lukemax

Microsoft security flaw


Some of you may be experiencing a serious problem with your computer which causes it to reboot every sixty seconds. This is caused by a serious security flaw in the Windows operating system, as well as a worm that is taking advantage of it. Keep in mind that this worm is not detectable by any virus protection program. There is, however, a small patch that, if you are quick enough, you can install to fix the problem and get rid of your headaches.

A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft® Windows® and gain complete control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

You can download the patch here:

http://www.microsoft.com/technet....026.asp1.jpg


I had the same damn problem yesterday. I found the patch and downloaded Stinger to remove the worm.

It's a virus called W32.Blaster.Worm. You can get more info about it Here

and downloaded Stinger to remove the worm Here


I think it's part of Skynet's plans to shut down all Microsoft software running systems!!

We're all doomed!

What a tactic! You gotta hand it to those machines


Hi all

You need to apply the patch described at microsoft.

http://support.microsoft.com/?kbid=823980

OR

If you can't download the patch because of the 60 second effect, there is a method to disable the trojan in this CERT post. Then apply the patch.

Quote: CERT Advisory CA-2003-20 W32/Blaster worm

Original issue date: August 11, 2003
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

    * Microsoft Windows NT 4.0
    * Microsoft Windows 2000
    * Microsoft Windows XP
    * Microsoft Windows Server 2003

Overview

The CERT/CC is receiving reports of widespread activity related to a new piece of malicious code known as W32/Blaster. This worm appears to exploit known vulnerabilities in the Microsoft Remote Procedure Call (RPC) Interface.

I. Description

The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC interface as described in VU#568148 and CA-2003-16. Upon successful execution, the worm attempts to retrieve a copy of the file msblast.exe from the compromising host. Once this file is retrieved, the compromised system then runs it and begins scanning for other vulnerable systems to compromise in the same manner. In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies. Microsoft has published information about this vulnerability in Microsoft Security Bulletin MS03-026.

Lab testing has confirmed that the worm includes the ability to launch a TCP SYN flood denial-of-service attack against windowsupdate.com. We are investigating the conditions under which this attack might manifest itself. Unusual or unexpected traffic to windowsupdate.com may indicate an infection on your network, so you may wish to monitor network traffic.

Sites that do not use windowsupdate.com to manage patches may wish to block outbound traffic to windowsupdate.com. In practice, this may be difficult to achieve, since windowsupdate.com may not resolve to the same address every time. Correctly blocking traffic to windowsupdate.com will require detailed understanding of your network routing architecture, system management needs, and name resolution environment. You should not block traffic to windowsupdate.com without a thorough understanding of your operational needs.

We have been in contact with Microsoft regarding the possibility of this denial-of-service attack.

II. Impact

A remote attacker could exploit these vulnerabilities to execute arbitrary code with Local System privileges or to cause a denial-of-service condition.

III. Solutions

Apply patches

All users are encouraged to apply the patches referred to in Microsoft Security Bulletin MS03-026 as soon as possible in order to mitigate the vulnerability described in VU#568148. These patches are also available via Microsoft's Windows Update service.

Systems running Windows 2000 may still be vulnerable to at least a denial-of-service attack via VU#326746 if their DCOM RPC service is available via the network. Therefore, sites are encouraged to use the packet filtering tips below in addition to applying the patches supplied in MS03-026.

It has been reported that some affected machines are not able to stay connected to the network long enough to download patches from Microsoft. For hosts in this situation, the CERT/CC recommends the following:

   1. Physically disconnect the system from the network.
   2. Check the system for signs of compromise.
         + In most cases, an infection will be indicated by the presence of the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update" with a value of msblast.exe. If this key is present, remove it using a registry editor.
   3. If you're infected, terminate the running copy of msblast.exe using the Task Manager.
   4. Take one of the following steps to protect against the compromise prior to installing the Microsoft patch:
         + Disable DCOM as described below
         + Enable Microsoft's Internet Connection Filter (ICF), or another host-level packet filtering program, to block incoming connections for 135/tcp
   5. Reconnect the system to the network and apply the patches in the recommended manner.

Trend Micro, Inc. has published a set of steps to accomplish these goals. Symantec has also published a set of steps to accomplish these goals.

Disable DCOM

Depending on site requirements, you may wish to disable DCOM as described in MS03-026. Disabling DCOM will help protect against this vulnerability but may also cause undesirable side effects. Additional details on disabling DCOM and possible side effects are available in Microsoft Knowledge Base Article 825750.

Filter network traffic

Sites are encouraged to block network access to the following relevant ports at network borders. This can minimize the potential of denial-of-service attacks originating from outside the perimeter. The specific services that should be blocked include

    * 69/UDP
    * 135/TCP
    * 135/UDP
    * 139/TCP
    * 139/UDP
    * 445/TCP
    * 445/UDP
    * 4444/TCP

Sites should consider blocking both inbound and outbound traffic to these ports, depending on network requirements, at the host and network level. Microsoft's Internet Connection Firewall can be used to accomplish these goals.

If access cannot be blocked for all external hosts, the CERT/CC recommends limiting access to only those hosts that require it for normal operation. As a general rule, the CERT/CC recommends filtering all types of network traffic that are not required for normal operation.

Because current exploits for VU#568148 create a backdoor, which is in some cases 4444/TCP, blocking inbound TCP sessions to ports on which no legitimate services are provided may limit intruder access to compromised hosts.

Recovering from a system compromise

If you believe a system under your administrative control has been compromised, please follow the steps outlined in

         Steps for Recovering from a UNIX or NT System Compromise

Reporting

The CERT/CC is tracking activity related to this worm as CERT#30479. Relevant artifacts or activity can be sent to cert@cert.org with the appropriate CERT# in the subject line.

Appendix A. Vendor Information

This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.

Microsoft

    Please see Microsoft Security Bulletin MS03-026.

Appendix B. References

    * CERT/CC Advisory CA-2003-19 - http://www.cert.org/advisories/CA-2003-19.html
    * CERT/CC Vulnerability Note VU#561284 - http://www.kb.cert.org/vuls/id/561284
    * CERT/CC Vulnerability Note VU#326746 - http://www.kb.cert.org/vuls/id/326746
    * Microsoft Security Bulletin MS03-026 - http://microsoft.com/technet/security/bulletin/MS03-026.asp
    * Microsoft Knowledge Base article 823980 - http://support.microsoft.com?kbid=823980

Thanks

Our thanks to Microsoft Corporation for their review of and input to this advisory.

Authors: Chad Dougherty, Jeffrey Havrilla, Shawn Hernan, and Marty Lindner

This document is available from: http://www.cert.org/advisories/CA-2003-20.html

CERT/CC Contact Information

  Email: cert@cert.org
  Phone: +1 412-268-7090 (24-hour hotline)
  Fax: +1 412-268-6989
  Postal address:
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Hope this helps.

Kind Regards Ian
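As an added example (not from this thread or from the CERT advisory), the script below turns the advisory's propagation description into detection logic run over constructed flow records: a host sweeping many peers on 135/tcp, then reaching a peer's 4444/tcp backdoor while that peer pulls a file back over 69/udp. The flow-line format, the IP addresses and the thresholds are constructed for the example; the advisory lists 69/UDP among the ports to block, and treating that flow as the msblast.exe retrieval is an assumption here.

```python
from collections import defaultdict

# Constructed flow records, "src dst proto dport", one per line. 10.0.0.5 plays
# the infected scanner, 10.0.1.7 a freshly compromised victim, and 10.0.0.9 a
# normal client that legitimately talks to one file server.
SAMPLE_FLOWS = (
    [f"10.0.0.5 10.0.1.{i} tcp 135" for i in range(1, 41)]  # sweep of 135/tcp
    + ["10.0.0.5 10.0.1.7 tcp 4444",   # scanner reaches the victim's backdoor
       "10.0.1.7 10.0.0.5 udp 69",     # victim pulls a file back (assumed msblast.exe)
       "10.0.0.9 10.0.2.2 tcp 135",    # benign: one RPC endpoint-map lookup
       "10.0.0.9 10.0.2.2 tcp 445"]    # benign: SMB to the same server
)


def parse_flow(line):
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)


def find_blaster_like_hosts(lines, min_targets=20):
    """Return {scanner: {"targets": n, "confirmed": [victims]}}.

    A host is a suspect when it opens TCP sessions to port 135 on at least
    min_targets distinct hosts (the scanning phase the advisory describes).
    A target counts as a confirmed victim when the suspect also reached its
    4444/tcp backdoor and the target then transferred something back over
    69/udp, matching the "retrieve msblast.exe from the compromising host" step.
    """
    rpc_targets = defaultdict(set)
    backdoor = set()    # (scanner, target) pairs seen on 4444/tcp
    pull_back = set()   # (target, scanner) pairs seen on 69/udp
    for line in lines:
        src, dst, proto, dport = parse_flow(line)
        if proto == "tcp" and dport == 135:
            rpc_targets[src].add(dst)
        elif proto == "tcp" and dport == 4444:
            backdoor.add((src, dst))
        elif proto == "udp" and dport == 69:
            pull_back.add((src, dst))
    findings = {}
    for scanner, targets in rpc_targets.items():
        if len(targets) < min_targets:
            continue  # a handful of RPC connections is normal Windows traffic
        confirmed = sorted(t for t in targets
                           if (scanner, t) in backdoor and (t, scanner) in pull_back)
        findings[scanner] = {"targets": len(targets), "confirmed": confirmed}
    return findings


if __name__ == "__main__":
    for host, info in find_blaster_like_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: swept {info['targets']} hosts on 135/tcp; "
              f"confirmed victims: {info['confirmed'] or 'none'}")
```

The benign client stays below the sweep threshold, so only the scanner is reported, with its confirmed victim listed.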


Reportedly there's a message in the worms code:

Quote: "Billy Gates why do you make this possible? Stop making money and fix your software!"

Damn right, but I really wonder (once again) why many people are still unable to maintain proper virus protection. On my three machines I run a product free for private use without any infection for years.

In fact, the only major crash that ever happened to me was caused by OFP's "Direct-Play-Server-terminates-HD" bug.


I just had that worm few minutes ago. My Norton spotted it and I downloaded the patch and the removal program, before it did any damage.


Hi Moderators

Maybe make this sticky for a couple of days so people can get patched and kill it off. When the fuss is over, unsticky it and let it die off.

Kind Regards walker


hey... I don't have this worm but I wanna be sure... if I download this patch now am I then safe, or do I have to download it AFTER I get the worm?


Hi Diablo

Before is better

Kind Regards walker


k thx for reply

it is WindowsXP-KB823980-ia64-ENU.exe right?

comment to it: "A security issue has been identified that could allow an attacker to remotely compromise a computer running Microsoft® Windows® and gain complete control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer."

Hope it is this 1



Heh, ok. This explains what was happening last night... thought it might be a virus and was going to do a format of my Windows partition, now I know... hopefully I can fix it when I get home tonight. It was really pissing me off, I wanted to fall asleep with Winamp playing and instead I got the damn Windows shutdown sound after a couple of songs.


Yeah, you guys should really run that built-in firewall XP has. Whenever possible, of course. Open your connection in XP and go to Properties, go to the Advanced tab and check Enable Firewall.

Not exact wording but you know...


No, "you guys" should install security patches regularly. The patch for this worm is from March. I just wanted to install this "new patch" and saw that it was already on my system for a looooong time. Firewalls don't help against most trojans; keeping the system up-to-date regarding security patches and disabling unneeded services helps.

Oops, I was on the wrong patch site, but nevertheless it is from July... not as bad as I have written above, but still bad to not have it installed after a month...


Okay, someone want to tell me the difference between the 64-bit XP version and the 32-bit one? Because I'm not sure which one to download.


You downloaded the version for 64-bit Windows (the IA64 processor); no wonder you can't install it.


I'm drowning in work at my job, removing the w32.blaster virus from lots of customers' computers every day

Guess a virus is good business if you work in the right business


I patched all of our servers at work as soon as the patch was released, but never patched my home computer. I was infected but due to some IPSEC filters I put on my home machine, the worm couldn't do much of anything once it got into my machine.

I still don't know how I even got infected. Outside machines are not supposed to be able to initiate any IP connections to my machine at home.


The clue to this is that the worm is a trojan horse. Meaning the worm/virus is like an application running on your computer initiating a connection out from your computer to whoever is listening (usually the virus creator)... so a proxy or firewall won't help much once the connection has been established.


That doesn't explain how I got infected in the first place. For me to get infected in the first place, the worm would have had to jump from an infected computer to mine. This would require the outside computer to initiate the connection - something which according to my IPSEC policy, should not have been allowed.

I'm thinking that I downloaded an executable that was infected with this trojan. I use McAfee and have it check for updates on the hour, but McAfee barely came out with a dat file for this worm on August 11th, and this worm had obviously been out and about for a few days before that.

I'm going to need to take a good look at my IPSEC policy too.


This trojan doesn't require you to download anything. It connects all by itself to your system and infects it, if the security hole isn't patched.

From the MS TechNet:

Quote: Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC enabled ports. This interface handles DCOM object activation requests that are sent by client machines to the server. An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system. The attacker would be able to take any action on the system, including installing programs, viewing changing or deleting data, or creating new accounts with full privileges.

In short, using the security hole in XP/Win2000 an attacker can run any code he wants on your machine. All he needs is your IP which he gets by contacting random ip numbers and trying the exploit on them.

For more information on this look here.
