Anyone else been getting hit by this RPC worm? I got hit by it last night, and at least 3 other GS people I know were saying it was giving them shit today too.

I just hooked my router/firewall back up and updated my Windows critical update thing and that fixed it for me, but the others are still having problems. Neither were behind a firewall so they DL'd Zone Alarm and one went out and bought a router/firewall. His stopped shutting his PC down but he's been getting major lag ever since, and I dunno what happened with the other guy.

What happens is out of nowhere a box will pop up with a 1 minute countdown timer before the system restarts. It looks like this...

Putting my firewall back up fixed it for me, but I don't know why it didn't help these other people and I'm not much of a tech person, so maybe someone here can shed some light on it? Wondering if it's some loser from GS doing it or just some nationwide mass hack convention going on with a bunch of bored nerds.

nationwide, i got it too, i don't play gs anymore

No worm here. One guess.

heres what you do, once your comp starts up quickly go to start>settings>control panel>administrative tools>services
once your there scroll down to Remote Procedure Call (RPC)
double click on it and go to the "Recovery" Tab under
first failure/2nd failure/subsequent failures select "Take No Action"

now it wont restart anymore.
then simply go to

http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

and download the fix then run it.

apparently theres a virus going around and it doesn't go away even if you reformat : its called MSBlast .

edit: fixed way too many typo's

[Edited on 8-12-2003 by Red Devil]

Oh man, I thought my computer was just going insane again. Nice to know it wasn't just me.

First, I thought it was just some random thing, happened last night. Then it happened this morning after like an hour. Then it started happening 3 minutes after I logged on. I finally gave up and reformatted my computer after like 2 hours of trying to figure out what the hell was going on. That didn't work, so I installed an AOL trial disc to see if maybe my internet provider was the culprit. Using AOL stopped the constant shutdowns.

When formatting your hard drive, do so using a boot disk.

If your hard drive has a virus on it, formatting without a boot disk leaves the virus on the hard drive. It happens because the virus attaches itself to the boot sector of the hard drive, so when you turn on your computer and boot from your hard drive, the virus boots with it and hides itself in RAM. Then once you're done formatting, the virus places itself back into a file and starts corrupting data again.

By formatting from a boot-disk, the virus doesn't get a chance to load and so you're safe.

BTW, methais ditch kazaa and get Imesh lite

One of my friends mentioned a problem with NT Authority... perhaps she caught this virus as well.

I'll point this out to her.

I thought this was just a thing you caught from, ah. Comcast cable... or is it not?

Are people getting it from kazaa?

it's a loophole in microsoft... people are getting it from everywhere i believe

I looked on microsoft.com... apparently only certain versions of Windows are affected, and mine (Being Windows ME, which is unstable enough, and doesn't need a worm to kill it) isn't supposedly effected.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

I thought only XP versions use RPC, could be wrong though.

<<heres what you do, once your comp starts up quickly go to start>settings>control panel>administrative tools>services
once your there scroll down to Remote Procedure Call (RPC)
double click on it and go to the "Recovery" Tab under
first failure/2nd failure/subsequent failures select "Take No Action">>

A friend of mine (Solkern) did that yesterday and he said he lost like everything on his hard drive just about. Is that expected to happen or did he just fuck it up somehow?

<<BTW, methais ditch kazaa and get Imesh lite>>

What's that?

ok, here is how to remove the virus from your system. First, ctrl-alt-del and go to the processes tab. Find msblast.exe and end it (this will stop the shut downs.) Now, click start, then run, and run regedit. Click on Edit, Find, and search for msblast. 1 file should come up, delete it. Now close regedit, and go to windows\system32 file, and delete msblast. Once this is finished, DOWNLOAD that update.

msblast is one of the best spreading viruses I've ever seen. The problem with it is, it don't need to be downloaded, or e-mailed to you..If you connect to your ISP, and its infected, your now infected, unless you have the windows update installed. I atempted to contact a GM last night in GS about it (since we connect to their server) but they seemed to not be concered.

-Adredrin, cleaning computers all day. Ugh.

[Edited on 8-12-2003 by LordAdredrin]

RedDevil, thanks. My laptop was about to be thrown off my balcony.

Oh, and to those who are just installing a firewall, please remove the virus anyways! In about 3 days, the virus is going to start doing an major Denial of Service attack, using your computer, and your ISP on microsoft.com (which not only stops others from getting the update, but also causes you to get into trouble.) Also, the firewall won't stop the attack, as most firewalls only stop incomming, not outgoing.

