Published
By Marc Liron - Microsoft MVP In Digital Media
MSBLAST.EXE ALERT (11th August 2003)
ALL the leading antivirus software vendors have been issuing alerts
today about a Remote Procedure Call (RPC) worm which is likely to
cause large-scale infections on Windows NT4, 2000 and XP systems and
Windows 2003 servers...
It doesn't spread by email, but looks for specific open ports on
machines that haven't been patched with a Microsoft security patch
issued in July 2003 (which you can find here):
This fast-spreading worm, called WM32 Blaster/Lovsan (msblast.exe),
exploits the Remote Procedure Call (RPC)/DCOM security issue first
discovered on the 16th of July, and it has spread globally at an
alarming rate...
Many businesses, particularly in the US, have been forced to shut
down their networks while they deal with the worm!
It would appear that the msblast.exe worm is expected to attack
windowsupdate.com on the 16th of August 2003 (a distributed denial
of service attack)! Perhaps then this new worm is the work of a
Microsoft hater?
WM32 Blaster/Lovsan spreads as a 6176-byte exe file called
msblast.exe to Windows XP and 2000 systems unless the most recent
security patch dealing with the flaw it exploits is installed (which
you can find here).
The worm scans IP addresses on the Internet to find vulnerable
Windows machines and, when it finds one, copies itself onto it and
modifies the system.
The worm attacks TCP port 135 and infects the machine remotely,
without the user being aware of it... YOU may actually be infected
at the moment!
-----------------
Side Note:
The worm attempts to infect both Windows 2000 and Windows XP
systems. One of the functions used by the worm must be different for
each of these operating systems, in order for the exploit it uses to
work.
Since the worm does not know what operating system the target
machine is running, it guesses. There is an 80% chance it will
attempt to exploit Windows XP, and a 20% chance it will attempt to
exploit Windows 2000.
If the worm guesses incorrectly and the remote machine is
vulnerable, the process svchost.exe on the target machine will
crash. The system may become unstable, but the infection will fail.
When svchost.exe crashes, a message like this may appear on Windows
XP:
"Generic Host Process for Win32 Services" error report...
When svchost.exe crashes, Windows may create memory dumps of the
process. These files are usually called user.dmp, svchost.exe.hdmp,
or svchost.exe.mdmp.
Because these files contain the exploit code that caused the crash,
they may be detected as DcomRpc.exploit or MS03-026 Exploit.Trojan.
These files are harmless, and can safely be deleted.
However, the existence of these files indicates that the system is
vulnerable and may still need to be patched.
--------
Microsoft has a patch to close the hole, which you can find
here.
Please note that many users are having difficulty installing this
patch... If this happens to you, read this cryptographic service
article!
BUT first you MUST get rid of the WM32 Blaster/Lovsan worm! Symantec
has a VERY good removal tool
here ...
PLEASE read ALL of this article before doing this....
Msblast.exe Infection
I have deliberately infected a Windows XP SP1 machine this evening
(11 August 2003) that does NOT have the latest security patches on
it... (To understand the issues, first you must get infected :-( )
ALL I did to get infected was turn off my firewall software and
antivirus products! Within an hour of surfing the Net in this
vulnerable state, I was getting the following Remote Procedure Call
(RPC) display box:
I had now been hit!
As I had not invoked this service (the worm had), I was still
surprised to see that I could stop it shutting my system down by
running shutdown -a from a command prompt...
So I rebooted the PC and the Remote Procedure Call (RPC) was invoked
again by the msblast.exe worm within minutes...
This time I let it restart my system...
I then checked my registry for ANY entries the worm had made and
found this one:
The entry was a value named "windows auto update" under the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The string in this example says msblast.exe
BUT it can also say:
msblast.exe I just want to say LOVE YOU SAN!! bill
Mmmm.... not sure why!
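As an added example (not code from the original article), here is a small Python triage script that checks the two indicators described above: the "windows auto update" value under the Run key launching msblast.exe (with or without the worm's trailing message), and the svchost.exe crash-dump files from the side note, which mean the machine is unpatched rather than infected. It parses a registry export (.reg) instead of querying the registry live, and the sample export and file list are constructed.

```python
import re

# Constructed sample of a registry export (.reg) of the Run key, as it might
# look on a machine carrying the entry described in the article. Real exports
# are UTF-16 text; read them with open(path, encoding="utf-16").
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"windows auto update"="msblast.exe I just want to say LOVE YOU SAN!! bill"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Dump files left behind when the worm guesses the wrong OS and crashes
# svchost.exe: they signal "vulnerable", not "infected".
DUMP_FILES = {"user.dmp", "svchost.exe.hdmp", "svchost.exe.mdmp"}

_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def find_msblast_run_values(reg_text):
    """Return (name, data) pairs under the Run key whose data launches msblast.exe."""
    hits = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # start of a new key section
            continue
        if current_key is None or current_key.lower() != RUN_KEY.lower():
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue                           # not a REG_SZ value line
        data = m.group("data").replace("\\\\", "\\")   # undo .reg escaping
        # Only the first token is the program; the worm may append its message.
        program = data.split(" ", 1)[0].lower().rsplit("\\", 1)[-1]
        if program == "msblast.exe":
            hits.append((m.group("name"), data))
    return hits


def find_dump_files(filenames):
    """Return the dump-file names from the article that mark a failed exploit attempt."""
    return sorted({f.lower() for f in filenames if f.lower() in DUMP_FILES})


def triage(reg_text, filenames):
    """Map the two indicators onto the article's advice: remove first, then patch."""
    if find_msblast_run_values(reg_text):
        return "infected: run the removal tool, then apply MS03-026"
    if find_dump_files(filenames):
        return "not infected but vulnerable: apply MS03-026"
    return "no indicators found"
```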
How To Get Rid Of The Msblast.exe Worm
Symantec has a removal tool which is here. Download it and run
it!... (I am assuming you are not on an infected machine, as you
will not have got this far without the PC rebooting....)
Then apply the Microsoft patch to close the hole, which you can find
here.
UPDATE: I have received lots of
emails from folks who can not install this Microsoft patch due to an
error stating there is a problem with the "Cryptographic Service".
If this is the case then this article on the
cryptographic service will help you!
NOW, make sure you have a Firewall running on your system! Free ones
here.
Make sure you have an up to date antivirus product on your system
too!
Msblast.exe Comment:
This worm doesn't pose a huge risk to end users like me and you...
It is just annoying. But it does pose a great risk to Microsoft if
users do not patch their PCs prior to the 16th August. On that day
it looks like all the infected PCs will send out a distributed
denial of service attack on windowsupdate.com
I would HIGHLY recommend that if you have a firewall
installed on your PC that you follow ALL the advice contained in the
Microsoft Bulletin here. But ALSO block the following ports too:
It is worth bearing in mind that this type of worm can "evolve" over
time and that keeping your machine up to date with security patches
and installing a firewall/antivirus software is paramount!
Well, I hope this article helps.....
Pass on this page to a friend as they might ALREADY be hit by the
msblast.exe worm. (This worm is going to be a biggie.) The ONLY
reason they will know something is up is due to the fact their PC
keeps restarting after showing the Remote Procedure Call (RPC) box.
Kind Regards
Marc Liron - Microsoft Digital Media MVP