Posts: 2,453 | Threads: 614 | Joined: Jan 2003 | Reputation: 0
There is a worm going around at the moment that is pretty annoying. It does a popup box that gives you 1 minute to close down all your stuff you are working on and then it will reboot. Well, it will reboot after that 60 seconds even if you don't have everything closed down and/or saved. So like me you are in a mad rush to close down 15 different windows and make sure everything is saved before it reboots on you.
We have found a cure for it and a way to protect against it...
Win32 Blaster Worm security update and cleaner (Thank you Google.com and Slashdot.org for having the information)
Follow the instructions found on the page. Install the update first and then run the cleaner.
It infects Win NT4/Win 2000/WinXP. If you have any of those operating systems you should install this patch. Please pass along all this information so that we can kill this worm before it spreads more.
Posts: 1,116 | Threads: 91 | Joined: Feb 2003 | Reputation: 0
Don't patch this fix if you have a firewall blocking port 135 to the outside. Here is the tech info.
Block Port 135 at your firewall. Port 135 is used to initiate an RPC connection with the RPC Endpoint Mapper service. Blocking Port 135 at the firewall will prevent systems behind that firewall from being attacked by attempts to exploit this vulnerability. However to ensure that those systems cannot be attacked by systems behind the firewall, you should still consider applying the patch.
GRITS just patched hers at work and it seems to have messed up a few things. She didn't know that her work was probably firewalled against this exploit already. If you don't have a firewall at home... by all means do this... best thing is to get a firewall... haxors love you Windows people with broadband out there wide open.
Posts: 371 | Threads: 24 | Joined: Mar 2003 | Reputation: 0
SO.
there is a curse that comes with broadband, eh?
i guess i must be safe, then ;)
Posts: 1,767 | Threads: 168 | Joined: Jan 2003 | Reputation: 0
I always make sure to use Windows Update when they release critical updates. They had the patch for this a month ago.
Posts: 1,306 | Threads: 86 | Joined: Mar 2003 | Reputation: 0
Just get a hardware firewall/gateway/router like I did, little chance of a hacker/worm getting in.
Power and Glory, Aug 13 2003, 02:32 AM wrote:
Quote: I always make sure to use Windows Update when they release critical updates. They had the patch for this a month ago.
They might have, but there were still issues with the so-called patch. Someone I knew used to have broadband without a firewall... so I suggested they try it with the desktop popups for reporting on so they can see what's happening... they got a bit of a shock. :)
Posts: 1,306 | Threads: 86 | Joined: Mar 2003 | Reputation: 0
Yeah, a lot of people are saying their comps still get the message box to reboot, even after patching. There's a manual way to get rid of the virus; I forget where I read about it. If anybody still has a problem after patching, I can dig up a link for you.
Posts: 1,767 | Threads: 168 | Joined: Jan 2003 | Reputation: 0
I have a firewall as well. I never said I didn't. I never had 1 virus or any other bug all the years I've owned a computer (knock on wood). There are a lot of people who ignore those Critical Updates from Microsoft for whatever reason. From what I have been reading, those people seem to be the ones that are having the most problems with this worm.
Posts: 758 | Threads: 46 | Joined: Feb 2003 | Reputation: 0
Quote:SO.
there is a curse that comes with broadband, eh?
i guess i must be safe, then
actually my friend has dialup and he got this virus. CompUSA is charging for a fix (some cd or something). i told him not to pay their 'extortion' and i'm going to help him fix it sometime tomorrow. he's not a big computer user like me, so he can go a while before he needs to use his comp.
Posts: 758 | Threads: 46 | Joined: Feb 2003 | Reputation: 0
what are these ports you speak of PIX and how can i analyze them as to whether they are 'open' or not? i have a linksys router... but i don't think it does anything... it's just really to connect the computers in my house together on a cable lan of sorts (5-port workgroup switch). isss it a router? i mean it's routing shit in a way. i'm not playing stupid... i don't understand internet/network technology. how/where can i learn so i can have an intelligent conversation on the matter w/ someone like PIX or netniv?
Posts: 1,116 | Threads: 91 | Joined: Feb 2003 | Reputation: 0
The port to block is port 135, which is Microsoft's RPC Endpoint Mapper port. It is used by Microsoft for the RPC locator service.
Here is a quote I found on it:
Quote:Windows Remote Procedure Call (RPC) and Distributed COM (DCOM)
In some cases, Microsoft uses port 135 as an RPC Endpoint Mapper. Runs as RPCSS on (some versions of?) Windows. This is a sort of "RPC directory" service which can be used to lookup what ports other services are running on. For some additional information, see Windows 2000 Network Architecture: Remote Procedure Call and NT Gatekeeper: RPC and Firewall Configuration.
MS-RPC on port 135 is required for some Exchange Server and Active Directory communications. See e.g. TCP Ports and Microsoft Exchange: In-depth Discussion and Restricting Active Directory Replication Traffic to a Specific Port.
However this port also poses a security risk, as indicated in the NET SEND section of my broadband security page.
This is a common open port for someone who has a broadband connection and Windows wide open to the internet. When port scanned, the scanner will see 135 as an open port and know that this is a Windows shitbox. He can then pull out his Windows hax and try his best to visit you with chaos.
Quote: Sites are encouraged to block network access to the RPC service at network borders. This can minimize the potential of denial-of-service attacks originating from outside the perimeter. However, be aware that the indicated TCP/IP ports also have legitimate uses in Microsoft Windows, such as connecting to Exchange email servers and for file and printer sharing.
Here are some of the things Microsoft says to do:
Quote:Make sure you have a firewall installed and activated to help protect your computer against infection, before you take other steps. If your computer has been infected, activating firewall software will help limit the effects of the worm on your computer.
Quote:Download and install the security update addressed in Security Bulletin MS03-026 for the version of Windows that you are using from the Microsoft Download Center.
Quote:Make sure you install and use antivirus software.
If you have antivirus software installed, get the latest virus definitions from your antivirus vendor's Web site.
Quote:If you think your computer has been infected, use the worm removal tool available at your antivirus vendor's Web site.
I'd like to go a step further and suggest ports 139 and 445 should also be blocked... These are Microsoft networking ports and should only really be used internally to your LAN/machine.
Quote:CERT Advisory CA-2003-20 W32/Blaster worm
Original issue date: August 11, 2003
Last revised: --
Source: CERT/CC
A complete revision history is at the end of this file.
Systems Affected
* Microsoft Windows NT 4.0
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003
Overview
The CERT/CC is receiving reports of widespread activity related to a new piece of malicious code known as W32/Blaster. This worm appears to exploit known vulnerabilities in the Microsoft Remote Procedure Call (RPC) Interface.
I. Description
The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC interface as described in VU#568148 and CA-2003-16. Upon successful execution, the worm attempts to retrieve a copy of the file msblast.exe from the compromising host. Once this file is retrieved, the compromised system then runs it and begins scanning for other vulnerable systems to compromise in the same manner. In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies. Microsoft has published information about this vulnerability in Microsoft Security Bulletin MS03-026.
Lab testing has confirmed that the worm includes the ability to launch a TCP SYN flood denial-of-service attack against windowsupdate.com. We are investigating the conditions under which this attack might manifest itself. Unusual or unexpected traffic to windowsupdate.com may indicate an infection on your network, so you may wish to monitor network traffic.
Sites that do not use windowsupdate.com to manage patches may wish to block outbound traffic to windowsupdate.com. In practice, this may be difficult to achieve, since windowsupdate.com may not resolve to the same address every time. Correctly blocking traffic to windowsupdate.com will require detailed understanding of your network routing architecture, system management needs, and name resolution environment. You should not block traffic to windowsupdate.com without a thorough understanding of your operational needs.
We have been in contact with Microsoft regarding this possibility of this denial-of-service attack.
Posts: 1,116 | Threads: 91 | Joined: Feb 2003 | Reputation: 0
Christ... they are also saying TCP port 4444 and UDP 69 (TFTP). Just make sure all of your ports are closed or stealthed. Then you are safe regardless.
Here is another post from Symantec for what's supposed to happen on the 16th.
Quote: The following are recommendations for mitigating the Denial of Service payload which is set to activate on 8/16.
* Internal DNS spoofing of windowsupdate.com to a special IP address. This will alert you to infected machines if you have a 'listening server' catching the SYN flood. Rerouting windowsupdate.com to the IP address of an internal machine with port 80 firewalled will help to avoid ACKs, RSTs, and ICMP unreachables.
* Reroute windowsupdate.com to 127.0.0.1. This may result in lots of RSTs on your network (Windows may send RSTs from 127.0.0.1 to the spoofed addresses).
* If your DNS server allows, reroute windowsupdate.com to the IP 0.0.0.0.
* Configuration of anti-spoofing rules on routers if not already implemented. This will prevent a high percentage of packets leaving the network. Using uRPF or egress ACLs will be highly effective.
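Putting the CERT description of the worm's traffic and the Symantec sinkhole advice together, here is an added example (mine, not from this thread, CERT or Symantec) of how a defender could spot both from flow or firewall logs; the log format, the sinkhole address 10.0.0.250, the thresholds and all sample records are assumptions.

```python
# Added example (not from the thread): a defender-side detector over constructed
# flow-log lines. It flags the chain CERT describes (TCP 135, then TCP 4444 and
# UDP 69/TFTP between the same two hosts), hosts sweeping many targets on TCP
# 135, and hosts SYN-flooding the windowsupdate.com sinkhole from the Symantec note.
from collections import defaultdict

SINKHOLE = "10.0.0.250"  # assumed internal sinkhole for windowsupdate.com
SCAN_THRESHOLD = 5       # distinct TCP/135 targets before calling a host a scanner
SYN_THRESHOLD = 20       # SYNs to the sinkhole before flagging the DoS payload

def parse(line):
    # Constructed format: "<time> <proto> <src>:<port> -> <dst>:<port> <flags>"
    ts, proto, src, _, dst, flags = line.split()
    sip, _ = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return proto, sip, dip, int(dport), flags

def analyse(lines):
    stages = defaultdict(set)         # unordered host pair -> chain stages seen
    scan_targets = defaultdict(set)   # source -> distinct hosts probed on 135
    syn_to_sinkhole = defaultdict(int)
    alerts = []
    for line in lines:
        proto, sip, dip, dport, flags = parse(line)
        pair = frozenset((sip, dip))
        if proto == "tcp" and dport == 135:
            stages[pair].add("rpc135")
            scan_targets[sip].add(dip)
            if len(scan_targets[sip]) == SCAN_THRESHOLD:
                alerts.append(f"{sip} sweeping TCP/135 ({SCAN_THRESHOLD} hosts)")
        elif proto == "tcp" and dport == 4444 and "rpc135" in stages[pair]:
            stages[pair].add("shell4444")
        elif proto == "udp" and dport == 69 and "shell4444" in stages[pair]:
            if "tftp69" not in stages[pair]:   # report each pair once
                stages[pair].add("tftp69")
                alerts.append(f"Blaster-style infection chain {sip} <-> {dip}")
        elif proto == "tcp" and dip == SINKHOLE and dport == 80 and "S" in flags:
            syn_to_sinkhole[sip] += 1
            if syn_to_sinkhole[sip] == SYN_THRESHOLD:
                alerts.append(f"{sip} SYN-flooding windowsupdate sinkhole")
    return alerts

SAMPLE = [  # constructed records: one infection, one 135 sweep, one SYN flood
    "12:00:01 tcp 192.168.1.20:1234 -> 192.168.1.50:135 S",
    "12:00:02 tcp 192.168.1.20:1235 -> 192.168.1.50:4444 S",
    "12:00:03 udp 192.168.1.50:1036 -> 192.168.1.20:69 -",
] + [f"12:01:{i:02d} tcp 192.168.1.50:20{i:02d} -> 10.1.2.{i}:135 S" for i in range(1, 7)] \
  + [f"12:02:{i:02d} tcp 192.168.1.50:30{i:02d} -> 10.0.0.250:80 S" for i in range(25)]
```

analyse(SAMPLE) returns three alerts in the order they trigger; a 4444 or TFTP flow with no preceding 135 session on the same pair is ignored, so to run it on real logs only the one split line in parse() needs changing.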