BIG Security Alert From New Blaster Worm VIRUS!

Discussion in 'Safety valve' started by Oriphus, Aug 16, 2003.

  1. Oriphus

    Oriphus Senior member

    [bold]PSS Security Response Team Alert - New Worm: W32.Blaster.worm
    SEVERITY: CRITICAL[/bold]


    [bold]XP Download Patch: http://www.microsoft.com/downloads/...6C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

    Windows NT4.0 Patch: http://www.microsoft.com/downloads/...4E-217E-4FA7-BDBF-DF77A0B9303F&displaylang=en

    Windows 2000 Patch: http://www.microsoft.com/downloads/...46-F541-4C15-8C9F-220354449117&displaylang=en

    Windows 2003 Patch: http://www.microsoft.com/downloads/...-4061-9009-3A212458E92E&displaylang=en[/bold]


    DATE: Updated August 15, 2003 12:05 PDT

    [bold]PRODUCTS AFFECTED:[/bold] Windows XP, Windows 2000, Windows Server 2003, Windows NT 4.0 Server, Windows NT 4.0 Terminal Services Edition, Windows NT 4.0 Workstation

    [bold]Update:[/bold] Microsoft has released a tool that can be used to scan a network for the presence of systems which do not have the MS03-026 patch installed. More details on this tool are available in Microsoft Knowledge Base article 826369. This tool is designed for enterprise administrators who have had difficulties detecting systems in need of security patch MS03-026.

    [bold]The Worm
    WHAT IS IT?[/bold]

    The Microsoft Product Support Services Security Team is issuing this alert to inform customers about a new worm named W32.Blaster.Worm which is spreading in the wild. This virus is also known as: W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trendmicro), Win32.Posa.Worm (Computer Associates). Best practices, such as applying security patch MS03-026 should prevent infection from this worm.

    [bold]Date discovered: August 11, 2003. Customers who had previously applied the security patch MS03-026 are protected. To determine if the virus is present on your machine see the technical details below. [/bold]

    [bold]IMPACT OF ATTACK:[/bold]

    Spread through open RPC ports. Customer's machine gets re-booted or the file "msblast.exe" exists on customer's system.

    [bold]TECHNICAL DETAILS:[/bold]

    This worm scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability patched by MS03-026.

    Once the Exploit code is sent to a system, it downloads and executes the file MSBLAST.EXE from a remote system via TFTP. Once run, the worm creates the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill

    Symptoms of the virus: Some customers may not notice any symptoms at all. A typical symptom is the system is rebooting every few minutes without user input. Customers may also see:

    - Presence of unusual TFTP* files
    - Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory

    To detect this virus, search for msblast.exe in the WINDOWS SYSTEM32 directory or download the latest anti-virus software signature from your anti-virus vendor and scan your machine.

    For additional information on recovering from this attack please contact your preferred anti-virus vendor. Please note there are several variants of this worm, and the most up-to-date information on these variants can be found at your preferred anti-virus vendor's web site.

    [bold]RECOVERY: [/bold]

    Many Antivirus companies have written tools to remove the known exploit associated with this particular worm. To download the removal tool from your antivirus vendor follow the procedures outlined below.

    [bold]For Windows XP[/bold]

    1. Enable the built in firewall such as Internet Connection Firewall (ICF) in Windows XP: http://support.microsoft.com/?id=283673

    --From your Windows Start menu, run the Control Panel. In the Control Panel, double-click "Networking and Internet Connections", and then click "Network Connections".

    --Right-click the connection on which you would like to enable the firewall, and then click "Properties". The connection you choose should be the one that you use to get access to the Internet.

    --On the Advanced tab, click the box to select the option to “Protect my computer or network”. Now your Windows XP firewall is enabled. If you are running Windows 2000 or Windows NT 4.0, you should enable a 3rd Party firewall product.

    2. Download the MS03-026 security patch from Microsoft:

    Windows XP (32 bit) [NOTE: Most customers have this edition. If you are unsure, try this first.]

    [bold]Windows XP (64 bit)[/bold]


    3. Install or update your anti-virus signature software. Look below for direct links to Microsoft Virus Information Alliance (VIA) partners or contact your own anti-virus vendor's web site. You will also find direct links to anti-virus removal tools for this worm.

    [bold]For Windows 2000 systems:[/bold]

    Where Internet Connection Firewall (ICF) is not available, the following steps will help block the affected ports so that the system can be patched. These steps are based on a modified excerpt from the article HOW TO: Configure TCP/IP Filtering in Windows 2000. http://support.microsoft.com/?id=309798

    1. Configure TCP/IP security on Windows 2000:

    --Select "Network and Dial-up Connections" in the control panel.

    --Right-click the interface you use to access the Internet, and then click "Properties".

    --In the "Components checked are used by this connection" box, click "Internet Protocol (TCP/IP)", and then click "Properties".

    --In the Internet Protocol (TCP/IP) Properties dialog box, click "Advanced".

    --Click the "Options" tab.

    --Click "TCP/IP filtering", and then click "Properties".

    --Select the "Enable TCP/IP Filtering (All adapters)" check box.

    --There are three columns with the following labels:

    TCP Ports

    UDP Ports

    IP Protocols

    --In each column, you must select the "Permit Only" option.

    --Click OK.

    2. Download the MS03-026 security patch for Windows 2000 from Microsoft at: http://download.microsoft.com/downl...b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe

    3. Install or update your anti-virus signature software. Look below for direct links to Microsoft Virus Information Alliance (VIA) partners or contact your own anti-virus vendor's web site. You will also find direct links to anti-virus removal tools for this worm.

    For additional details on this worm from anti-virus software vendors participating in the Microsoft Virus Information Alliance (VIA) please visit the following links:

    Network Associates:
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547

    Trend Micro:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A

    Symantec:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

    Computer Associates:
    http://www3.ca.com/virusinfo/virus.aspx?ID=36265

    For more information on Microsoft’s Virus Information Alliance please visit this link:
    http://www.microsoft.com/technet/security/virus/via.asp

    For details on cleanup tools from anti-virus software vendors participating in the Microsoft Virus Information Alliance (VIA) please visit the following links:

    Network Associates:
    http://vil.nai.com/vil/stinger/

    Trend Micro:
    http://www.trendmicro.com/download/tsc.asp

    Symantec:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

    Computer Associates:
    http://www3.ca.com/solutions/collateral.asp?CT=27081&CID=48952

    If your anti-virus vendor is not a part of the Microsoft Virus Information Alliance(VIA), please visit their web site as most anti-virus vendors offer a cleanup tool for their customers.


    Please contact your Antivirus Vendor for additional details on this virus.


    [bold]PREVENTION:[/bold]

    Turn on Internet Connection Firewall (Windows XP or Windows Server 2003) or use a third party firewall to block TCP ports 135, 139, 445 and 593; UDP ports 135, 137, 138; also UDP 69 (TFTP) and TCP 4444 for remote command shell. To enable the Internet Connection Firewall in Windows: http://support.microsoft.com/?id=283673


    --In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.

    --Right-click the connection on which you would like to enable ICF, and then click Properties.

    --On the Advanced tab, click the box to select the option to Protect my computer or network.

    This worm utilizes a previously-announced vulnerability as part of its infection method. Because of this, customers must ensure that their computers are patched for the vulnerability that is identified in Microsoft Security Bulletin MS03-026. In order to assist customers, Microsoft has released a tool which can be used to scan a network for the presence of systems which have not had the MS03-026 patch installed. More details on this tool are available in Microsoft Knowledge Base article 826369.



    [bold]Installing Patch MS03-026 from Windows Update[/bold]
     
    Last edited: Aug 16, 2003
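The advisory above names the ports the worm uses (TCP 135 for the RPC scan, TCP 4444 for the command shell, UDP 69 for the TFTP fetch of msblast.exe) and recommends turning on the Internet Connection Firewall. The following is an added example, not part of the Microsoft alert or this thread: it reads ICF-style firewall log lines and picks out hosts that are scanning for TCP/135 and local hosts whose outbound traffic matches the infection chain. The field layout is assumed to be the XP Internet Connection Firewall log format, and the sample lines are constructed.

```python
# Triage Windows ICF (pfirewall.log) style lines for Blaster indicators.
# Added example, not part of the advisory. Field order is assumed to follow
# the XP Internet Connection Firewall log (assumption):
#   date time action protocol src-ip dst-ip src-port dst-port size tcpflags ...
from collections import defaultdict

RPC_PORT = 135        # TCP, DCOM RPC: the port the worm scans for
SHELL_PORT = 4444     # TCP, remote command shell opened after exploitation
TFTP_PORT = 69        # UDP, used to fetch msblast.exe from the attacking host
SCAN_THRESHOLD = 3    # distinct TCP/135 targets from one source = scanning


def parse_line(line):
    """Return (action, proto, src, dst, sport, dport) or None for headers/junk."""
    f = line.split()
    if line.startswith("#") or len(f) < 8:
        return None
    try:
        sport = None if f[6] == "-" else int(f[6])
        dport = None if f[7] == "-" else int(f[7])
    except ValueError:
        return None
    return f[2], f[3], f[4], f[5], sport, dport


def triage(lines, local_prefix):
    """Return {'scanners': set, 'infected': set} derived from the log lines."""
    rpc_targets = defaultdict(set)
    infected = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _action, proto, src, dst, _sport, dport = rec
        if proto == "TCP" and dport == RPC_PORT:
            rpc_targets[src].add(dst)   # one source, many targets = worm scanning
        if src.startswith(local_prefix) and (
                (proto == "TCP" and dport == SHELL_PORT)      # attacker stage
                or (proto == "UDP" and dport == TFTP_PORT)):  # victim fetch stage
            infected.add(src)
    scanners = {s for s, t in rpc_targets.items() if len(t) >= SCAN_THRESHOLD}
    infected |= {s for s in scanners if s.startswith(local_prefix)}
    return {"scanners": scanners, "infected": infected}


# Constructed sample lines, not a real capture
SAMPLE_LOG = """#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2003-08-16 10:12:33 DROP TCP 203.0.113.9 10.0.0.20 1052 135 48 S
2003-08-16 10:12:33 DROP TCP 203.0.113.9 10.0.0.21 1053 135 48 S
2003-08-16 10:12:34 DROP TCP 203.0.113.9 10.0.0.22 1054 135 48 S
2003-08-16 10:12:40 OPEN TCP 10.0.0.20 10.0.0.7 1099 80 0 -
2003-08-16 10:13:02 OPEN TCP 10.0.0.40 10.0.0.22 1201 4444 0 -
2003-08-16 10:13:03 OPEN UDP 10.0.0.31 203.0.113.50 1202 69 0 -
""".splitlines()
```

On the sample, `triage(SAMPLE_LOG, "10.0.0.")` reports 203.0.113.9 as a scanner and 10.0.0.31 and 10.0.0.40 as local hosts to pull off the network and clean.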
  2. Dela

    Dela Administrator Staff Member

    bit late on this one eh? ;-)
     
  3. Oriphus

    Oriphus Senior member

    Not too late - it was only updated by Microsoft yesterday. These are revised as far as I'm aware. It's for people who weren't aware of the problem. Also has a direct link to the download patches since the problem was associated with the update website as well. That way people can avoid the Microsoft website and still get the patch.
     
  4. Dela

    Dela Administrator Staff Member

    all u need is the RPC vulnerability patch and remove msblast.exe from your computer, clear prefetch and temp files and its gone for good, which is what i did and what i posted on monday :)
     
    Last edited: Aug 16, 2003
  5. Prisoner

    Prisoner Guest

    But this is spreading like crazy. All the computers in my lab were hit and my supervisor lost the use of his laptop today due to it. It is still a good post. Thanks Oriphus.

    Does this worm send e-mails to everyone in your list with odd system and personal files with .pif extension? That might be a competing virus that is also hitting us.
     
  6. darthnip

    darthnip Moderator Staff Member

    and yet even more fun!!!!

    W32.Welchia.Worm is a worm that exploits multiple vulnerabilities, including:

    - The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm specifically targets Windows XP machines using this exploit.
    - The WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80. The worm specifically targets machines running Microsoft IIS 5.0 using this exploit.

    W32.Welchia.Worm does the following:

    - Attempts to download the DCOM RPC patch from Microsoft's Windows Update Web site, install it, and then reboot the computer.
    - Checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic.
    - Attempts to remove W32.Blaster.Worm.

    Symantec Security Response has developed a removal tool to clean the infections of W32.Welchia.Worm.

    Also Known As: W32/Welchia.worm10240 [AhnLab], W32/Nachi.worm [McAfee], WORM_MSBLAST.D [Trend], Lovsan.D [F-Secure]

    Type: Worm
    Infection Length: 10,240 bytes
    Systems Affected: Windows 2000, Windows XP
    Systems Not Affected: Linux, Macintosh, OS/2, UNIX
    CVE References: CAN-2003-0109, CAN-2003-0352

    and here is the tool to remove it - http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

    Taken from the Symantec website
     
    Last edited: Aug 19, 2003
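The Symantec description quoted above notes that Welchia finds hosts by sending ICMP echo requests, so the visible symptom on the wire is one machine pinging many addresses in a short time. As an added example (not from Symantec or this thread), the detector below flags a source that pings at least four distinct hosts inside a ten-second sliding window. It assumes ICF-style firewall log lines in which the 14th field is the ICMP type; the sample lines are constructed.

```python
# Flag ICMP echo-request sweeps like the W32.Welchia host discovery described above.
# Added example, not from the Symantec write-up. Lines are assumed to follow the
# XP Internet Connection Firewall log layout (assumption), where the 14th field
# is the ICMP type; the sample below is constructed.
from collections import defaultdict, deque
from datetime import datetime

ECHO_REQUEST = 8        # ICMP type 8 = echo request (PING)
WINDOW_SECONDS = 10     # distinct targets are counted inside this sliding window
SWEEP_THRESHOLD = 4     # this many distinct targets in the window = sweep


def parse_icmp(line):
    """Return (timestamp, src, dst, icmp_type) for ICMP lines, else None."""
    f = line.split()
    if line.startswith("#") or len(f) < 14 or f[3] != "ICMP":
        return None
    try:
        ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        return ts, f[4], f[5], int(f[13])
    except ValueError:
        return None


def find_sweeps(lines):
    """Return {src: peak distinct targets} for sweeping sources; lines in time order."""
    recent = defaultdict(deque)   # src -> (timestamp, dst) pairs inside the window
    sweeps = {}
    for line in lines:
        rec = parse_icmp(line)
        if rec is None or rec[3] != ECHO_REQUEST:
            continue                  # echo replies and other ICMP types are noise here
        ts, src, dst, _ = rec
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()               # drop probes older than the window
        distinct = len({d for _, d in q})
        if distinct >= SWEEP_THRESHOLD:
            sweeps[src] = max(sweeps.get(src, 0), distinct)
    return sweeps


# Constructed sample: 10.0.0.7 sweeps five hosts in 3 s, 10.0.0.9 pings slowly
SAMPLE_LOG = """2003-08-18 09:00:01 DROP ICMP 10.0.0.7 10.0.0.1 - - 92 - - - - 8 0 -
2003-08-18 09:00:01 DROP ICMP 10.0.0.7 10.0.0.2 - - 92 - - - - 8 0 -
2003-08-18 09:00:02 DROP ICMP 10.0.0.7 10.0.0.3 - - 92 - - - - 8 0 -
2003-08-18 09:00:02 DROP ICMP 10.0.0.7 10.0.0.4 - - 92 - - - - 8 0 -
2003-08-18 09:00:03 DROP ICMP 10.0.0.7 10.0.0.5 - - 92 - - - - 8 0 -
2003-08-18 09:00:05 DROP ICMP 10.0.0.9 10.0.0.1 - - 92 - - - - 8 0 -
2003-08-18 09:00:35 DROP ICMP 10.0.0.9 10.0.0.2 - - 92 - - - - 8 0 -
2003-08-18 09:01:05 DROP ICMP 10.0.0.9 10.0.0.3 - - 92 - - - - 8 0 -
2003-08-18 09:01:36 DROP ICMP 10.0.0.1 10.0.0.7 - - 92 - - - - 0 0 -
""".splitlines()
```

On the sample, `find_sweeps(SAMPLE_LOG)` returns only 10.0.0.7 (five targets in the window); the slow pinger 10.0.0.9 and the echo reply from 10.0.0.1 are not flagged.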
  7. Prisoner

    Prisoner Guest

    Darthnip, did you copy that from www.norton.com? The file that they used here to remove the virus seemed to have another competing virus that now sends out network files to everyone in the e-mail list for University of Toronto. I now get all these messages from Harvard, telling me I have a virus. Just what you need: 100 messages from Harvard telling you that there is a virus on your network with the 100 messages I get from everyone in UofT with the virus attached. Such a pain.
     
  8. darthnip

    darthnip Moderator Staff Member

    yes that came from symantec, which is nortons. this W32.sobig or W32.Welchia hit my company pretty hard today. it's a damn shame too, they just got cleaned up from the msblast last week, then WHAMMO, this other one hits today hehe
     
  9. Oriphus

    Oriphus Senior member

    That's another nasty one. My computer kept shutting down for a period of about 5 mins today. No virus found though and I have the Blaster worm security update installed. It's stopped now though, strange all the same. Good post darthnip ;-)
     
  10. Dela

    Dela Administrator Staff Member

    sobig though is an email based worm right? therefore if u aren't stupid with what email u open, you are fine! lol
     
  11. Oriphus

    Oriphus Senior member

    Yeah, that's true. It's also good to know that you can open an email in hotmail and view its contents as long as you didn't download anything that was attached, and you can't be infected. I always wondered about those large emails with just a white screen when you opened them. Now I know it's still safe.
     
  12. Dela

    Dela Administrator Staff Member

    ah i reckon this will disappear just as fast as it spread!
     
  13. Oriphus

    Oriphus Senior member

    Yeah, they come and go, these viruses. There is always a security patch for them eventually. You would think someone with the talent to create these would be more constructive with their time.
     
  14. darthnip

    darthnip Moderator Staff Member

    hell it's probably the guys that work for nortons that make them so they can sell more software. (at least that's what i'd do)
     
  15. Oriphus

    Oriphus Senior member

    lol - never thought of that and you're probably right as well
     
  16. Dela

    Dela Administrator Staff Member

    Darthnip, you're not the only one who suggested that as a possibility, jnihil beat u to it ;-)
     
  17. Oriphus

    Oriphus Senior member

    A possible conspiracy here?? Reminds you of the so-called millennium bug which the government foolishly spent millions on LOL LOL
     
  18. Dela

    Dela Administrator Staff Member

    Oh yes, mass chaos and confusion cause someone forgot a couple of digits ;-)
     
  19. Oriphus

    Oriphus Senior member

    Yeah alleged confusion and hysteria. It was a set-up by Microsoft and the computer industry to make us and the government fork out money. I know people who spent £50 on getting their computers checked out lol - I didn't do a thing and oh yes, it worked fine. lol
     
  20. Dela

    Dela Administrator Staff Member

    Nah I reckon it was just something people used to get famous, what was that woman's name again?? u know the one with the 1980's hair style?
     