blakerwry
Storage? I am Storage!
OMG, somebody help these poor windowsupdateless people!
anybody else hear about this, merc, honold, tannin?
anybody else hear about this, merc, honold, tannin?
RPC shutdown HACK!!!!
- Thread starter blakerwry
- Start date
Mercutio
Fatwah on Western Digital
I've had four calls already today. In fact, I'm on the phone RIGHT NOW dealing with one. Talking on two phones (desk and cell) + typing is fun.
XP: You boot up, get an error about NT Authority and RPC services and then 30 seconds later, your machine shuts down. 2000 isn't quite that so obnoxious about it, but even though news of this hack has been nation front-page type stuff for what? Two weeks? I think a lot of people are getting hit.
One of my clients is on dialup and her laptop is the only machine she has. Even though the patch is pretty small I have no idea how she could get it installed under present conditions.
XP: You boot up, get an error about NT Authority and RPC services and then 30 seconds later, your machine shuts down. 2000 isn't quite that so obnoxious about it, but even though news of this hack has been nation front-page type stuff for what? Two weeks? I think a lot of people are getting hit.
One of my clients is on dialup and her laptop is the only machine she has. Even though the patch is pretty small I have no idea how she could get it installed under present conditions.
blakerwry
Storage? I am Storage!
disable the process msblast or msblaster.. goto windows update.. if they have XP enable the firewall...
i've taken 30 or so calls on it...
i've taken 30 or so calls on it...
CougTek
Hairy Aussie
????
What happened? Windows Update sent a screwed exec that shut down Remote Procedure Call or what?
I never use Auto update and I disable it on every machine I sell, so I don't know.
What happened? Windows Update sent a screwed exec that shut down Remote Procedure Call or what?
I never use Auto update and I disable it on every machine I sell, so I don't know.
Mercutio
Fatwah on Western Digital
CC'd from what I sent my coworkers:
The Blaster worm is the latest in a long line of obnoxious worms that attack basic services on Windows computers, specifically in this case the Remote Procedure Call (RPC) service used to allow networked computers to execute programs remotely on Windows PCs.
On Windows 2000 it's merely annoying. On XP it is truly evil. 60 seconds to reboot? Messages about RPC and NT authority? That's blaster.
MS Blast does NOT affect PCs behind a firewall (even the crummy one that comes with XP will stop this!) or most internet routers unless it is installed from a trojan horse (i.e. virus). It DOES affect PCs on dialup that are NOT behind a firewall. It does NOT affect PCs running 95, 98 or ME.
Fixing blaster on XP:
Step 1. As soon as the PC starts up, doubleclick on the system time and change the date to, oh, yesterday. Doing this keeps the computer from rebooting at the 60-second mark.
Step 2. Go to start > control panel > Administrative tools > Services.
Step 3. Find the Remote Procedure Call Service (not the locator service)
Step 4. Click on on the Recovery Tab. Change the Recovery options from "Restart the Computer" to something less obnoxious like "Take no Action".
At this point, you are no longer under a timer to use your PC.
Step 5. Do a "Find Files" for msblast.exe (I've heard it can also be named "blaster.exe"). Delete that file.
Step 6. Head to WindowsUpdate for a patch. The specific update is for MS03-026. It's 1.2MB, so it'll take a few minutes to download with a modem.
Antivirus: Visit Housecall for an online virus scan that will remove MSBlast. A reasonably nice, free firewall can be had at Kerio or from Zonelabs
The Blaster worm is the latest in a long line of obnoxious worms that attack basic services on Windows computers, specifically in this case the Remote Procedure Call (RPC) service used to allow networked computers to execute programs remotely on Windows PCs.
On Windows 2000 it's merely annoying. On XP it is truly evil. 60 seconds to reboot? Messages about RPC and NT authority? That's blaster.
MS Blast does NOT affect PCs behind a firewall (even the crummy one that comes with XP will stop this!) or most internet routers unless it is installed from a trojan horse (i.e. virus). It DOES affect PCs on dialup that are NOT behind a firewall. It does NOT affect PCs running 95, 98 or ME.
Fixing blaster on XP:
Step 1. As soon as the PC starts up, doubleclick on the system time and change the date to, oh, yesterday. Doing this keeps the computer from rebooting at the 60-second mark.
Step 2. Go to start > control panel > Administrative tools > Services.
Step 3. Find the Remote Procedure Call Service (not the locator service)
Step 4. Click on on the Recovery Tab. Change the Recovery options from "Restart the Computer" to something less obnoxious like "Take no Action".
At this point, you are no longer under a timer to use your PC.
Step 5. Do a "Find Files" for msblast.exe (I've heard it can also be named "blaster.exe"). Delete that file.
Step 6. Head to WindowsUpdate for a patch. The specific update is for MS03-026. It's 1.2MB, so it'll take a few minutes to download with a modem.
Antivirus: Visit Housecall for an online virus scan that will remove MSBlast. A reasonably nice, free firewall can be had at Kerio or from Zonelabs
zx
Learning Storage Performance
Ahhh....
We have this where I work. We're one of the first entreprises in Canada to have it. And man do we have troubles. Our network was crippeled.
It's a worm that uses a security flaw in RPC to copy itself on computers and to make the computers do weird stuff. The most common symptom is an automatic re-boot of the computer triggered by the windows "system" account. However, I also say many computers that simply refuse to boot, with svchost.exe crashing.
The worm spreaded to computers, but then to servers. It's main goal is to created traffic on the network to make it unusable. We had most of our routers not respond at one time today. We could not send e-mails to send warnings to branch offices. All entreprise applications could not be used.
It's very sad, because the patch was available mid-july. If we had deployed the patch we would not have this problem. There is no deployment procedures for those kind of patches in our organisation and we do not have a deployment system like SMS.
