August 11th, 2003, 02:55 PM
My XP(pro) has been hijacked
What a nightmare.
I switched on my monitor for my PC today and when it lit up there was only a black screen. I could move the cursor, but nothing else worked.... reboot
When I restarted I got a win32 service error, couldn't find something
Rebooted again, then the PC decided to shut itself down, saying that the Remote Procedure Call (RPC) Service, had terminated unexpectedly.
Several system restores or rollbacks, I am still no further on.
My firewall, ZA, is asking if I want to allow access to the internet to msblast.exe
I am getting very high CPU usage, up to max, 99% of which is vsmon.exe
To add to this, I was unable to move / open / delete any files on the desktop, and search and explorer didn't work
Anyone, get any ideas what happened - I know MS does stuff by itself sometimes
Does anyone know what msblast.exe and vsmon.exe do?
I run XP pro and have ADSL connection and my PC is almost always on. I use Zone Alarm as a firewall and AVG anti-virus.
I also write very bad php with mysql database also installed if that makes a difference.
Thanks for any advice
>_ My Music Blog | Losing weight @notsoheavyblog | My Tweets
Let the might of your compassion arise to bring a quick end
to the flowing stream of the blood and tears .....
Please hear my anguished words of truth.
August 11th, 2003, 03:09 PM
vsmon.exe is a component of Zone Alarm which monitors your internet traffic and generates alerts. I'm not sure what msblast.exe is, and no info on google. The RPC error could be due to a recently published exploit. If you can, be sure you have the latest service pack and security patches. If you can't fix it, you might have to reformat, then apply the patches and such.
Don't know how helpful this is, but it's all I know.
August 11th, 2003, 04:17 PM
It seems this RPC exploit is getting some serious attention by the folks that use such things.
From what I've heard, they tend to drop some ms*.exe file and set it to startup, and various things (most notably task manager) won't run. These .exe files suck up all the CPU usage they can (probably trying to spread themselves thru RPC) and it looks like ZA is trying to stop it (but trying very hard to eat up that much cpu time). I'd delete msblast.exe if at all possible. Boot into safe mode to delete it if you have to. Use msconfig or startup.cpl to remove it from start up.
I'm of the opinion, if you don't know what it is, stop it from running. If you system screws up, let it back in, else, you're better off without it.
August 11th, 2003, 04:46 PM
Up the Irons
What Would Jimi Do? Smash amps. Burn guitar. Take the groupies home.
"Death Before Dishonour, my Friends!!" - Bruce D ickinson, Iron Maiden Aug 20, 2005 @ OzzFest
Down with Sharon Osbourne
"I wouldn't hire a butcher to fix my car. I also wouldn't hire a marketing firm to build my website." - Nilpo
August 12th, 2003, 12:03 AM
August 12th, 2003, 02:51 PM
August 12th, 2003, 03:44 PM
August 12th, 2003, 05:28 PM
My friend in London got hit yesterday too....hope you get it all cleared up.
August 12th, 2003, 10:20 PM
i havnt gotten it,... hope i never do.
August 13th, 2003, 01:24 PM
I think we need a temporary sticky for this one. This keeps coming up, and probably will for the next week or two.
August 13th, 2003, 03:07 PM
To sum up everything for the inevitable entry of people who are too lazy to click links and Google (and, therefore, who will keep asking questions):
To clarify... it doesn't actually shut your computer off. The MSBlast worm comes in through port 135 using a previously known vulnerability in RPC. It attempts to determine what system you are running and then tries to exploit RPC. It often results in RPC crashing which is causing the shutdown. By default, Windoze attempts to reboot the system if RPC crashes (thus bringing RPC back to life). MSBlast, however, installs itself in the system32 directory as an autostarter and then crashes RPC again, resulting in another reboot, ad nauseum. You can stop the crashing by changing the "Action to Take" for RPC to "Take No Action" for all events (crash, etc.) but you'll still have the worm.
Once installed, the binary opens up port 4444 on your system and scans random IP addresses at port 135 looking for more vulnerable machines to propogate to, though it seems to stay in your IP block most of the time (i.e. within your ISPs block of IPs for most home users).
The bigger deal with this worm is that on August 15th at Midnight (or, the 16th, depending on how you look at it), it's going to start attacking the windowsupdate.com site in an attempt to SYN flood it (DDOS). Expect to see that start happening within 36-48 hours.
It's relatively simple to stop. In fact, in theory, if you were smart enough to turn on ICF when you setup your Inernet connection in XP, you should be safe. ICF blocks incoming port 135 requests. If you don't have ICF, you just need to run a firewall that blocks ports 135, 139, and 445 (and any others you may have configured as RCP ports for whatever reason). Also, patch your damn computer. Home users have no excuses. There are reports that the patch is ineffective, but it's better than not trying it at all.
Finally, to stop the shutdowns, simply go into the command prompt (Start > Run > cmd or, on Win9x Start > Run > dosprmpt) and type 'shutdown /a'. There are also reports that you can set the system time back an hour to delay the shutdown an hour, but I can't say for sure that that works. Go into the system32 directory and delete 'msblast.exe' and delete the registry key 'HKLM\Software\Microsoft\Windows\Run\windows auto update'.
Any more info that I forgot or corrections welcome!
August 13th, 2003, 08:08 PM
A variant of the worm has been released W32.Blaster-B
Yeah I am going to leave that last bit of the quote behind... doesnt need to be posted here
Also a worm called W32.RpcSpybot-A has been released, takes advantage of the same RPC exploit.
August 13th, 2003, 08:27 PM
i wonder what they are going to do to the person thats responsible for this!
is this virus the most successful todate?
August 13th, 2003, 10:12 PM
I think this one still holds the record.
I love it when something big like this comes out, and some twit somewhere alters one or two lines of code and re-releases it thinking they're soooooo clever. Never mind that the truly elite people in this story are the folks who actually disassembled it in the first place and figured out it's footprint and connection pattern / packet data / signatures / etc. If it wasn't for the really smart people, these dolts couldn't re-release it to begin with.
August 13th, 2003, 10:29 PM
Man, that 1988 worm is bad, but hey the internet was a lot smaller back then so easier to bring down. Networks were easy to crash back then, just reach behind a machine and slightly disconnect the BNC plug from its T connector. Good old 10Base2 networks