Tilted Forum Project - TFP - Sexuality, Philosophy and Political Discussion

Old 08-12-2003, 08:11 AM   #1 (permalink)
Buffering.........
 
merkerguitars's Avatar
 
Join Date: Apr 2003
Location: Wisconsin...
Blaster Worm RPC patch

Here's a hotlink for you people for the patch to fix the vulnerability in:
Microsoft Windows NT® 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server™ 2003
Details:
Microsoft Security Bulletin MS03-026


Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
Originally posted: July 16, 2003

Revised: July 21, 2003

Summary
Who should read this bulletin: Users running Microsoft® Windows®

Impact of vulnerability: Run code of attacker’s choice

Maximum Severity Rating: Critical

Recommendation: Systems administrators should apply the patch immediately
LINK FOR DOWNLOAD
__________________
Donate now! Ask me How!

Please use the search function it is your friend.

Look at my mustang please feel free to comment!

http://www.tfproject.org/tfp/tilted-motors/26985-my-project-84-mustang-gt.html
merkerguitars is offline   Reply With Quote
Old 08-12-2003, 08:40 AM   #2 (permalink)
MSD
Super Moderator
 
MSD's Avatar
 
Super Moderator
Join Date: Apr 2003
Location: CT
Oh, nice, when the school IT "experts" emailed it to us they said that it only affected 2000, not XP. Thanks for the heads-up
MSD is offline   Reply With Quote
Old 08-12-2003, 09:34 AM   #3 (permalink)
Addict
 
Join Date: Apr 2003
Location: Just look over your shoulder!
This worm is currently hitting my network pretty hard trying to find a hole. Luckily, all it is doing is eating up bandwidth (not my users' files and OSs).
__________________
"I am the writing on the wall, the whisper in the classroom. Without these things, I am nothing."

Have you donated?
candyman is offline   Reply With Quote
Old 08-12-2003, 10:03 AM   #4 (permalink)
TIO
Addict
 
TIO's Avatar
 
Join Date: Jun 2003
Location: The Land Down Under
I just had to whip out the crowbar and pry Blaster out of our network (~150 pooters, about half of them NT-200-XP). What a way to spend a birthday.

We got it out without too much damage, but it did take out one guy's OS on a bad shutdown. And it took down at least one local radio station. Has anyone heard if the Macy's billboard went down?


What time did it strike you guys, out of curiosity? 30 pooters on our network died right on the dot of 11AM (local time).
__________________
Strewth

Last edited by TIO; 08-12-2003 at 10:08 AM.
TIO is online now   Reply With Quote
Old 08-12-2003, 10:23 AM   #5 (permalink)
Addict
 
Join Date: Apr 2003
Location: Just look over your shoulder!
It started here (Michigan) yesterday at about 2:00 EST. I was getting hit from Qwest IPs in Tenn. Pretty much all the traffic is spawning from 63.146.*.*

What a mess!
candyman is offline   Reply With Quote
Old 08-12-2003, 10:37 AM   #6 (permalink)
Rookie
 
cliche's Avatar
 
Join Date: Jun 2003
Location: Oxford, UK
I was wondering why my firewall has been flagging up attempts to connect 135 all day! I just put it on auto-deny and forgot about it. I think I'll turn back on the logging so I can warn friends etc...
__________________
I can't understand why people are frightened of new ideas. I'm frightened of the old ones. -- John Cage (1912 - 1992)
cliche is offline   Reply With Quote
Old 08-12-2003, 10:58 AM   #7 (permalink)
Addict
 
Arc101's Avatar
 
Join Date: Jul 2003
Location: Nottingham, England
This got me yesterday, and yes it bloody well does affect XP. Anyway for more help and support (and to read people crying about how it affected them) click on below:
http://computing.net/hardware/wwwboard/forum/15396.html
Arc101 is offline   Reply With Quote
Old 08-12-2003, 11:59 AM   #8 (permalink)
42, baby!
 
Dragonlich's Avatar
 
Join Date: Apr 2003
Location: The Netherlands
I saw the news mentioning it, and saw the reports online. To be honest, I had not seen any real evidence until just moments ago, when I checked my firewall logs - lots of 135s there.

If I'm not mistaken, I've been patched since the update was posted - my liveupdate keeps bugging me every time it's essential.
Dragonlich is offline   Reply With Quote
Old 08-12-2003, 06:22 PM   #9 (permalink)
Who knows what evil lurks in the hearts of men?
 
Speed_Gibson's Avatar
 
Join Date: Jul 2003
Location: Hotel California
no problems here - but I do have a 3com router as my primary firewall and kaspersky anti-hacker in stealth mode on the software side. (running winXP pro corporate w/o SP1)
looked at the anti-hacker logs and no activity shows up there at all.
Speed_Gibson is offline   Reply With Quote
Old 08-12-2003, 06:26 PM   #10 (permalink)
Who knows what evil lurks in the hearts of men?
 
Speed_Gibson's Avatar
 
Join Date: Jul 2003
Location: Hotel California
Quote:
Originally posted by Arc101
This got me yesterday, and yes it bloody well does affect XP. Anyway for more help and support (and to read people crying about how it affected them) click on below:
http://computing.net/hardware/wwwboard/forum/15396.html
after reading those posts it is more than a bit alarming - but not surprising - how many people are running without any kind of firewall. I would hate to have to rely on just a software option now after having both for several months.
Speed_Gibson is offline   Reply With Quote
Old 08-12-2003, 07:43 PM   #11 (permalink)
In Your Dreams
 
Latch's Avatar
 
Join Date: Apr 2003
Location: City of Lights
Disrupted our whole uni. Classes got cancelled because no one could use the computers.

Then the damn thing hit res (the dorms).. I got about 5 calls in 20 minutes... and they just kept going.
Latch is offline   Reply With Quote
Old 08-12-2003, 08:38 PM   #12 (permalink)
Banned
 
Join Date: Apr 2003
Location: shittown, CA
I bet a few admins just lost their jobs.
juanvaldes is offline   Reply With Quote
Old 08-12-2003, 10:27 PM   #13 (permalink)
Blood + Fire
 
Mr.Deflok's Avatar
 
Join Date: Apr 2003
Location: New Zealand
Yesterday I got called out to five different locations having to heal up this worm problem, then once I was done with my clients a couple of friends called up to ask for my assistance.

Word of advice to you all, DOWNLOAD AND INSTALL THE PATCH NOW

If one techie (me) had to fix 7 instances of this problem in one day imagine how far stretched this problem really is.

p.s. the only positive thing to come of this mess is that yesterday I went to sleep a rich man.
Mr.Deflok is offline   Reply With Quote
Old 08-12-2003, 10:33 PM   #14 (permalink)
Blood + Fire
 
Mr.Deflok's Avatar
 
Join Date: Apr 2003
Location: New Zealand
Oh and here's another link regarding the Worm and how to fix it.
http://www.techspot.com/vb/showthread.php?threadid=6651
Mr.Deflok is offline   Reply With Quote
Old 08-13-2003, 03:10 AM   #15 (permalink)
Lover of life.
 
YaWhateva's Avatar
 
Join Date: Apr 2003
Location: New Mexico
http://securityresponse.symantec.com...oval.tool.html

Yet another fix. That worm was a bitch.
__________________
"This is my United States of Whateva!"
YaWhateva is offline   Reply With Quote
Old 08-13-2003, 04:54 AM   #16 (permalink)
Blood + Fire
 
Mr.Deflok's Avatar
 
Join Date: Apr 2003
Location: New Zealand
and another
http://www.freevideo.nu/rpc/
Mr.Deflok is offline   Reply With Quote
Old 08-13-2003, 06:07 PM   #17 (permalink)
Why So Serious?
 
cybermike's Avatar
 
Join Date: Apr 2003
Location: Wut?
I just patched my mom's machine yesterday and today on my 98 machine I see 192 attempts to access port 135 in my firewall logs...
__________________
(All opinions subject to change without warning.)

"The power of accurate observation is commonly called cynicism by those who have not got it." - George Bernard Shaw
cybermike is offline   Reply With Quote
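Added example (not part of any post in this thread): one way to triage firewall logs like the ones described above, counting dropped inbound TCP port 135 attempts per source host and per source /16 range to see whether the hits cluster in one range. The log layout, field order and sample addresses are assumptions constructed for illustration; adjust the field indexes to your firewall's format.

```python
import ipaddress
from collections import Counter

# Constructed sample log. Assumed layout (space separated):
# date time action protocol src-ip dst-ip src-port dst-port
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2003-08-12 09:31:02 DROP TCP 198.51.100.14 192.0.2.10 3104 135
2003-08-12 09:31:05 DROP TCP 198.51.100.14 192.0.2.10 3105 135
2003-08-12 09:31:09 DROP TCP 198.51.100.201 192.0.2.10 4410 135
2003-08-12 09:32:40 OPEN TCP 192.0.2.10 203.0.113.80 1045 80
2003-08-12 09:33:11 DROP TCP 198.51.100.33 192.0.2.10 2231 135
2003-08-12 09:33:12 DROP UDP 203.0.113.5 192.0.2.10 1026 137
2003-08-12 09:34:00 DROP TCP 203.0.113.77 192.0.2.10 1999 135
truncated line
"""

RPC_PORT = 135  # the port the posters saw probed in their firewall logs

def rpc_probes(log_text):
    """Yield the source address of each dropped inbound TCP/135 attempt."""
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 8:
            continue  # header, blank or malformed line
        action, proto, src, dport = fields[2], fields[3], fields[4], fields[7]
        if action != "DROP" or proto != "TCP" or dport != str(RPC_PORT):
            continue
        try:
            yield ipaddress.ip_address(src)
        except ValueError:
            continue  # unparseable address field

def summarize(log_text, prefix_len=16):
    """Count probes per source host and per source range (default /16)."""
    hosts, ranges = Counter(), Counter()
    for addr in rpc_probes(log_text):
        hosts[str(addr)] += 1
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        ranges[str(net)] += 1
    return hosts, ranges

if __name__ == "__main__":
    hosts, ranges = summarize(SAMPLE_LOG)
    print("TCP/135 probes:", sum(hosts.values()), "from", len(hosts), "hosts")
    for net, count in ranges.most_common():
        print(f"  {net:<18} {count}")
```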
Old 08-13-2003, 09:57 PM   #18 (permalink)
Stay off the sidewalk!
 
RoadRage's Avatar
 
Join Date: Aug 2003
Location: Oklahoma City, OK
Hey Mods, can you put some tag on this thread so it stays near the top? People are going to be needing this info for quite a while.
__________________
Join TFP Team SETI
43K workunits complete, 34 members, more of each needed.
RoadRage is offline   Reply With Quote
Old 08-13-2003, 10:36 PM   #19 (permalink)
Tilted
 
Join Date: Apr 2003
Location: Ontario, Canada
Man, has this worm caused a lot of hell. The question I'm wondering about is do they have any idea who is responsible for it? From my personal experience, it's not like any virus I've ever seen, from an execution point of view anyways. I'm not trying to give the wrong impression or anything, but it's the most clever worm I've seen in a long time. Not real devastating to the home user (just annoying), but could cause havoc on servers and such... primarily WinXP/2000 servers..... hmmmm.... perhaps a disgruntled former MS employee? Sure, abusing Windows flaws is nothing new, but then shutting down RPC services, subsequently shutting down the PC as well. Ingenious, if not evil. I could see a hefty charge against the culprit if caught, but in this case I wouldn't be surprised if he was hired after it all settles. I'm just wondering how I got it after doing a fresh install and seconds after my first dialup connection to the 'net after the install..... makes you think....
__________________
" Can't keep my eyes from the circling skies, Tongue-tied and twisted just an earth-bound misfit, I "
Nooze2k is offline   Reply With Quote
Old 08-13-2003, 11:35 PM   #20 (permalink)
Banned
 
Join Date: Jun 2003
Location: Greater Vancouver
Quote:
Originally posted by Nooze2k
Man, has this worm caused a lot of hell. The question I'm wondering about is do they have any idea who is responsible for it? From my personal experience, it's not like any virus I've ever seen, from an execution point of view anyways. I'm not trying to give the wrong impression or anything, but it's the most clever worm I've seen in a long time. Not real devastating to the home user (just annoying), but could cause havoc on servers and such... primarily WinXP/2000 servers..... hmmmm.... perhaps a disgruntled former MS employee? Sure, abusing Windows flaws is nothing new, but then shutting down RPC services, subsequently shutting down the PC as well. Ingenious, if not evil. I could see a hefty charge against the culprit if caught, but in this case I wouldn't be surprised if he was hired after it all settles. I'm just wondering how I got it after doing a fresh install and seconds after my first dialup connection to the 'net after the install..... makes you think....
While I agree the impact of this worm was *huge*, it wasn't really all that "clever..." Public information about the vulnerability this worm exploits was released on July 16, and public exploit code was released ~1.5 weeks after. The author of this worm just wrapped some self-spreading code around a plain vanilla public exploit code, and voila! Instant havoc

This has happened before too, just not with such widespread vulnerabilities. Examples include Code Red, Nimda, and SQL Slammer.
Flippy is offline   Reply With Quote
Old 08-14-2003, 01:01 AM   #21 (permalink)
is you wicked?
 
Join Date: Apr 2003
Location: I live in a giant bucket.
I'm running Windows 98... which patch do I need to install?
__________________
The following statement is true.
The preceding statement was false.
Batman976 is offline   Reply With Quote
Old 08-14-2003, 02:10 AM   #22 (permalink)
Blood + Fire
 
Mr.Deflok's Avatar
 
Join Date: Apr 2003
Location: New Zealand
Quote:
Originally posted by Batman976
I'm running Windows 98... which patch do I need to install?
Windows 98 users need not worry about the Worm, you're in the clear buddy! It's only us Win2k/XP users (and 2003...)
Mr.Deflok is offline   Reply With Quote
Old 08-14-2003, 02:26 AM   #23 (permalink)
Watcher
 
billege's Avatar
 
Join Date: Apr 2003
Location: Ohio
I had the patch installed on both of our home network computers when the patch came out, a couple of months ago.

Behind the hardware and software firewall, everything is cool. This is one of those days where I'm glad I do as much as I understand to protect my network.

Whew.
__________________
I can sum up the clash of religion in one sentence:
"My Invisible Friend is better than your Invisible Friend."
billege is offline   Reply With Quote
Old 08-14-2003, 03:53 AM   #24 (permalink)
Who knows what evil lurks in the hearts of men?
 
Speed_Gibson's Avatar
 
Join Date: Jul 2003
Location: Hotel California
just checked my logs in kaspersky again and there have been ZERO hits on my ports in the past umpteenth weeks - I am assuming that my router and stealthed ports via software are the reason for that.

did look at my router logs before posting this and it did show "unauthorised HTTP access" on a few times in the week or so
Speed_Gibson is offline   Reply With Quote
Old 08-14-2003, 11:56 AM   #25 (permalink)
is you wicked?
 
Join Date: Apr 2003
Location: I live in a giant bucket.
Ahh, sweet. Thanks for your help. None of the sites I found mentioned anything about '98... even in the unaffected software parts.

...I guess I just need to upgrade my computer one of these days.
Batman976 is offline   Reply With Quote
Old 08-14-2003, 04:23 PM   #26 (permalink)
I am Winter Born
 
Pragma's Avatar
 
Join Date: Apr 2003
Location: Alexandria, VA
billege - the patch came out in July, not several months ago, but yea, I understand what you mean. I had it patched on all of my personal computers the day after the patch was out.

I heard a really interesting conspiracy theory today at work that some government agency (NSA? who knows) created and released the worm to get people to update, as everyone (Dep't Homeland Security, etc.) has been really worried about how this vulnerability hasn't been getting patched. Because if you'll notice, this worm (strangely enough) does nothing at all malicious, except bounce your computer.

I don't believe it, but it gives you something to think about.
__________________
Eat antimatter, Posleen-boy!
Pragma is offline   Reply With Quote
Old 08-14-2003, 05:42 PM   #27 (permalink)
Banned
 
Join Date: Apr 2003
Location: shittown, CA
Pragma: apparently everyone infected is set to DOS windows update on Saturday.
juanvaldes is offline   Reply With Quote
Old 08-14-2003, 06:38 PM   #28 (permalink)
I am Winter Born
 
Pragma's Avatar
 
Join Date: Apr 2003
Location: Alexandria, VA
Amusing - when it first broke, they only "thought" it was set to DDoS WindowsUpdate. I guess I've been too busy working on other stuff at work to read updates.

I guess no "white hat" group would DDoS WindowsUpdate. So much for that conspiracy theory.
Pragma is offline   Reply With Quote
Old 08-15-2003, 12:35 AM   #29 (permalink)
Buffering.........
 
merkerguitars's Avatar
 
Join Date: Apr 2003
Location: Wisconsin...
******** UPDATE *******EASIEST WAY TO REMOVE**************

First Download this tool. Make sure you store it in a place where you can find it. http://securityresponse.symantec.com...r/FixBlast.exe this is the link to download the tool from. Don't run it or open it yet.

Next shut down your computer. Before the computer boots, press the F8 button. Then select the safe mode option. When the computer is fully booted up, run the utility. (The screen will look funky but don't worry about it, it's perfectly normal.)

Then after the tool has removed all the files. Download this patch and install it.

http://www.microsoft.com/technet/tre...n/MS03-026.asp here is the link for the patch...the download option is on the right hand side of the screen. Once you install that you should be virus free.
merkerguitars is offline   Reply With Quote