-Adredrin

Welp. Heres my problem, Using my friends computer to get access to the web. since my computer doesnt allow me too at this time due to the virus or something i currently have the RPC worm, I can't access the web, to downlaod the patch, I've done the Msblast thing listed above, the take no action thru adminstraive tools, I've gotten a firewall, Yet my computer is still messed up, was quite fine a few days ago, I can't do anything, I cant access any websites, so I can't get the patch, Nor can I have it sent via AIM connect due to the fact my AIM disconnects every 3 mins, and my AOL shuts down every 3 mins. I've lost ALOT of data, pretty much everything on my computer somehow, I'm running WIndows XP...So theres one problems...So if anyone wants to give me some help please do so

[Edited on 8-12-2003 by Solkern]

Solkern, I posted above the exact steps to remove the virus, if you can pull it off before the computer restarts, it should at least fix the shut down problem.

-Adredrin

All that happens is my computer freezes..dunno what the fuck is wrong, but my computer is going out the window pretty soon

Is this where it shuts down your computer by the NT/Authority or whatever it is. MY computer did it twice, and then I loaded zone alarm and nothing has happened since, I have even run it a few times without zone alarm and it didn't happen again. Although it did hit my roomates computer last night, and the three of us are all connected to the same router. I am on wireless though, does that make a difference? and even though it hasn't happened to me in about a week, should I still try and fix it, or am i in the clear?:flamed:

Originally posted by Carl Spackler
Is this where it shuts down your computer by the NT/Authority or whatever it is. MY computer did it twice, and then I loaded zone alarm and nothing has happened since, I have even run it a few times without zone alarm and it didn't happen again. Although it did hit my roomates computer last night, and the three of us are all connected to the same router. I am on wireless though, does that make a difference? and even though it hasn't happened to me in about a week, should I still try and fix it, or am i in the clear?:flamed:

Thing is, this RPC/msblast virus is brand new..it came out, and hit last night. Its not in any virus scanners yet. So it sounds like your error is/was a fluke error. As for your roomie and your network, you need to remove all your computers from the network, do the steps I posted on all of them (even just to check if the files are NOT there) then reconnect the network and get that update patch asap. What people are not understanding, is just cleaning off your computer does not solve the problem. This is a server virus.

To give you all an example. My girlfriend lives in Aussieland. She woke up, booted up her computer, and logged into her ISP. Unknown to her, her ISP was infected with msblast. As soon as she logged into the ISP, the virus checked her system, saw that she was not protected, and sent itself to her. Once taking affect, her system kept shutting down. She called me, and I took her through the steps to remove it. Then she connected to her ISP again, and got the bloody virus again. So she shut down, called her ISP, informed them of the problem, and told them how to fix it. They took the steps, removed the virus from their server, and then set it back up. She removed the virus from her system again, and then logged onto her ISP, again. The problem was, someone else who logged on and got the virus from the server did not know what was going on. Their computer shut down, then they restarted and reconneced to the ISP, sending the virus BACK to the ISP and BACK to my girlfriend. Its a hugely NASTY virus that can only be stopped one way..you must download and use that windows update.

-Adredrin

See we don't have a network hub or anything, we're all just connected through the same router. Im not a network guy or anything, we don't share files or printers. Im still a little lost, but If it happened to me once, I still need to take the steps to remove it right? and since I can't unplug from the router, should I just disable my connection and then enable after I'm done?

You should be able to remove your computer from the router? Network cable? Thats what I was using from my computer to our router. You lose net access..but you need to remove msblast before it spreads. I know a lot of people at college that are completely unplugging from the college network untill they get a green light from the college tech heads (I bet that would be me, if I was in college, heh!).

-Adredrin

PS Remember, sharing an internet access is sharing a network, just because you can't view eachothers files does not mean the computers are not talking to eachother.

Ok, I have wireless thats why i can't unplug, If unplug the router from the cable modem should i be good to go?

Running a wireless, you should have a wireless network card and a wireless jack that plugs into the card. Can you remove that jack? I've not yet worked with a wireless connection. You have a wireless something or another that plugs into the router no? You could remove that I think..

-Adredrin

yeah my problem is that, I have a desktop, and unplugging the card isn't like a laptop I have to open the fucker up, I imagine disabling my wireless connection is the same thing, it cuts the transmission, and I'll unplug the router too, I'll just take the whole thing apart and deal with it, I think thats the best bet.

If anyone else needs help with the bug, let me know..I'm starting to feel like an expert. I even manage to decode it and poke around inside the virus (since it can't affect my system.) and who ever programmed it even left a little text message in it, rather amusing.

-Adredrin

Hey! Look who's not starting up her computer when she gets home today! Thanks for the head's up.

<<and who ever programmed it even left a little text message in it, rather amusing.>>

What'd the message say?

OMG I ju$t pwned the !nt3rn3t!!!!!!11

I want the blaster worm update for XP right?

The message says :

I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!


-Adredrin

PS. I've figured out how its spreading, It scans any computer connected to the internet via port 133, and if your open, it nails ya.

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.

Thats the patch you need to update with.

-Adredrin

Here's a removal tool for Blaster ..

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html


-P

You can use that too, the problem I find is that I don't trust something I can't see work :-P

-Adredrin

<<The message says :

I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!>>

ROFL

Originally posted by Methais
<<The message says :

I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!>>

ROFL


Yah, thats about the reaction I had too :smilegrin:

I love Symantec.

They always have freely available virus removal tools like 2 hours after any newly reported virus.

I wrote to feedback a couple days ago about it as well. Here's the response for those that care....


Good day,
Thank you for bringing your concerns to my attention. Below is a copy of the letter which has been sent through the staff lists regarding this particular situation as it has been occurring. I am providing the full e-mail, minus any NDAd materials, below for your viewing and to pass along to other members of the community you are aware of.
Should you have any further questions, please let me know. Thank you.

----------------

I'm hearing that a worrying number of people aren't aware of the latest
Windows vulnerability detailed on July 16th: a bug in the RPC/DCOM service
allows REMOTE ROOT ACCESS to your system. Exploits are already in the wild and
I can pretty much guarantee it won't be long before a worm comes out that auto
exploits this and causes a huge mess.

If you use Windows NT, 2000 or XP you are vulnerable. If you have a router or
firewall, you likely cannot be exploited over the Internet but you should
patch this all the same. The exploit can be delivered via port 135, 139 or
445 - these are all usually listening by default on Windows.

The current exploits are rather crude and usually result in RPC services
crashing and the machine auto-rebooting - if you've seen a message informing
you the system will auto-restart in 60 seconds or something similar, this is
the exploit hitting your machine. If the attacker guessed your operating
system correctly, they likely are already connected with full access to your
system. You should install the patch ASAP and do an up to date virus scan and
look for any suspicious programs running. It won't be long though before more
sophisticated exploits take the form of worms that won't crash RPC services
and attempt multiple times to gain access to your box.

You can get the patch from Microsoft in the following places for the following
Operating Systems:

Windows NT 4.0 Server - http://microsoft.com/downloads/details.aspx?
FamilyId=2CC66F4E-217E-4FA7-BDBF-DF77A0B9303F&displaylang=en

Windows 2000 - http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-
F541-4C15-8C9F-220354449117&displaylang=en

Windows XP - http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-
C5B6-44AC-9532-3DE40F69C074&displaylang=en

Of if you prefer, visit Windows Update and install all Critical Updates (which
you should be checking all the time anyway) -
http://windowsupdate.microsoft.com/

For more information, read this Microsoft TechNet Bulletin:
http://www.microsoft.com/technet/treeview/default.asp?
url=/technet/security/bulletin/MS03-026.asp

To clarify: This bug can let an attacker run code on your system under the
highest privileged account (SYSTEM) if your computer is connected directly to
the Internet. Grab the patch now to avoid pain later.

NOTE: If you are getting DCOM/RPC/svchost.exe crashes after installing the
patch, it might not have installed properly. Reboot and try again.

NOTE 2: Test if you are vulnerable: http://secur1ty.net/dcom.cgi (will not
work if you have a firewall/router blocking port 135 or a transparent web
proxy).

As of today, it looks like the worms are already in the wild...
http://secur1ty.net/dcom.cgi updated with more information.


GameMaster Antavian Giantwind
Feedback, Simutronics Corporation

(If you are replying to this letter, please be sure to include the full text of your previous correspondence)

Hmm..I read port 133..oh well :-P

-Adredrin

Heh - I knew Windows ME had some redeeming qualities!

Windows ME, firewall with stealth enabled..

No vulnerability.

But it does explain all those MSRPC TCP port probes I've been getting for the past 3 weeks. That means I can confirm that yes, people have known about this hole in MS OS since at least July 21st, since that's when my firewall monitor started alerting me to the sudden onslaught of probes.

