RPC Worm Attack

LoneDeranger

OK, I just joined a game of CS (turning off my firewall so there is no lag) and the next thing I know I get this error saying some sort of an RPC error occurred in SVCHOST.exe. But that's not all, 3 seconds later I get a message saying your system is not being rebooted by the NT Administrator! And it rebooted my system!

I don't know how but I think I was infected with this: http://news.com.com/2100-1002_3-5062364.html?tag=fd_lede1_hed

Make sure you guys update your antivirus and download all the Windows updates.
 
security experts have been waiting for some online vandal to create a worm that takes advantage of it.

That's the most stupid thing I've ever ****ing heard.
 
Here are basic removal steps for anyone who might need them.

Get ZoneAlarm and block port 135; that way you won't get reinfected between the time you delete the file and the time you patch DCOM.

1) delete msblast.exe (usually found at: winnt\system32\msblast.exe)

2) delete the Registry key: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update". That key should contain the "msblast.exe" process, and is what starts it up again on reboot.

3) patch DCOM, or you'll just get this again. http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp is the update to get.
 
Starting on Aug. 16, every computer infected with MBlast will start flooding Microsoft's Windows Update service with legitimate-looking connection requests. The denial-of-service attack could slow down, and even halt access to, the primary way Microsoft customers receive updates for their computers.
 
Thanks guys. I think I should be OK now. There is a whole lot of 135 requests being blocked in ZoneAlarm though.
 
It appears this is very serious. I had this problem this morning and for some reason it has stopped now.
 
Is it...dead? No attacks for today, all files seem to have gone, but it is said that infected systems will start a DoS attack on Microsoft's Winupdate.com service on August 16th...we will see...
 
It comes through an RPC connection, I HATE RPC!!!!!! Don't forget it leaves a back door at port 4444, so block that one too.
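
Added example, not code from any poster in this thread: a Python triage script that reads saved output of `reg query` on the Run key and of `netstat -an`, and reports the indicators named in the removal steps and in the post above (a Run value that starts msblast.exe, listeners on ports 135 and 4444). The sample outputs and the `ExampleTray` entry are constructed for illustration.

```python
import re

# Indicators taken from the thread: the dropped file name, the RPC port
# to block, and the backdoor port the worm is said to leave open.
WORM_FILE = "msblast.exe"
RPC_PORT, BACKDOOR_PORT = 135, 4444

def check_run_key(reg_output):
    """Return Run-key value names whose data launches msblast.exe."""
    hits = []
    for line in reg_output.splitlines():
        # Value lines are indented: <name> <REG_SZ|REG_EXPAND_SZ> <data>
        m = re.match(r"\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line)
        if m and WORM_FILE in m.group(2).lower():
            hits.append(m.group(1))
    return hits

def check_listeners(netstat_output):
    """Return which of the watched TCP ports are in LISTENING state."""
    found = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            if port in (RPC_PORT, BACKDOOR_PORT):
                found.add(port)
    return found

def triage(reg_output, netstat_output):
    """Combine both checks into the findings a responder acts on."""
    ports = check_listeners(netstat_output)
    return {
        "run_entries": check_run_key(reg_output),      # delete these (step 2)
        "backdoor_listening": BACKDOOR_PORT in ports,  # strong sign of infection
        "rpc_listening": RPC_PORT in ports,  # normal on Windows; firewall it until patched
    }

# Constructed sample inputs (not captured from a real machine).
SAMPLE_REG = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    windows auto update\tREG_SZ\tmsblast.exe\n"
    "    ExampleTray\tREG_SZ\tC:\\Program Files\\Example\\tray.exe\n"
)
SAMPLE_NETSTAT = (
    "  Proto  Local Address    Foreign Address  State\n"
    "  TCP    0.0.0.0:135      0.0.0.0:0        LISTENING\n"
    "  TCP    0.0.0.0:4444     0.0.0.0:0        LISTENING\n"
    "  TCP    10.0.0.5:1039    10.0.0.9:80      ESTABLISHED\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_NETSTAT))
```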
 
Wow, that's weird, as soon as I went into this thread I got that error that you got, Lone. It restarted and I deleted that msblast.exe, heh. I better do all them steps to prevent this, thanks for the help xtasy.
 