Author: C McClain Morris, Jr.
Date: 09:02:33 08/12/03
Go up one level in this thread
On August 12, 2003 at 10:13:24, Omid David Tabibi wrote:
>On August 11, 2003 at 21:07:58, C McClain Morris, Jr. wrote:
>
>>I was greeted by a remote procedure call failure while playing a Shredder 7.04
>>comp on the playchess.com server today. I was using the Fritz 7 engine in a 3
>>minute + 2 blitz game and upon the start of the game the Shredder 7.04 opponent
>>failed to make a move for the 2 minutes. All of a sudden I was greeted with a
>>"Remote Procedure Call has unexpectly shut down, Windows will shut down in 45
>>seconds" and the countdown began. From that point on, each time connected to the
>>net, I would receive the same rpc message and windows shuts down and restarts
>>again. This was the first time I had experienced a DOS attack and I noticed that
>>I had an executable running the the name of msblast.exe. It was found in
>>c:\windows\system32. After deleting it, it continued to appear after the rpc
>>shutdowns. I would appreciate some feedback regarding the possiblity of running
>>code on a computer, while playing another comp on the playchess server. My
>>system was virus and trojan free before playing on the playchess server. Is it
>>possible to get code run on your computer if you are playing another engine on
>>playchess.com? Any expert feedback would be greatly appreciated.
>
>Exactly the same here. I even reinstalled the Windows OS, but as soon as I
>connect to the internet, that message appears together with countdown for shut
>down, so it seems that it is an ISP issue (also infected?!)
I fdisk my hard drive and did a clean install of winxp, installed pc- cillin,
got my firewall going and all is well. Antivirus.com has the remedys for this
worm at their web site. It appears to create a mutex called "Billy." This is
from their website:
Creates a Mutex named "BILLY". If the mutex exists,
the worm will exit.
Adds the value:
"windows auto update"="msblast.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
Calculates the IP address, based on the following
algorithm, 40% of the time:
Host IP: A.B.C.D
sets D equal to 0.
if C > 20, will subtract a random value less than 20.
Once calculated it will start attempting to exploit
the computer based on A.B.C.0 and count up.
NOTE: This means the Local Subnet will become
saturated with port 135 requests prior to exiting the
local subnet.
Calculates the IP address, based on many random
numbers, 60% of the time:
A.B.C.D
set D equal to 0.
sets A, B, and C to random values between 0 and 255.
Sends data on TCP port 135 that may exploit the DCOM
RPC vulnerabilty to allow the following actions to
occur on the vulnerable computer:
Create a hidden Cmd.exe remote shell that will listen
on TCP port 4444.
NOTE: Due to the randomness with how it constructs the
exploit data, it may cause computers to crash if it
sends incorrect data.
Listens on UDP port 69. When it recieves a request, it
will send back the Msblast.exe binary.
Sends the commands to the remote computer to connect
back to the infected host and download and run the
Msblast.exe.
If the current month is after August, or if the
current date is after the 15th it will perform a
denial of service on "windowsupdate.com"
With the current logic, the worm will activate the
Denial of Service attack on the 16th of this month,
and continue until the end of the year.
The worm contains the following text which is never
displayed:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making
money and fix your software!!
Symantec ManHunt
Symantec ManHunt Protocol Anomaly Detection technology
detects activity associated with this exploit as
"Portscan". Although ManHunt can detect activity
associated with this exploit with the Protocol Anomaly
Detection technology, the "Microsoft DCOM RPC Buffer
Overflow" custom signature, released in Security Update
can be used for exactly identifying the exploit being
sent.
This is their remedy:
Important Note: W32.Blaster.Worm exploits the DCOM RPC
vulnerability. This is described in Microsoft Security
Bulletin MS03-026, and a patch is available from that
location. You must download and install the patch. In
many cases, you will have to do this before you can
continue with the removal instructions. If you are not
able to remove the infection or prevent reinfection
using the instructions that follow, first download and
install the patch.
