Page 1 of 2 12 Last
  • Jump to page:
    #1
  1. Retired
    Devshed Supreme Being (6500+ posts)

    Join Date
    Feb 2002
    Location
    Finland
    Posts
    9,143
    Rep Power
    2493

    Angry My XP(pro) has been hijacked


    What a nightmare.

    I switched on my monitor for my PC today and when it lit up there was only a black screen. I could move the cursor, but nothing else worked.... reboot
    When I restarted I got a win32 service error, couldn't find something
    Rebooted again, then the PC decided to shut itself down, saying that the Remote Procedure Call (RPC) Service, had terminated unexpectedly.
    Several system restores or rollbacks, I am still no further on.
    My firewall, ZA, is asking if I want to allow access to the internet to msblast.exe
    I am getting very high CPU usage, up to max, 99% of which is vsmon.exe

    To add to this, I was unable to move / open / delete any files on the desktop, and search and explorer didn't work

    Anyone, get any ideas what happened - I know MS does stuff by itself sometimes

    Does anyone know what msblast.exe and vsmon.exe do?

    I run XP pro and have ADSL connection and my PC is almost always on. I use Zone Alarm as a firewall and AVG anti-virus.

    I also write very bad php with mysql database also installed if that makes a difference.

    Thanks for any advice

    Jamie

    Cheers,
    Jamie

    >_ skiFFie ? | Twitter

    __________________

    Let the might of your compassion arise to bring a quick end
    to the flowing stream of the blood and tears .....
    Please hear my anguished words of truth.

    __________________
  2. #2
  3. Just another guy
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Jun 2003
    Location
    Wisconsin
    Posts
    2,953
    Rep Power
    262
    vsmon.exe is a component of Zone Alarm which monitors your internet traffic and generates alerts. I'm not sure what msblast.exe is, and no info on google. The RPC error could be due to a recently published exploit. If you can, be sure you have the latest service pack and security patches. If you can't fix it, you might have to reformat, then apply the patches and such.
    Don't know how helpful this is, but it's all I know.
    HTH
    Dave
  4. #3
  5. Perl Monkey
    Devshed Intermediate (1500 - 1999 posts)

    Join Date
    May 2003
    Location
    the far end of town where the Grickle-grass grows
    Posts
    1,860
    Rep Power
    109
    It seems this RPC exploit is getting some serious attention by the folks that use such things.

    From what I've heard, they tend to drop some ms*.exe file and set it to startup, and various things (most notably task manager) won't run. These .exe files suck up all the CPU usage they can (probably trying to spread themselves thru RPC) and it looks like ZA is trying to stop it (but trying very hard to eat up that much cpu time). I'd delete msblast.exe if at all possible. Boot into safe mode to delete it if you have to. Use msconfig or startup.cpl to remove it from start up.

    I'm of the opinion, if you don't know what it is, stop it from running. If you system screws up, let it back in, else, you're better off without it.
  6. #4
  7. Banned ;)
    Devshed Supreme Being (6500+ posts)

    Join Date
    Nov 2001
    Location
    Woodland Hills, Los Angeles County, California, USA
    Posts
    9,638
    Rep Power
    4247
    Up the Irons
    What Would Jimi Do? Smash amps. Burn guitar. Take the groupies home.
    "Death Before Dishonour, my Friends!!" - Bruce D ickinson, Iron Maiden Aug 20, 2005 @ OzzFest
    Down with Sharon Osbourne

    "I wouldn't hire a butcher to fix my car. I also wouldn't hire a marketing firm to build my website." - Nilpo
  8. #5
  9. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2003
    Posts
    1
    Rep Power
    0
    msblast info

    http://clanasc.com/html/

    I do believe its related to this too:
    http://securityresponse.symantec.com...ster.worm.html

    it causes probs with msn messanger. shuts your computer off just for the hell of it.. and i'm guessing its causing even more probs.

    spread the word folks
    lol
  10. #6
  11. echo $usertitle['computer'];
    Devshed Supreme Being (6500+ posts)

    Join Date
    Jan 2003
    Location
    UK
    Posts
    6,705
    Rep Power
    420
  12. #7
  13. Retired
    Devshed Supreme Being (6500+ posts)

    Join Date
    Feb 2002
    Location
    Finland
    Posts
    9,143
    Rep Power
    2493

    Thumbs down Damn and blast(er)


    Hi guys, thanks for the info.

    When I got into work this morning, before reading any responses I had thought it was a virus. Then I checked the board again and it was confirmed

    Then I searched google again, and lo and behold, there were news articles about it being just about to hit Europe.

    I wonder if I was the first

    Anyway, I have deleted the files in safe mode, tweaked the registery a bit. Installed the XP patch and am now finally able to get my virus update and do the scan.

    Hopefully I will be clear by tomorrow

    Jamie

    PS: I am currently on a different PC

    Cheers,
    Jamie

    >_ skiFFie ? | Twitter

    __________________

    Let the might of your compassion arise to bring a quick end
    to the flowing stream of the blood and tears .....
    Please hear my anguished words of truth.

