+- VadaVaka (https://vadavaka.com/forums)
+-- Forum: General Forums (https://vadavaka.com/forums/forumdisplay.php?fid=5)
+--- Forum: General Stuff (https://vadavaka.com/forums/forumdisplay.php?fid=38)
+--- Thread: Fix for reboot worm (/showthread.php?tid=564)
Fix for reboot worm - Gwarsbane - 08-12-2003
There is a worm going around at the moment that is pretty annoying. It does a popup box that give you 1 minute to close down all your stuff you are working on and then it will reboot. Well it will reboot after that 60 seconds even if you don't have everything closed down and/or saved. So like me you are in a mad rush to close down 15 different windows and make sure everything is saved before it reboots on you.
We have found a cure for it and a way to protect against it...
Win32 Blaster Worm security update and cleaner (Thank you Google.com and Slashdot.org for having the information)
Follow the instructions found on the page. Install the update first and then run the cleaner.
It infects Win NT4/Win 2000/WinXP If you have any of those operation systems you should install this patch. Please pass along all this information so that we can kill this worm before it spreads more.
Fix for reboot worm - PIX - 08-12-2003
Don't patch this fix if you have a firewall blocking port 135 to the outside. Here is the tech info.
Block Port 135 at your firewall. Port 135 is used to initiate an RPC connection with the RPC Endpoint Mapper service. Blocking Port 135 at the firewall will prevent systems behind that firewall from being attacked by attempts to exploit this vulnerability. However to ensure that those systems cannot be attacked by systems behind the firewall, you should still consider applying the patch.
GRITS just patched hers at work and it seems to have messed up a few things. She didn't know that her work was probably firewalled against this exploit already. If you dont have a firewall at home...by all means do this....best thing is to get a firewall.....haxors love you windows people with broadband out there wide open.
Fix for reboot worm - brokend - 08-12-2003
SO.
there is a curse that comes with broadband, eh?
i guess i must be safe, then ;)
Fix for reboot worm - Power and Glory - 08-12-2003
I always make sure to use Windows Update when they release critical updates. They had the patch for this a month ago.
Fix for reboot worm - _Acid_Head_ - 08-12-2003
Just get a hardware firewall/gateway/router like I did, little chance of a hacker/worm getting in.
Fix for reboot worm - Guest - 08-13-2003
Power and Glory,Aug 13 2003, 02:32 AM Wrote:I always make sure to use Windows Update when they release critical updates. They had the patch for this a month ago.They might have, but there were still issues with the so called patch. Someone I knew used to have broadband without a firewall... so I suggested they try it with the desktop popup's for reporting on so they can see what's happening... they got a bit of a shock.:)
Fix for reboot worm - _Acid_Head_ - 08-13-2003
Yeah, a lot of people are saying their comps still get the message box to reboot, even after patching, there's a manual way to get rid of the virus, I forget where I read about it, if anybody still has a problem after patching, I can dig up a link for you.
Fix for reboot worm - Power and Glory - 08-13-2003
I have a firewall aswell. I never said I didn't. I never had 1 virus or any other bug all the years I've owned a computer (knock on wood). There are alot of people who ignore those Critical Updates from Microsoft for whatever reason. From what I have been reading those people seem to be the ones that are having the most problems with this worm.
Fix for reboot worm - kermit - 08-13-2003
Quote:SO.actually my friend has dialup and he got this virus. compUSA is charging for a fix (some cd or something). i told him not to pay their 'extortion' and i'm going to help him fix it sometime tomorrow. he's not a big computer user like me, so he can go a while before he needs to use his comp.
there is a curse that comes with broadband, eh?
i guess i must be safe, then
Fix for reboot worm - kermit - 08-13-2003
what are these ports you speak of PIX and how can i analyze them as to wether they are 'open' or not? i have a linksys router...but i don't think it does anything...it's just really to connect the computers in my house together on a cable lan of sorts (5-port workgroup switch). isss it a router? i mean it's routing shit in a way. i'm not playing stupid...i don't understand internet/network technology. how/where can i learn so i can have an intelligent conversation on the matter w/ someone like PIX or netniv?
Fix for reboot worm - PIX - 08-13-2003
The port to block is port 135 which is Microsoft's RPC Endpoint Mapper port. It is used for Microsoft for RPC locator service.
Here is a quote I found on it:
Quote:Windows Remote Procedure Call (RPC) and Distributed COM (DCOM)
In some cases, Microsoft uses port 135 as an RPC Endpoint Mapper. Runs as RPCSS on (some versions of?) Windows. This is a sort of "RPC directory" service which can be used to lookup what ports other services are running on. For some additional information, see Windows 2000 Network Architecture: Remote Procedure Call and NT Gatekeeper: RPC and Firewall Configuration.
