#1
What a nightmare.
I switched on my monitor for my PC today and when it lit up there was only a black screen. I could move the cursor, but nothing else worked.... reboot.
When I restarted I got a win32 service error, couldn't find something.
Rebooted again, then the PC decided to shut itself down, saying that the Remote Procedure Call (RPC) Service had terminated unexpectedly.
Several system restores or rollbacks, I am still no further on.
My firewall, ZA, is asking if I want to allow access to the internet to msblast.exe.
I am getting very high CPU usage, up to max, 99% of which is vsmon.exe.
To add to this, I was unable to move / open / delete any files on the desktop, and search and explorer didn't work.
Anyone, get any ideas what happened - I know MS does stuff by itself sometimes.
Does anyone know what msblast.exe and vsmon.exe do?
I run XP pro and have ADSL connection and my PC is almost always on. I use Zone Alarm as a firewall and AVG anti-virus. I also write very bad php with mysql database also installed if that makes a difference.
Thanks for any advice
Jamie
#2
vsmon.exe is a component of Zone Alarm which monitors your internet traffic and generates alerts. I'm not sure what msblast.exe is, and no info on google. The RPC error could be due to a recently published exploit. If you can, be sure you have the latest service pack and security patches. If you can't fix it, you might have to reformat, then apply the patches and such.
Don't know how helpful this is, but it's all I know.
HTH
Dave
#3
It seems this RPC exploit is getting some serious attention by the folks that use such things.
From what I've heard, they tend to drop some ms*.exe file and set it to start up, and various things (most notably task manager) won't run. These .exe files suck up all the CPU usage they can (probably trying to spread themselves thru RPC) and it looks like ZA is trying to stop it (but trying very hard to eat up that much CPU time).
I'd delete msblast.exe if at all possible. Boot into safe mode to delete it if you have to. Use msconfig or startup.cpl to remove it from start up.
I'm of the opinion, if you don't know what it is, stop it from running. If your system screws up, let it back in, else, you're better off without it.
#5
|
|||
|
|||
|
msblast info
URL
I do believe it's related to this too: URL
It causes probs with MSN Messenger. Shuts your computer off just for the hell of it.. and I'm guessing it's causing even more probs. Spread the word folks lol
#7
Hi guys, thanks for the info.
When I got into work this morning, before reading any responses I had thought it was a virus. Then I checked the board again and it was confirmed.
Then I searched Google again, and lo and behold, there were news articles about it being just about to hit Europe. I wonder if I was the first.
Anyway, I have deleted the files in safe mode, tweaked the registry a bit. Installed the XP patch and am now finally able to get my virus update and do the scan. Hopefully I will be clear by tomorrow.
Jamie
PS: I am currently on a different PC
#8
|
|||
|
|||
|
My friend in London got hit yesterday too....hope you get it all cleared up.
#9
I haven't gotten it... hope I never do.
#10
I think we need a temporary sticky for this one. This keeps coming up, and probably will for the next week or two.
#11
To sum up everything for the inevitable entry of people who are too lazy to click links and Google (and, therefore, who will keep asking questions):
Quote:
To clarify... it doesn't actually shut your computer off. The MSBlast worm comes in through port 135 using a previously known vulnerability in RPC. It attempts to determine what system you are running and then tries to exploit RPC. It often results in RPC crashing, which is causing the shutdown. By default, Windoze attempts to reboot the system if RPC crashes (thus bringing RPC back to life). MSBlast, however, installs itself in the system32 directory as an autostarter and then crashes RPC again, resulting in another reboot, ad nauseam. You can stop the crashing by changing the "Action to Take" for RPC to "Take No Action" for all events (crash, etc.) but you'll still have the worm.
Once installed, the binary opens up port 4444 on your system and scans random IP addresses at port 135 looking for more vulnerable machines to propagate to, though it seems to stay in your IP block most of the time (i.e. within your ISP's block of IPs for most home users).
The bigger deal with this worm is that on August 15th at Midnight (or, the 16th, depending on how you look at it), it's going to start attacking the windowsupdate.com site in an attempt to SYN flood it (DDOS). Expect to see that start happening within 36-48 hours.
It's relatively simple to stop. In fact, in theory, if you were smart enough to turn on ICF when you set up your Internet connection in XP, you should be safe. ICF blocks incoming port 135 requests. If you don't have ICF, you just need to run a firewall that blocks ports 135, 139, and 445 (and any others you may have configured as RPC ports for whatever reason). Also, patch your damn computer. Home users have no excuses. There are reports that the patch is ineffective, but it's better than not trying it at all.
Finally, to stop the shutdowns, simply go into the command prompt (Start > Run > cmd or, on Win9x Start > Run > dosprmpt) and type 'shutdown /a'.
There are also reports that you can set the system time back an hour to delay the shutdown an hour, but I can't say for sure that that works.
Go into the system32 directory and delete 'msblast.exe' and delete the registry key 'HKLM\Software\Microsoft\Windows\Run\windows auto update'.
Any more info that I forgot or corrections welcome!
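Added example (not part of the original thread or any poster's code): a small Python check over a firewall log for the two network signs described in post #11, one source probing many different addresses on TCP 135, and any traffic to TCP 4444. The log field order, the sample lines and the threshold of 5 distinct targets are assumptions constructed for illustration.

```python
from collections import defaultdict
# Ports named in the post above: RPC entry point and the port the worm opens.
RPC_PORT, WORM_PORT = 135, 4444
SCAN_THRESHOLD = 5  # assumed cut-off: distinct targets on 135 that count as a scan

# Constructed sample log, not real traffic. Assumed field order:
# date time action protocol src-ip dst-ip src-port dst-port
SAMPLE_LOG = "\n".join(
    ["#Fields: date time action protocol src-ip dst-ip src-port dst-port"]
    # one internal host probing six different addresses on 135
    + [f"2003-08-12 09:14:{i:02d} OPEN TCP 192.168.1.20 198.51.100.{i} {3000 + i} 135"
       for i in range(1, 7)]
    + [
        # repeated RPC to a single server: one distinct target, not a scan
        "2003-08-12 09:15:02 OPEN TCP 192.168.1.30 192.168.1.5 1040 135",
        "2003-08-12 09:15:09 OPEN TCP 192.168.1.30 192.168.1.5 1041 135",
        # inbound attempt on port 4444, dropped by the firewall
        "2003-08-12 09:15:30 DROP TCP 203.0.113.9 192.168.1.20 2211 4444",
        "2003-08-12 09:15:41 OPEN TCP 192.168.1.20 192.0.2.80 3100 80",
        "2003-08-12 09:16:00 DROP ICMP 203.0.113.9 192.168.1.20 - -",
        "2003-08-12 09:16:30 DROP TCP",  # truncated line
    ]
)

def parse(log_text):
    """Yield (src, dst, dst_port) for each well-formed TCP entry."""
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < 8 or parts[3] != "TCP":
            continue
        if not parts[7].isdigit():
            continue  # "-" placeholder or garbage in the port column
        yield parts[4], parts[5], int(parts[7])

def find_indicators(log_text, threshold=SCAN_THRESHOLD):
    """Return ({scanner_ip: distinct_targets}, {(src, dst) pairs on port 4444})."""
    targets = defaultdict(set)   # src -> distinct destinations probed on 135
    backdoor = set()
    for src, dst, dport in parse(log_text):
        if dport == RPC_PORT:
            targets[src].add(dst)
        elif dport == WORM_PORT:
            backdoor.add((src, dst))
    scanners = {s: len(d) for s, d in targets.items() if len(d) >= threshold}
    return scanners, backdoor

if __name__ == "__main__":
    print(find_indicators(SAMPLE_LOG))
```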
#12
UPDATE
A variant of the worm has been released: W32.Blaster-B
Quote:
Yeah I am going to leave that last bit of the quote behind... doesn't need to be posted here.
Also a worm called W32.RpcSpybot-A has been released, takes advantage of the same RPC exploit.
Quote: