Are you Getting 'random' reboots online?



XyZspineZyX
08-12-2003, 10:51 AM
Then please read this:

http://forums.ubi.com/messages/message_view-topic.asp?name=us_il2sturmovik_ts&id=zwmth

I know this does not really belong in the GD forum but this is very prevalent.

I saw many users experiencing this on UBI.com last night.
Some thought it was the patch link causing it.

Mods - maybe leave this one for a while?

This relates to your PC suddenly shutting itself down with the 'RPC Service' error message.

XyZspineZyX
08-12-2003, 11:02 AM
BIG bump. Win XP users are vulnerable to this attack. It really goes off on the 15th when it starts flooding the Windows Update site. It allows the attacker to execute code on your computer, so better act now.

XyZspineZyX
08-12-2003, 11:04 AM
yep windows update does the trick

XyZspineZyX
08-12-2003, 11:05 AM
It's a virus
Virus Alert Notification

Win32.Poza



Alias: W32.Blaster.Worm (Symantec),
W32/Lovsan.worm (McAfee),
W32/Msblast.A (F-Secure),
Win32/Poza.Worm,
WORM_MSBLAST.A (Trend)
Category: Win32
Type: Worm
Published Date: 8/11/2003
Last Modified: 8/11/2003

CHARACTERISTICS

Win32.Poza is a worm using the exploit described in MS03-026 to gain access to unpatched Windows installations. More information about the exploit can be found in our Vulnerabilities Library or at the Microsoft site here: http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

Method of Installation

It creates a mutex "BILLY" to avoid running multiple instances of itself, and creates a registry value to activate on Windows restart:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update = "msblast.exe"

The worm runs an FTP service listening on port 69, waiting for exploited machines to connect.

Method of Distribution

It starts by scanning the entire subnet for open 135 ports, then moves on to scan randomly selected class B subnets (255.255.0.0) to start scanning. If an open 135 port is found, it uses the exploit mentioned above to gain entry and create a remote shell on the exploited machine. It then assumes the exploit succeeded and attempts to connect to port 4444 of the remote machine. If successfully connected, it instructs the remote machine to download MSBLAST.EXE (size: 6,176 bytes, UPX packed) from its FTP service using TFTP.EXE. It then sends an instruction to start MSBLAST.EXE on the remote machine.

Note: TFTP.EXE is a utility included by default in installations of Windows 2000 and later versions.

The worm is capable of keeping live connections to 20 exploited machines simultaneously.

Payload

If the day of the month is 16 or later, or the month is between January and August, the worm creates a working thread to send random data to windowsupdate.com almost continuously. This effectively launches a Distributed Denial of Service attack against windowsupdate.com.

Additional Information

The worm body contains these strings:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

CA has also received reports from several sources that this worm may be seen associated with crashes of svchost.exe.



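A defender-side check for the propagation sequence in the description above (TCP/135 sweep, TCP/4444 connect to a probed host, then the victim pulling the payload over TFTP on UDP/69), added here as an illustration; it is not part of the thread or of CA's text. The firewall log format, the sample lines and the sweep threshold are constructed for the example.

```python
# Added example: flag the Blaster propagation sequence described above in
# firewall logs. Constructed log format (not a real product's format):
#   "<time> <proto> <src>:<sport> -> <dst>:<dport> <ALLOW|DENY>"
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ALLOW|DENY)$")
SWEEP_THRESHOLD = 3  # distinct hosts probed on TCP/135 to call it a sweep

# Constructed sample: 10.0.0.7 is infected and sweeping; 10.0.0.50 is an
# ordinary RPC client touching one host and must not be flagged.
SAMPLE_LOG = """\
10:51:01 TCP 10.0.0.7:1034 -> 10.0.0.20:135 ALLOW
10:51:01 TCP 10.0.0.7:1035 -> 10.0.0.21:135 DENY
10:51:02 TCP 10.0.0.7:1037 -> 10.0.0.23:135 ALLOW
10:51:03 TCP 10.0.0.7:1038 -> 10.0.0.20:4444 ALLOW
10:51:04 UDP 10.0.0.20:1050 -> 10.0.0.7:69 ALLOW
10:52:00 TCP 10.0.0.50:2001 -> 10.0.0.5:135 ALLOW
"""

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped, not raised on
            yield m["proto"], m["src"], m["dst"], int(m["dport"])

def find_blaster_activity(lines):
    """Return {src: [findings]} for sources showing the worm's pattern."""
    probed = defaultdict(set)  # src -> hosts it probed on TCP/135 (DENY counts too)
    shells = set()             # (src, dst) pairs with a TCP/4444 connect
    tftp = set()               # (victim, infector) pairs with a UDP/69 pull
    for proto, src, dst, dport in parse(lines):
        if proto == "TCP" and dport == 135:
            probed[src].add(dst)
        elif proto == "TCP" and dport == 4444:
            shells.add((src, dst))
        elif proto == "UDP" and dport == 69:
            tftp.add((src, dst))
    findings = defaultdict(list)
    for src, hosts in probed.items():
        if len(hosts) >= SWEEP_THRESHOLD:
            findings[src].append(f"TCP/135 sweep of {len(hosts)} hosts")
    for src, dst in sorted(shells):
        if dst in probed.get(src, ()):  # 4444 only matters after a 135 probe
            findings[src].append(f"135 then 4444 to {dst}")
            if (dst, src) in tftp:
                findings[src].append(f"{dst} pulled payload over TFTP from {src}")
    return dict(findings)
```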

XyZspineZyX
08-12-2003, 11:07 AM
MD_Kaz wrote:
- yep windows update does the trick

Hi Kaz.

Windows update does NOT do the trick if you are already infected!

Only fixblast or the procedure detailed at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

will fix it.

XyZspineZyX
08-12-2003, 11:08 AM
I'm gonna do my RBJ interpretation:


If you don't check Windows Update on a regular basis it's your own fault.

U like, Loco-S?

XyZspineZyX
08-12-2003, 11:08 AM
I have this problem too. I think I fixed it by applying the XP patch and fixblast.

XyZspineZyX
08-12-2003, 11:15 AM
Yep, only just solved (I think). Spent all evening sorting this out - just in time for the patch! I thought it was me since I'd just reformatted. I tell you I was getting REALLY hacked off!

"Tis better to work towards an Impossible Good, rather than a Possible Evil."

SeaFireLIV.

XyZspineZyX
08-12-2003, 11:27 AM
Hacked off is definitely the expression, Seafire!

And yes Ven a regular windows update should be done.

Sadly as it does take up some bandwidth many have disabled it with the good intention of manually doing it. And then forgetting.

I guess I'm one of those!

XyZspineZyX
08-12-2003, 11:43 AM
where on the PC do I find the "disable system restore" feature?


XyZspineZyX
08-12-2003, 11:46 AM
fjuff79 wrote:
- where on the PC do I find the "disable system restore" feature?
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html has this link:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

Hope this helps!

Good luck.

Edit:

Also available by right clicking 'my computer' on your desktop and selecting 'properties'. Then select the system restore tab.

Don't forget to turn it back on after rebooting and repeating the fixblast.



Message Edited on 08/12/03 11:50AM by B16Enk

XyZspineZyX
08-12-2003, 12:38 PM
rumpity thumpity bump

Europe was hit badly with this, make sure you're all sorted!!

:FI:Red Lichtie

Lang may yer lum reek!

http://fighting-irish.org

XyZspineZyX
08-12-2003, 12:39 PM
Damn! Although the problem stopped, my virus checker says the virus is still there. I've gotta go do a complete reformat.

"Tis better to work towards an Impossible Good, rather than a Possible Evil."

SeaFireLIV.

XyZspineZyX
08-12-2003, 12:44 PM
Seafire did you follow the instructions from symantec?

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

try running the removal tool in safe mode

:FI:Red Lichtie

Lang may yer lum reek!


http://fighting-irish.org

XyZspineZyX
08-12-2003, 12:56 PM
Unless you're running the NTFS filesystem on your HD, then you can make a DOS boot (in a CLEAN machine) and that's it. Also unplug from the net if you've got cable etc. so you won't get it again before you patch.

Ask someone who knows something about comps and DO NOT format if you don't need to; it's like tearing down a wall to get the mouse out.

XyZspineZyX
08-12-2003, 01:01 PM
Hey turbo, I've got a question for you: are you Finnish? I know that porsas means pig in Finnish (I speak a little), so I thought I might ask.

- McTriggerhappy

fluke39
08-12-2003, 01:07 PM
YES

Thank god it's not just me - I thought I'd f*cked my computer by not powering down all the time.

I kept getting the message

'REMOTE PROCEDURE CALL' has been terminated, windows must shutdown

I checked in Task Manager after about the 10th time this happened and noticed a blast.exe or blastof.exe (edit - sorry, it was "msblast.exe") - ended the procedure and now it seems to have stopped (well, the procedure anyway) - although I guess it'll come back unless I take the advice on how to get rid of the actual code or whatever it is.

Bollox - it's back, better post this quick - FFS


Message Edited on 08/12/03 12:15PM by fluke39

Message Edited on 08/12/03 12:17PM by fluke39

XyZspineZyX
08-12-2003, 01:09 PM
Ok ok ok, if I get regular Windows updates I'm fine, right?

47|FC

XyZspineZyX
08-12-2003, 01:10 PM
FI.Red.Lichtie wrote thoughtfully:

"Seafire did you follow the instructions from symantec?"

Yea, found it. Got rid of it with the W32 Blaster worm removal. Phew!





"Tis better to work towards an Impossible Good, rather than a Possible Evil."

SeaFireLIV.

XyZspineZyX
08-12-2003, 01:28 PM
Will it help if I delete the little file with the bear-icon?

XyZspineZyX
08-12-2003, 01:29 PM
AHS_VIPER wrote:
- Ok ok ok, if i get regular windows updates im fine
- rite?

No!

Patch will prevent not cure.

Go to:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html for removal tool.

Then:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039 for instructions on stopping system restore (a right click on 'my computer' -> properties -> system restore takes you there).

I'm up to my eyes with all our servers at work with this (50+) so writing in haste......

XyZspineZyX
08-12-2003, 01:30 PM
For those of you with McAfee, you can also try this link which will give details on it.

http://vil.nai.com/vil/content/v_100547.htm

Should point you to a free tool called Stinger that enables you to nuke the virus off your system if it's already infected.

Have had a couple of people at work and also some of our customers infected with it. Luckily I haven't had it myself, but I made sure that everything was fully updated on my system after I just rebuilt it yesterday!

XyZspineZyX
08-12-2003, 02:32 PM
Grrrrrrrrrrrrr!

Some F@ck has done this to me! Just spent 20mins trying to suss what the problem was!

Grrr!

I was to take responsibility for the newcomer Erich Hartmann. I looked at him and thought: Oh my God, what are they sending us now? What a baby!

XyZspineZyX
08-12-2003, 02:43 PM
McTriggerhappy wrote:
- hey turbo, I've got a question for you: are you Finnish? I know that porsas means pig in Finnish (I speak a little), so I thought I might ask
- - McTriggerhappy


Yes, I'm a flying Finn.

Hope you people get msblast under control, even though I'm eagerly awaiting the (insert place of lots of flame and coal and a red dude with a butt like Lisa Minnelli's and 2 horns here) it's gonna raise in MS Update.. that's the place it will hit on the 15th.

XyZspineZyX
08-12-2003, 02:47 PM
This one got me too.

fortunately it looks *relatively* easy to eliminate-

XyZspineZyX
08-12-2003, 02:54 PM
try patching windows instead of removing the offending code:

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp


XyZspineZyX
08-12-2003, 02:58 PM
JFW wrote:
- try patching windows instead of removing the offending code:
No!

As stated earlier in post:

Patch will prevent NOT cure.

fixblast from Symantec or Stinger from McAfee will remove the worm.

Then and only then will patch be effective.

Trust me I do this for a living...............