MS-RPC on port 135 is required for some Exchange Server and Active Directory communications. See e.g. TCP Ports and Microsoft Exchange: In-depth Discussion and Restricting Active Directory Replication Traffic to a Specific Port.
However this port also poses a security risk, as indicated in the NET SEND section of my broadband security page.
This is a common port that someone who has a broadband connection and Windows wide open to the internet. When port scanned, the scanner will see 135 as an open port and know that this is a Windows shitbox. He can then pull out his Window's hax and try his best to visit you with chaos.
Quote:Sites are encouraged to block network access to the RPC service at network borders. This can minimize the potential of denial-of-service attacks originating from outside the perimeter." However, be aware that the indicated TCP/IP ports also have legitimate uses in Microsoft Windows, such as connecting to Exchange email servers and for file and printer sharing
Here are some of the things Microsoft says to do:
Quote:Make sure you have a firewall installed and activated to help protect your computer against infection, before you take other steps. If your computer has been infected, activating firewall software will help limit the effects of the worm on your computer.
Quote:Download and install the security update addressed in Security Bulletin MS03-026 for the version of Windows that you are using from the Microsoft Download Center.
Quote:Make sure you install and use antivirus software.
If you have antivirus software installed, get the latest virus definitions from your antivirus vendor's Web site.
Quote:If you think your computer has been infected, use the worm removal tool available at your antivirus vendor's Web site.
Fix for reboot worm - Guest - 08-14-2003
I'd like to go a step further and suggest ports 139 and 445 should also be blocked ... These are microsoft networking ports and should only really be used internally to your lan/machine.
Quote:CERT Advisory CA-2003-20 W32/Blaster worm
Original issue date: August 11, 2003
Last revised: --
Source: CERT/CC
A complete revision history is at the end of this file.
Systems Affected
* Microsoft Windows NT 4.0
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003
Overview
The CERT/CC is receiving reports of widespread activity related to a
new piece of malicious code known as W32/Blaster. This worm appears to
exploit known vulnerabilities in the Microsoft Remote Procedure Call
(RPC) Interface.
I. Description
The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC
interface as described in VU#568148 and CA-2003-16. Upon successful
execution, the worm attempts to retrieve a copy of the file
msblast.exe from the compromising host. Once this file is retrieved,
the compromised system then runs it and begins scanning for other
vulnerable systems to compromise in the same manner. In the course of
propagation, a TCP session to port 135 is used to execute the attack.
However, access to TCP ports 139 and 445 may also provide attack
vectors and should be considered when applying mitigation strategies.
Microsoft has published information about this vulnerability in
Microsoft Security Bulletin MS03-026.
Lab testing has confirmed that the worm includes the ability to launch
a TCP SYN flood denial-of-service attack against windowsupdate.com. We
are investigating the conditions under which this attack might
manifest itself. Unusual or unexpected traffic to windowsupdate.com
may indicate an infection on your network, so you may wish to monitor
network traffic.
Sites that do not use windowsupdate.com to manage patches may wish to
block outbound traffic to windowsupdate.com. In practice, this may be
difficult to achieve, since windowsupdate.com may not resolve to the
same address every time. Correctly blocking traffic to
windowsupdate.com will require detailed understanding of your network
routing architecture, system management needs, and name resolution
environment. You should not block traffic to windowsupdate.com without
a thorough understanding of your operational needs.
We have been in contact with Microsoft regarding this possibility of
this denial-of-service attack.
Fix for reboot worm - PIX - 08-15-2003
Christ...they are also saying tcp port 4444 and UDP 69 (TFTP). Just make sure
all of your ports are closed or stealthed. Then you are safe regardless.
Here is another post from Symantec for what's suppose to happen on the 16th.
Quote:The following are recommendations for mitigating the Denial of Service payload which is set to activate on 8/16.
Internal DNS-spoofing of windowsupdate.com to a special ip-address. This will alert you to infected machines if you have a 'listening server' catching the syn flood. Reroute windowsupdate.com to the IP address of an internal machine with port 80 firewalled will help to avoid ACKs, RSTs, and ICMP unreachable's.
Reroute windowsupdate.com to 127.0.0.1. This may result in lots of RSTs on your network (Windows may send RSTs from 127.0.0.1 to the spoofed addresses)
If your DNS server allows, reroute windowsupdate.com to the IP 0.0.0.0.
Configuration of anti-spoofing-rules on routers if not already implemented. This will prevent a high percentage of packets leaving the network. Using uRPF or egress ACLs will be highly effective.