W32 blaster worm


posol

guys, there's a sick worm going around right now. it ate my entire works network today. our entire active directory is fubar...

run norton or something tonight with the latest def's installed, and clean up your systems.
 
damn. hoping that it wont get past my virus software <_<
 
U got the virus info wrong.

Buffer Overflows in
Windows RPC and XP Shell
Severity: High
16th July 2003

Summary:
Today, Microsoft released security bulletins describing two buffer overflow vulnerabilities affecting multiple versions of Windows.

The first buffer overflow arises from the Remote Procedure Call (RPC) service that ships with many versions of Windows, and allows an attacker to gain absolute control of your users' Windows machines. The second overflow only affects Windows XP and can allow an attacker to execute code with the logged-in user's privileges. There is no direct impact on WatchGuard products. Windows administrators should download, test and deploy the appropriate patches immediately.

Exposure:
Today, in separate bulletins, Microsoft described two new buffer overflow vulnerabilities. Each flaw affects different versions of Windows. Regardless of which versions of Windows you run, most likely one of the flaws affects you. The vulnerabilities are summarized below in order of severity, with the worst, first:

Remote Procedure Call (RPC) is a protocol Microsoft Windows uses to allow one computer on a network to execute a task on another computer and receive back the results of that task. However, Microsoft's Security Bulletin 03-026 describes a buffer overflow vulnerability in the RPC service that ships with Windows NT 4.0, 2000, XP, and 2003. Since the service does not properly validate one type of RPC message, an attacker could send your users' machines a specially malformed RPC message to cause a buffer overflow, in turn allowing him to execute code on your system. Since the RPC service has full system privileges, the attacker could exploit this flaw to gain absolute control of your Windows machines. Patch this critical flaw as soon as you can.

The Windows shell is essentially the core component providing Windows' recognizable GUI. Unfortunately, Microsoft's Security Bulletin 03-027 warns of a new buffer overflow vulnerability in Windows XP's shell. The vulnerability involves a feature that allows XP users to individually customize the look and feel of each folder. Windows XP stores each folder's customized settings in a file called desktop.ini, and automatically loads those customizations whenever you browse to a folder. According to Microsoft, if an attacker could entice one of your users to a Windows share containing a malicious desktop.ini file, that could instigate a buffer overflow allowing the attacker to execute code on that user's machine with that user's privileges. Windows file sharing typically only works in a LAN environment, making this primarily a local insider exploit.

Solution Path:
Microsoft has released patches to fix both these vulnerabilities. Windows administrators should download, test, and deploy the corresponding patch as soon as possible:

1. Windows RPC Buffer Overflow

Windows NT 4.0 Server
Windows NT 4.0 Terminal Server Edition
Windows 2000
Windows XP 32 bit Edition
Windows XP 64 bit Edition
Windows Server 2003 32 bit Edition
Windows Server 2003 64 bit Edition

2. Windows XP Shell Buffer Overflow

Microsoft Windows XP 32 bit Edition
Microsoft Windows XP 64 bit Edition

How Would a Hacker Exploit The Vulnerability?:
A hacker would exploit the RPC vulnerability over TCP port 135. By default, most firewalls deny incoming access to this port. As long as you have not allowed incoming access using the SMB service, you are safe from Internet-based attackers. To avoid local attacks, apply the corresponding patches above.

Since the second attack is mostly a local concern, the patches above are your primary recourse.

Status:
Patches are available.

Direct Impact on Star Products:
None.

Impact on Networks Protected by Star Products:
Remote attackers could potentially gain total control of your Windows Systems if you are allowing TCP port 135 inbound through your firewall.

References:
Microsoft Security Bulletin MS03-026

Microsoft Security Bulletin MS03-027


Now to go post my Q about my rex =P
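The alert above says remote attackers only reach this flaw if TCP port 135 is allowed inbound, and that the worm is hitting whole networks. One defensive check that follows from it, as an added example that is not part of this thread or of WatchGuard's alert: parse firewall log lines and flag any source that probes many distinct hosts on TCP/135 in a short window (worm-style sweeping), noting whether any of those probes were allowed through. The log format and the sample lines are constructed for this example, not any real product's output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format for this example (not any real firewall's syntax):
# "<date> <time> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|DENY) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SAMPLE_LOG = """\
2003-08-11 15:20:01 DENY TCP 10.0.0.5:1031 -> 192.168.1.1:135
2003-08-11 15:20:01 DENY TCP 10.0.0.5:1032 -> 192.168.1.2:135
2003-08-11 15:20:02 DENY TCP 10.0.0.5:1033 -> 192.168.1.3:135
2003-08-11 15:20:02 DENY TCP 10.0.0.5:1034 -> 192.168.1.4:135
2003-08-11 15:20:03 ALLOW TCP 10.0.0.5:1035 -> 192.168.1.5:135
2003-08-11 15:20:03 DENY TCP 10.0.0.5:1036 -> 192.168.1.6:135
2003-08-11 15:20:10 DENY TCP 10.0.0.9:2001 -> 192.168.1.7:135
2003-08-11 15:20:11 ALLOW TCP 10.0.0.7:3001 -> 192.168.1.1:80
2003-08-11 15:20:11 ALLOW TCP 10.0.0.7:3002 -> 192.168.1.2:80
2003-08-11 15:30:00 DENY TCP 10.0.0.5:1040 -> 192.168.1.8:135
"""

def parse(text):
    """Yield (timestamp, action, src, dst, dport) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["action"], m["src"], m["dst"], int(m["dport"])

def find_sweepers(text, port=135, min_targets=5, window_s=60):
    """Return {src: (distinct_targets, any_allowed)} for every source that
    reached at least min_targets distinct hosts on `port` inside window_s."""
    hits = defaultdict(list)  # src -> [(ts, dst, allowed)]
    for ts, action, src, dst, dport in parse(text):
        if dport == port:
            hits[src].append((ts, dst, action == "ALLOW"))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            window = [e for e in events[i:] if (e[0] - t0).total_seconds() <= window_s]
            if len({dst for _, dst, _ in window}) >= min_targets:
                flagged[src] = (len({d for _, d, _ in events}),
                                any(a for _, _, a in events))
                break
    return flagged
```

A flagged source with any_allowed set to True is the case the alert warns about: TCP 135 was let inbound, so the target behind that rule needs the MS03-026 patch checked first. A single inbound 135 attempt is background noise and is not flagged.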
 
okay this fucker is fucking with me. how do i get rid of this bitch, when i open IE it tries to make me d/l something from hondaswap i havent d/led it but this is gay.
 
Originally posted by IDMaxGuy@Aug 12 2003, 04:37 AM
okay this fucker is fucking with me. how do i get rid of this bitch, when i open IE it tries to make me d/l something from hondaswap i havent d/led it but this is gay.

it is NOT coming from hondaswap. just an FYI.
 
Originally posted by sisteve@Aug 12 2003, 07:20 AM
for the guys that dont have it:

download this patch from MS

http://www.microsoft.com/technet/treeview/...in/MS03-026.asp

that is from mid july. it DOESN'T work. trust me. I spent all last night fucking with this virus on our 100+ workstations.

Microsoft can eat a fat dick on this one. the patch they released doesn't fix the UDP nor the TCP open ports.

what's REALLY fucked up, is that it's some linux nerd who made this.

The worm contains the following text, which is never displayed:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!



between 1am and 6am est, Symantec released 19 updates to their patch. this isn't over yet folks.

DL this tool: http://securityresponse.symantec.com/avcen...er/FixBlast.exe

Close all the running programs before running the tool.
If you are running Windows XP, then disable System Restore. http://service1.symantec.com/SUPPORT/tsgen...001111912274039 for more info on that if needed...
Restart the computer.
Run the removal tool again to ensure that the system is clean.
If you are running Windows XP, then re-enable System Restore.
Run LiveUpdate on your virus scan software to make sure that you are using the most current virus definitions.

if anyone needs help getting clean, please feel free to ask... i think i got it down now. lol i just got home from work.. 10:30. was supposed to be home at 8:15
 
ahh shit, my brother came over last night and was like "Hey, I'm trying to use my computer and it says blah blah windows systems will shut down in 60 seconds" My brother is a mechanical guy, not a computer guy, he gets pissed real quick with computers. I guess it almost went out the window LOL. I figured it was a virus.
 


More Links:

http://vil.nai.com/vil/content/v_100547.htm

Go Here to see if your PC is teh clean:

https://grc.com/x/portprobe=135 (stealth is good)

So far so good. I'm hoping my router at home has knocked off any attempts of that shizzy to get into my home network. That's all that I would need to complete this shizzy of a week :(
 
holy shiat...

i am fucking stupid. i am using a free dial up account that came with the computer purchase and i thought it was doing stupid shit, so i went into systems and disabled restart for remote procedure protocol....now every page i go to it says cannot be displayed and i have to reload 10 times for it to show.... :ph34r:

i'm a dumbass, but i'm on a pc so it shouldnt matter ALL that much....just a lotta porn on here :D
 
we had this virus yesterday at work

--------------------------------------------------------------------------------

Virus/Exploit Alert!

8/11/2003 3:25:00 PM Posted By: IT Helpdesk
If you are currently unable to click on links or are experiencing SVCHOST.EXE failures please download the following patch:
 
happened to me too I think it came from something on kazaa. :ph34r:
 