The Shed is going Social! Join us on FaceBook and Twitter and chime in on the conversation.
|
 |
|
Dev Shed Forums
> System Administration
> Antivirus Protection
|
w32.blaster.worm aka. My XP(pro) has been hijacked
Discuss w32.blaster.worm aka. My XP(pro) has been hijacked in the Antivirus Protection forum on Dev Shed. w32.blaster.worm aka. My XP(pro) has been hijacked Antivirus Protection forum discussing issues relating to antivirus programs, spyware, hijack protection, and personal firewalls for all operating systems. Keep your systems protected from hackers and other hazards.
|
|
 |
|
|
|
|
|

Dev Shed Forums Sponsor:
|
|
|

August 11th, 2003, 02:55 PM
|
 |
Retired
|
|
Join Date: Feb 2002
Location: Finland
|
|
My XP(pro) has been hijacked
What a nightmare.
I switched on my monitor for my PC today and when it lit up there was only a black screen. I could move the cursor, but nothing else worked.... reboot
When I restarted I got a win32 service error, couldn't find something
Rebooted again, then the PC decided to shut itself down, saying that the Remote Procedure Call (RPC) Service, had terminated unexpectedly.
Several system restores or rollbacks, I am still no further on.
My firewall, ZA, is asking if I want to allow access to the internet to msblast.exe
I am getting very high CPU usage, up to max, 99% of which is vsmon.exe
To add to this, I was unable to move / open / delete any files on the desktop, and search and explorer didn't work
Anyone, get any ideas what happened - I know MS does stuff by itself sometimes
Does anyone know what msblast.exe and vsmon.exe do?
I run XP pro and have ADSL connection and my PC is almost always on. I use Zone Alarm as a firewall and AVG anti-virus.
I also write very bad  php with mysql database also installed if that makes a difference.
Thanks for any advice
Jamie
__________________
Cheers,
Jamie
>_ skiFFie ? | Twitter
__________________
Let the might of your compassion arise to bring a quick end
to the flowing stream of the blood and tears .....
Please hear my anguished words of truth.
__________________
|

August 11th, 2003, 03:09 PM
|
 |
Just another guy
|
|
Join Date: Jun 2003
Location: Wisconsin
|
|
|
vsmon.exe is a component of Zone Alarm which monitors your internet traffic and generates alerts. I'm not sure what msblast.exe is, and no info on google. The RPC error could be due to a recently published exploit. If you can, be sure you have the latest service pack and security patches. If you can't fix it, you might have to reformat, then apply the patches and such.
Don't know how helpful this is, but it's all I know.
HTH
Dave
|

August 11th, 2003, 04:17 PM
|
 |
Perl Monkey
|
|
Join Date: May 2003
Location: the far end of town where the Grickle-grass grows
|
|
|
It seems this RPC exploit is getting some serious attention by the folks that use such things.
From what I've heard, they tend to drop some ms*.exe file and set it to startup, and various things (most notably task manager) won't run. These .exe files suck up all the CPU usage they can (probably trying to spread themselves thru RPC) and it looks like ZA is trying to stop it (but trying very hard to eat up that much cpu time). I'd delete msblast.exe if at all possible. Boot into safe mode to delete it if you have to. Use msconfig or startup.cpl to remove it from start up.
I'm of the opinion, if you don't know what it is, stop it from running. If you system screws up, let it back in, else, you're better off without it.
|

August 11th, 2003, 04:46 PM
|
 |
Banned ;)
|
|
Join Date: Nov 2001
Location: Woodland Hills, Los Angeles County, California, USA
|
|
|
__________________
Up the Irons
What Would Jimi Do? Smash amps. Burn guitar. Take the groupies home.
"Death Before Dishonour, my Friends!!" - Bruce D ickinson, Iron Maiden Aug 20, 2005 @ OzzFest
Down with Sharon Osbourne
|

August 12th, 2003, 12:03 AM
|
|
Junior Member
|
|
Join Date: Aug 2003
Posts: 1
Time spent in forums: < 1 sec
Reputation Power: 0
|
|
|
msblast info
URL
I do believe its related to this too:
URL
it causes probs with msn messanger. shuts your computer off just for the hell of it.. and i'm guessing its causing even more probs.
spread the word folks
lol
|

August 12th, 2003, 02:51 PM
|
 |
echo $usertitle['computer'];
|
|
Join Date: Jan 2003
Location: UK
|
|
|

August 12th, 2003, 03:44 PM
|
 |
Retired
|
|
Join Date: Feb 2002
Location: Finland
|
|
Damn and blast(er)
Hi guys, thanks for the info.
When I got into work this morning, before reading any responses I had thought it was a virus. Then I checked the board again and it was confirmed
Then I searched google again, and lo and behold, there were news articles about it being just about to hit Europe.
I wonder if I was the first
Anyway, I have deleted the files in safe mode, tweaked the registery a bit. Installed the XP patch and am now finally able to get my virus update and do the scan.
Hopefully I will be clear by tomorrow
Jamie
PS: I am currently on a different PC 
|