    __________________
  14. #8
  15. No Profile Picture
    i'm nothing
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2003
    Posts
    70
    Rep Power
    12

    Thumbs up


    My friend in London got hit yesterday too....hope you get it all cleared up.
  16. #9
  17. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2003
    Location
    127.0.0.1
    Posts
    448
    Rep Power
    13
    i havnt gotten it,... hope i never do.
  18. #10
  19. Perl Monkey
    Devshed Intermediate (1500 - 1999 posts)

    Join Date
    May 2003
    Location
    the far end of town where the Grickle-grass grows
    Posts
    1,860
    Rep Power
    109
    I think we need a temporary sticky for this one. This keeps coming up, and probably will for the next week or two.
  20. #11
  21. An Ominous Coward
    Devshed Specialist (4000 - 4499 posts)

    Join Date
    Jan 2002
    Posts
    4,425
    Rep Power
    0
    To sum up everything for the inevitable entry of people who are too lazy to click links and Google (and, therefore, who will keep asking questions):

    shuts your computer off just for the hell of it
    To clarify... it doesn't actually shut your computer off. The MSBlast worm comes in through port 135 using a previously known vulnerability in RPC. It attempts to determine what system you are running and then tries to exploit RPC. It often results in RPC crashing which is causing the shutdown. By default, Windoze attempts to reboot the system if RPC crashes (thus bringing RPC back to life). MSBlast, however, installs itself in the system32 directory as an autostarter and then crashes RPC again, resulting in another reboot, ad nauseum. You can stop the crashing by changing the "Action to Take" for RPC to "Take No Action" for all events (crash, etc.) but you'll still have the worm.

    Once installed, the binary opens up port 4444 on your system and scans random IP addresses at port 135 looking for more vulnerable machines to propogate to, though it seems to stay in your IP block most of the time (i.e. within your ISPs block of IPs for most home users).

    The bigger deal with this worm is that on August 15th at Midnight (or, the 16th, depending on how you look at it), it's going to start attacking the windowsupdate.com site in an attempt to SYN flood it (DDOS). Expect to see that start happening within 36-48 hours.

    It's relatively simple to stop. In fact, in theory, if you were smart enough to turn on ICF when you setup your Inernet connection in XP, you should be safe. ICF blocks incoming port 135 requests. If you don't have ICF, you just need to run a firewall that blocks ports 135, 139, and 445 (and any others you may have configured as RCP ports for whatever reason). Also, patch your damn computer. Home users have no excuses. There are reports that the patch is ineffective, but it's better than not trying it at all.

    Finally, to stop the shutdowns, simply go into the command prompt (Start > Run > cmd or, on Win9x Start > Run > dosprmpt) and type 'shutdown /a'. There are also reports that you can set the system time back an hour to delay the shutdown an hour, but I can't say for sure that that works. Go into the system32 directory and delete 'msblast.exe' and delete the registry key 'HKLM\Software\Microsoft\Windows\Run\windows auto update'.

    Any more info that I forgot or corrections welcome!
  22. #12
  23. Second highest poster :p
    Devshed Supreme Being (6500+ posts)

    Join Date
    Jul 2001
    Posts
    7,322
    Rep Power
    33
    UPDATE

    A variant of the worm has been released W32.Blaster-B

    W32/Blaster-B is functionally equivalent to W32/Blaster-A, except that this variant uses the filename teekids.exe and the registry entry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Inet Xp..

    Also the internal message has been changed to:
    Microsoft can suck my left testi!
    Bill Gates can suck my right testi!
    And All Antivirus Makers Can Suck My...
    Yeah I am going to leave that last bit of the quote behind... doesnt need to be posted here

    Also a worm called W32.RpcSpybot-A has been released, takes advantage of the same RPC exploit.

    W32/RpcSpybot-A is a worm that exploits the RPC/DCOM vulnerability on computers running the Windows operating system to spread. The worm has a backdoor component that allows a malicious user remote access to an infected computer.
  24. #13
  25. Shes dancing (obviously)
    Devshed Novice (500 - 999 posts)

    Join Date
    Jul 2002
    Location
    the far side
    Posts
    527
    Rep Power
    14
    i wonder what they are going to do to the person thats responsible for this!

    is this virus the most successful todate?
  26. #14
  27. An Ominous Coward
    Devshed Specialist (4000 - 4499 posts)

    Join Date
    Jan 2002
    Posts
    4,425
    Rep Power
    0
    I think this one still holds the record.

    I love it when something big like this comes out, and some twit somewhere alters one or two lines of code and re-releases it thinking they're soooooo clever. Never mind that the truly elite people in this story are the folks who actually disassembled it in the first place and figured out it's footprint and connection pattern / packet data / signatures / etc. If it wasn't for the really smart people, these dolts couldn't re-release it to begin with.
  28. #15
  29. Second highest poster :p
    Devshed Supreme Being (6500+ posts)

    Join Date
    Jul 2001
    Posts
    7,322
    Rep Power
    33
    Man, that 1988 worm is bad, but hey the internet was a lot smaller back then so easier to bring down. Networks were easy to crash back then, just reach behind a machine and slightly disconnect the BNC plug from its T connector. Good old 10Base2 networks
Page 1 of 2 12 Last
  • Jump to page:

IMN logo majestic logo threadwatch logo seochat tools logo