Blaster Worm 2!

[Yeloazndevil]

Quote:

Security researchers yesterday detected hackers distributing software to break into computers using flaws announced last week in some versions of Microsoft Corp.'s Windows operating system. The threat from this new vulnerability -- which already has drawn stern warnings from the Homeland Security Department -- is remarkably similar to one that allowed the Blaster virus to infect hundreds of thousands of computers last month.

Researchers from iDefense Inc. of Reston, Va., who found the new attack software being distributed from a Chinese Web site, said it already was being used to break into vulnerable computers and implant eavesdropping programs. They said they expect widespread attacks similar to the Blaster infection within days.

Microsoft confirmed last night it was studying the new attack tool.
source: Neowin

Quote:

Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly access services on another computer. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.

There are three identified vulnerabilities in the part of RPCSS Service that deals with RPC messages for DCOM activation— two that could allow arbitrary code execution and one that could result in a denial of service. The flaws result from incorrect handling of malformed messages. These particular vulnerabilities affect the Distributed Component Object Model (DCOM) interface within the RPCSS Service. This interface handles DCOM object activation requests that are sent from one machine to another.

get the patch here

I knew this was coming oh yea this only affects NT based OS's

[gamezonline]

here we go again, thx for the update

[scottlc]

Just use DCOMbobulator. It turns off the unnecessary DCOM service and protects you against all current (and future) DCOM exploits. Get it from:

http://grc.com/

[Yeloazndevil]

um no, don't like that program

[RZetlin]

Quote:

Originally Posted by scott_uk5

Just use DCOMbobulator. It turns off the unnecessary DCOM service and protects you against all current (and future) DCOM exploits. Get it from:

http://grc.com/

I just ran the test. My port is closed shut.

[RF]

What does it mean when my ports are "stealth" 'd?

edit:

Quote:

If your system is unprotected, without any personal firewall or NAT router, any ports showing as stealth are being blocked somewhere between your computer and the public Internet. This is probably being done by your ISP. Internet traffic directed to your computer at the stealth ports will be dropped before reaching your machine.

nm

[Phoenix]

easy as this, open your registry and do the following:

System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
Value Name: EnableDCOM
Data Type: REG_SZ (String Value)
Value Data: "Y" = enabled, "N" = disabled

that is exactly what grc.com's DCOMBobulator does I guess, disabling via the registry such service besides testing the vulnerability, the port 135 and such.

It's safer installing those patches and disabling the service if you're not using it.

I find handy Steve Gibson's programs.

[Player-X]

Why don't they just disable RPC by default

[Quark]

Quote:

Originally Posted by Player-X

Why don't they just disable RPC by default

Actually, DCOM. RPC is quite necessary for XP/2000, but DCOM is just a part of it that's not.

And disabling it would be smart, something microsoft is not.

[l3illyl3ob]

Quote:

Originally Posted by Player-X

Why don't they just disable RPC by default

because there's about 30 different services that depend on RPC.

[Player-X]

Hi n00bs

I ment DCOM Thanks for correcting me

[Recca]

how can you install the patch before the comp shuts down. I find it near impossible

[Quark]

Quote:

Originally Posted by Recca

how can you install the patch before the comp shuts down. I find it near impossible

Sounds like you're infected with the original blaster worm.
As soon as your computer is finished booting, hit ctrl-alt-delete and get into task manager. Under processes there's a program, either blaster.exe or msblaster.exe (I forget which), end that process. Then you should be good until the next reboot, at least.

Install the patches and you'll no longer be vulnerable to it and such, though you may want to run a FixBlaster program to clean the computer out (I'm not sure where it resides).

Of course, you may also be infected with Welchia, but I haven't heard of Welchia-infected computers crashing.

[Recca]

This is not the blaster Virus, it's the one that infects the RCP protocol. I can't seem to fix it, i tried Ctrl+alt+del but couldn't find anything that isn't supposed to be there.

[Bispoo]

Hi, To stop the Computer From restarting and Install the patch, when the Countdown Begins, open a Dos Command Prompt (execute: CMD) and then write: ' shutdown -a ' That's all. install the patch and Voila! I hope it helps anybody

[gigaX]

ending task dosnt work but i had to restarrt my comp 3 times to finish dloading and installing the patch for the blaster worm wehoich i was infeced by 1 month ago...

[Yeloazndevil]

I was one of the lucky ppl that wasn't affected by the blaster worm

[elachys]

nah i wasn't infected either

[GKort]

patch=prevents you from getting it (again)

once you have it the patch wont help you at that point...you have to get an AV prog like mcaffee...ive used mcaffee for several weeks and i havnt been hit with a single virus/worm/trojan

also you might wanna search @download.com for "Spybot: Search & Destroy" to remove AD/SPY ware...it eats your comp alive...

[Yeloazndevil]

>>also you might wanna search @download.com for "Spybot: Search & Destroy" to remove AD/SPY ware...it eats your comp alive...

actually it slows down your pc