Msblast.exe Could Hit YOU!
Article by Marc Liron - Microsoft MVP (2004-2010)
MSBLAST.EXE ALERT (11th August 2003)
ALL the leading antivirus software vendors have been issuing alerts today about a Remote Procedure Call (RPC) worm which is likely to cause large-scale infections on Windows NT4, 2000 and XP systems and Windows 2003 servers...
It doesn't spread by email, but looks for specific open ports on machines that haven't had the Microsoft security patch issued in July 2003 applied (which you can find here):
This fast-spreading worm, called W32 Blaster/Lovsan (msblast.exe), exploits the Remote Procedure Call (RPC)/DCOM security issue first discovered on the 16th of July, and it has spread globally at an alarming rate...
Many businesses, particularly in the US, have been forced to shut down their networks while they deal with the worm!
It would appear that the msblast.exe worm is expected to attack windowsupdate.com on the 16th of August 2003 (a distributed denial of service attack). Perhaps then this new worm is the work of a Microsoft hater?
W32 Blaster/Lovsan spreads as a 6176-byte exe file called msblast.exe to Windows XP and 2000 systems unless the most recent security patch dealing with the flaw it exploits is installed (which you can find here).
The worm scans IP addresses on the Internet to find vulnerable Windows machines and, when it finds one, copies itself onto it and modifies the system.
The worm attacks TCP port 135 and infects the machine remotely through it, without users being aware of it... YOU may actually be infected at the moment!
The worm attempts to infect both Windows 2000 and Windows XP systems. One of the functions used by the worm must be different for each of these operating systems, in order for the exploit it uses to work.
Since the worm does not know what operating system the target machine is running, it guesses. There is an 80% chance it will attempt to exploit Windows XP, and a 20% chance it will attempt to exploit Windows 2000.
If the worm guesses incorrectly and the remote machine is vulnerable, the process svchost.exe on the target machine will crash. The system may become unstable, but the infection will fail.
When svchost.exe crashes, a message like this may appear on Windows XP:
"Generic Host Process for Win32 Services" error report...
When svchost.exe crashes, Windows may create memory dumps of the process. These files are usually called user.dmp, svchost.exe.hdmp, or svchost.exe.mdmp.
Because these files contain the exploit code that caused the crash, they may be detected as DcomRpc.exploit or MS03-026 Exploit.Trojan. These files are harmless, and can safely be deleted.
However, the existence of these files indicates that the system is vulnerable and may still need to be patched.
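As an added example (not code from this article, nor from Symantec or Microsoft), here is a small Python triage script built on the two tell-tale signs just described: the svchost.exe crash dumps, which mean the machine is vulnerable but the infection may have failed, and the "windows auto update" registry value that launches msblast.exe, which means it succeeded. It reads the registry from an exported .reg text so it runs offline on any system; the exports and dump files it checks are constructed samples, and it assumes the value lives under the standard per-machine Run key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), which this article only shows in truncated form.

```python
"""Offline triage for the two indicators described above (added example).

A crash dump left by svchost.exe (user.dmp, svchost.exe.hdmp or
svchost.exe.mdmp) means the host is vulnerable but the infection may have
failed; a Run-key value named "windows auto update" that launches
msblast.exe means it succeeded. The registry is read from exported .reg
text so the check runs on any platform; the exports below are constructed.
"""
import re
from pathlib import Path
from tempfile import TemporaryDirectory

DUMP_NAMES = {"user.dmp", "svchost.exe.hdmp", "svchost.exe.mdmp"}
WORM_VALUE_NAME = "windows auto update"      # value name the worm creates
WORM_IMAGE = "msblast.exe"
# One "name"="data" line as written by regedit's export format.
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def find_dump_files(directory):
    """Return the svchost crash-dump file names present in `directory`."""
    return sorted(p.name for p in Path(directory).iterdir()
                  if p.is_file() and p.name.lower() in DUMP_NAMES)


def find_worm_run_value(reg_text):
    """Return the data of the worm's Run value from exported .reg text, or None."""
    for line in reg_text.splitlines():
        m = REG_VALUE.match(line.strip())
        if (m and m.group("name").lower() == WORM_VALUE_NAME
                and WORM_IMAGE in m.group("data").lower()):
            return m.group("data")
    return None


def triage(dump_dir, reg_text):
    """Classify a host as 'infected', 'vulnerable' (crashed, not infected) or 'clean'."""
    run_value = find_worm_run_value(reg_text)
    dumps = find_dump_files(dump_dir)
    if run_value is not None:
        verdict = "infected"           # worm persists via the Run key
    elif dumps:
        verdict = "vulnerable"         # exploit crashed svchost.exe: patch needed
    else:
        verdict = "clean"
    return verdict, {"run_value": run_value, "dumps": dumps}


# Constructed .reg exports. The key path is an assumption: the article shows
# only the value name, and this is the standard per-machine Run key.
REG_HEADER = ('Windows Registry Editor Version 5.00\n\n'
              '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n')
SAMPLE_REG_CLEAN = REG_HEADER + '"ctfmon.exe"="C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe"\n'
SAMPLE_REG_INFECTED = (SAMPLE_REG_CLEAN +
    '"windows auto update"="msblast.exe I just want to say LOVE YOU SAN!! bill"\n')


def demo():
    """Run the triage over three constructed situations; returns the verdicts."""
    verdicts = {}
    with TemporaryDirectory() as tmp:
        verdicts["clean"] = triage(tmp, SAMPLE_REG_CLEAN)[0]
        for name in ("user.dmp", "svchost.exe.mdmp"):
            (Path(tmp) / name).write_bytes(b"")   # stand-in dump files
        verdicts["crashed"] = triage(tmp, SAMPLE_REG_CLEAN)[0]
        verdicts["persisted"] = triage(tmp, SAMPLE_REG_INFECTED)[0]
    return verdicts


if __name__ == "__main__":
    for situation, verdict in demo().items():
        print(f"{situation}: {verdict}")
```

On a real machine you would point `find_dump_files` at the folder where the dumps were reported and feed `find_worm_run_value` a file saved from regedit's Export command; the point of the two-way verdict is that a "vulnerable" host still needs the patch even after the dumps are deleted.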
Microsoft has a patch to close the hole, which you can find here. Please note that many users are having difficulty installing this patch... If this happens to you, read this cryptographic service article!
BUT first you MUST get rid of the W32 Blaster/Lovsan worm! Symantec has a VERY good removal tool here...
PLEASE read ALL of this article before doing this....
I have deliberately infected a Windows XP SP1 machine this evening (11 August 2003) that does NOT have the latest security patches on it... (To understand the issues, first you must get infected :-( )
ALL I did to get infected was turn off my firewall software and antivirus products! Within an hour of surfing the Net, in this vulnerable state, I was getting the following Remote Procedure Call (RPC) display box:
I had now been hit!
As I had not invoked this service, but rather the worm, I was still surprised to see that I could stop it shutting my system down using
from a command prompt...
So I rebooted the PC and the Remote Procedure Call (RPC) was invoked again by the msblast.exe worm within minutes...
This time I let it restart my system...
I then checked my registry for ANY entries the worm had made and found this one:
The Key was:
\windows auto update
The string in this example says msblast.exe
BUT it can also say:
msblast.exe I just want to say LOVE YOU SAN!! bill
Mmmm.... not sure why!
How To Get Rid Of The Msblast.exe Worm
Symantec have a removal tool which is here. Download it and run it!... (I am assuming you are not on an infected machine, as you will not have got this far without the PC rebooting....)
Then apply the Microsoft patch to close the hole, which you can find here.
UPDATE: I have received lots of emails from folks who can not install this Microsoft patch due to an error stating there is a problem with the "Cryptographic Service". If this is the case then this article on the cryptographic service will help you!
NOW, make sure you have a Firewall running on your system! Free ones here.
Make sure you have an up to date antivirus product on your system too!
This worm doesn't pose a huge risk to end users like you and me... It is just annoying. But it does pose a great risk to Microsoft if users do not patch their PCs prior to the 16th August. On that day it looks like all the infected PCs will send out a distributed denial of service attack on windowsupdate.com.
I would HIGHLY recommend that, if you have a firewall installed on your PC, you follow ALL the advice contained in the Microsoft Bulletin here. But ALSO block the following ports too:
It is worth bearing in mind that this type of worm can "evolve" over time and that keeping your machine up to date with security patches and installing a firewall/antivirus software is paramount!
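Added example (not from this article): since the worm's scanning shows up on a logging firewall as a burst of inbound connection attempts to TCP port 135, here is a Python script that reads firewall log lines and flags sources hitting port 135 repeatedly, plus any port-135 connection the firewall allowed through (a sign the port was not actually blocked). The log layout (date time action protocol src-ip dst-ip src-port dst-port), the action names treated as "allowed", and the log lines themselves are constructed for the example; adjust the parser to your own firewall's field order.

```python
"""Flag Blaster-style probing of TCP/135 in firewall log lines (added example).

The worm finds victims by scanning addresses and connecting to TCP port 135,
so a firewall that logs inbound packets records each probe. This script
parses a constructed W3C-style log (date time action protocol src-ip dst-ip
src-port dst-port), reports sources that hit port 135 repeatedly within a
short window, and lists any port-135 connection the firewall allowed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WORM_PORT = 135
SCAN_THRESHOLD = 5                 # probes from one source ...
WINDOW = timedelta(seconds=60)     # ... within this span count as a scan
ALLOWED_ACTIONS = {"OPEN", "ALLOW", "ACCEPT"}   # assumed "let through" actions


def parse_line(line):
    """Turn one log line into a dict; comments, blanks and short lines give None."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) < 8:
        return None
    date, time, action, proto, src, dst, _sport, dport = parts[:8]
    return {
        "time": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "action": action.upper(),
        "proto": proto.upper(),
        "src": src,
        "dst": dst,
        "dport": int(dport),
    }


def port135_records(lines):
    """Yield parsed records for TCP traffic aimed at port 135."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == WORM_PORT:
            yield rec


def find_scanners(lines, threshold=SCAN_THRESHOLD, window=WINDOW):
    """Return {src_ip: total_probes} for sources with `threshold` or more
    TCP/135 probes inside any `window`-long span (sliding window)."""
    per_src = defaultdict(list)
    for rec in port135_records(lines):
        per_src[rec["src"]].append(rec["time"])
    scanners = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop probes older than the window
                start += 1
            if end - start + 1 >= threshold:
                scanners[src] = len(times)
                break
    return scanners


def find_allowed_135(lines):
    """Return (src, dst) pairs for TCP/135 connections the firewall let through."""
    return [(rec["src"], rec["dst"]) for rec in port135_records(lines)
            if rec["action"] in ALLOWED_ACTIONS]


# Constructed log: one source probes port 135 six times in ten seconds and
# the last attempt is allowed; the other entries are ordinary noise.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2003-08-11 21:14:02 DROP TCP 198.51.100.23 192.0.2.10 1034 135
2003-08-11 21:14:03 DROP TCP 198.51.100.23 192.0.2.10 1035 135
2003-08-11 21:14:05 DROP TCP 198.51.100.23 192.0.2.10 1036 135
2003-08-11 21:14:08 DROP TCP 198.51.100.23 192.0.2.10 1037 135
2003-08-11 21:14:10 DROP TCP 198.51.100.23 192.0.2.10 1038 135
2003-08-11 21:14:12 OPEN TCP 198.51.100.23 192.0.2.10 1039 135
2003-08-11 21:15:40 DROP TCP 203.0.113.8 192.0.2.10 3321 135
2003-08-11 21:16:01 DROP UDP 203.0.113.9 192.0.2.10 4100 137
2003-08-11 21:17:22 DROP TCP 203.0.113.8 192.0.2.10 3322 80
"""


def report(lines):
    """Summarise scanners and allowed port-135 connections for the log."""
    return {"scanners": find_scanners(lines), "allowed": find_allowed_135(lines)}


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

A single probe from an address (203.0.113.8 in the sample) is background noise on any Internet-facing machine; a run of them inside a minute is the worm's scanner, and any "allowed" entry on port 135 means the firewall rule the bulletin asks for is not in place.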
Pass on this page to a friend as they might ALREADY be hit by the msblast.exe worm. (This worm is going to be a biggie.) The ONLY reason they will know something is up is due to the fact their PC keeps restarting after showing the Remote Procedure Call (RPC) box.