Re: READ THIS if you have problems with your RPC service, svchost.exe or similar.

From: Jonathan Maltz [MS-MVP] (jmaltz_at_mvps.org)
Date: 08/12/03


Date: Mon, 11 Aug 2003 20:39:05 -0400


Great :-/

-- 
--Jonathan Maltz [Microsoft MVP - Windows Server]
http://www.imbored.biz - A Windows Server 2003 visual, step-by-step
tutorial site :-)
Only reply by newsgroup.  If I see an email I didn't ask for, it will be
deleted without reading.
"Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
wrote in message news:3F3834FF.F7A8FB9C@pacbell.net...
> We are on Yellow Alert....MSBLASTER worm - aka DCOM worm
> This RPC DCOM worm started spreading early afternoon EDT (evening UTC). At this
> point, it is spreading rapidly.
>
> Increase in port 135 activity:
> http://isc.sans.org/images/port135percent.png
>
>
> **********
> NOTE: PRELIMINARY. Do not base your incidents response solely on this writeup.
> **********
>
>
> Executive Summary:
>
> A worm has started spreading early afternoon EDT (evening UTC Time) and is
> expected to continue spreading rapidly. This worm exploits the Microsoft
> Windows DCOM RPC Vulnerability announced July 16, 2003. The SANS Institute, and
> Incidents.org recommends the following Action Items:
>
> * Close port 135/tcp (and if possible 135-139, 445 and 593)
> * Monitor TCP Port 4444 and UDP Port 69 (tftp) which are used by the worm for
> activity related to this worm.
> * Ensure that all available patches have been applied, especially the patches
> reported in Microsoft Security Bulletin MS03-026.
> * This bulletin is available at
> http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
> * Infected machines are recommended to be pulled from the network pending a
> complete rebuild of the system.
>
>
> Technical Details:
>
> Names and Aliases: W32.Blaster.Worm (symantec),W32/Lovsan.worm (McAfee),
> WORM_MSBLAST.A (Trend Micro),Win32.Posa.Worm (CA),Lovsan (F-secure),
> MSBLASTER,Win32.Poza.
>
>
> Infection sequence:
> 1. SOURCE sends packets to port 135 tcp with variation of dcom.c exploit to
> TARGET
> 2. this causes a remote shell on port 4444 at the TARGET
> 3. the SOURCE now sends the tftp get command to the TARGET, using the shell on
> port 4444,
> 4. the target will now connect to the tftp server at the SOURCE.
>
>
> The name of the binary is msblast.exe. It is packed with UPX and will self
> extract. The size of the binary is about 11kByte unpacked, and 6kBytes packed:
>
> MD5sum packed: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)
>
> So far we have found the following properties:
>
> - Scans sequentially for machines with open port 135, starting at a presumably
> random IP address
> - uses multiple TFTP servers to pull the binary
> - adds a registry key to start itself after reboot
>
>
> Name of registry key:
> SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update'
>
> Strings of interest:
>
> msblast.exe
> I just want to say LOVE YOU SAN!!
> billy gates why do you make this possible ? Stop making money and fix your
> software!!
> windowsupdate.com
> start %s
> tftp -i %s GET %s
> %d.%d.%d.%d
> %i.%i.%i.%i
> BILLY
> windows auto update
> SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
>
> Existing RPC DCOM snort signatures will detect this worm. The worm is based on
> dcom.c
>
>
>
>
> Once you are infected, we highly recommend a complete rebuild of the site. As
> there have been a number of irc bots using the exploit for a few weeks now, it
> is possible that your system was already infected with one of the prior
> exploits. Do not connect an unpatched machine to a network.
>
> The worm may launch a syn flood against windowsupdate.com on the 16th. It has
> the ability to infect Windows 2000 and XP.
>
> The worm uses the RPC DCOM vulnerability to propagate. Once it finds a vulnerable
> system, it will spawn a shell on port 4444 and use it to download the actual
> worm via tftp. The exploit itself is very close to 'dcom.c' and so far appears
> to use the "universal Win2k" offset only.
>
> Other References:
>
> http://www.cert.org/advisories/CA-2003-19.html
> http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
>
> https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf
> http://www3.ca.com/virusinfo/virus.aspx?ID=36265
> http://www.datafellows.com/v-descs/msblast.shtml
> http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547
> http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.html
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
> http://www.sophos.com/virusinfo/analyses/w32blastera.html
> http://xforce.iss.net/xforce/alerts/id/150
> http://vil.nai.com/vil/content/v_100547.htm
>
>
>
>
>
> "Jonathan Maltz [MS-MVP]" wrote:
>
> > Are you sure it's concentrating on DDoS'ing?
> >
> > It could just be like Slammer....generating so many requests that it creates
> > an "un-intended" DDoS
> >
> > *tear*
> >
> > --
> > --Jonathan Maltz [Microsoft MVP - Windows Server]
> > http://www.imbored.biz - A Windows Server 2003 visual, step-by-step
> > tutorial site :-)
> > Only reply by newsgroup.  If I see an email I didn't ask for, it will be
> > deleted without reading.
> >
> > "Robert Moir" <bofh@mvps.org> wrote in message
> > news:#w4plYFYDHA.2236@TK2MSFTNGP10.phx.gbl...
> > > Jonathan Maltz [MS-MVP] wrote:
> > > > So that's it?  A worm has been released?
> > >
> > > Yeah, there's a couple out now. One that seems to be concentrating on simply
> > > spreading and DDOSing systems and one that seems to be after control of
> > > people's systems.
> > >
> > > *sigh*
> > >
> > >
>
> --
> "Don't lose sight of security. Security is a state of being,
> not a state of budget. He with the most firewalls still does
> not win. Put down that honeypot and keep up to date on your
> patches. Demand better security from vendors and hold them
> responsible. Use what you have, and make sure you know how
> to use it properly and effectively."
> ~Rain Forest Puppy
> http://www.wiretrip.net/rfp/txt/evolution.txt
>
>
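As an added example (not part of the original post or the quoted SANS writeup): defender-side detection logic in Python that applies the writeup's indicators to constructed firewall log lines, flagging sources that probe 135/tcp on consecutive addresses and source/target pairs that complete the 135/tcp -> 4444/tcp -> tftp 69/udp chain. The log format, the addresses and the helper names are assumptions made for this example.

```python
from collections import defaultdict
from ipaddress import ip_address
# Constructed sample lines: "<time> <proto> <src_ip> <dst_ip> <dst_port>".
# 10.0.0.5 scans 10.0.1.1-4 on 135/tcp, opens the 4444/tcp shell on 10.0.1.4, and
# 10.0.1.4 then fetches the binary back from 10.0.0.5 over tftp (69/udp).
SAMPLE_LOG = """\
10:00:01 tcp 10.0.0.5 10.0.1.1 135
10:00:01 tcp 10.0.0.5 10.0.1.2 135
10:00:02 tcp 10.0.0.5 10.0.1.3 135
10:00:02 tcp 10.0.0.5 10.0.1.4 135
10:00:03 tcp 10.0.0.5 10.0.1.4 4444
10:00:04 udp 10.0.1.4 10.0.0.5 69
10:00:10 tcp 10.0.0.7 10.0.2.9 135
"""

def parse(log):
    """Yield (time, proto, src, dst, dport) tuples; malformed lines are skipped."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[4].isdigit():
            yield parts[0], parts[1], parts[2], parts[3], int(parts[4])

def sequential_135_scanners(events, min_run=3):
    """Sources that probed 135/tcp on at least min_run consecutive IP addresses."""
    targets = defaultdict(set)
    for _, proto, src, dst, port in events:
        if proto == "tcp" and port == 135:
            targets[src].add(int(ip_address(dst)))
    scanners = set()
    for src, ips in targets.items():
        ordered, run = sorted(ips), 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                scanners.add(src)
    return scanners

def infection_chains(events):
    """(source, target) pairs seen, in order: 135/tcp, 4444/tcp, then 69/udp back."""
    stage, chains = {}, []
    for _, proto, src, dst, port in events:
        if proto == "tcp" and port == 135:
            stage[(src, dst)] = max(stage.get((src, dst), 0), 1)
        elif proto == "tcp" and port == 4444 and stage.get((src, dst)) == 1:
            stage[(src, dst)] = 2
        elif proto == "udp" and port == 69 and stage.get((dst, src)) == 2:
            stage[(dst, src)] = 3
            chains.append((dst, src))
    return chains
```

A completed chain is a much stronger signal than port 135 traffic alone, which on a Windows network is routine RPC activity.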

