Another damn virus

[Iris]

i totally agree with andrewas. here in the compound the sysadmin 2 days ago suddenly went around the offices and dorms and started checking the antivirus software of everyone who has a PC, and also confirmed if the latest MS patch was installed. he said the company's servers had encountered a virus and, while the infestation was in check, he wanted to make sure there were no leakages.

(Edited by Iris at 11:12 am on Aug. 13, 2003)

[DR EVIL]

i think the reason why people dont make viruses for macs is for one most dont know how to properly code a virus that could do real harm on a mac.
people who have macs and can code for them usualy like the OS. and of course macs are tough to hack (if correctly set up and managed)

people hack windows because microsoft wont get off its lazy arse to fix its software.

ive been around since windows 3.1
i now have win xp corperate that i got from "alternate sources"

[Pacemeyer]

Blaster's just been on the news.

It affects:

Win XP
Win NT
Win 2000
And anotherone which I just forgot but it ended in 2003.

It's a vius which is s protest about the buggy software by microsoft and there's meant to be a major attack on the microsoft update page.

I think the attacks meant to destroy microsoft. (Not sure though).

[Sym33]

As far as I can see from this virus, it appears to shutdown the computer after 60 seconds each time it is turned on until it is removed. It's not going to do a great DOS attack if it lasts 60 seconds, and most people wouldn't bother turning on there computers unless they were going to get rid of the virus

[Pacemeyer]

What I meant by theres going to be an attack on Microsoft is:

This virus is a warning message to Microsoft.
Some experts who looked at the code found a message.

[Liquid Data]

As far as I can see from this virus, it appears to shutdown the computer after 60 seconds each time it is turned on until it is removed. It's not going to do a great DOS attack if it lasts 60 seconds, and most people wouldn't bother turning on there computers unless they were going to get rid of the virus

The shutdown effect only occurs if the worm tries either to exploit Windows XP with the method written for Windows 2000 or vice versa. It is most certainly an undesired effect caused by a bug in the worm's code. (Would be a bit pointless to write a worm that would prevent itself from spreading by causing the infected computer to shut down after 60 seconds...)

A really nasty bug, though... try to download and install a patch within 60 seconds. Quite a challenge, isn't it?

And of course the whole thing is designed to slap Microsoft right into the face. I wonder if they will be able to prevent any DoS attacks that are going to be performed by the infected machines on Friday...

But well, the RPC vulnerability was revealed a month ago, and M$ released a security update to fix the problem only several days after it had been discovered. Soon exploits for this vulnerability were created and spread throughout Bugtraq and other lists. From that day on, it was only a matter of time before someone would use one of these exploits to create a virus or worm, and it was quite clear that this would happen.

I wasn't affected - just because of the fact that I downloaded and installed the patch instantly after it was out. If not, ZoneAlarm Pro wouldn't have been able to protect my system, as far as I can tell from the posts in this topic. Lucky... -_-

However, a good hardware firewall plus a router seems to be more effective. In the place where I work, our network server hadn't been patched until today (when half of the employees run for the sysadmin to tell him he REALLY should download the update to protect our systems from the worm... ^^; ). But the server remained unaffected, even without the patch - thanks to the firewall.

Btw, did you notice that there are already two variants of the worm spreading...? That was quick... Obviously the source code was posted somewhere, maybe on Bugtraq.

[sarcasm]It's always a pleasure to see how a bunch of half-adolescent script kiddies are able to cause irrational panic to internet users, system administrators, security experts and the media - all at once.[/sarcasm]

Well, at least now they have something to rant about.

(Edited by Liquid Data at 11:11 pm on Aug. 13, 2003)

[Stewsburntmonkey]

Quote: from DR EVIL on 1:46 pm on Aug. 13, 2003[br]i think the reason why people dont make viruses for macs is for one most dont know how to properly code a virus that could do real harm on a mac.
people who have macs and can code for them usualy like the OS. and of course macs are tough to hack (if correctly set up and managed)

people hack windows because microsoft wont get off its lazy arse to fix its software.

ive been around since windows 3.1
i now have win xp corperate that i got from "alternate sources"

This worm (and most others) do not affect PCs that are "correctly set up and managed".  The patch for this vulnerability has been out for a good while now, its just people not clicking on the little update icon on the screen that is the problem.  People don't code worms and viruses for Macs because the whole point is to get the widest audience, and Macs are certainly not the largest audience.  People hack school Macs all the time (especially the pre-OSX systems), its really not that hard.  The thing I hate is all these people running around yelling at MS for these security holes, when they are present on every consumer OS, and MS does a better job patching them than anyone else for the most part.  Things like this are possible not because of MS, but because of the people who don't update their systems.  That is their perogative but they can't blame anyone but themself.  

