Tilted Forum Project Discussion Community  

Old 08-12-2003, 06:11 AM   #1 (permalink)
Buffering.........
 
merkerguitars's Avatar
 
Location: Wisconsin...
Blaster Worm RPC patch

Here's a hotlink for you people for the patch to fix the vulnerability in Microsoft Windows NT® 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server™ 2003
Details:
Microsoft Security Bulletin MS03-026


Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
Originally posted: July 16, 2003

Revised: July 21, 2003

Summary
Who should read this bulletin: Users running Microsoft® Windows®

Impact of vulnerability: Run code of attacker’s choice

Maximum Severity Rating: Critical

Recommendation: Systems administrators should apply the patch immediately
LINK FOR DOWNLOAD
__________________
Donate now! Ask me How!

Please use the search function it is your friend.

Look at my mustang please feel free to comment!

http://www.tfproject.org/tfp/showthread.php?t=26985
merkerguitars is offline  
Old 08-12-2003, 06:40 AM   #2 (permalink)
MSD
The sky calls to us ...
 
MSD's Avatar
 
Super Moderator
Location: CT
Oh, nice, when the school IT "experts" emailed it to us they said that it only affected 2000, not XP. Thanks for the heads-up
MSD is offline  
Old 08-12-2003, 07:34 AM   #3 (permalink)
Addict
 
Location: Just look over your shoulder!
This worm is currently hitting my network pretty hard trying to find a hole. Luckily, all it is doing is eating up bandwidth (not my users' files and OSs).
__________________
"I am the writing on the wall, the whisper in the classroom. Without these things, I am nothing."
candyman is offline  
Old 08-12-2003, 08:03 AM   #4 (permalink)
TIO
Addict
 
TIO's Avatar
 
Location: The Land Down Under
I just had to whip out the crowbar and pry Blaster out of our network (~150 pooters, about half of them NT-200-XP). What a way to spend a birthday.

We got it out without too much damage, but it did take out one guy's OS on a bad shutdown. And it took down at least one local radio station. Has anyone heard if the Macy's billboard went down?


What time did it strike you guys, out of curiosity? 30 pooters on our network died right on the dot of 11AM (local time).
__________________
Strewth

Last edited by TIO; 08-12-2003 at 08:08 AM..
TIO is offline  
Old 08-12-2003, 08:23 AM   #5 (permalink)
Addict
 
Location: Just look over your shoulder!
It started here (Michigan) yesterday at about 2:00 EST. I was getting hit from Qwest IPs in Tenn. Pretty much all the traffic is spawning from 63.146.*.*

What a mess!
__________________
"I am the writing on the wall, the whisper in the classroom. Without these things, I am nothing."
candyman is offline  
Old 08-12-2003, 08:37 AM   #6 (permalink)
Rookie
 
cliche's Avatar
 
Location: Oxford, UK
I was wondering why my firewall has been flagging up attempts to connect 135 all day! I just put it on auto-deny and forgot about it. I think I'll turn back on the logging so I can warn friends etc...
__________________
I can't understand why people are frightened of new ideas. I'm frightened of the old ones. -- John Cage (1912 - 1992)
cliche is offline  
Old 08-12-2003, 08:58 AM   #7 (permalink)
Addict
 
Arc101's Avatar
 
Location: Nottingham, England
This got me yesterday, and yes it bloody well does affect XP. Anyway for more help and support (and to read people crying about how it affected them) click on below:
http://computing.net/hardware/wwwboard/forum/15396.html
Arc101 is offline  
Old 08-12-2003, 09:59 AM   #8 (permalink)
42, baby!
 
Dragonlich's Avatar
 
Location: The Netherlands
I saw the news mentioning it, and saw the reports online. To be honest, I had not seen any real evidence until just moments ago, when I checked my firewall logs - lots of 135s there.

If I'm not mistaken, I've been patched since the update was posted - my liveupdate keeps bugging me every time it's essential.
Dragonlich is offline  
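A way to summarize the port 135 hits the posters above describe seeing in their firewall logs, grouped by source address and by source /16 (the "63.146.*.*" style used in post #5). This is an added example, not part of the thread: it assumes space-separated log fields in the order date, time, action, protocol, src-ip, dst-ip, src-port, dst-port (the layout of the Windows XP firewall log), and the sample lines and addresses are constructed.

```python
from collections import Counter

# Constructed sample lines, not taken from the thread. Assumed field order:
# date time action protocol src-ip dst-ip src-port dst-port size
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size
2003-08-12 11:00:01 DROP TCP 198.51.100.7 192.0.2.10 4312 135 48
2003-08-12 11:00:02 DROP TCP 198.51.100.99 192.0.2.10 4313 135 48
2003-08-12 11:00:05 DROP TCP 203.0.113.20 192.0.2.10 1045 135 48
2003-08-12 11:00:09 DROP UDP 203.0.113.20 192.0.2.10 1046 137 78
2003-08-12 11:00:11 OPEN TCP 192.0.2.10 198.51.100.50 3050 80 -
2003-08-12 11:00:15 DROP TCP 198.51.100.7 192.0.2.10 4400 135 48
2003-08-12 11:00:17 DROP TCP
"""

WATCHED_PORTS = {135}  # the port the posters report seeing in their logs


def parse_line(line):
    """Return (action, proto, src_ip, dst_port), or None for header/bad lines."""
    fields = line.split()
    if len(fields) < 8 or line.startswith("#"):
        return None
    action, proto, src_ip, dst_port = fields[2], fields[3], fields[4], fields[7]
    if src_ip.count(".") != 3 or not dst_port.isdigit():
        return None
    return action.upper(), proto.upper(), src_ip, int(dst_port)


def summarize(log_text, ports=WATCHED_PORTS):
    """Count dropped TCP attempts to the watched ports, per source
    address and per source /16 (written a.b.*.* as in the thread)."""
    by_source, by_prefix = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action, proto, src_ip, dst_port = rec
        if action != "DROP" or proto != "TCP" or dst_port not in ports:
            continue
        by_source[src_ip] += 1
        a, b = src_ip.split(".")[:2]
        by_prefix[f"{a}.{b}.*.*"] += 1
    return by_source, by_prefix


if __name__ == "__main__":
    sources, prefixes = summarize(SAMPLE_LOG)
    for prefix, hits in prefixes.most_common():
        print(f"{prefix:<14} {hits} dropped attempts to TCP 135")
    for src, hits in sources.most_common(3):
        print(f"  {src:<16} {hits}")
```

A burst of drops on TCP 135 concentrated in a few source prefixes is the pattern the posters are describing; a machine on your own network showing up as a source is the one to check first.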
Old 08-12-2003, 04:22 PM   #9 (permalink)
Who knows what evil lurks in the hearts of men?
 
Speed_Gibson's Avatar
 
Location: right here of course
no problems here - but I do have a 3com router as my primary firewall and kaspersky anti-hacker in stealth mode on the software side. (running winXP pro corporate w/o SP1)
looked at the anti-hacker logs and no activity shows up there at all.
Speed_Gibson is offline  
Old 08-12-2003, 04:26 PM   #10 (permalink)
Who knows what evil lurks in the hearts of men?
 
Speed_Gibson's Avatar
 
Location: right here of course
Quote:
Originally posted by Arc101
This got me yesterday, and yes it bloody well does affect XP. Anyway for more help and support (and to read people crying about how it affected them) click on below:
http://computing.net/hardware/wwwboard/forum/15396.html
after reading those posts it is more than a bit alarming - but not surprising - how many people are running without any kind of firewall. I would hate to have to rely on just a software option now after having both for several months.
Speed_Gibson is offline  
Old 08-12-2003, 05:43 PM   #11 (permalink)
In Your Dreams
 
Latch's Avatar
 
Location: City of Lights
Disrupted our whole uni. Classes got cancelled because no one could use the computers.

Then the damn thing hit res (the dorms).. I got about 5 calls in 20 minutes... and they just kept going.
Latch is offline  
Old 08-12-2003, 06:38 PM   #12 (permalink)
Banned
 
Location: shittown, CA
I bet a few admins just lost their jobs.
juanvaldes is offline  
Old 08-12-2003, 08:27 PM   #13 (permalink)
Blood + Fire
 
Mr.Deflok's Avatar
 
Location: New Zealand
Yesterday I got called out to five different locations having to heal up this worm problem, then once I was done with my clients a couple of friends called up to ask for my assistance.

Word of advice to you all, DOWNLOAD AND INSTALL THE PATCH NOW

If one techie (me) had to fix 7 instances of this problem in one day imagine how far stretched this problem really is.

p.s. the only positive thing to come of this mess is that yesterday I went to sleep a rich man.
Mr.Deflok is offline  
Old 08-12-2003, 08:33 PM   #14 (permalink)
Blood + Fire
 
Mr.Deflok's Avatar
 
Location: New Zealand
Oh and here's another link regarding the Worm and how to fix it.
http://www.techspot.com/vb/showthread.php?threadid=6651
Mr.Deflok is offline  
Old 08-13-2003, 01:10 AM   #15 (permalink)
Friend
 
YaWhateva's Avatar
 
Location: New Mexico
http://securityresponse.symantec.com...oval.tool.html

Yet another fix. That worm was a bitch.
__________________
“If the Americans go in and overthrow Saddam Hussein and it's clean, he has nothing, I will apologize to the nation, and I will not trust the Bush administration again.” - Bill O'Reilly

"This is my United States of Whateva!"
YaWhateva is offline  
Old 08-13-2003, 02:54 AM   #16 (permalink)
Blood + Fire
 
Mr.Deflok's Avatar
 
Location: New Zealand
and another
http://www.freevideo.nu/rpc/
Mr.Deflok is offline  
Old 08-13-2003, 04:07 PM   #17 (permalink)
Delicious
 
Reese's Avatar
 
I just patched my mom's machine yesterday and today on my 98 machine I see 192 attempts to access port 135 in my firewall logs...
__________________
“It is better to be rich and healthy than poor and sick” - Dave Barry
Reese is offline  
Old 08-13-2003, 07:57 PM   #18 (permalink)
Stay off the sidewalk!
 
RoadRage's Avatar
 
Location: Oklahoma City, OK
Hey Mods, can you put some tag on this thread so it stays near the top? People are going to be needing this info for quite a while.
__________________
Join TFP Team SETI
43K workunits complete, 34 members, more of each needed.
RoadRage is offline  
Old 08-13-2003, 08:36 PM   #19 (permalink)
Tilted
 
Location: Ontario, Canada
Man has this worm caused a lot of hell. The question I'm wondering about is do they have any idea who is responsible for it? From my personal experience, it's not like any virus I've ever seen, from an execution point of view anyways. I'm not trying to give the wrong impression or anything, but it's the most clever worm I've seen in a long time. Not real devastating to the home user (just annoying), but could cause havoc on servers and such... primarily WinXP/2000 servers..... hmmmm.... perhaps a disgruntled former MS employee? Sure, abusing Windows flaws is nothing new, but then shutting down RPC services, subsequently shutting down the PC as well. Ingenious, if not evil. I could see a hefty charge against the culprit if caught, but in this case I wouldn't be surprised if he was hired after it all settles. I'm just wondering how I got it after doing a fresh install and seconds after my first dialup connection to the 'net after the install..... makes you think....
__________________
" Can't keep my eyes from the circling skies, Tongue-tied and twisted just an earth-bound misfit, I "
Nooze2k is offline  
Old 08-13-2003, 09:35 PM   #20 (permalink)
Banned
 
Location: Greater Vancouver
Quote:
Originally posted by Nooze2k
Man has this worm caused a lot of hell. The question I'm wondering about is do they have any idea who is responsible for it? From my personal experience, it's not like any virus I've ever seen, from an execution point of view anyways. I'm not trying to give the wrong impression or anything, but it's the most clever worm I've seen in a long time. Not real devastating to the home user (just annoying), but could cause havoc on servers and such... primarily WinXP/2000 servers..... hmmmm.... perhaps a disgruntled former MS employee? Sure, abusing Windows flaws is nothing new, but then shutting down RPC services, subsequently shutting down the PC as well. Ingenious, if not evil. I could see a hefty charge against the culprit if caught, but in this case I wouldn't be surprised if he was hired after it all settles. I'm just wondering how I got it after doing a fresh install and seconds after my first dialup connection to the 'net after the install..... makes you think....
While I agree the impact of this worm was *huge*, it wasn't really all that "clever..." Public information about the vulnerability this worm exploits was released on July 16, and public exploit code was released ~1.5 weeks after. The author of this worm just wrapped some self-spreading code around a plain vanilla public exploit code, and voila! Instant havoc

This has happened before too, just not with such widespread vulnerabilities. Examples include Code Red, Nimda, and SQL Slammer.
Flippy is offline  
Old 08-13-2003, 11:01 PM   #21 (permalink)
is you wicked?
 
Location: I live in a giant bucket.
I'm running Windows 98... which patch do I need to install?
__________________
The following statement is true.
The preceding statement was false.
Batman976 is offline  
Old 08-14-2003, 12:10 AM   #22 (permalink)
Blood + Fire
 
Mr.Deflok's Avatar
 
Location: New Zealand
Quote:
Originally posted by Batman976
I'm running Windows 98... which patch do I need to install?
Windows 98 users need not worry about the Worm, you're in the clear buddy! It's only us Win2k/XP users (and 2003...)
Mr.Deflok is offline  
Old 08-14-2003, 12:26 AM   #23 (permalink)
Watcher
 
billege's Avatar
 
Location: Ohio
I had the patch installed on both of our home network computers when the patch came out, a couple of months ago.

Behind the hardware and software firewall, everything is cool. This is one of those days where I'm glad I do as much as I understand to protect my network.

Whew.
__________________
I can sum up the clash of religion in one sentence:
"My Invisible Friend is better than your Invisible Friend."
billege is offline  
Old 08-14-2003, 01:53 AM   #24 (permalink)
Who knows what evil lurks in the hearts of men?
 
Speed_Gibson's Avatar
 
Location: right here of course
just checked my logs in kaspersky again and there has been ZERO hits on my ports in the past umpteenth weeks - I am assuming that my router and stealthed ports via software are the reason for that.

did look at my router logs before posting this and it did show "unauthorised HTTP access" on a few times in the week or so
Speed_Gibson is offline  
Old 08-14-2003, 09:56 AM   #25 (permalink)
is you wicked?
 
Location: I live in a giant bucket.
Ahh, sweet. Thanks for your help. None of the sites I found mentioned anything about '98... even in the unaffected software parts.

...I guess I just need to upgrade my computer one of these days.
__________________
The following statement is true.
The preceding statement was false.
Batman976 is offline  
Old 08-14-2003, 02:23 PM   #26 (permalink)
I am Winter Born
 
Pragma's Avatar
 
Location: Alexandria, VA
billege - the patch came out in July, not several months ago, but yea, I understand what you mean. I had it patched on all of my personal computers the day after the patch was out.

I heard a really interesting conspiracy theory today at work that some government agency (NSA? who knows) created and released the worm to get people to update, as everyone (Dep't Homeland Security, etc.) has been really worried about how this vulnerability hasn't been getting patched. Because if you'll notice, this worm (strangely enough) does nothing at all malicious, except bounce your computer.

I don't believe it, but it gives you something to think about.
__________________
Eat antimatter, Posleen-boy!
Pragma is offline  
Old 08-14-2003, 03:42 PM   #27 (permalink)
Banned
 
Location: shittown, CA
Pragma: apparently everyone infected is set to DoS Windows Update on Saturday.
juanvaldes is offline  
Old 08-14-2003, 04:38 PM   #28 (permalink)
I am Winter Born
 
Pragma's Avatar
 
Location: Alexandria, VA
Amusing - when it first broke, they only "thought" it was set to DDoS WindowsUpdate. I guess I've been too busy working on other stuff at work to read updates.

I guess no "white hat" group would DDoS WindowsUpdate. So much for that conspiracy theory.
__________________
Eat antimatter, Posleen-boy!
Pragma is offline  
Old 08-14-2003, 10:35 PM   #29 (permalink)
Buffering.........
 
merkerguitars's Avatar
 
Location: Wisconsin...
******** UPDATE *******EASIEST WAY TO REMOVE**************

First Download this tool. Make sure you store it in a place where you can find it. http://securityresponse.symantec.com...r/FixBlast.exe this is the link to download the tool from. Don't run it or open it yet.

Next shut down your computer. Before the computer boots press the F8 button. Then select the safe mode option. When the computer is fully booted up run the utility. (The screen will look funky but don't worry about it, it's perfectly normal.)

Then, after the tool has removed all the files, download this patch and install it.

http://www.microsoft.com/technet/tre...n/MS03-026.asp here is the link for the patch...the download option is on the right hand side of the screen. Once you install that you should be virus free.
__________________
Donate now! Ask me How!

Please use the search function it is your friend.

Look at my mustang please feel free to comment!

http://www.tfproject.org/tfp/showthread.php?t=26985
merkerguitars is offline  
Old 08-15-2003, 01:03 AM   #30 (permalink)
Watcher
 
billege's Avatar
 
Location: Ohio
I thought it was June, ahhh heck.
__________________
I can sum up the clash of religion in one sentence:
"My Invisible Friend is better than your Invisible Friend."
billege is offline  
Old 08-15-2003, 01:35 AM   #31 (permalink)
Junkie
 
almostaugust's Avatar
 
Location: Oz
Glad it doesn't attack Windows 98, cause the worm window just appeared before.
__________________
'And it's been a long December and there's reason to believe
Maybe this year will be better than the last
I can't remember all the times I tried to tell my myself
To hold on to these moments as they pass'
almostaugust is offline  
Old 08-15-2003, 05:28 AM   #32 (permalink)
The Griffin
 
Hanxter's Avatar
 
http://tfproject.org/tfp/showthread.php?threadid=22022
Hanxter is offline  
Old 08-15-2003, 10:55 AM   #33 (permalink)
Searching for the perfect brew!
 
Brewmaniac's Avatar
 
Hell, I'm more of a novice, I checked and my auto-update on XP did download the patch but I'm not using a firewall. Do I need to?
Is the firewall that comes with XP good enough? Is it easy to set up? Are there any drawbacks to firewalls?

Thanks all!
__________________
"That's a joke... I say, that's a joke, son"
Brewmaniac is offline  
Old 08-15-2003, 01:32 PM   #34 (permalink)
I'm not a blonde! I'm knot! I'm knot! I'm knot!
 
raeanna74's Avatar
 
Location: Upper Michigan
How long does this take to download over dialup? http://securityresponse.symantec.com...r/FixBlast.exe

A friend and client got the virus and I'm going to try to fix her computer tonight. She's tried to download the patch but it takes too long and is too big to get in time before the worm shuts down her windows. I'm hoping this file is smaller and takes less time. Is it possible to load this onto disk?
Any suggestions?
__________________
"Always learn the rules so that you can break them properly." Dalai Lama
My Karma just ran over your Dogma.
raeanna74 is offline  
Old 08-15-2003, 05:31 PM   #35 (permalink)
Psycho
 
steveincolumbus's Avatar
 
Location: BFE, Kentucky
I guess everyone has seen MS's site where they have details how to remove this worm... http://www.microsoft.com/security/incident/blast.asp
steveincolumbus is offline  
All times are GMT -8.