To fix the problem, you must :
1. Get the latest definitions for you anti-virus (symantec's 08/11/2003 definitions)
2. Clean the virus using symantec's tool (see link below)
3. Apply Microsoft's security patch (823980)
The patch alone will not rid the computer of the worm.
Microsoft Security Bulletin:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
Symantec Alert:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
Symantec tool to remove the worm :
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
Trend Micro security alert :
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
Free anti-virus software :
http://housecall.trendmicro.com/
We have this where I work. We're one of the first entreprises in Canada to have it. And man do we have troubles. Our network was crippeled.
It's a worm that uses a security flaw in RPC to copy itself on computers and to make the computers do weird stuff. The most common symptom is an automatic re-boot of the computer triggered by the windows "system" account. However, I also say many computers that simply refuse to boot, with svchost.exe crashing.
The worm spreaded to computers, but then to servers. It's main goal is to created traffic on the network to make it unusable. We had most of our routers not respond at one time today. We could not send e-mails to send warnings to branch offices. All entreprise applications could not be used.
It's very sad, because the patch was available mid-july. If we had deployed the patch we would not have this problem. There is no deployment procedures for those kind of patches in our organisation and we do not have a deployment system like SMS.
To fix the problem, you must :
1. Get the latest definitions for you anti-virus (symantec's 08/11/2003 definitions)
2. Clean the virus using symantec's tool (see link below)
3. Apply Microsoft's security patch (823980)
The patch alone will not rid the computer of the worm.
Microsoft Security Bulletin:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
Symantec Alert:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
Symantec tool to remove the worm :
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
Trend Micro security alert :
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
Free anti-virus software :
http://housecall.trendmicro.com/
Mercutio
Fatwah on Western Digital
zx, if you've got a domain controller or netware login, there's no excuse for not having the patch install itself from a login script.
Cripes. News about this security problem made CNN and stuff.
Cripes. News about this security problem made CNN and stuff.
zx
Learning Storage Performance
Mercutio said:
You can also unplug the computer from the network to prevent the auto shutdown...it's simpler but I don't know if it works all the time.
Also, I think that it's not all the computers that have problems (rebooting) that have the actual worm (msblast.exe). However, the computer that has that files send the RPC commands to shut down the computer.
Mercutio
Fatwah on Western Digital
It hits dialup users, too, so it can't always be that simple. I've had about 20 calls on it now... Also, doing this via phone support, telling someone to pull a plug on the back of a computer is a recipe for immense amounts of pain.
Deleting msblast.exe does seem to solve the immediate problem. Housecall can take care of the rest.
Deleting msblast.exe does seem to solve the immediate problem. Housecall can take care of the rest.
zx
Learning Storage Performance
Mercutio said:
I agree with you.
But we have about 44 domains all administered by different technicians. I don't have a major role where i work, because i'm a student and i'll be gone in two weeks. But I hope that those in charge of the IT infrastructure will find a way to deploy those patches.
Where I don't agree is with servers. You can't install the patch without rebooting the server. We have people working on those servers 24/7 so the best time to apply those patches is between 9 PM and 6AM. This requires overtime, and because of recent government budget cuts, the IT people can't do much overtime to apply the patches. I guess that for now, this decision did not save money...
The situation could have been prevented and I hope that they will find a way to deploy those patches. Because we knew about the problem and the patch...but no action was really taken to inform technicians in branch offices about the problem and about the patch.
Buck
Storage? I am Storage!
zx said:
Since I am a bit IT challenged, I must ask: Would it be possible to push the patch unattended during those hours and initiate a restart of the servers?
Mercutio
Fatwah on Western Digital
Yes.
zx
Learning Storage Performance
Buck said:
Push? You need System Update Services or SMS to "Push" patches (unattended install).
You need to login to run a login script, no? Many people are on vacation at this time of the year. For servers, some never get logged on. And some have many people log in them (windows terminal server), in that case the patch will re-install each time... I don't know if it's a viable solution, except if you use a script management utility like ScriptLogic. However, i'm not familiar with advanced scripting capacities of windows. I only use very basic scripting (map drives
).
Howell
Storage? I am Storage!
It's being called the lovsan worm.
On 2000, the problem is most evident when you receive program errors with svchost.exe.
On 2000, the problem is most evident when you receive program errors with svchost.exe.
zx
Learning Storage Performance
Still working on it this morning. We made headlines in the local newspaper . It's getting better though.
. It's getting better though.
Tea
Storage? I am Storage!
We do our best to talk people out of installing XP, so we have not had that many calls, and while we encourage corporates to use 2000, we also encourage them to use Smoothwalls, so all in all, it's relatively quiet for us.
Mind you, I'm saying relatively quiet - there are still plenty of people got infected.
Mind you, I'm saying relatively quiet - there are still plenty of people got infected.
blakerwry
Storage? I am Storage!
Tea, i tried to install smoothwall, but was unable to.. i then tried to install the linux router project and was also unable to... have you had any problems installing smoothwall to older machines (like 486 class machines?)
LRP w/ 2.2 refuses to boot, throwing a kernel panik error because it was compiled on a pentium.. LRP w/ 2.0 just hangs on boot...
Smoothwall 2.0 will not detect any of my several NICS in the machine and will not let me specify manually... perhaps I should try 1.0 and just get the patches...
LRP w/ 2.2 refuses to boot, throwing a kernel panik error because it was compiled on a pentium.. LRP w/ 2.0 just hangs on boot...
Smoothwall 2.0 will not detect any of my several NICS in the machine and will not let me specify manually... perhaps I should try 1.0 and just get the patches...
Pradeep
Storage? I am Storage!
Apparently 2003 Server won't shutdown, but it will infect other systems. And it'll still crawl under the network traffic.