intended to be sarcasm, by the way.

Re:Nice touch. (1)

JamesP (688957) | more than 11 years ago | (#6674897)

Especially if M$ "forgot" to path windows update servers...

Just my luck (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#6674863)

I was installing Windows XP on my boss's laptop, when the setup was finally over and I got into Win, that damn countdown pops up! Remember kids, first thing you do in Windows is enable the firewall :)

Link to the removal tool and patch:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

A little something they left out... (5, Informative)

EvilNight (11001) | more than 11 years ago | (#6674874)

If you want to stop the timer from fscking with you, simply set your clock back a few hours right after the timer appears. Any time you subtract from the clock is added to the timer. This will give you time to install the patches. We got lucky, this one is mostly harmless. This vulnerability was patched on March 26th, btw.

Re:A little something they left out... (4, Informative)

BrainInAJar (584756) | more than 11 years ago | (#6674918)

Turn off the timer.

Right click on my computer, go to manage, in the services & apps tab, go to services, right click Remote Procedure Call (RPC), properties. In the recovery tab, change all the things that say "restart the computer" to "take no action"

Slight change (0, Funny)

Anonymous Coward | more than 11 years ago | (#6674876)

Can anyone be so kind to take this worm (since I already patched my system) and change windowsupdate.com to something more interesting like

sco.com
riaa.org

Thank you

Windows Update slashdotted? (2, Informative)

chiph (523845) | more than 11 years ago | (#6674880)

Having trouble getting out to Windows Update. Looks like a lot of people are taking this one seriously.

Chip H.

its going to be a slow day on the net today.... (1)

dallask (320655) | more than 11 years ago | (#6674882)

This is just the thing that the hackers were waiting for, an open door into millions of computer systems. People haven't patched because they either don't know about it, or don't know how.

Maybe the next worm should drain their PayPal, eBay, e-gold, and bank accounts into an account in the Caymans... format their hard drive just for good measure and force people to open their eyes.

Are we Linux users? (1)

jmcnamera (519408) | more than 11 years ago | (#6674887)

Ok, this will get me modded as a troll for life...

but I'm surprised by all the posters so far who have this problem.

First, I thought we used Linux and BSD (or BSD and Linux).

Second, I thought /.'ers all kept up on patches. :-)

Re:Are we Linux users? (0)

Anonymous Coward | more than 11 years ago | (#6674949)

Second, I thought ./'ers all kept up on patches. :-)

It is /. not ./

Coincidence (2, Flamebait)

ctid (449118) | more than 11 years ago | (#6674888)

A few minutes ago (about 14:45 my time), I tried this:

grep "DPT=13[5-9]" messages | grep -c "Aug 12"
643

Then I tried this:

grep "DPT=13[5-9]" messages | grep -c "Aug 11"
643


So it took less than 15 hours to reach yesterday's 24-hour total. Doesn't look too good. I suspect that fixing this will prove to be way beyond the abilities of a huge proportion of home users of Windows. Anyone who says that "Linux isn't ready for your Grandma" or whatever, should be forced to do community service for a week fixing this crap.

Echoes (3, Informative)

saskwach (589702) | more than 11 years ago | (#6674893)

Why-oh-why can't people patch? Shouldn't broadband providers be sending emails to their clients with a link in them? You'd think every hotmail account would get a message saying "Plug that hole" from whoever it is that runs hotmail. Even the most clueless of windows users can click on a link and then click the "Yes" button. I can see my logs filling with failed attempts to bring down my machine already...

Removal Tool (1)

chamenos (541447) | more than 11 years ago | (#6674894)

Every time I try to execute the removal tool downloaded from Symantec, I get the stupid dialog box telling me the program has to shut down. What gives? I just kept trying until the log file showed that it'd managed to modify the registry before getting shut down, then I searched for all files with "msblast" in them and deleted them. Anything else I should do? (Can't install Linux cos this isn't my computer.)

Worm (2, Informative)

WesLsoN (696427) | more than 11 years ago | (#6674898)

I run an ISP in Virginia, it's nailing all of our Windows XP users.

Re:Worm (1)

azzy (86427) | more than 11 years ago | (#6674981)

Your ISP is nailing WinXP users? Deliberately? Cool!

ms blaster patch site (1)

ibmman85 (643041) | more than 11 years ago | (#6674902)

The site loaded for me last night but looks like it's being really slow right now... is Microsoft feeling the Slashdot effect??

Re:ms blaster patch site (1)

BrainInAJar (584756) | more than 11 years ago | (#6674954)

I think it's the tech support effect, not the slashdot effect. I work helldesk, and I know I personally referred 30 people to the fix last night, add that to the countless other helldesk agents that did the same

This thing hit our customers yesterday... (5, Funny)

Snarfangel (203258) | more than 11 years ago | (#6674904)

I work at an ISP, and over half of our tech support calls yesterday were because of this worm. You wouldn't believe the number of people who thought we were somehow going into their computer and not only kicking them off the internet, but rebooting their computers. (Yes, sir, the tech support staff feels horribly underworked today, so we thought we'd make things more exciting and pi** off a few customers in the process.) I hope they find the person involved and perform medical experiments on him.

RPC Exploit, not virus ? (1)

mge (120046) | more than 11 years ago | (#6674913)

This is not an email virus. It is an RPC exploit.

The virus comes through tcp ports 4444 and 135, UDP port 69. FWIW, win98 and earlier don't use the RPC 'feature'.
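Two posts in this thread do the same thing by hand: ctid greps an iptables log for DPT=13[5-9] per day to see the scan rate climb, and mge lists the ports the worm actually uses (tcp/135 for the RPC exploit, tcp/4444 for the shell, udp/69 for the TFTP fetch). The added example below is editorial code, not something posted in the thread, that parses iptables LOG lines once and answers both questions: the per-day and per-hour hit rate on 135-139, and which sources completed the full exploit chain against the logged host. The log lines are constructed for the example (field layout follows the iptables LOG target, with MAC=, LEN=, TTL= and similar fields trimmed); the host address 203.0.113.9, the interface ppp0 and every function name are assumptions of the example. It assumes the firewall logs outbound as well as inbound packets, otherwise the udp/69 stage is simply never seen.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, not from the original thread. 203.0.113.9 is the host behind gw.
SAMPLE_LOG = """\
Aug 11 08:02:11 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.9 PROTO=TCP SPT=3051 DPT=135 SYN
Aug 11 14:30:45 gw kernel: IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.9 PROTO=TCP SPT=1120 DPT=80 SYN
Aug 11 21:17:03 gw kernel: IN=ppp0 OUT= SRC=192.0.2.44 DST=203.0.113.9 PROTO=TCP SPT=4020 DPT=139 SYN
Aug 12 00:45:12 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.9 PROTO=TCP SPT=3077 DPT=135 SYN
Aug 12 00:45:13 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.9 PROTO=TCP SPT=3078 DPT=4444 SYN
Aug 12 00:45:14 gw kernel: IN= OUT=ppp0 SRC=203.0.113.9 DST=198.51.100.7 PROTO=UDP SPT=1030 DPT=69
Aug 12 07:10:55 gw kernel: IN=ppp0 OUT= SRC=192.0.2.9 DST=203.0.113.9 PROTO=TCP SPT=2210 DPT=135 SYN
Aug 12 07:11:02 gw kernel: IN=ppp0 OUT= SRC=192.0.2.10 DST=203.0.113.9 PROTO=TCP SPT=2211 DPT=135 SYN
Aug 12 14:40:00 gw kernel: IN=ppp0 OUT= SRC=198.51.100.200 DST=203.0.113.9 PROTO=TCP SPT=1999 DPT=135 SYN
"""

LINE_RE = re.compile(
    r"^(?P<day>[A-Z][a-z]{2} +\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: (?P<rest>.*)$")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")          # iptables LOG writes KEY=value pairs

NETBIOS_RPC_PORTS = set(range(135, 140))      # what the DPT=13[5-9] grep matched


def parse_line(line):
    """Return one parsed iptables LOG record, or None for lines that are not one
    (or carry no DPT, e.g. ICMP)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    return {
        "day": re.sub(r" +", " ", m.group("day")),   # "Aug  1" -> "Aug 1"
        "hour": int(m.group("time")[:2]),
        "inbound": bool(fields.get("IN")),           # IN= empty means a locally generated packet
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields.get("PROTO", "").lower(),
        "dpt": int(fields["DPT"]),
    }


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def daily_counts(records, ports=NETBIOS_RPC_PORTS):
    """Inbound hits on the given destination ports, per day (both greps in one pass)."""
    return Counter(r["day"] for r in records if r["inbound"] and r["dpt"] in ports)


def hits_per_hour(records, day, ports=NETBIOS_RPC_PORTS, in_progress=False):
    """Hit rate for a day. A finished day divides by 24; a day still in progress
    divides by the hours elapsed up to its last logged event, so today's partial
    count is comparable with yesterday's full one."""
    todays = [r for r in records if r["day"] == day]
    if not todays:
        return 0.0
    hours = (max(r["hour"] for r in todays) + 1) if in_progress else 24
    return sum(1 for r in todays if r["inbound"] and r["dpt"] in ports) / hours


def exploit_chains(records):
    """For every source that touched tcp/135, the Blaster stages it completed against
    us: tcp/135 (RPC exploit), tcp/4444 (shell), udp/69 outbound to it (our host
    fetching the worm over TFTP)."""
    stages = defaultdict(set)
    for r in records:
        if r["inbound"] and r["proto"] == "tcp" and r["dpt"] in (135, 4444):
            stages[r["src"]].add(f"tcp/{r['dpt']}")
        elif not r["inbound"] and r["proto"] == "udp" and r["dpt"] == 69:
            stages[r["dst"]].add("udp/69")
    return {src: st for src, st in stages.items() if "tcp/135" in st}


def likely_compromised_by(records):
    """Sources that got past the exploit to the shell stage. udp/69 on top of that
    means the worm binary was almost certainly pulled down."""
    return sorted(src for src, st in exploit_chains(records).items()
                  if {"tcp/135", "tcp/4444"} <= st)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    counts = daily_counts(recs)
    for day in sorted(counts):                 # string sort is fine within one month
        rate = hits_per_hour(recs, day, in_progress=(day == max(counts)))
        print(f"{day}: {counts[day]} hits on 135-139, {rate:.2f}/hour")
    for src, st in exploit_chains(recs).items():
        print(src, sorted(st))
    print("likely compromised by:", likely_compromised_by(recs))
```

On the sample, Aug 12 already has twice Aug 11's count in under 15 hours, and 198.51.100.7 shows all three stages, which is the signal to pull the box off the wire before patching rather than after. A plain SYN to 135 from the other sources is just the worm scanning and says nothing about whether the exploit landed.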

Re:RPC Exploit, not virus ? (1)

Tony Hoyle (11698) | more than 11 years ago | (#6674998)

It also spreads via an email virus.. Not a particularly smart one, though, and anyone who blocks executable attachments (isn't that everyone, now?) will never see it.

Here's a screenshot of the security hole (-1, Troll)

Anonymous Coward | more than 11 years ago | (#6674921)

Here [msn.com] it shows the hole and teh worme.

Just seen an ATM affected... (5, Funny)

mccalli (323026) | more than 11 years ago | (#6674922)

Seriously. If you fancy a laugh, and you're working in the City of London, then go to the Halifax ATM between Canon Street and Poultry.

Then try, really, really hard to stop laughing...

Cheers,
Ian

Surprised? Not me (1, Funny)

Anonymous Coward | more than 11 years ago | (#6674930)

Have fun patching, windows lusers. Maybe linux isn't ready for the desktop, but this goes to show that windows isn't ready for the Internet.

Getting Around.... (1)

InnovativeCX (538638) | more than 11 years ago | (#6674932)

I have to say...this worm is gettin around unlike any that I've seen before. Checking last night's firewall logs on my box at home I can see that I'm being scanned about twice a minute, though it tapered off a bit after midnight. Still, 517 port 135 scans between sunset and sunrise is a tad more than I'm used to.

I've had two or three people get ahold of me so far trying to remove it... Not too hard on 2k/XP machines. The shutdowns can be prevented by popping up Task Manager and killing msblast.exe's process, then removing "windows auto update" from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. After that, it's just a matter of deleting msblast.exe from %SYSTEMROOT% and tossing on the patch. Alternately, Symantec's removal tool is nice too.

Happy patching!

A good time to install OpenBSD (-1, Redundant)

Anonymous Coward | more than 11 years ago | (#6674933)

Yesterday I replaced WinXP Pro on my pc at work. Today I can taunt my colleagues who got hit by this worm.
All this, and a faster computer too. Life is good.

/s-o, enjoying the small things in life

on national television just a few minutes ago (2, Insightful)

Basje (26968) | more than 11 years ago | (#6674941)

RTL Z (national television, all day business news), the Netherlands, this afternoon:

It was said that if you valued security, Microsoft wasn't the best solution. You'd be better off with Apple or Linux.

This could very well be a (another) turning point for linux. Of course, by the time something like this happens to Linux, everybody is going to run the other way again, but it could give OS some inroads.

Win32 Blaster v2.0 (0)

trickofperspective (180714) | more than 11 years ago | (#6674942)

Still tries to bring down Windows Update, but now it gets Slashdot to do the dirty work for it!

-Trick

60 second timer (1)

MImeKillEr (445828) | more than 11 years ago | (#6674945)

Just set up a batchfile with the following:

shutdown /a

the /a switch throws the shutdown into Abort.

Of course, if you're getting hammered this isn't going to help much.

In Soviet Russia... (-1)

Yakov Smirnoff (631649) | more than 11 years ago | (#6674948)

...we patch our machines on time so we don't suffer from problems like this. The lax American attitude is entirely to blame for this outbreak. Education is the key, but American culture seems insistent on keeping computer terminology dumbed down to the point that the information isn't useful to anyone. People will never understand the terminology and how computers work until we start talking at the level necessary to convey the information.

insert switch ad here (1)

GirTheRobot (689378) | more than 11 years ago | (#6674960)

...seriously...when are people going to get it? Windows is swiss-cheese bloatware. What good is an easy-to-use system if it breaks all the time? I can't decide what is more stupid: not running a firewall, not installing your patches, or running windows in the first place. --"I've never paid for a copy of Windows. I switched to Linux because I felt I wasn't getting my money's worth"--

You got the wrong security bulletin (5, Informative)

daun3507 (116384) | more than 11 years ago | (#6674962)

While you should have the MS03-010 [microsoft.com] patch installed, it is the wrong one for this worm. Make sure you use MS03-026 [microsoft.com] . This is the patch that it links to in the removal tool [symantec.com] link.

Another useful tool (2)

snake_dad (311844) | more than 11 years ago | (#6674967)

Install now [google.com]

Dummy Steps if that Program Doesn't Work (0, Redundant)

JacobD (454288) | more than 11 years ago | (#6674974)

1. Ctrl + Alt + Delete on windows xp and kill the msblast.exe process.
2. Open Windows Explorer, go to the C:\Windows\System32 folder and delete the msblast.exe program.
3. Start > Run > Regedit. Hit Edit then Find and type in msblast and remove the key in your registry.
4. Reboot.
5. Install the patch (Why didn't you do this during the month before you were hit with this poorly coded POS?)
6. Virus scan. Free online virus scan at http://housecall.antivirus.com.

Real simple folks.

msft (0)

Anonymous Coward | more than 11 years ago | (#6674977)

amazingly, MSFT stock is still up on the day.

Masters of FUD (0, Redundant)

gregarican (694358) | more than 11 years ago | (#6674978)

It's ironic. SCO has to spend big dollars on high priced legal help to spread FUD. Microsoft simply has to hire cheap, fresh-out-of-college programmers to write lazy code that lacks input boundary checking :-)

CERT advisory notice.... (3, Informative)

JaJ_D (652372) | more than 11 years ago | (#6674982)

The Cert [cert.org] advisory can be found here [cert.org]

to disable the forced shutdowns...(XP) (5, Informative)

j0se_p0inter0 (631566) | more than 11 years ago | (#6674983)

Start\Settings\Control Panel - Administrative Tools. Services. right-click "Remote Procedure Call (RPC)" hit Properties. click the Recovery tab. set "First Failure", "Second Failure", and "Subsequent Failures" to "Take No Action". that will keep it from trying to reboot as you clean. good luck.

Oh Great (1)

|<amikaze (155975) | more than 11 years ago | (#6674986)

Looks like I'm going to have my work cut out for me today. I work in a computer repair shop, and every time stuff like this happens, it turns into a madhouse. Last time it happened was over Christmas time, with Yaha.

Bah.