It also explains why sometimes those probes will come from a single computer multiple times - as in, well over 100 times in a 5-hour period. THAT person's computer has been corrupted and it's being set to try to enter other computers, and the loop doesn't allow them to get out of the probe attempt.

At least, that's what it seems is happening.
As usual, I could be wrong. But that's what it looks like in any case.

Holy shit.

I've blocked over 5,000 probes.

Does this thing affect DSL? My roommate and I both run programs that aren't supposed to be suceptible. But I'm also told that ME is just a different version of NT.

Think I should patch?

Eh. I ran the de-worm program and it gave me a screen about turning my automatic reboot off. Ran the scan, didn't have it, went to install the patch and was told (In a more clear manner) by microsoft.com that Windows ME is NOT affected at all. The real question is, do we trust Microsoft.

Originally posted by Methais
<<heres what you do, once your comp starts up quickly go to start>settings>control panel>administrative tools>services
once your there scroll down to Remote Procedure Call (RPC)
double click on it and go to the "Recovery" Tab under
first failure/2nd failure/subsequent failures select "Take No Action">>

A friend of mine (Solkern) did that yesterday and he said he lost like everything on his hard drive just about. Is that expected to happen or did he just fuck it up somehow?

<<BTW, methais ditch kazaa and get Imesh lite>>

What's that?

it's same thing as kazaa it just has a better interface and no ads

and no that isn't supposed to happen he fucked up

[Edited on 8-12-2003 by Red Devil]

Heh, solution to all the problems. If you own a Mac, you just won't get viruses like these.

<< If you own a Mac, you just won't get viruses like these. >>

You won't get much of anything either.

<< it's same thing as kazaa it just has a better interface and no ads >>

May as well go with KaZaa lite then.

No ads, fastest downloads, newest movies and games available. Heck I just download Matrix Reloaded DVD in 18 hours.

Go with KaZaa lite, it's so much better.

It also destroys your computer. The latest version of KaZaA K++ blocks RIAA from accessing your computer.

>> went to install the patch and was told (In a more clear manner) by microsoft.com that Windows ME is NOT affected at all. The real question is, do we trust Microsoft. <<

W32.Blaster affects Win2000 (server and workstation) and WinXP only. Windows ME is a rather crappy update to Windows 98 and not impacted.

-P

Good. I'm using Windows ME. I think it's much better than the previous, and I prefer it over XP.

KaZaa Lite makes my computer freeze up. So does Overnet. I thought it was just a "Windows ME blows" thing.

Windows ME causes so many of its own problems that I don't think even the virus wanted to get involved. :D

Originally posted by Kranar
<< it's same thing as kazaa it just has a better interface and no ads >>

May as well go with KaZaa lite then.

No ads, fastest downloads, newest movies and games available. Heck I just download Matrix Reloaded DVD in 18 hours.

Go with KaZaa lite, it's so much better.

they all run on the same servers, the stuff you download from kazaa is the same from imesh

What format did matrix reloaded come in as Kranar? was it an rar file or what, and what program did you get so you can run them all together

I just went to kazaa lite and i'm d/ling the movie now..only gonan take me 55 mins heh

OK, some quick questions.

My computer is still working ok but some of my roomates are hit with this thing.

I downloaded the removal tool from Symantec, put it on a disk and used it to clean one computer but almost as soon as we started to go to Microsoft to get the patch he got that ugly messgae about shutting down again.

Can I download the patch for his OS and save it on a disk and then after running the removal tool once more then install the patch on his system? This is doable? Or are there potential problems involved?


Any ideas from our more well computer versed members will be greatly appreciated.

Anyone know where I can get an AVI player?

KaZaA Lite/K++ comes with a seperate program for AVIs.

Originally posted by Solkern
What format did matrix reloaded come in as Kranar? was it an rar file or what, and what program did you get so you can run them all together

im almost positive it was avi..

Yeah relized that, I still don't have an AVI player, my windows media player wont RUN avis for some reason. Yeah only got 35 mins left till i can watch the movie

The format was DivX MPEG 4v3.

You need to make sure that it's the real movie though, because the studios flood KaZaa with fake files that are masked to make you think you're downloading the real thing.

The correct file size for The Matrix Reloaded is this:

File 1) 710, 250 KB
File 2) 713, 064 KB

If you need a DivX coded to play it, let me know.

