Forum: General Discussion

Subject: Blaster worm

This topic is old and may contain obsolete or incorrect information.

nscode (Home user, member since 2003)
As you might or might not know, the Blaster or Lovesan worm is causing one of the greatest internet epidemics ever.

> You should update AV software and do a complete scan.
> Download MS security patch 823980.
> Disable ports 69, 135 and 4444.

The virus can cause a PC to display a window that counts down 60 seconds to restart, and then restarts. This can be most unpleasant if there are 1000 people in front of you, wondering why the music stopped. If you are live and you see the countdown window, there is a trick you can use to prevent the restart. Set the date back one month. You will get 30 days till restart. Setting the date back before the 16th of August will also disable the virus.

The virus causes no damage. (At this time, variants may)

The virus uses bugs in Windows to infect a computer. Apart from downloading the mentioned patch, there is nothing you can do to prevent infection. :(
 

Posted Wed 13 Aug 03 @ 12:58 pm
nscode (Home user, member since 2003)
PS to moderators: You should consider making this a priority post, sticking it to the top.
 

Posted Wed 13 Aug 03 @ 1:00 pm
Here's a little more info on the worm from your local security guy.


Symptoms of an infected system:

Ports 69 and 4444 in use, listening for incoming connections.

Presence of a file called msblast.exe on the infected system.

Error messages about the RPC service failing (making the system reboot).

Windows registry value created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill**

Systems affected:
Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003


 

Posted Wed 13 Aug 03 @ 1:28 pm
jukesy (PRO Infinity, member since 2003)
How do you disable a port?
 

Posted Wed 13 Aug 03 @ 1:39 pm
nscode (Home user, member since 2003)
To disable use of a port you need to have a firewall program installed. Search the program's help on how to do this.

Update on my little trick: If you set back the date, it will also cause the demo version of VDJ to exit because it thinks you are doing it to prolong the demo :(
 

Posted Wed 13 Aug 03 @ 1:53 pm
@nscode Ouch! Hopefully the demo acts right after you turn the date forward again.
 

Posted Wed 13 Aug 03 @ 1:59 pm
nscode (Home user, member since 2003)
Yeah, but so does the virus! :(
 

Posted Wed 13 Aug 03 @ 2:23 pm
FYI Update:

*LOVSAN (MSBLAST, BLASTER) VARIANTS CIRCULATING, ONE WITH TROJAN
Malware writers have spawned multiple variants of the Lovsan worm, the most dangerous of which installs a remote-access Trojan on infected systems.

"This attack is similar in magnitude to Code Red and Nimda, but its ramifications are much greater because it targets a wide range of Microsoft OSes instead of just Web servers--the number of systems that could potentially be infected is much greater," says Forrester analyst Michael Rasmussen. "We could have some ramifications on this extending into weeks as road warriors connect to the corporate network or come into the office with infected machines."

Antivirus experts say that script-kiddies modified W32.Lovsan.A to create two new variants: .B, which installs a remote-access Trojan and is packed using FSG, and .C, which is similar to the original worm and is packed with UPX. It's difficult to identify whether the variants were created by the same worm writer.

"There is nothing in the code, such as comments, to tell us either way," says Vincent Gullotto, VP of McAfee AVERT.

And more variants are predicted--with potentially damaging payloads.

"We will see many more modifications, the bad guys will most likely try to drop undetected backdoors so they will have another way in even after the patches have been applied," says Bruce Hughes, director of malicious code research at TruSecure/ICSA Labs.

Some may question the logic of writing new variants as users are patching and blocking port 135 to catch Lovsan.A.

"It's still not completely under control. It will be another 24 hours before we see it drop 80 percent or so from its peak," Gullotto says.

Almost two years after Code Red struck, there were still variants of it being released despite a limited pool of systems it could infect. The vast majority of users had patched their systems. That network worm targeted Microsoft's IIS Web servers, the number of which is dwarfed by all the desktops and servers that have the RPC flaw.

"Pretty much the entire world will have to run the update to Windows XP and 2000," said David Perry, global director of education for antivirus software vendor Trend Micro. "I think it will take a year or more to get the word out to people."

Computer Economics estimates that Lovsan.A has already caused $500 million globally and $100 million in the U.S. in damages and lost productivity.

The Lovsan network worm targets the RPC vulnerability in Windows NT/XP/2000/Server 2003, though not all versions are susceptible to infection. The worm is also called MSBlast and Blaster.

For other Lovsan coverage, please visit: http://searchsecurity.techtarget.com/featuredTopic/0,290042,sid14_gci917276,00.html?Offer=swd5_61



*EXPERTS RECOMMEND LOVSAN FIX
A surge in Lovsan worm infections prompted the Computer Emergency Response Team and other experts to recommend the following remediation steps for infected machines:

--Physically disconnect from the network.

--If you can't stop your system from rebooting, abort the shutdown timer: click Start, Run and enter shutdown -a.

--Kill the "msblast.exe" process in the Task Manager by pressing "CTRL-ALT-DELETE," click "Task Manager" button, select the "Processes" tab, highlight "msblast.exe," and click the "End Process" button (CERT notes that this will bring up a Warning dialog box which a user needs to answer "Yes").

--Delete the "windows auto update" value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

--Search the machine for any files named msblast.exe, p-e-n-i-s32.exe (without hyphens), teekids.exe and root32.exe. For each match, right-click and select Delete.

--Disable DCOM on all affected machines, but not until all effects have been fully tested. (http://microsoft.com/technet/security/bulletin/MS03-026.asp).

--Reboot the machine and reconnect to the network.

--Install the patch from Windows Update or MS03-026 (http://microsoft.com/technet/security/bulletin/MS03-026.asp).

For other Lovsan coverage, please visit: http://searchsecurity.techtarget.com/featuredTopic/0,290042,sid14_gci917276,00.html?Offer=swd5_61

Thanks go to the fine people at SECURITY WIRE DIGEST for this piece.

Regards,

Redman247
 

Posted Thu 14 Aug 03 @ 10:15 am
DJ Coco (PRO Infinity, member since 2003)
I had this trojan on my 2 PCs. I received a message saying that svchost.exe has generated many errors and will shut down. Then my PC was almost unusable.
I formatted both my PCs and installed Windows 2000 (I had XP before) on both, but the same thing appeared.
I installed the latest service packs and then the Microsoft patch. Besides that, go to www.symantec.com to get their latest patch too. You don't need to have Norton to run their latest patch (I guess... because I have it).
Now I'm waiting to see what happens.
Good luck
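The symptom list and the CERT clean-up steps above amount to three host checks: worm listeners on 69/4444 (with outbound probes to RPC port 135 as the spreading sign), the "windows auto update" Run value, and the dropper file names. This added example, not code from the thread or from any vendor, applies those checks to constructed sample data (a netstat -an style listing and a dump of the Run key) so it can run offline; the sample values are invented, not a real capture.

```python
# Triage check for the Blaster/Lovsan indicators listed in the thread. Added
# example, not forum or vendor code: it parses constructed sample data rather
# than a live system, so it runs offline.

# Indicators from the thread: worm listeners, the worm's Run value, dropper names.
WORM_LISTEN_PORTS = {69, 4444}
WORM_RUN_VALUE = "windows auto update"
WORM_FILES = {"msblast.exe", "penis32.exe", "teekids.exe", "root32.exe"}

def parse_netstat(text):
    """Return (listening local ports, number of SYN_SENT connects to :135)."""
    listening, rpc_scans = set(), 0
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] not in ("TCP", "UDP"):
            continue
        state = f[3] if len(f) > 3 else None
        # UDP rows carry no state; a bound UDP socket counts as a listener.
        if f[0] == "UDP" or state == "LISTENING":
            listening.add(int(f[1].rsplit(":", 1)[1]))
        # Blaster probes other hosts on TCP/135; many half-open connects
        # to :135 from a workstation is the spreading pattern.
        elif state == "SYN_SENT" and f[2].endswith(":135"):
            rpc_scans += 1
    return listening, rpc_scans

def suspicious_run_values(run_values):
    """run_values: {value name: data} from HKLM\\...\\CurrentVersion\\Run."""
    hits = []
    for name, data in run_values.items():
        d = data.strip()  # quoted paths may contain spaces; take the exe only
        exe = d[1:].split('"', 1)[0] if d.startswith('"') else d.split(" ", 1)[0]
        base = exe.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name.lower() == WORM_RUN_VALUE or base in WORM_FILES:
            hits.append(name)
    return hits

def triage(netstat_text, run_values):
    listening, rpc_scans = parse_netstat(netstat_text)
    return {"worm_ports": sorted(listening & WORM_LISTEN_PORTS),
            "rpc_scans": rpc_scans, "run_values": suspicious_run_values(run_values)}

# Constructed sample resembling an infected XP host (not a real capture).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1031       10.0.0.7:135           SYN_SENT
  UDP    0.0.0.0:69             *:*
"""
SAMPLE_RUN = {"windows auto update": "msblast.exe", "ctfmon": "C:\\WINDOWS\\system32\\ctfmon.exe"}
```

Port 135 listening is normal on Windows (the RPC endpoint mapper), so the check reports only 69 and 4444 as worm listeners and counts outbound :135 probes separately.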
 

Posted Thu 14 Aug 03 @ 2:58 pm
jukesy (PRO Infinity, member since 2003)
Ahhhh. F-ing Blaster worm. Just spent 5 hours removing it.
 

Posted Fri 05 Sep 03 @ 7:59 pm
jukesy (PRO Infinity, member since 2003)
Still AHHHH.

Reformatted my C:\ --- still rebooting from the effects of the worm.

Ran Symantec's fix tool, which said: "Blaster worm not found on this computer."

Still I get the remote reboot. Tried to update XP, but the system reboots.

Anyone know how to get rid of this worm, because it's driving me crazy.

All my virus software says I'm clean (and it is all updated as of yesterday), but I still suffer the effects of the dreaded Blaster worm. :(
 

Posted Fri 05 Sep 03 @ 8:50 pm
jukesy (PRO Infinity, member since 2003)
Yeah. :)

8 hours later and the bugger's gone.
 

Posted Fri 05 Sep 03 @ 9:38 pm
DJ Rick (PRO Infinity, member since 2003)
Don't know if this will help... My Mom had it bad...

First, enable your internet firewall. Then, using a file search, find and delete all of the Blaster files... that enabled her to get on the internet again without immediate re-infection. After that she went to the MS update page and did all available updates. She hasn't had any problems at all since.
 

Posted Sat 06 Sep 03 @ 5:51 pm
jukesy (PRO Infinity, member since 2003)
Also check your registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

and delete any values that auto look-up files.

I formatted my C:\ 5 times and each time I couldn't work out why the infected svchost.exe and dllhost.exe kept appearing in my system32/win folder.

I realised that it was because every time I started my computer with the internet connected, my registry was downloading the virus from the internet.

If you need to stop your computer rebooting, you can change your RPC settings so that it doesn't restart.

This gives you enough time to download McAfee's Stinger to get rid of the virus.

I had lovesan.worm and Symantec's fix program couldn't find it.
 

Posted Sat 06 Sep 03 @ 6:40 pm

(Old topics and forums are closed automatically)