Disable System Restore (Windows Me/XP).
Update the virus definitions.
Do one of the following:
Windows 95/98/Me: Restart the computer in Safe mode.
Windows NT/2000/XP: End the Trojan process.
Run a full system scan and delete all the files
detected as W32.Blaster.Worm.
Reverse the changes that the Trojan made to the
registry.
For details on each of these steps, read the following
instructions.
1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we
recommend that you temporarily turn off System Restore.
Windows Me/XP uses this feature, which is enabled by
default, to restore the files on your computer in case
they become damaged. If a virus, worm, or Trojan infects
a computer, System Restore may back up the virus, worm,
or Trojan on the computer.
Windows prevents outside programs, including antivirus
programs, from modifying System Restore. Therefore,
antivirus programs or tools cannot remove threats in the
System Restore folder. As a result, System Restore has
the potential of restoring an infected file on your
computer, even after you have cleaned the infected files
from all the other locations.
Also, a virus scan may detect a threat in the System
Restore folder even though you have removed the threat.
For instructions on how to turn off System Restore, read
your Windows documentation, or one of the following
articles:
"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"
For additional information, and an alternative to
disabling Windows Me System Restore, see the Microsoft
Knowledge Base article, "Antivirus Tools Cannot Clean
Infected Files in the _Restore Folder," Article ID:
Q263455.
2. Updating the virus definitions
Symantec Security Response fully tests all the virus
definitions for quality assurance before they are posted
to our servers. There are two ways to obtain the most
recent virus definitions:
Running LiveUpdate, which is the easiest way to obtain
virus definitions: These virus definitions are posted
to the LiveUpdate servers once each week (usually on
Wednesdays), unless there is a major virus outbreak.
To determine whether definitions for this threat are
available by LiveUpdate, refer to the Virus
Definitions (LiveUpdate).
Downloading the definitions using the Intelligent
Updater: The Intelligent Updater virus definitions are
posted on U.S. business days (Monday through Friday).
You should download the definitions from the Symantec
Security Response Web site and manually install them.
To determine whether definitions for this threat are
available by the Intelligent Updater, refer to the
Virus Definitions (Intelligent Updater).
The Intelligent Updater virus definitions are
available: Read "How to update virus definition files
using the Intelligent Updater" for detailed
instructions.
3. Restarting the computer in Safe mode or ending the
Worm process
Windows 95/98/Me
Restart the computer in Safe mode. All the Windows
32-bit operating systems, except for Windows NT, can
be restarted in Safe mode. For instructions on how to
do this, read the document, "How to start the computer
in Safe Mode."
Windows NT/2000/XP
To end the Trojan process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to
alphabetically sort the processes.
Scroll through the list and look for msblast.exe.
If you find the file, click it, and then click End
Process.
Exit the Task Manager.
4. Scanning for and deleting the infected files
Start your Symantec antivirus program and make sure
that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the
document, "How to configure Norton AntiVirus to scan
all files."
For Symantec AntiVirus Enterprise products: Read the
document, "How to verify that a Symantec Corporate
antivirus product is set to scan all files."
Run a full system scan.
If any files are detected as infected with
W32.Blaster.Worm, click Delete.
5. Reversing the changes made to the registry
CAUTION: Symantec strongly recommends that you back up
the registry before making any changes to it. Incorrect
changes to the registry can result in permanent data
loss or corrupted files. Modify the specified keys only.
Read the document, "How to make a backup of the Windows
registry," for instructions.
Click Start, and then click Run. (The Run dialog box
appears.)
Type regedit
Then click OK. (The Registry Editor opens.)
Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
"windows auto update"="msblast.exe"
Exit the Registry Editor.
Write-up by: Douglas Knowles
Hope this does the trick.
This page took 0 seconds to execute
Last modified: Thu, 15 Apr 21 08:11:13 -0700
Current Computer Chess Club Forums at Talkchess. This site by Sean Mintz.