Author Topic: DCOM RPC Worm in the Wild!  (Read 6280 times)

Dexter (Moderator)
DCOM RPC Worm in the Wild!
« on: August 12, 2003, 07:39:26 PM »
If you're running a Windows system, please go to Windows Update and make sure you have downloaded and installed every critical patch listed. Don't be lazy, just do it right now! There is officially a worm out there that is taking control of Windows-based systems right now.

Here's the short and skinny on the worm.

1) It's being called "W32.Blaster.Worm" by Symantec, "W32/Lovsan.worm" by McAfee, and "WORM_MSBLAST.A" by Trend.
2) It exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
3) If infected, a program called msblast.exe will be running.
4) It causes system instability and opens your computer to remote access.
5) It cannot automatically spread to Windows NT or 2003 systems, but they will crash if the worm tries to access them. If the worm is installed manually, it will run on Windows NT and 2003, though.
6) The worm also attempts to perform a DoS attack on the Windows Update site.
Dexter, Advanced-Basic.Com

[root:/usr/src]$make buildworld

make: Please wait 6-8 weeks for your world to be built and shipped to you.  Thank you for your order!

futz255 (Guest)
DCOM RPC Worm in the Wild!
« Reply #1 on: August 12, 2003, 09:57:55 PM »
Does "crash" mean an RPC error box with the message saying save your stuff now within this given amount of time (30-45 secs, I forget)?

If that's the crash you're talking about, then I was a victim. Seems strange to me that, with a firewall and an IDS set at a high level, and port 135 not responding to anyone, it would trigger this "crash."

I just updated from MS and friends; this thing is serious.

Dexter (Moderator)
DCOM RPC Worm in the Wild!
« Reply #2 on: August 13, 2003, 04:34:33 PM »
Not really sure on the effects... I run only WinXP boxes, and they've been patched since it was released.

Guest_Chris (Guest)
DCOM RPC Worm in the Wild!
« Reply #3 on: August 14, 2003, 10:18:06 AM »
On Windows XP machines it causes the RPC (Remote Procedure Call) to terminate. You should get a message saying something like "RPC will terminate - rebooting in 30 secs". There is a Blaster fix tool on the Norton site, and you obviously know about the patch.

This error message only occurs on Windows XP machines.

Dexter (Moderator)
DCOM RPC Worm in the Wild!
« Reply #4 on: August 18, 2003, 02:11:17 PM »
from the AlanBarber.Org blog:
Quote
This is downright goofy, folks!

There's a new DCOM RPC worm running the rounds. Officially tagged as "W32.Welchia.Worm" by Symantec, "WORM_MSBLAST.D" by Trend, and "W32/Nachi.worm" by McAfee, it's pretty much the same as the other DCOM RPC worms with one big difference. It's designed to fix the problem!

Get this, people. When the worm finds an open system it infects the system and runs the worm on the new system. On the new system the worm searches for the original MSBLAST worm and removes it if found. It then automatically downloads the Microsoft patch to fix the DCOM RPC hole, installs the patch and reboots the machine. It then runs in the background searching out other open systems to spread to until January 1st, 2004. At that time it will delete itself.

There doesn't seem to be any trojan horse or payload, but as a virus/worm it should be considered dangerous. However, this has to be the first time in the history of computing that a virus/worm actually fixes the very hole it exploits.

The person that wrote this should get nominated for misguided humanitarian of the year or something.

This security hole is turning into a three ring circus!

Guest
DCOM RPC Worm in the Wild!
« Reply #5 on: January 05, 2004, 11:42:10 AM »
Make sure you turn on the firewall, and then go to Start > Control Panel > Administrative Tools > Services, right-click Remote Procedure Call (the first line), go to Properties, go to the Recovery tab and set it to not reboot, or to take way longer. Then download the Symantec removal tool, or manually remove it from the msconfig Startup tab: it will say "windowsupdates", and to the right at the end it will say msblast.exe. Reboot and patch your baby.

Have a nice one.
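As an added example, not anything posted in this thread, here is a read-only PowerShell triage script covering the indicators the opening post and Reply #5 describe: the msblast.exe process and startup entry, an exposed TCP 135 service, the RPC service's recovery action, and the MS03-026 patch. It assumes msblast.exe lands in System32 and uses a placeholder for the MS03-026 hotfix id; the startup value name quoted in Reply #5 ("windowsupdates") may not match what the worm actually writes, so the script flags any Run value that refers to msblast.exe.

```powershell
# Added triage script (not from the thread). Read-only checks for the Blaster
# indicators the posts describe. Run from an elevated PowerShell prompt.
# Assumptions: msblast.exe drops into System32; the Run value name is taken
# from Reply #5 ("windowsupdates"), so any Run value pointing at msblast.exe is
# flagged; the MS03-026 hotfix KB number is a placeholder to fill in.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Worm process (opening post: "a program called msblast.exe will be running")
if (Get-Process -Name 'msblast' -ErrorAction SilentlyContinue) {
    $findings.Add('msblast.exe is running')
}

# 2. Autostart entry (Reply #5: msconfig startup entry ending in msblast.exe)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'msblast\.exe') {
            $findings.Add("Run value '$($p.Name)' in $key -> $($p.Value)")
        }
    }
}

# 3. Worm binary on disk (System32 location is an assumption)
$bin = Join-Path $env:SystemRoot 'System32\msblast.exe'
if (Test-Path $bin) { $findings.Add("file present: $bin") }

# 4. Host firewall off means TCP 135 is reachable (opening post: exploit uses TCP 135)
$off = Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' }
if ($off) { $findings.Add("firewall disabled for profile(s): $($off.Name -join ', ')") }

# 5. RpcSs recovery action (Reply #5: set Recovery so a crash does not reboot)
$recovery = (sc.exe qfailure RpcSs) -join ' '
if ($recovery -match 'FAILURE_ACTIONS.*REBOOT') {
    $findings.Add('RpcSs recovery action reboots the machine on failure')
}

# 6. Patch status for MS03-026. PLACEHOLDER: replace with the bulletin's KB id.
$kb = 'KB000000'
if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) {
    $findings.Add("hotfix $kb (MS03-026) not installed, or placeholder unchanged")
}

if ($findings.Count -eq 0) { 'No Blaster indicators found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The script only reports; changing the RpcSs recovery action or removing the startup entry is left to the steps in Reply #5 or the vendor removal tool.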

Guest
DCOM RPC Worm in the Wild!
« Reply #6 on: June 12, 2004, 09:34:29 PM »
OK, just something that I found out...
When you receive the notification that your computer is shutting down (with the timer of 30 seconds, or however many it is), all you have to do is:
1.  Open a command prompt
2.  Type the following string in:
       shutdown -a
3.  The shutdown notification will close, and you can close the command prompt window

Mind, folks, that this does NOTHING for the removal of the worm; it just gets rid of the shutdown notification...

(aim: sonofdad123)
(yahoo: sonofdad123)