(Edited by Stewsburntmonkey at 4:30 pm on Aug. 13, 2003)

[tabasco boy]

it sometimes make me wonder how some of those IT staff who's client machines got infected got a job and what they do from 9 to 7 do they just chitchat the whole day or download porn. they had more or less a month now since the patch has been out.

they don't eFFing deserve to get a fat pay check. and us who knows more are the one getting layed off.

there's definetely something wrong here.

[sir hackalot]

well for those who got infected, good you deserve it, the RPC overflow patches have been out for at least a month now,  and because of your stupidity you now have blaster. the compiled version of blaster will exploit the RPC DCOM overflow for XP/2K, but the vulnerability is on every version of windows except 98, so it would take  a small amount of coding to upgrade this virus to real potential.

but as usual worms will still continue to rampage through systems over the world, why? because ppl wont spend five mintues updating there sytstems.

Symantecs removal tool: http://securityresponse.symantec.com/av ... .tool.html
Trend's removal tool:
http://www.trendmicro.com/download/tsc.asp
F-Secure's removal tool:
http://www.f-secure.com/v-descs/msblast.shtml
Mcaffee's removal tool:
http://vil.nai.com/vil/stinger/

Check your registry under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

if you find an entry for Windows Auto Update that launches a file named msblast.exe you should delete this tos topit running at startup. then delete it form your hard drive by dropping into DOS mode.

For those who might actually show an interest and learn something from this:
http://www.securiteam.com/windowsntfocu ... 20AKG.html
also has a list of pacthes for OS's, but these have not proved 100% successful.

And as for people talking about firewalls etc etc, they dont work. Blocking some ports:
* 69/UDP
* 135/TCP
* 135/UDP
* 139/TCP
* 139/UDP
* 445/TCP
* 445/UDP
* 4444/TCP
and several others.

LSD, the discoverers of the overflow analysis:
http://www.xfocus.org/documents/200307/2.html

[EDIT]sorry for stretching page[/EDIT]

(Edited by sir hackalot at 12:59 am on Aug. 14, 2003)

[Starfyre]

One should be safe if there's no msblast.exe, right?

[Adriac]

I don't update virus definitions, and I haven't ever gotten a virus... In my opinion, it's just good design to not require the users to protect themselves. I mean, you're like "Serves them right for not protecting their system." But, I mean, it serves your mom right, eh?

No, seriously. If your mom's computer got infected and wiped simply because she's not the right generation, is that her fault or Microsoft's?

For servers run by IT departments, I agree entirely. But PC users can get viruses as well, and I think it really is the developer's job to stop that.

And on a side note, labs getting hacked is a whole different animal. See, it's generally assumed that one doesn't have physical access to the target. If you do, well, single user mode (Command-S of OS X), or if that's passworded (isn't by default...) just take out the hard drive.

But it must be noted that Panther (OS X 10.3) will include an option to encrypt one's entire home directory at logout, if you're that paranoid.

Real life example*: My mom is fairly computer illiterate, but as a psychiatrist she needs to keep a certain amount of data (Read: everything) confidential. Transparent, automatic OS X encryption is really perfect for her needs.


*That's an example that's true, not an example of a RL scenario. My mom really is a psychiatrist.

[Stewsburntmonkey]

I think it is rather silly to say that people should not be asked to make any effort to keep their system secure.  There is not a consumer OS that does not have vulnerabilites.  If you are not a totally isolated system you are going to open up security issues somewhere.  For years the Linux community has railed against the insecurity of Microsoft, but now that Linux distros are trying to compete with Window's ease of use my mail box is full of notices from RedHat and Mandrake announcing new patches for security holes.  There are several security holes in OSX, but because the community is so limited no one really cares.  And when I talked about hacking school computers I was speaking of remote hacks, not the trivial direct access type.  

If anyone thinks they can design a fully secure OS (that anyone can use) I would ask them to give it a try.  The most secure OS is Unix and is so secure because it has been little changed in years.  Once BSD is configured for real consumer use several security issues arrise.  It is like a car;  the auto-maker can only do so much to protect you against yourself.   If you decide you should never have to change the oil or the brakes then you are doing so at your own risk.  :)

[Tuxedo Penguin]

Damn.  All this over a worm....
All things considered; I'd rather get Revelation.

[Kronus]

and yet, according to other sites, the message the worm telling Bill Gates to fix his own software... btw where can I find this virus I what to capture it and put it in my collection of viral software...

[tabasco boy]

Quote: from Kronus on 5:44 am on Aug. 14, 2003[br]and yet, according to other sites, the message the worm telling Bill Gates to fix his own software... btw where can I find this virus I what to capture it and put it in my collection of viral software...

you don't have to find it matey just disable your anti-virus, disable your software firewall connect PC directly to the net without router, enable every service on your machine open all possible ports and sit back and wait while rehearsing on pulling your hair in anger and thinking why did i follow tabasco boy. :biggrin:

you better hurry up though as most ISPs everywhere are blocking port 135 and some other ports which will make your chance slimmer of acquiring it.

(Edited by tabasco boy at 6:01 am on Aug. 14, 2003)