A new worm discovered in the wild this morning, called Msblaster
(also Lovesan or Blaster), is spreading quickly. The worm adds itself
to the Run registry key and drops a file called msblast.exe into the
Windows system folder. Symptoms include XP machines rebooting after
the RPC service crashes, with a message such as: "This system is being
shut down in 60 seconds by NT AUTHORITY\SYSTEM due to an interrupted
Remote Procedure Call (RPC)".
The worm also attempts a denial-of-service attack (a SYN flood) against
windowsupdate.com, Microsoft's Windows Update site. It contains about
11 kB of code and spreads by exploiting the MS03-026 DCOM/RPC hole
(information on Microsoft's fix is below).
IV's Interceptor blocks the execution of msblast.exe as suspect PE
code, as seen below in an excerpt from a realtime.rpt file, the log
that the IV Interceptor writes to:
----------------------------------------------------------------------
C:\WINDOWS\system32\msblast.exe
IV Interceptor: Suspect PE code - Operation aborted.
Current date: 12-08-03 9:33 AM, User: USERNAME
----------------------------------------------------------------------
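When realtime.rpt files from many machines have to be triaged, a small parser saves time. The following is an added example written for this bulletin; it is not InVircible code and not from the original page. The record layout (path line, verdict line, date/user line, between rows of dashes) is inferred from the single excerpt above, reading the date as day-month-year is an assumption, and the second record in the sample is constructed.

```python
"""Parse InVircible realtime.rpt entries and pick out Blaster hits.

Added example for this bulletin; not InVircible code and not from the
original page. The record layout (path line, verdict line, date/user
line, between rows of dashes) is inferred from the single excerpt shown
above. Reading the date as day-month-year is an assumption (the vendor
is Australian). The second record in SAMPLE_REPORT is constructed.
"""
import re
from datetime import datetime
from typing import Dict, List

DATE_RE = re.compile(
    r"Current date:\s+(\d{1,2}-\d{1,2}-\d{2})\s+(\d{1,2}:\d{2})\s*([AP]M),\s*User:\s*(.+?)\s*$"
)
BLASTER_FILES = {"msblast.exe"}

SAMPLE_REPORT = r"""
----------------------------------------------------------------------
C:\WINDOWS\system32\msblast.exe
IV Interceptor: Suspect PE code - Operation aborted.
Current date: 12-08-03 9:33 AM, User: USERNAME
----------------------------------------------------------------------
C:\Downloads\setup.exe
IV Interceptor: Suspect PE code - Operation aborted.
Current date: 12-08-03 10:05 AM, User: USERNAME
----------------------------------------------------------------------
"""


def _parse_block(lines: List[str]) -> Dict[str, object]:
    """Turn the three lines of one record into a dict."""
    if len(lines) != 3:
        raise ValueError("unexpected record layout: %r" % (lines,))
    path, verdict_line, when_line = lines
    m = DATE_RE.search(when_line)
    if not m:
        raise ValueError("cannot parse date/user line: %r" % (when_line,))
    day, clock, ampm, user = m.groups()
    # day-month-year is assumed (Australian vendor); change %d-%m-%y if your site differs
    when = datetime.strptime("%s %s%s" % (day, clock, ampm), "%d-%m-%y %I:%M%p")
    verdict = verdict_line.split(":", 1)[1].strip() if ":" in verdict_line else verdict_line.strip()
    return {
        "path": path.strip(),
        "file": path.strip().rsplit("\\", 1)[-1].lower(),
        "verdict": verdict,
        "blocked": "aborted" in verdict.lower(),  # "Operation aborted" = IV stopped it
        "when": when,
        "user": user,
    }


def parse_report(text: str) -> List[Dict[str, object]]:
    """Split a realtime.rpt dump into records using the dashed separator rows."""
    records = []
    block: List[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and set(stripped) == {"-"}:  # separator row
            if block:
                records.append(_parse_block(block))
                block = []
        elif stripped:
            block.append(stripped)
    if block:  # tolerate a missing final separator
        records.append(_parse_block(block))
    return records


def blaster_hits(records):
    """Records whose file name matches Blaster's dropped executable."""
    return [r for r in records if r["file"] in BLASTER_FILES]


if __name__ == "__main__":
    for hit in blaster_hits(parse_report(SAMPLE_REPORT)):
        print("%s  %s  user=%s  blocked=%s" % (hit["when"], hit["path"], hit["user"], hit["blocked"]))
```

Feed it the concatenated realtime.rpt files collected with IVAdmin and the "blocked" field separates machines where IV held the worm back from any record where the operation was not aborted.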
The worm makes 'msblast.exe' run at startup through a registry value
named 'windows auto update'. You can use IVAdmin to delete the value
remotely or, using IV locally, remove the entry through the IV startup
applications list. The value lives under:
'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update'
At the firewall, block inbound TCP port 4444 (the remote shell the worm
opens on an infected machine). Also block the following ports if you
do not run applications that need them:
- TCP port 135, "DCOM RPC" (the port the exploit is sent to)
- UDP port 69, "TFTP" (used by the infected machine to fetch msblast.exe
  from the attacker)
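The three ports above also give a detection signature: an exploit to TCP 135, a connection from the same attacker to the victim's TCP 4444, then a TFTP fetch from the victim back to the attacker, all within seconds. The following is an added example written for this bulletin, not code from the original page; it correlates that sequence in firewall logs and flags hosts sweeping many neighbours on port 135. The log format and every sample line are constructed, and the 120-second chain window is an assumption.

```python
"""Correlate Blaster's network sequence in firewall logs.

Added example for this bulletin, not code from the original page. The
page names the three ports the worm uses: the exploit is sent to TCP
135, the attacker then connects to the shell the worm opens on the
victim's TCP 4444, and the victim pulls msblast.exe back from the
attacker over TFTP (UDP 69). find_infections() looks for that ordered
sequence between one attacker/victim pair inside a short window, and
find_scanners() flags hosts sweeping many neighbours on TCP 135. The
log format and every line in SAMPLE_LOG are constructed for this
example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (ACCEPT|DROP) (TCP|UDP) "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)
CHAIN_WINDOW = timedelta(seconds=120)  # assumed: exploit to TFTP fetch takes seconds

SAMPLE_LOG = """\
2003-08-12 09:31:02 ACCEPT TCP 10.0.0.5:1032 -> 10.0.0.9:135
2003-08-12 09:31:04 ACCEPT TCP 10.0.0.5:1033 -> 10.0.0.9:4444
2003-08-12 09:31:05 ACCEPT UDP 10.0.0.9:1040 -> 10.0.0.5:69
2003-08-12 09:31:20 ACCEPT TCP 10.0.0.5:1034 -> 10.0.0.10:135
2003-08-12 09:31:21 ACCEPT TCP 10.0.0.5:1035 -> 10.0.0.11:135
2003-08-12 09:31:22 ACCEPT TCP 10.0.0.5:1036 -> 10.0.0.12:135
2003-08-12 09:31:23 ACCEPT TCP 10.0.0.5:1037 -> 10.0.0.13:135
2003-08-12 09:40:00 ACCEPT TCP 172.16.3.7:2201 -> 10.0.0.20:135
2003-08-12 09:40:01 DROP TCP 172.16.3.7:2202 -> 10.0.0.20:4444
2003-08-12 10:00:00 ACCEPT TCP 10.0.0.30:3000 -> 10.0.0.40:135
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one constructed-format firewall line; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
        "action": m.group(2), "proto": m.group(3),
        "src": m.group(4), "sport": int(m.group(5)),
        "dst": m.group(6), "dport": int(m.group(7)),
    }


def find_infections(lines: List[str]) -> List[Tuple[str, str, datetime]]:
    """Return (attacker, victim, time_of_tftp_fetch) for each completed chain.

    Only ACCEPTed connections advance the chain, so a firewall rule that
    drops TCP 4444 (as the page recommends) breaks it at stage two.
    """
    stage: Dict[Tuple[str, str], Dict[str, datetime]] = {}
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["action"] != "ACCEPT":
            continue
        if ev["proto"] == "TCP" and ev["dport"] == 135:
            stage[(ev["src"], ev["dst"])] = {"rpc": ev["ts"]}      # stage 1: exploit
        elif ev["proto"] == "TCP" and ev["dport"] == 4444:
            st = stage.get((ev["src"], ev["dst"]))
            if st and "rpc" in st and ev["ts"] - st["rpc"] <= CHAIN_WINDOW:
                st["shell"] = ev["ts"]                               # stage 2: shell
        elif ev["proto"] == "UDP" and ev["dport"] == 69:
            key = (ev["dst"], ev["src"])  # victim -> attacker, so reverse the pair
            st = stage.get(key)
            if st and "shell" in st and ev["ts"] - st["shell"] <= CHAIN_WINDOW:
                alerts.append((key[0], key[1], ev["ts"]))            # stage 3: fetch
                del stage[key]
    return alerts


def find_scanners(lines, threshold=5, window=timedelta(seconds=60)) -> List[str]:
    """Sources that probed >= threshold distinct hosts on TCP 135 within `window`.

    Dropped probes count too: a blocked scan is still a scan.
    """
    probes: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for raw in lines:
        ev = parse_line(raw)
        if ev and ev["proto"] == "TCP" and ev["dport"] == 135:
            probes[ev["src"]].append((ev["ts"], ev["dst"]))
    scanners = []
    for src, events in probes.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(targets) >= threshold:
                scanners.append(src)
                break
    return sorted(scanners)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for attacker, victim, when in find_infections(lines):
        print("infection chain: %s -> %s, msblast.exe fetched at %s" % (attacker, victim, when))
    print("scanning hosts:", find_scanners(lines))
```

In the sample, 10.0.0.5 completes the chain against 10.0.0.9 and then sweeps four more hosts on port 135, while 172.16.3.7 reaches port 135 on 10.0.0.20 but its 4444 connection is dropped, so no infection is reported for that pair. Any host the scanner function names should be treated as already infected and cleaned with the procedure below.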
Msblast exploits the vulnerability "Buffer Overrun In RPC Interface",
also known as the DCOM/RPC vulnerability and as MS03-026. Microsoft
published the bulletin and patch for it on July 16, 2003. More
information on this vulnerability is available at
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
Removal Instructions for Infected PCs:
Note: The following procedure will ONLY work for users who have
InVircible installed on their computer!
1. Download to the desktop http://www.virusdefence.com.au/dl/client/client_files/gateway/xblaster.exe
and http://www.virusdefence.com.au/dl/client/client_files/togglmod.exe
If the computer is already infected, download the above files to a
floppy on another PC, then copy them from the floppy to the affected
computer's desktop.
2. Run TogglMod.exe by double-clicking its icon on the desktop, and
select to restart the computer in "safe" mode. Reboot, and Windows
NT / W2k / XP will restart in command prompt mode.
3. At the command prompt, type XBLASTER and press Enter. This kills
the worm's driver. Now type TOGGLMOD, press Enter, and select to
restart in "Normal" mode. Reboot the computer.
4. Windows will now restart normally, clean from the worm, and
InVircible will load as usual. It is important that InVircible keeps
running throughout the entire process that follows, or Blaster will
gain a foothold the moment IV is deactivated!
5. Go to http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
and follow the link for the patch that suits your system. Before
downloading the update setup file, you need to exclude the patch file
in Interceptor, or InVircible will block it on download (Windows setup
files have an unusual structure that causes IV to intercept and block
them). To exempt the setup file from IV, click the IV icon, select
'Interceptor options' and then 'Executables Exclude List'. To download
the patch for NT4, add the following entry to the list: Q82*.EXE (note
the asterisk!). Similarly, add WINDOWS2000*.EXE if you download the
patch for W2K, or WINDOWSXP*.EXE for XP. You are now ready to download
the update setup file.
6. Download the patch setup file to the desktop. You will see IV
messages during the download indicating that "msblast.exe" is
attempting to execute. Dismiss the messages by pressing 'OK' and let
the download complete. Msblast.exe is the worm's driver; IV alerting
means that the computer, being online, is under attack and IV is
holding the attacker back.
7. When the download completes, DISCONNECT from the Internet and
install the patch by double-clicking its icon on the desktop. Before
restarting Windows, run xBlaster once more by double-clicking its icon,
to kill any leftover of the worm driver.
8. Restart Windows when done; you may now go back online without
becoming infected. When finished with the upgrade, delete the three
files (xblaster.exe, togglmod.exe and the patch) that you added to the
desktop.
Lastly, you may be interested to know that a TWO-year-old version of
InVircible stops the brand new Blaster worm just as well as the latest
version!