restart virus!!!



XyZspineZyX
08-12-2003, 06:35 PM
Anyone got this virus that shuts your computer down if you are connected to the internet? You get a 60 sec countdown due to RPC being terminated unexpectedly, then your comp shuts down. Phoned Microsoft tech support, they said half the country (UK) was infected! Solved it by installing the latest security patch from the website.

XyZspineZyX
08-12-2003, 06:54 PM
Please give the website...
BTW my friend had it yesterday... he got it out...

1mg to me and ur down :)

-='EverdarK<|>Tracer'=-

XyZspineZyX
08-12-2003, 06:54 PM
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

XyZspineZyX
08-12-2003, 06:57 PM
You need to remove the worm too.

The patch does NOT work on its own:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

This will remove it.

I tried the patch alone last night and things seemed Ok for a while........then boom!

XyZspineZyX
08-12-2003, 06:57 PM
One more, of MANY, reasons I am glad I still run Windows ME... this virus doesn't affect ME. I HATE the thought of having to run Windows XP when I get my new system in a few months.

Wiley

XyZspineZyX
08-12-2003, 07:24 PM
oh so it is a VIRUS.... Yup I have it!

XyZspineZyX
08-12-2003, 07:28 PM
http://www.wuaf.com/forums/viewtopic.php?t=228

__
Sharx (Online; WUAF_Sharx)

XyZspineZyX
08-12-2003, 07:31 PM
Yep, I had it, had it a week or so ago, didn't realize it was a virus, thought it was spyware gone bad, nothing happened for a while, then it acted up yesterday.


XyZspineZyX
08-12-2003, 07:35 PM
I had it happen once a week or two before this stuff started, didn't think much of it, no probs since

XyZspineZyX
08-12-2003, 07:41 PM
I had it two days and at first thought it was an older Windows glitch I suffered with last year. Then I saw this program called MSBlast running in my Task Manager. Soon it was shutting down my computer within seconds of booting up every time, using the Remote Procedure Call. I disabled it from my startup using MSCONFIG, then later removed the exe and the registry entry. I thought I had successfully installed the service pack which was supposed to prevent this, but apparently it didn't take.

XyZspineZyX
08-12-2003, 07:57 PM
All the computers at work had it this morning, and another computer out in the field had it, too.

Kind of scary, if you ask me.

I helped the guy with the remote computer get rid of it. At least, I think it's gone...

It was weird, though. When I went to Microsoft for the patch, with Windows Update, the damned error message showed up again, and shut the computer off before I could download it.

Is Microsoft's site fecked? Seems like it.

I got the fix tool from Symantec, and that seemed to work.

Like I said, still not sure it is thoroughly fixed...

Zip

BlitzPig_Zip

XyZspineZyX
08-12-2003, 08:27 PM
Downloaded the worm fix too, it was a bit like Mission Impossible trying to find the solution online before the timer ran out!

XyZspineZyX
08-12-2003, 09:09 PM
How did you guys get the virus? through email?

XyZspineZyX
08-12-2003, 10:02 PM
dragonhart38 wrote:
- How did you guys get the virus? through email?

dragonhart 38,

I just read an article about the virus. This is the scary part: it does not show up by email.

It is "self-propagating," in that it randomly contacts other IPs to give vulnerable computers the worm.

This sounds like an excellent reason to have a good firewall.

My computer did not get it, because I have Windows ME, and a good firewall. I am assuming a firewall would protect you from it.

Getting rid of the worm can be a real pain.

I had to boot into safe mode and run Norton Anti-virus to get rid of it. The infected computer was not allowed to connect to the internet by the ISP while infected, so I couldn't get the instructions from Symantec on how to get rid of it.

I never did get the patch from Microsoft, so it could show up again on that same computer.

I used the tool from Symantec to finish cleaning it off the computer I worked on. An entry in the Windows Registry must be deleted, and the fix tool from Symantec did that.

Zip



XyZspineZyX
08-12-2003, 10:08 PM
Are you susceptible if you are behind a NAT?

XyZspineZyX
08-12-2003, 10:09 PM
Three of my friends got it. Unluckily for my neighbor she was on 56K and downloading the patch in 60 seconds is impossible.

I burned her the patch on my CLEAN PC :) (I take pride in my computer) and removed the virus.

-=[CGDreamerX]=-

XyZspineZyX
08-12-2003, 10:14 PM
Hey, wait a sec, only UK is infected, or is it possible to get it in Eastern Europe??
Sounds scary to me....

"The show must go on..."
A 'good' landing is one from which you can walk away. A 'great' landing is one after which they can use the plane again

XyZspineZyX
08-12-2003, 10:15 PM
That's one nasty virus!
I had the HDD formatted, it was new and just in the machine.

So, when I proceeded to use the recovery CDs of the comp...at one moment I had the option to update the setup engine of the MS XP installer. Guess what, it was 20 secs.
The only time I had the laptop connected to the Internet...and guess again...got infected ;)

How the hell a comp with no OS!!! can get infected? Beats me.

I burned a copy of the antivir on the other machine, used the laptop without connecting it to the LAN and removed the sucker.

W32/Lovsan.worm...

XyZspineZyX
08-12-2003, 10:25 PM
Von_Zero wrote:
- Hey, wait a sec, only UK is infected, or is it possible
- to get it in Eastern Europe??
- Sounds scary to me....

We have that disgusting virus down here in Australia too, it seems to be affecting globally. :(


XyZspineZyX
08-12-2003, 10:29 PM
Von_Zero wrote:
- Hey, wait a sec, only UK is infected, or is it possible
- to get it in Eastern Europe??
- Sounds scary to me....

It's definitely not limited to the UK, as it's worming its way through the US (and many other locations, I'd imagine) right now. It's not an e-mail worm like so many others. If you've got TCP/UDP port 135 (and possibly others) open to the outside world, you're vulnerable. The patch for the associated vulnerability has been available from Microsoft for months now, but that doesn't mean everyone has downloaded it. Also, it's been shown that this patch is imperfect, in that patched systems are still vulnerable to a DoS attack on the affected ports. That's better than an arbitrary-code vulnerability in my book, though.


---
There are 10 kinds of people in this world: those who can count in binary, and those who can't.
(If I knew who said that first, I'd give credit here.)

HL callsign: Ctrl_Eeee, the guy you just shot down

XyZspineZyX
08-12-2003, 10:38 PM
I'm Fuc*ed!!!!
I have to wait for three hours to download this 1.1 patch and now I'm out and opened for three hours???
That means that online playing is a death trap??


XyZspineZyX
08-12-2003, 10:45 PM
The virus will attack 80% win xp and 20% win 2000.


XyZspineZyX
08-12-2003, 10:52 PM
It's not a virus but a vulnerability in the Remote Procedure Call. Was happening to me all day yesterday. Right up to date with my virus definitions. Windowsupdate will fix it...

It's the critical update which reads as follows...

A security issue has been identified that could allow an attacker to cause a computer running Microsoft Windows to fail. An attacker would need the ability to connect to a process on the computer. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer

If you click 'more info' for this fix it mentions a vulnerability in RPC (Remote Procedure Call) which is what is shutting people down...

You don't have a virus, the same way you don't have a virus when you get those CR*P messenger popups...

Just another hole in Windows security, update and you will be all right...

Might take you a while though because when I was updating windows kept shutting down, luckily the updates are cached so when you reconnect it will continue where you left off...

Oh and BTW, the instant your updates are downloaded and they start installing, disconnect from the net or you will get shutdown...

You are only vulnerable while you are connected to the net without this fix.

Not a virus just another hole in Windows XP (Swiss Cheese Edition).

Message Edited on 08/12/03 11:00PM by Scragbat

XyZspineZyX
08-12-2003, 11:00 PM
Scragbat wrote:
- It's not a virus but a vulnerability in the Remote
- Procedure Call.

Nope, it's both. It's a worm that takes advantage of the RPC DCOM vulnerability. The vulnerability has been known about for months, and some piece of filth has finally written a worm to exploit it. If you've been paying attention and have patched the vulnerability already, you're not susceptible to the worm.



XyZspineZyX
08-12-2003, 11:02 PM
OK, I haven't got the virus. So should I download anything?

47|FC

XyZspineZyX
08-12-2003, 11:09 PM
Oh OK, if you say so...

Norton and AVG both up to date and said no viruses or worms on my system. Did the fix and still say no viruses.
Are you saying that without the patch to fix the vulnerability in RPC the worm will install itself remotely? Is it so new that Norton and AVG can't spot it?

I keep up to date all the time with my definitions and when I saw RPC was shutting me down I immediately thought it was a hole in Windows security...

Whatever...
I'm safe for now...


DrDave242 wrote:
- Scragbat wrote:
-- It's not a virus but a vulnerability in the Remote
-- Procedure Call.
-
- Nope, it's both. It's a worm that takes advantage
- of the RPC DCOM vulnerability. The vulnerability
- has been known about for months, and some piece of
- filth has finally written a worm to exploit it. If
- you've been paying attention and have patched the
- vulnerability already, you're not susceptible to the
- worm.

XyZspineZyX
08-12-2003, 11:14 PM
Scragbat wrote:
- Norton and AVG both up to date and said no viruses
- or worms on my system. Did the fix and still say no
- viruses.

You're clean, then. Norton's latest signatures will spot this one. It wouldn't hurt to drop by the Windows Update site, though, just to be sure you're patched against everything that's now known (if you can get through).

- I keep up to date all the time with my definitions
- and when I saw RPC was shutting me down I
- immediately thought it was a hole in Windows
- security...

Well, it is. It's just that the W32.Blaster worm takes advantage of this hole.



XyZspineZyX
08-12-2003, 11:22 PM
And lots of people thought I was crazy for sticking with Win98SE. Now I have the last laugh, I can't get that stupid virus/worm. Plus it plays FB really great!!. My frames are as good as people who have FB on comparable speed machines.

XyZspineZyX
08-12-2003, 11:23 PM
Thnx DrDave242,

You know more about it than I do.
I just know that I had a day off from work yesterday and was looking forward to a lovely evening in with my PC and FB and some knob cheese decided to rain on my parade!
Wasted the whole evening and a good part of the early hours of the morning to get it fixed!

You would not believe how long it took me to get all the critical updates in for XP (I wasn't even sure it would fix it). I would get so far then BAM! You are shutting down in 60 seconds. WHAT!?!?!?!

This sounds like it is at a global scale and will no doubt hit international news. Hope they get the spotty **** with no life who thought this would be so funny!

Regards
Scrag

DrDave242 wrote:
- Scragbat wrote:
-- Norton and AVG both up to date and said no viruses
-- or worms on my system. Did the fix and still say no
-- viruses.
-
- You're clean, then. Norton's latest signatures will
- spot this one. It wouldn't hurt to drop by the
- Windows Update site, though, just to be sure you're
- patched against everything that's now known (if you
- can get through).
-
-- I keep up to date all the time with my definitions
-- and when I saw RPC was shutting me down I
-- immediately thought it was a hole in Windows
-- security...
-
- Well, it is. It's just that the W32.Blaster worm
- takes advantage of this hole.

XyZspineZyX
08-12-2003, 11:27 PM
You're not the only one!!!!
Four weeks ago I was one step far from buying XP pro, but now I'm full of joy!!!
Anyway, I still enabled my firewall, and I'm gonna make that Symantec test, just to be sure...


XyZspineZyX
08-12-2003, 11:31 PM
Just my AVG told me I got lovan something...I'm gonna delete the thing...I'm tired of the internet :( you will only get hacked and/or get a virus/worm...

Boos16
249th
RSO

XyZspineZyX
08-12-2003, 11:32 PM
I got it since yesterday here in the US...I'm glad you guys told me this was a virus, I've been accusing my wife of clickin' around in the computer again.. :)

Airmikey



fluke39
08-12-2003, 11:37 PM
Scragbat wrote:
- Thnx DrDave242,
-
- You would not believe how long it took me to get all
- the critical updates in for XP (I wasn't even sure
- it would fix it). I would get so far then BAM! You
- are shutting down in 60 seconds. WHAT!?!?!?!
-


If anyone else is having problems DL'ing the wormfix and Windows update - I managed to get sufficient time to DL this by opening the Task Manager and ending the offending process, msblast.exe. Although it didn't stop it, it definitely gave me extra time on the net.


unfortunately this information is about 30 posts down the thread and will probably reach no one who needs it


XyZspineZyX
08-13-2003, 12:02 AM
Yep, definitely both, DrDave,

Virus and Security hole.

My firewall kept reporting that the Trivial File transfer protocol "tftp.exe" was attempting to access the network. I'm guessing this was the door for the virus to come in through?? Without a firewall you wouldn't even know there was a file transfer being initiated and wouldn't be able to stop it.

I managed to stop that.

Didn't stop the command to RPC to shut down though. Just glad it stopped the virus.

JerseyD
08-13-2003, 12:17 AM
My good ole 98SE is running smooth as butter ;)


XyZspineZyX
08-13-2003, 12:32 AM
maybe this should be made sticky? or is the worst over by now? imagine if the 60 second warning came up when your download was an estimated 61 seconds from completion

XyZspineZyX
08-13-2003, 12:34 AM
Spent the entire day sorting out people's PCs with this exploit.

Here's our fix:

1. Remove the infected machine from the network.

2. Download the relevant patch to floppy or other removable media
(each patch is small enough to fit on one) from:

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

3. Download Stinger (virus removal tool) from:

http://vil.nai.com/vil/stinger

4. Use Stinger to clean the machine OFF the network.

5. Patch machine from floppy or other removable media.

6. Put machine back on network and make sure you install
the latest DAT files (4284) AND run Windows Update.

7. Check antivirus update settings! (and scanning of compressed files)

All very well if you can d/l the patch on another non infected PC :-)

Mad



Cpt-Madcowz
Comsa (http://www.comsa.co.uk)



"When the hunter comes, the tiger runs with the deer."

XyZspineZyX
08-13-2003, 01:03 AM
It took me 3 hours last night to remove the critter from my gaming box. It is an amazing WORM. According to Symantec/Norton Win98 and WinMe are also vulnerable. So be careful out there and run that virus scanner. I am not even going near my computer tonight forget it....I got a belly full last night will download the patch tomorrow. I am going to be a human being tonight.


Happy hunting and check six!

Tony Ascaso, RN

XyZspineZyX
08-13-2003, 01:03 AM
The way I completely got rid of it was to use Symantec's worm removal program, downloadable free from their site

http://securityresponse.symantec.com/avcenter/FixBlast.exe

XyZspineZyX
08-13-2003, 01:13 AM
OberstWiley wrote:
- One more, of MANY, reasons I am glad i still run
- Windows ME... this virus doesn't affect ME. I HATE
- the thought of having to run Windows XP when I get
- my new system in a few months.

I am in the same boat as you. Building a system and still contemplating whether to run XP on it or not... :(

w*v

XyZspineZyX
08-13-2003, 01:18 AM
JerseyD wrote:
- My good ole 98SE is running smooth as butter
I'll second that ;)


XyZspineZyX
08-13-2003, 01:21 PM
I'm bumping this as this thread is likely to be useful to some :)


(it was for me last night- all clean now, I think)

XyZspineZyX
08-13-2003, 09:27 PM
bump

XyZspineZyX
08-13-2003, 10:16 PM
It's easy to tell if your computer is infected:
Ctrl+Alt+Del to bring up Task Manager - look for msblast.exe in the process list
If you see it, left click on it and End Process
Then run Regedit and search for msblast - if you find msblast.exe delete the registry entry
Then search for the file msblast on your hard disk - if you find msblast.exe delete it

Reboot and look at Task Manager again
Second time through Regedit will show an entry for msblast - this is the file search you did before - there should be no msblast.exe
Search for the msblast file again - you should come up empty.

Found it this morning on my 2000 laptop - it missed my XP game machine...

:(
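
The checks in the post above, as an added example that is not part of the original thread: a Python triage over saved `tasklist /FO CSV /NH` and `reg query <key> /s` output that keeps the leftover "msblast" search term from being counted as an infection. The Run key location, the value name `ExampleStartupValue`, the search-history key, the file path and all sample data are constructed assumptions; the thread itself names only `msblast.exe`.

```python
import csv
import io
import ntpath

INDICATOR = "msblast.exe"  # process/file name reported in the thread
STEM = "msblast"           # the term the post says to search for


def running_pids(tasklist_csv):
    """PIDs of msblast.exe in saved `tasklist /FO CSV /NH` output."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return [int(r[1]) for r in rows if len(r) > 1 and r[0].lower() == INDICATOR]


def registry_hits(reg_text):
    """Sort `reg query <key> /s` values mentioning msblast into two lists:
    values whose data names msblast.exe (something still launches it) and
    values holding only the bare search term (file-search residue)."""
    key, launch, residue = None, [], []
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        parts = line.strip().split("    ", 2)  # value name, type, data
        if len(parts) != 3 or STEM not in parts[2].lower():
            continue
        tokens = [ntpath.basename(t.strip('"')).lower() for t in parts[2].split()]
        (launch if INDICATOR in tokens else residue).append((key, parts[0], parts[2]))
    return launch, residue


def triage(tasklist_csv, reg_text, file_paths):
    """Combine the three checks; search residue alone does not mean infected."""
    pids = running_pids(tasklist_csv)
    launch, residue = registry_hits(reg_text)
    files = [p for p in file_paths if ntpath.basename(p).lower() == INDICATOR]
    return {"infected": bool(pids or launch or files), "pids": pids,
            "launch_entries": launch, "search_residue": residue, "files": files}


# Constructed sample data: first pass on an infected machine.
TASKS_BEFORE = '''"explorer.exe","1420","Console","0","18,204 K"
"msblast.exe","1836","Console","0","6,128 K"
'''
REG_BEFORE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleStartupValue    REG_SZ    msblast.exe
"""
FILES_BEFORE = [r"C:\WINDOWS\system32\msblast.exe"]

# Constructed sample data: second pass after cleanup and reboot.
TASKS_AFTER = '"explorer.exe","1388","Console","0","17,950 K"\n'
REG_AFTER = r"""
HKEY_CURRENT_USER\Software\ExampleVendor\SearchHistory
    000    REG_SZ    msblast
"""
FILES_AFTER = []

if __name__ == "__main__":
    print(triage(TASKS_BEFORE, REG_BEFORE, FILES_BEFORE))
    print(triage(TASKS_AFTER, REG_AFTER, FILES_AFTER))
```
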

XyZspineZyX
08-13-2003, 10:16 PM
duplicate


Message Edited on 08/13/03 02:17PM by Bun-Bun1953