#1 |
|
HH Old Fuddy Duddy
|
Web Worm Attacks Windows, Spreads Fast, Experts Say
SAN FRANCISCO (Reuters) - An Internet worm that takes advantage of a recently discovered, widespread security hole in Microsoft Corp.'s Windows software emerged around the United States on Monday, crashing systems and spreading to vulnerable computers, security experts said.
The worm, dubbed LoveSan, Blaster, or MSBlaster, exploits a vulnerability in the Distributed Component Object service that is hosted by a Remote Procedure Call feature in Windows 2000 and Windows XP that lets computers share files, among other activities. Once it gets onto a vulnerable computer, the program downloads code from a previously infected machine that enables it to propagate itself. Then, it scans the Internet for other vulnerable machines and attacks them, said Johannes Ullrich, chief technology officer at the Internet Storm Center at the SANS Institute.
By Elinor Mills Abreu
|
|
|
|
|
#2 |
|
HH's #1 Hustla and Pimp
|
this IS the problem i just posted in the windows forum, possible solution which i found:
goto administrative tools, goto services, open Remote Procedure Call (RPC), goto logon, press disable at the bottom, then in Recovery set First, Second, Subsequent Failures to TAKE NO ACTION, press ok, logoff and logon
__________________
Sound Blaster X-Fi Xtreme Music | Logitech Z-5500 THX 5.1 Surround Sound Speakers | 2 Lite-On 20x S-ATA Burners | Logitech G700 Mouse | Logitech MX5500 Bluetooth Keyboard
Last edited by BiGBrOWnPimpsta; Aug 12, 2003 at 04:06 AM.
|
|
|
|
|
#3 |
|
unplugged
|
My mom just got this damn thing on her machine- or something like it. She runs antivirus, but didn't update windows lately, I think that's how she got it. I'll be reformatting that machine when I go back home in a few weeks.
__________________
|
|
|
|
|
|
#4 |
|
HH's #1 Hustla and Pimp
|
do my solution right now
|
|
|
|
|
|
|
|
HH Old Fuddy Duddy
|
I ran through the 'solution' and have a 'situation' now:
When I minimize WEB pages or open up directories/windows on the Desktop, the item/s no longer appear in my Task bar. I've gone through several options trying to restore this. Any suggestions? I'm using XP Home.
|
|
|
|
|
#6 |
|
HH's #1 Hustla and Pimp
|
crap its messing up lotta ppls comps. my friend cant do ANYTHING cant even get a start menu now. another cant launch I.E. its whack man! i dont know ill research this some more Dyre if u can post that solution or protection (which i would say) cause i havent been touched by it and the ppl that did it havent either. so post as news if u feel it is necessary
|
|
|
|
|
|
#7 | |
|
unplugged
|
Quote:
Then it replaces the files, then the next time she restarts windows, it does the same thing. I dunno- I had her put the important stuff on a CD, and that's as far as I got walking her through things. I think norton detected the worm as a "spybot -something -something worm, or something like that, And said the affected file was iexplorer in windows/system32, and that quarantine was not successful and to delete the file in safe mode -eek. Norton had a huge list of things to do including manual registry repairs and deleting many files in safe mode. I have to call her back and find out the exact name and research it to see what to do and how to avoid it in the future. It did say it has something to do with the RPC service too- It happened yesterday afternoon, so I'm thinking it's a variant of this thing because I know it didn't get in through e-mail.
__________________
|
|
|
|
|
|
|
#8 |
|
HH's #1 Hustla and Pimp
|
its messing up everyone man im getting msgs on msn on how to fix it and stuff going crazy Dyre i would recommend posting that as a possible prevention because so far ppl that have done it are ok others that havent are getting messed and have their comps resetting. after doing my solution their comp is screwed
|
|
|
|
|
|
|
|
|
HH Old Fuddy Duddy
|
Quote:
After running that solution, I'm having a bit of a situation on my own computer. I can't Copy/Paste, I can't see any icons in my Taskbar of items opened/minimized, and my Services options only show up when I click on Extended. I've been trying to post this solution and am having some difficulty doing so as it appears certain areas of my own system are now 'hidden' to me.
|
|
|
|
|
|
#10 |
|
Hydrogenated Dumbass
Join Date: May 2002
Location: Canuckland
Posts: 755
Rep Power: 0 ![]()
|
Here is another solution (a bit long, but successful) :
1- Boot with your Windows XP CD and enter in the Recovery Console.
2- In the console, type "disable RpcSs" then "exit"
3- Boot in Windows
4- Download the Windows XP patch here (MS03-026).
NOTE : At this point, you do not have access to the taskbar. Use therefore the Windows Key + R to pop-up the Run screen or the Windows Key + E to pop-up Window Explorer. Also, it is impossible to update your system with the patch at this point because the patch itself needs the Cryptography service to function (cuz this service needs RPC service to run in order to function).
5- Use a Trojan Removing software to verify your system and/or filenames that are corrupted. If you cannot seem to remove certain trojans, do it in the Recovery Console.
6- Restart the computer and boot in the Recovery Console.
7- In the console, type "enable RpcSs SERVICE_AUTO_START", remove any connections to the internet (network cable, telephone cable, coax... lol) and then type "exit"
8- Upon reboot, I'd heavily suggest running the newly downloaded patch ASAP. When done reboot (with your network connection). If you can successfully use your computer without the damn "RPC created an error and will reboot" then you are ok.

In a case I've seen today, I had no choice but to do an "upgrade" of Windows XP after following these steps (the system rebooted continuously). Everything worked after this point.
Last edited by HsuGotaQ; Aug 12, 2003 at 05:23 AM.
|
|
|
|
|
#11 |
|
DriverHeaven Lover
Join Date: Jul 2002
Location: Right. Behind. You.
Posts: 180
Rep Power: 0 ![]() |
There is a way to solve this, i just happened to help a friend, with something pretty similar. First go alt-ctrl-delete, and go to "processes" if you find MSBlaster or something like that (i.e. --blaster) end its process. Then download MS03-026 Update which will plug up the hole (http://www.microsoft.com/technet/tre...n/MS03-026.asp ) Then go here, http://vil.nai.com/vil/content/v_100547.htm, this has actual information on the virus, but McAfee created a remover that does not require any sort of previous virus scanner. Download here (it's called Stinger http://vil.nai.com/vil/stinger/), and run it. Good luck guys! Hope it helps
__________________
Windows XP Pro 32-bit Intel Core 2 Duo E6850 2 GB DDR2-800 eVGA 680i XFX GeForce Ultra 8800 ( )Creative X-Fi Gamer |
|
|
|
|
|
#12 |
|
Hydrogenated Dumbass
Join Date: May 2002
Location: Canuckland
Posts: 755
Rep Power: 0 ![]()
|
Another removal Procedure from Mcafee
|
|
|
|
|
|
#13 |
|
unplugged
|
http://www.blkviper.com/AskBV/tech10.htm
To stop your computer from shutting down ONLY WHILE you are trying to fix it. From BlackViper
__________________
|
|
|
|
|
|
|
|
HH Old Fuddy Duddy
|
I'm thankful I have a 2nd system still running on 98SE.
|
|
|
|
|
|
|
|
HH Old Fuddy Duddy
|
Is anyone else running into, 'unable to install patch....make sure cryptographic services is on' when trying to install this patch?
|
|
|
|
|
|
#16 |
|
Caledonian and Proud
|
"RPC created an error and will reboot" thats all i got yesterday everytime i logged onto internet explorer
so i formatted and now im back with 98se ... screw XP ... at first i thought it was the sp1a i recently installed as i was getting longhorn pictures in my folders ... the pics are in the windows forum
__________________
"They say when you play a Microsoft CD backwards you can hear satanic messages ..... but that's nothing, if you play it forward it will install Windows"
|
|
|
|
|
|
#17 |
|
unplugged
|
My machine is fine because I keep it UP-TO-DATE, like everyone else should. :-/
__________________
|
|
|
|
|
|
|
|
|
HH Old Fuddy Duddy
|
Quote:
|
|
|
|
|
|
|
#19 | |
|
unplugged
|
Quote:
__________________
|
|
|
|
|
|
|
#20 |
|
Caledonian and Proud
|
i forgot to add i had all the updates as well ... updated my anti virus on Sunday and i still got it yesterday after playing spearhead on the {DH} server i clicked on internet explorer ... thats when i got the error messages
|
|
|
|
|
|
#21 |
|
HardwareHeaven Extreme Member
|
well...
This is what happens when people do not update their OS regularly. The patch for this has been out for a month. It also helps if you use a firewall, preferably hardware if using broadband. Tiny Personal Firewall or Zonealarm if on dial up because MANY people are also getting that have dial up. No one has anyone to blame but themselves.
|
|
|
|
|
|
#22 | |
|
Hydrogenated Dumbass
Join Date: May 2002
Location: Canuckland
Posts: 755
Rep Power: 0 ![]()
|
Quote:
damn this worm is really doing some hefty damage. I've gotten about 35 calls this morning from friends and relatives all connected with Videotron Cable internet and all infected with the same worm (here in Quebec). Thank god I re-ghost my machine every 2 months.
|
|
|
|
|
|
#23 | |
|
Hydrogenated Dumbass
Join Date: May 2002
Location: Canuckland
Posts: 755
Rep Power: 0 ![]()
|
Re: well...
Quote:
|
|
|
|
|
|
|
#24 | |
|
Live from the Dungeon
Join Date: May 2003
Location: Between the SubWoofers
Posts: 1,395
Rep Power: 0 ![]() ![]()
|
Quote:
|
|
|
|
|
|
|
|
|
|
HH Old Fuddy Duddy
|
Quote:
1. I have kept my XP Home up-to-date via the Updates and especially the security patches;
2. My LAN is behind a router connected to Comcast Broadband Cable;
3. My McAfee is set to automatically update;
4. My serious problems started when I followed the above 'solution' to Disable RPC Services;
5. I'm the only user on my XP Home -- therefore I have Administrative Rights;
6. I could NOT restore functionality of RPC or Cryptographic Services no matter how I tried;
7. I attempted to do a Windows XP Home Update from the CD and the Setup Failed due to 'unable to install catalogs'.....'signature invalid' (The Setup attempts to restart on each reboot and fails for the same reason);
8. Attempting to boot from the Windows XP CD fails due to 'NTLDR not found' (I have tried setting the BIOS only to boot from CDROM....it won't do it);
9. Attempting to reboot from a 98SE Startup Floppy works, but it fails to recognize my NTFS drive.
10. Attempting to boot from my Seagate HD Install CD simply causes the Windows Setup to try to restart again.
11. The saga continues.......
|
|
|
|
|
|
#26 |
|
Live from the Dungeon
Join Date: May 2003
Location: Between the SubWoofers
Posts: 1,395
Rep Power: 0 ![]() ![]()
|
Sounds like it is time to format and redo your system......
|
|
|
|
|
|
#27 | |
|
I like to whinge
Join Date: Jul 2003
Posts: 820
Rep Power: 0 ![]() |
Quote:
|
|
|
|
|
|
|
#28 |
|
DriverHeaven Junior Member
Join Date: Nov 2002
Posts: 33
Rep Power: 0 ![]() |
Double click on Administrative Tools and double click on Services.
Note: Some people may find it quicker to start the Services tool by clicking on Start > Run, typing services.msc and pressing Enter.
Double click on the service called Remote Procedure Call (RPC) and click on the Recovery tab.
Within the Recovery tab are three sections; these will all say 'Restart the computer'. Each one of these must be changed using the drop down box to say 'Take No Action'.
Once done, immediately click on Apply followed by OK. Your computer may restart anyway at this point. Once it has completed restarting, continue with the rest of these instructions.
Disable System Restore. To do this click Start followed by right clicking on My Computer. Choose Properties, then the System Restore tab. Put a tick into the box 'Turn off System Restore'. (If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.)
Open Internet Explorer and connect to the Internet in your normal manner.
Download Microsoft patch (http://download.microsoft.com/downlo...80-x86-ENU.exe).
Download the following patch - http://securityresponse.symantec.com...r/FixBlast.exe
|
|
|
|
|
#29 |
|
DriverHeaven Lover
Join Date: Jun 2002
Posts: 222
Rep Power: 0 ![]() |
How does this worm invade your computers??
__________________
"I was so insane with wanting to get even, I willingly believed anything" “Those who desire to give up freedom in order to gain security will not have, nor do they deserve, either one.” Asus P5B-deluxe/6400/wc 2gigZ Crucial 6400 Evga8800gtx X-Fi Elite Pro 150gb Raptor/WDsata250 Silverstone 750 |
|
|
|
|
|
#30 | |
|
Professional Slacker
Join Date: Jun 2002
Location: KY
Posts: 274
Rep Power: 0 ![]()
|
You better double check that dude...heh.
Quote:
TO GET RID OF IT: I just disabled the MSblast.exe process, disabled system restore completely deleting all restore points. Deleted its reg entry in HKLM/software/microsoft/windows/currentversion/run and in the right pane you will see an entry relating to windows auto update and msblast.exe. Delete it. Update your AV signatures, download and install the patch from MS. Reboot and run the virus scanner and it should find and delete msblast.exe. It worked for me and that Stinger program from McAfee and Nortons both report clean.

NOTE: My machine had NOT gotten to the point that it was totally unusable as Zonealarm runs at startup and gave me the option of blocking access to the internet for msblast.exe. Had it not, I would still be banging my head trying to figure it out. Do yourself a favor and install a decent firewall. Had I not disabled the firewall to play online games, I probably would never have gotten it to start with, but I have corrected that issue :-)
Last edited by Desert_Siege; Aug 12, 2003 at 06:55 PM.
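
The Run-key check described in the post above, as an added example that is not part of the original thread: a small Python parser for a text export of the registry (`.reg` format) that reports autorun values referencing `msblast.exe`. The sample export is constructed from the post's description, and checking `HKEY_CURRENT_USER` as well as `HKLM` is an assumption that goes slightly beyond the post.

```python
import re

# File name the posts above associate with the worm.
SUSPECT_FILES = {"msblast.exe"}
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
# A string value line in a .reg export: "name"="data", with \\ and \" escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (not captured from a real machine). Real regedit
# exports are UTF-16; decode the file to str before passing it in.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleFirewall"="\"C:\\Program Files\\ExampleFirewall\\fw.exe\" -startup"
"windows auto update"="msblast.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

def unescape(s):
    """Undo .reg escaping: a backslash protects the character after it."""
    return re.sub(r'\\(.)', r'\1', s)

def suspicious_run_entries(export_text, suspects=SUSPECT_FILES):
    """Return (key, value_name, data) for Run-key values naming a suspect file."""
    findings, key = [], None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # entering a new registry key section
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.lower().endswith(RUN_KEY_SUFFIX):
            continue                  # not a string value, or not under a Run key
        name, data = unescape(m.group(1)), unescape(m.group(2))
        # Split the command line into path components and arguments so that
        # bare names, full paths and quoted paths are all compared the same way.
        parts = re.split(r'[\\/"\s]+', data.lower())
        if any(p in suspects for p in parts):
            findings.append((key, name, data))
    return findings

if __name__ == "__main__":
    for key, name, data in suspicious_run_entries(SAMPLE_EXPORT):
        print(f"{key}: {name!r} -> {data!r}")
```

A hit only shows that the autorun entry is present; the posts above still apply the MS03-026 patch and run a scanner afterwards.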
|
|
|
|