Virus Information
W32.Blaster.Worm (W32/Blaster-A worm, aka Lovsan, MSBlaster or Poza) - Virus Alert dated August 12, 2003
RPC/DCOM - Virus Alert dated August 4, 2003
W32.Blaster.Worm
In mid-July 2003, Microsoft issued a critical update for a security hole that left Windows systems open to attack over the network, and urged users to download and install the software update to "patch" the hole / vulnerability. Computers running Windows XP were among the systems that needed to be patched. Apparently, some people didn't get the message (or couldn't get the update to work).

A new computer virus/worm that takes advantage of this security hole is spreading rapidly around the world this week. The worm is known by several names, including "MS Blaster" and "Lovesan." This problem does not affect Mac, Linux or Unix systems.

This is no ordinary virus -- to prevent future re-infections, Windows XP users must also update their system software; removing the worm alone is not enough.
If your Windows XP machine gets infected, there are three steps to recovery:
1. Disable the virus (stop the running worm process).
2. Remove the virus from your system.
3. Patch the hole that allowed your system to become infected.
Complete instructions follow. Do all three in this order: a machine that is cleaned but not patched can be re-infected from the network right away.
To disable the virus:
1. Press these three keys all at once: CTRL+ALT+DEL. This opens the Windows Task Manager.
2. In the Task Manager window that appears, select the "Processes" tab.
3. In the list that appears, click on "msblast.exe".
4. Click on "End Process".
5. Exit or close that window.
To remove the virus:
1. Download the virus removal tool ("FixBlast.exe") from Symantec.
2. Double-click on the file name to launch "FixBlast.exe".
3. Follow the instructions to remove the virus.
To plug the hole in Windows XP:
1. Download the Critical Security Patch from Microsoft (Security Bulletin MS03-026; the file is "WindowsXP-KB823980-x86-ENU.exe"). The Microsoft links are listed under "Advisories and patches" at the bottom of this page.
2. Double-click on the file name to launch it.
3. Follow the instructions to update Windows XP.
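The three recovery steps above are done by hand in Task Manager and the registry. The script below is an added example (not code from the original page, Symantec or Microsoft) that checks the same two host-side indicators the alert names, a running "msblast.exe" process and a Run-key entry that restarts the worm at boot, from text captured on the suspect machine. The `tasklist` and `reg query` captures embedded in it are constructed sample data, and the Run-key value name is a placeholder because the alert does not state it.

```python
"""Host-side triage for the recovery steps above.

Added example; not code from the original page, Symantec or Microsoft.  It
checks the two indicators the alert gives for an infected Windows XP machine:
a running "msblast.exe" process and a registry entry that restarts the worm
at boot.  Input is plain text captured from the box (`tasklist` output and a
`reg query` of the Run key), so the analysis itself runs anywhere.  The
captures embedded here are constructed sample data, and the Run-key value
name is a placeholder because the alert does not state it.
"""
import re

WORM_FILE = "msblast.exe"  # file name given in the alert

# Constructed sample of `tasklist` output from an infected machine.
SAMPLE_TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
svchost.exe                  948 Console                 0      4,512 K
explorer.exe                1204 Console                 0     18,336 K
msblast.exe                 1480 Console                 0      2,140 K
"""

# Constructed sample of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`.
# "<placeholder-run-value>" stands in for the value name the worm actually used.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    <placeholder-run-value>    REG_SZ    msblast.exe
    ctfmon.exe                 REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

# One `reg query` value line: leading spaces, value name, type, data.
_REG_LINE = re.compile(r"^\s+(\S.*?)\s+(REG_\w+)\s+(.*)$")


def running_worm_pids(tasklist_text):
    """Return the PIDs of every process whose image name is msblast.exe
    (these are the ones to end in Task Manager)."""
    pids = []
    for line in tasklist_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == WORM_FILE and parts[1].isdigit():
            pids.append(int(parts[1]))
    return pids


def persistence_entries(reg_text):
    """Return (value name, data) for Run-key values whose data names the worm,
    regardless of what the value itself is called."""
    hits = []
    for line in reg_text.splitlines():
        m = _REG_LINE.match(line)
        if m and WORM_FILE in m.group(3).lower():
            hits.append((m.group(1), m.group(3)))
    return hits


def triage(tasklist_text, reg_text):
    """Combine both checks; 'infected' is True if either indicator is present."""
    pids = running_worm_pids(tasklist_text)
    persist = persistence_entries(reg_text)
    return {"running_pids": pids, "persistence": persist,
            "infected": bool(pids or persist)}


if __name__ == "__main__":
    result = triage(SAMPLE_TASKLIST, SAMPLE_RUN_KEY)
    print("running msblast.exe PIDs:", result["running_pids"])
    print("Run-key entries naming the worm:", result["persistence"])
    print("verdict:", "INFECTED - disable, remove, then patch" if result["infected"] else "clean")
```

Matching on the data rather than the value name is deliberate: the alert only says the registry is changed so the worm runs at restart, so the check should not depend on knowing what the entry is called.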
The W32/Blaster-A worm (also known as Lovsan, MSBlaster or Poza) contains a mocking message for Microsoft's chairman Bill Gates, and attempts to launch a denial of service attack on Microsoft's windowsupdate.com site, the very site where Microsoft distributes the security patches that protect against such vulnerabilities!
The worm contains a message for Microsoft's Bill Gates, which does not get displayed:
"I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!"
The Blaster worm does not spread via email, but distributes itself over the internet looking for vulnerable computers that have not been patched against a security hole first reported by Microsoft in mid-July. Because the Blaster worm doesn't spread by email, your email virus scanning services won't be able to detect this worm.
Apple Macintosh and Unix computer users are not affected by the Microsoft security vulnerability and are not at risk from the worm.
Which systems are affected?
Windows 95/98/Me and Windows NT/2000/XP are potentially affected. Apple-based workstations, Unix and other platforms (including PDAs and games consoles) cannot be infected with W32/Blaster-A.
If a W32/Blaster-A file is found on a computer, it was either placed there over the network by another infected computer, or it was executed locally.
How did my computer become infected?
W32/Blaster-A scans the internet and local networks looking for computers vulnerable to Microsoft's DCOM RPC security exploit (the hole described in Security Bulletin MS03-026). When it finds one, it causes the remote computer to use TFTP (Trivial File Transfer Protocol) to download a copy of the worm from the infecting machine. This is saved as msblast.exe in the Windows system folder, and the registry on that computer is changed so that the worm will be run again when the computer restarts.
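The infection path just described leaves a recognisable pattern in connection logs: one host probing many others on 135/tcp in a short burst, followed by a TFTP fetch (69/udp) from a probed host back to the prober. The script below is an added example, not code from the original page or any vendor, that looks for exactly that pattern. It reads a simplified, constructed log format ("date time proto src-ip:port -> dst-ip:port"); the sample lines, the 60-second window and the 10-target threshold are all constructed for this example and are not values from the alert.

```python
"""Network-side detection of the propagation pattern described above.

Added example; this is not code from the original page or from any vendor.
It reads connection-log lines in a simplified, constructed format
("<date> <time> <proto> <src-ip>:<src-port> -> <dst-ip>:<dst-port>") and flags:
  * sources that contact many distinct hosts on 135/tcp within a short window
    (the worm's scanning behaviour), and
  * hosts that then fetch over TFTP (69/udp) from such a scanner, which is the
    download step the alert describes.
The log lines below are constructed sample data; the window and threshold are
tuning choices for this example, not values taken from the alert.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_WINDOW = timedelta(seconds=60)  # how long a burst of 135/tcp probes may span
SCAN_THRESHOLD = 10                  # distinct targets in that window => scanner

# Constructed sample: 10.0.0.5 probes twelve hosts on 135/tcp in a few seconds,
# and one of them (10.0.1.7) then pulls a file over TFTP from 10.0.0.5.
# 10.0.0.9 makes ordinary repeated RPC calls to a single server and must not be
# flagged, nor must the unrelated TFTP transfer from 10.0.2.3 to 10.0.2.1.
SAMPLE_LOG = """\
2003-08-12 10:00:01 TCP 10.0.0.5:1031 -> 10.0.1.1:135
2003-08-12 10:00:02 TCP 10.0.0.5:1032 -> 10.0.1.2:135
2003-08-12 10:00:03 TCP 10.0.0.5:1033 -> 10.0.1.3:135
2003-08-12 10:00:04 TCP 10.0.0.5:1034 -> 10.0.1.4:135
2003-08-12 10:00:05 TCP 10.0.0.5:1035 -> 10.0.1.5:135
2003-08-12 10:00:06 TCP 10.0.0.5:1036 -> 10.0.1.6:135
2003-08-12 10:00:07 TCP 10.0.0.5:1037 -> 10.0.1.7:135
2003-08-12 10:00:08 TCP 10.0.0.5:1038 -> 10.0.1.8:135
2003-08-12 10:00:09 TCP 10.0.0.5:1039 -> 10.0.1.9:135
2003-08-12 10:00:10 TCP 10.0.0.5:1040 -> 10.0.1.10:135
2003-08-12 10:00:11 TCP 10.0.0.5:1041 -> 10.0.1.11:135
2003-08-12 10:00:12 TCP 10.0.0.5:1042 -> 10.0.1.12:135
2003-08-12 10:00:15 UDP 10.0.1.7:1050 -> 10.0.0.5:69
2003-08-12 10:01:00 TCP 10.0.0.9:1200 -> 10.0.1.1:135
2003-08-12 10:01:30 TCP 10.0.0.9:1201 -> 10.0.1.1:135
2003-08-12 10:02:00 UDP 10.0.2.3:2000 -> 10.0.2.1:69
"""


def parse_log(text):
    """Turn log lines into dicts with a datetime, protocol, endpoints and ports."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, proto, src, _, dst = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        events.append({"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
                       "proto": proto, "src": sip, "dst": dip,
                       "sport": int(sport), "dport": int(dport)})
    return events


def find_scanners(events):
    """Map each source that hit >= SCAN_THRESHOLD distinct hosts on 135/tcp
    inside SCAN_WINDOW to the number of distinct targets in that burst."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["proto"] == "TCP" and ev["dport"] == 135:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))
    scanners = {}
    for src, probes in by_src.items():
        probes.sort()
        for i, (start, _) in enumerate(probes):
            targets = {dst for ts, dst in probes[i:] if ts - start <= SCAN_WINDOW}
            if len(targets) >= SCAN_THRESHOLD:
                scanners[src] = len(targets)
                break
    return scanners


def find_tftp_victims(events, scanners):
    """Hosts that sent TFTP (69/udp) to a flagged scanner: the download step."""
    return sorted({ev["src"] for ev in events
                   if ev["proto"] == "UDP" and ev["dport"] == 69
                   and ev["dst"] in scanners})


def detect(text):
    """Run both checks over a log and report scanners and their likely victims."""
    events = parse_log(text)
    scanners = find_scanners(events)
    return {"scanners": scanners, "likely_infected": find_tftp_victims(events, scanners)}


if __name__ == "__main__":
    for key, value in detect(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Since the worm does not use email, this kind of border or internal firewall log review is the place to look for it; a host that appears in "likely_infected" has completed the download step and should go through the disable, remove and patch procedure above.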
Microsoft has published step-by-step instructions for home users on how to help protect their computers with critical updates.
RPC/DCOM
Detected: August 4, 2003
Platform: Windows
Description:
The RPC (remote procedure call) service crashes when a malformed packet is sent to an RPC enabled port. This crash affects DCOM (distributed component object model interface) listening on an RPC enabled port such as 135, 139, 445, 593, or any other specifically configured RPC port.
Microsoft provides a patch (see Security Bulletin MS03-026). This vulnerability is being abused by various exploit code and gives the attacker full local SYSTEM privileges on the affected machine.
In order to determine if your machine is vulnerable to this attack, you will need to verify that you have installed the required patch from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms03-026.asp
http://www.microsoft.com/security/security_bulletins/ms03-026.asp
Please note that patching after compromise does not disinfect: the patch closes the hole but does not remove a worm that is already on the machine. You will need to follow the steps in Appendix A in http://www.itap.purdue.edu/security/alert/index.cfm?AlertID=95
Advisories and patches:
http://www.microsoft.com/technet/security/bulletin/ms03-026.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;823980
http://www.microsoft.com/security/security_bulletins/ms03-026.asp
http://www.cert.org/advisories/CA-2003-19.html
http://xforce.iss.net/xforce/alerts/id/147
http://www.cert.org/advisories/CA-2003-20.html
Worm spreading:
http://xforce.iss.net/xforce/alerts/id/150
Scanning tool for RPC/DCOM (run this!):
http://www.eeye.com/html/Research/Tools/RPCDCOM.html
Reference:
http://www.nipc.gov/warnings/advisories/2003/Potential72403.htm
http://www.nipc.gov/warnings/advisories/2003/Potential7302003.htm
http://isc.sans.org/diary.html?date=2003-08-01
http://isc.sans.org/diary.html?date=2003-08-04
http://isc.sans.org/diary.html?date=2003-08-05
http://isc.sans.org/diary.html?date=2003-08-09
http://isc.sans.org/diary.html?date=2003-08-11