
W32 blaster worm

Discussion in 'Members' Lounge' started by pissedoffsol, Aug 12, 2003.

  1. pissedoffsol (RETIRED)

    guys, there's a sick worm going around right now. it ate my entire works network today. our entire active directory is fubar...

    run norton or something tonight with the latest def's installed, and clean up your systems.
     
  2. BodyDroppedNikes (...PENDEJO.... VIP)

    would that explain why my pc kept coming up saying that it was gonna shut down in 60 seconds and then shut down?
     
  3. pissedoffsol (RETIRED)

    yup. :p get rid of that shizzzz.
     
  4. 90 accord (Chicks dig the box, Moderator VIP)

    damn. hoping that it won't get past my virus software <_<
     
  5. badk0re (Junior Member)

    U got the virus info wrong.

    Buffer Overflows in
    Windows RPC and XP Shell
    Severity: High
    16th July 2003

    Summary:
    Today, Microsoft released security bulletins describing two buffer overflow vulnerabilities affecting multiple versions of Windows.

    The first buffer overflow arises from the Remote Procedure Call (RPC) service that ships with many versions of Windows, and allows an attacker to gain absolute control of your users' Windows machines. The second overflow only affects Windows XP and can allow an attacker to execute code with the logged-in user's privileges. There is no direct impact on WatchGuard products. Windows administrators should download, test and deploy the appropriate patches immediately.

    Exposure:
    Today, in separate bulletins, Microsoft described two new buffer overflow vulnerabilities. Each flaw affects different versions of Windows. Regardless of which versions of Windows you run, most likely one of the flaws affects you. The vulnerabilities are summarized below in order of severity, with the worst, first:

    Remote Procedure Call (RPC) is a protocol Microsoft Windows uses to allow one computer on a network to execute a task on another computer and receive back the results of that task. However, Microsoft's Security Bulletin 03-026 describes a buffer overflow vulnerability in the RPC service that ships with Windows NT 4.0, 2000, XP, and 2003. Since the service does not properly validate one type of RPC message, an attacker could send your users' machines a specially malformed RPC message to cause a buffer overflow, in turn allowing him to execute code on your system. Since the RPC service has full system privileges, the attacker could exploit this flaw to gain absolute control of your Windows machines. Patch this critical flaw as soon as you can.

    The Windows shell is essentially the core component providing Windows' recognizable GUI. Unfortunately, Microsoft's Security Bulletin 03-027 warns of a new buffer overflow vulnerability in Windows XP's shell. The vulnerability involves a feature that allows XP users to individually customize the look and feel of each folder. Windows XP stores each folder's customized settings in a file called desktop.ini, and automatically loads those customizations whenever you browse to a folder. According to Microsoft, if an attacker could entice one of your users to a Windows share containing a malicious desktop.ini file, that could instigate a buffer overflow allowing the attacker to execute code on that user's machine with that user's privileges. Windows file sharing typically only works in a LAN environment, making this primarily a local insider exploit.

    Solution Path:
    Microsoft has released patches to fix both these vulnerabilities. Windows administrators should download, test, and deploy the corresponding patch as soon as possible:

    1. Windows RPC Buffer Overflow

    Windows NT 4.0 Server
    Windows NT 4.0 Terminal Server Edition
    Windows 2000
    Windows XP 32 bit Edition
    Windows XP 64 bit Edition
    Windows Server 2003 32 bit Edition
    Windows Server 2003 64 bit Edition

    2. Windows XP Shell Buffer Overflow

    Microsoft Windows XP 32 bit Edition
    Microsoft Windows XP 64 bit Edition

    How Would a Hacker Exploit The Vulnerability?:
    A hacker would exploit the RPC vulnerability over TCP port 135. By default, most firewalls deny incoming access to this port. As long as you have not allowed incoming access using the SMB service, you are safe from Internet-based attackers. To avoid local attacks, apply the corresponding patches above.

    Since the second attack is mostly a local concern, the patches above are your primary recourse.

    Status:
    Patches are available.

    Direct Impact on Star Products:
    None.

    Impact on Networks Protected by Star Products:
    Remote attackers could potentially gain total control of your Windows Systems if you are allowing TCP port 135 inbound through your firewall.

    References:
    Microsoft Security Bulletin MS03-026

    Microsoft Security Bulletin MS03-027


    Now to go post my Q about my rex =P
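    As an added example, not from this thread or the quoted advisory: the advisory's point is that the RPC flaw is reached over TCP port 135, so a worm exploiting it shows up in firewall logs as one source fanning out to port 135 on many distinct addresses in a short time. This Python script runs that check over constructed log lines; the log format, the addresses, and the 10-hosts-in-60-seconds threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines in an assumed "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
# format. 10.1.1.5 hits TCP/135 on twelve hosts within seconds (worm-like fan-out); 10.1.1.7 only ever talks
# to a single server on TCP/135 (ordinary RPC client traffic) and must not be flagged.
SAMPLE_LOG = "\n".join(
    [f"2003-08-12 09:00:{i:02d} DENY TCP 10.1.1.5:{1200 + i} -> 10.1.2.{10 + i}:135"
     for i in range(12)]
    + [f"2003-08-12 09:00:{i:02d} ALLOW TCP 10.1.1.7:{1300 + i} -> 10.1.2.1:135"
       for i in range(12)]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["dport"] = int(rec["dport"])
    return rec

def find_rpc_fanout(log_text, window=timedelta(seconds=60), threshold=10, port=135):
    """Return {src: max_distinct_destinations} for each source that reached TCP `port`
    on at least `threshold` distinct hosts inside any `window`-long span."""
    by_src = defaultdict(list)                      # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == port:
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))
    suspects = {}
    for src, events in by_src.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):              # sliding time window over the events
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= threshold:
            suspects[src] = best
    return suspects

if __name__ == "__main__":
    for src, n in find_rpc_fanout(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct hosts on TCP/135 inside 60s -> possible worm propagation")
```

The same fan-out logic applies to the DENY lines a perimeter firewall produces when it blocks inbound 135, which is how the advisory's "deny incoming access to this port" advice can be verified from the logs rather than assumed.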
     
  6. IDMaxGuy (Senior Member)

    okay this fucker is fucking with me. how do i get rid of this bitch? when i open IE it tries to make me d/l something from hondaswap. i havent d/led it but this is gay.
     
  8. pissedoffsol (RETIRED)

    it is NOT coming from hondaswap. just an FYI.
     
  12. pissedoffsol (RETIRED)

    that is from mid july. it DOESN'T work. trust me. I spent all last night fucking with this virus on our 100+ workstations.

    Microsoft can eat a fat dick on this one. the patch they released doesn't fix the UDP nor the TCP open ports.

    what's REALLY fucked up, is that it's some linux nerd who made this.

    between 1am and 6am est, Symantec released 19 updates to their patch. this isn't over yet folks.

    DL this tool: http://securityresponse.symantec.com/avcen...er/FixBlast.exe

    Close all the running programs before running the tool.
    If you are running Windows XP, then disable System Restore. See http://service1.symantec.com/SUPPORT/tsgen...001111912274039 for more info on that if needed...
    Restart the computer.
    Run the removal tool again to ensure that the system is clean.
    If you are running Windows XP, then re-enable System Restore.
    Run LiveUpdate on your virus scan software to make sure that you are using the most current virus definitions.

    if anyone needs help getting clean, please feel free to ask... i think i got it down now. lol i just got home from work.. 10:30. was supposed to be home at 8:15
     
  13. liquid00meth (Senior Member)

    ahh shit, my brother came over last night and was like "Hey, I'm trying to use my computer and it says blah blah windows systems will shut down in 60 seconds" My brother is a mechanical guy, not a computer guy, he gets pissed real quick with computers. I guess it almost went out the window LOL. I figured it was a virus.
     
  15. word (Senior Member)

    holy shiat...

    i am fucking stupid. i am using a free dial up account that came with the computer purchase and i thought it was doing stupid shit, so i went into systems and disabled restart for remote procedure protocol....now every page i go to it says cannot be displayed and i have to reload 10 times for it to show.... :ph34r:

    i'm a dumbass, but i'm on a pc so it shouldn't matter ALL that much....just a lotta porn on here :D
     
  16. Bob Vila (ɐןıʌ qoq, Admin VIP)

    werd

    no pun intended.
     
  17. cxjon (Senior Member)

    we had this virus yesterday at work

    --------------------------------------------------------------------------------

    Virus/Exploit Alert!

    8/11/2003 3:25:00 PM Posted By: IT Helpdesk
    If you are currently unable to click on links or are experiencing SVCHOST.EXE failures please download the following patch:
     
  18. pissedoffsol (RETIRED)

    yup, svchost gets attacked on 2k, the 60 sec till reboot thing happens on xp
     
  19. h82w8 (Senior Member)

    happened to me too, I think it came from something on kazaa. :ph34r:
     
  20. pissedoffsol (RETIRED)

    nope, it's coming from your ISP. it attacks IPs
     