August 12th, 2003, 05:28 PM
|
|
i'm nothing
|
|
Join Date: Aug 2003
Posts: 70
Time spent in forums: 1 m 44 sec
Reputation Power: 10
|
|
My friend in London got hit yesterday too....hope you get it all cleared up. 
|

August 12th, 2003, 10:20 PM
|
 |
Contributing User
|
|
Join Date: Apr 2003
Location: 127.0.0.1
Posts: 448
  
Time spent in forums: 3 h 9 m 25 sec
Reputation Power: 12
|
|
|
i havnt gotten it,... hope i never do.
|

August 13th, 2003, 01:24 PM
|
 |
Perl Monkey
|
|
Join Date: May 2003
Location: the far end of town where the Grickle-grass grows
|
|
|
I think we need a temporary sticky for this one. This keeps coming up, and probably will for the next week or two.
|

August 13th, 2003, 03:07 PM
|
 |
An Ominous Coward
|
|
|
|
To sum up everything for the inevitable entry of people who are too lazy to click links and Google (and, therefore, who will keep asking questions):
Quote: | shuts your computer off just for the hell of it |
To clarify... it doesn't actually shut your computer off. The MSBlast worm comes in through port 135 using a previously known vulnerability in RPC. It attempts to determine what system you are running and then tries to exploit RPC. It often results in RPC crashing which is causing the shutdown. By default, Windoze attempts to reboot the system if RPC crashes (thus bringing RPC back to life). MSBlast, however, installs itself in the system32 directory as an autostarter and then crashes RPC again, resulting in another reboot, ad nauseum. You can stop the crashing by changing the "Action to Take" for RPC to "Take No Action" for all events (crash, etc.) but you'll still have the worm.
Once installed, the binary opens up port 4444 on your system and scans random IP addresses at port 135 looking for more vulnerable machines to propogate to, though it seems to stay in your IP block most of the time (i.e. within your ISPs block of IPs for most home users).
The bigger deal with this worm is that on August 15th at Midnight (or, the 16th, depending on how you look at it), it's going to start attacking the windowsupdate.com site in an attempt to SYN flood it (DDOS). Expect to see that start happening within 36-48 hours.
It's relatively simple to stop. In fact, in theory, if you were smart enough to turn on ICF when you setup your Inernet connection in XP, you should be safe. ICF blocks incoming port 135 requests. If you don't have ICF, you just need to run a firewall that blocks ports 135, 139, and 445 (and any others you may have configured as RCP ports for whatever reason). Also, patch your damn computer. Home users have no excuses. There are reports that the patch is ineffective, but it's better than not trying it at all.
Finally, to stop the shutdowns, simply go into the command prompt (Start > Run > cmd or, on Win9x Start > Run > dosprmpt) and type 'shutdown /a'. There are also reports that you can set the system time back an hour to delay the shutdown an hour, but I can't say for sure that that works. Go into the system32 directory and delete 'msblast.exe' and delete the registry key 'HKLM\Software\Microsoft\Windows\Run\windows auto update'.
Any more info that I forgot or corrections welcome!
|

August 13th, 2003, 08:08 PM
|
 |
Second highest poster :p
|
|
|
|
UPDATE
A variant of the worm has been released W32.Blaster-B
Quote:
W32/Blaster-B is functionally equivalent to W32/Blaster-A, except that this variant uses the filename teekids.exe and the registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Inet Xp..
Also the internal message has been changed to:
Microsoft can suck my left testi!
Bill Gates can suck my right testi!
And All Antivirus Makers Can Suck My... |
Yeah I am going to leave that last bit of the quote behind... doesnt need to be posted here
Also a worm called W32.RpcSpybot-A has been released, takes advantage of the same RPC exploit.
Quote: | W32/RpcSpybot-A is a worm that exploits the RPC/DCOM vulnerability on computers running the Windows operating system to spread. The worm has a backdoor component that allows a malicious user remote access to an infected computer. |
|

August 13th, 2003, 08:27 PM
|
 |
Shes dancing (obviously)
|
|
Join Date: Jul 2002
Location: the far side
Posts: 527
  
Time spent in forums: 2 h 38 m 39 sec
Reputation Power: 12
|
|
|
i wonder what they are going to do to the person thats responsible for this!
is this virus the most successful todate?
|

August 13th, 2003, 10:12 PM
|
 |
An Ominous Coward
|
|
|
|
I think this one still holds the record.
I love it when something big like this comes out, and some twit somewhere alters one or two lines of code and re-releases it thinking they're soooooo clever. Never mind that the truly elite people in this story are the folks who actually disassembled it in the first place and figured out it's footprint and connection pattern / packet data / signatures / etc. If it wasn't for the really smart people, these dolts couldn't re-release it to begin with.
|

August 13th, 2003, 10:29 PM
|
 |
Second highest poster :p
|
|
|
|
Man, that 1988 worm is bad, but hey the internet was a lot smaller back then so easier to bring down. Networks were easy to crash back then, just reach behind a machine and slightly disconnect the BNC plug from its T connector. Good old 10Base2 networks 
|
Developer Shed Advertisers and Affiliates
| Thread Tools |
Search this Thread |
|
|
|
| Display Modes |
Rate This Thread |
Linear Mode
|
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
|
|