DivX Pro plays AVIs. You can get it from Kazaa....and if you're using KaZaA, get the latest K++ version. Lets you block RIAA servers, and set yourself at 1000 points so people don't shut you off.

Originally posted by Skirmisher
OK, some quick questions.

My computer is still working ok but some of my roomates are hit with this thing.

I downloaded the removal tool from Symantec, put it on a disk and used it to clean one computer but almost as soon as we started to go to Microsoft to get the patch he got that ugly messgae about shutting down again.

Can I download the patch for his OS and save it on a disk and then after running the removal tool once more then install the patch on his system? This is doable? Or are there potential problems involved?


Any ideas from our more well computer versed members will be greatly appreciated.

That should work just fine..if you can figure out a way to download it as a file, insted of downloading and installing right away. My girlfriend has the same problem..she has the only computer in the house, and even after she gets the virus removed, it hits again before the download is finished :no:

-Adredrin

As for what I watch my files with (I'm a member of a online group that gets, subs, and distributes Anime) I tend to just use my windows media player, and the K-Lite Codec (which covers DivX, XviD, and lots of other formats).

-Adredrin

<<and if you're using KaZaA, get the latest K++ version.>>

Got a link to K++? Would be nice ot set mine to Supreme Being or whatever the 1000 rating is.

K++ (http://home.hccnet.nl/h.edskes/mirror.htm#klitekpp241e)

Lots of spiffy features on it.

kazaa = complete access to your harddrive

That's why I never leave it on for more than an hour or two, and have a firewall.

I use fileshare for my movies, not as fast as kazaa but at least i won't download some gay disney movie renamed


btw kranar is a pirate, lets laugh at him, we all know ninjas are the real ultimate power

DONT EDIT MY POSTS KARNAR!!
[Edited on 8-13-2003 by Kranar]

[Edited on 8-13-2003 by Red Devil]

Just wanted to say thanks for the working advice on how to deal with the worm.

>> Can I download the patch for his OS and save it on a disk and then after running the removal tool once more then install the patch on his system? This is doable? Or are there potential problems involved? <<

Yeah you can. My advice is to drop the patch and the cleaning tool onto a diskette or CD and disconnect the PC you are cleaning/patching from the network temporarily. This will stop other machines from attempting to infect it while you are patching.

FWIW, I work in an organization with about 800 PC's in my department and probably 50,000 devices organization-wide. None of the servers got hit, but about 10% of the desktops in my area alone were unpatched. Guess what I did yesterday and will be doing today?

<groan>

But .. the method above is how we are doing it.

-P

Yes, let me second Beth's thanks to Prestius and Adredrin and everyone else who shared their expertise in dealing with this pain in the neck Blaster worm.

This isn't about the worm but I have a question maybe someone can answer. Using AOL as an ISP, I try to download mp3s or mpegs from websites, and when it saves it always tries to save it as mpa or mpega and the file size is reduced. Anyone know what this shit is?

I think That's AOL screwing with yer files. When I used AOL I had lots of problem trying to save jpegs and gifs as well. It kept trying to turn them into AOL picture files.

Best bet is to try loading the page with IE and then using Save As...

"Best bet is to try loading the page with IE and then using Save As... "

Yep, tried that already. Still trying to save my media files with fucked up extensions. I think it's probably some lame preventive measure from keeping AOL users from pirating music.

Down with AOL!! Rawr!!

-Adredrin

<< Yep, tried that already. Still trying to save my media files with fucked up extensions. I think it's probably some lame preventive measure from keeping AOL users from pirating music.>>

There's some setting in AOL that you have to disable to get it to save them normally (so it'll save jpgs as jpgs instead of AOL picture files for example). Unfortunately I haven't used AOL in forever and forgot how to change it, but there is a way to do it.

If nothing else, harass AOL tech support about it. If they're too stupid to help, call them back but speak to them with this:

http://www.funnyjunk.com/pages/arnold.htm

>> I was going to ask you how you all got worm viruses with your top notch security... but I'm not gonna be that distrustful and disbelieving. Good luck cleaning up. <<

In our case, it was just a matter of timing. We knew this one was coming, and applied the patches to our servers immediately .. and we began applying patches to our user PC's - remember we have over 500 PC's in our department alone). We were pushing the updates out as fast as we could using AD Group Polocies and were about 20% done with the patching when all hell broke loose on Tuesday.

I'm still trying to find out how this thing snuck into our firewalled network.

-P

I got spared. <cheers>