From ispadmin@bcpl.net Wed Aug 13 12:27:50 2003
Date: Wed, 13 Aug 2003 12:16:10 -0400 (EDT)
From: BCPL.NET SysAdmin
To: BCPL.NET News
Subject: BCPL.NET NEWS: MSBlast Worm Alert

-------------------------
VIRUS ALERT: MSBLAST WORM
-------------------------

A new worm, named "MSBlast", "LovSan", "Blaster" and several other names containing those words, was discovered spreading rapidly on the Internet on the afternoon of Monday, August 11. By Tuesday it had infected thousands of computers worldwide.

The MSBlast Worm infects Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 PCs. It does not infect Windows 3.1, Windows 95, Windows 98 or Windows ME PCs. It does not infect Macintosh OS or UNIX computers.

The MSBlast Worm has been rated as a serious threat by most of the major virus information Web sites.

How The MSBlast Worm Spreads
----------------------------

Unlike most other recent viruses, the MSBlast Worm does not spread via e-mail. Instead it takes advantage of well-known vulnerabilities in the Microsoft Remote Procedure Call (RPC) interface to spread from one computer to another via a local network connection or via the Internet. Due to the nature of the worm, it is also possible for it to be spread via malicious use of Internet Relay Chat (IRC) file downloads, Instant Messaging (IM) file downloads, and KaZaA and similar file sharing protocols.

Microsoft distributed a patch to fix this vulnerability a month ago via Windows' Software Update function. However, it is believed that most home users and many business users never run the Software Updater, so a huge number of PCs are vulnerable to MSBlast infection.

Symptoms Of MSBlast Infection
-----------------------------

You may experience frequent unexpected reboots due to the activities of the MSBlast Worm. The specific message in the System Shutdown window that pops up will be "Windows must now restart because the Remote Procedure Call [RPC] service terminated unexpectedly".

You may also get an alert box labelled "Generic Host Process for Win32 Services" that says "Generic Host Process for Win32 Services has encountered a problem and needs to close".

What MSBlast Does To The Infected PC
------------------------------------

The worm installs a Trivial File Transfer Protocol (TFTP) server and uses it to download its payload to the infected PC. It also adds a key to the Windows Registry to automatically run the worm each time the infected PC is rebooted. The infected PC then attempts to spread the infection to other vulnerable PCs.

PCs infected with MSBlast are programmed to launch a denial of service (DoS) attack against the Microsoft Windows Update web site on the 16th of each month, starting in August 2003.

How To Protect Your PC From MSBlast Infection
---------------------------------------------

o If you have Windows XP, turn on its built-in firewall:

  - Click the Start button in the lower left-hand corner.
  - If you see two columns, click Control Panel.
  - If only one column appears, click Settings, and then click Control Panel. The Control Panel should now appear.
  - If you see the phrase "Pick a category" in the window, click "Switch to Classic View" on the left.
  - Double-click Network Connections.
  - Double-click the BCPL icon.
  - Click the Properties button at the bottom.
  - Click the Advanced tab at the top.
  - At the top of your next screen, make sure there is a check next to "Protect my computer and network".
  - Click OK until you are returned to your desktop.

  If you have third-party firewall software that is not built into Windows, consult the documentation that came with the software.

o Run Windows Update often. You'll find it under the "Tools" menu in recent versions of Internet Explorer, and possibly also in your Windows "Start" menu. Windows Update connects your PC to the Windows Update Web site, determines what updates are available for your version of Windows, downloads them to your PC, and installs them.

  Microsoft issues critical patches via Windows Update to fix bugs and security holes in Windows. We recommend that you run Windows Update at least once a week to keep your copy of Windows up to date. Failure to do so leaves your PC vulnerable to a seemingly never-ending stream of worms, trojans, viruses, and other threats designed to exploit bugs in Windows.

o If you have anti-virus software on your PC, make sure its virus description database is recent enough to know about MSBlast. The virus description database must be *very* new. The MSBlast Worm was discovered and described by the major anti-virus software vendors on August 11 & 12, 2003, so a virus description database older than that will not enable your anti-virus software to detect and stop MSBlast.

  We recommend that you update your virus description database at least once a week, although given the rate at which new PC viruses appear, updating more often would be even better. How you do this depends on which anti-virus software you have on your PC, so consult the documentation that came with the software. If you do not keep your virus description database up to date, then your anti-virus software is virtually useless, because it only knows about viruses that existed when the installation CD was made.

How To Remove the MSBlast Worm From An Infected PC
--------------------------------------------------

The BCPL.NET Help Desk has posted a Web page containing instructions for removing MSBlast from an infected Windows XP PC at the following URL:

http://www.bcpl.net/help/msblaster.html

Or, follow the instructions below.

You may have difficulty doing anything about an MSBlast infection if your PC is rebooting frequently due to the RPC failure described above. If you have Windows XP, turning on the built-in Internet Firewall as described above should stop the reboots.

Run the free "Stinger" utility (version 1.8.0 or newer) from the Network Associates Web site at:

http://vil.nai.com/vil/stinger/

Stinger is produced by the McAfee AVERT division of Network Associates, the makers of McAfee VirusScan. It will remove Lovsan (McAfee's name for the MSBlast Worm) and a number of other recent worms, trojans, and viruses. Read the instructions on the Stinger web page carefully, then download Stinger from the web site and run it on your PC.

Note: Stinger downloads from the Network Associates web site have been very slow today, probably due to a huge number of people trying to download the latest version of Stinger. You can also download it from the following URL on the BCPL.NET web site, but go to the official Stinger URL above for instructions on how to use Stinger.

http://www.bcpl.net/download/stinger.exe

If your PC is rebooting too frequently to allow time to download Stinger, one possible solution is to download it to a friend's PC, copy it onto a floppy disk, and run it from the floppy on your PC.

Once Stinger has disinfected your PC, run the Windows Update utility as described above to install all the latest critical updates from Microsoft.

Action Taken By BCPL.NET
------------------------

We first became aware of the MSBlast Worm when several PCs in our offices became infected late Monday afternoon.

On the routers that connect us to the rest of the Internet, we set up access controls to block all traffic destined for the UDP and TCP ports used by the MSBlast Worm. We did the same on the router that connects our external network to the library's internal network. Finally, we set up access controls on our 18 dial-up access servers to prevent an infected PC connected to one access server from spreading the infection to PCs connected to other access servers. Unfortunately, there is no practical way to prevent an infected PC from spreading the infection to other PCs connected to the same access server.

For this reason we strongly recommend that all BCPL.NET customers who use Windows NT 4.0, Windows 2000, Windows XP, or Windows Server 2003 follow the instructions in the "How To Protect Your PC From MSBlast Infection" section of this message.

More Information About The MSBlast Worm
---------------------------------------

For a detailed description of the Windows bug that allows MSBlast and similar exploits to operate, see Microsoft Security Bulletin MS03-026:

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

The following URLs will take you to detailed information about MSBlast on several well-known security and anti-virus Web sites:

http://isc.sans.org/diary.html?date=2003-08-11
http://us.mcafee.com/virusInfo/default.asp?id=lovsan
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
http://www.F-Secure.com/v-descs/msblast.shtml
http://www.sophos.com/virusinfo/analyses/w32blastera.html
http://www.sophos.com/virusinfo/articles/blaster.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A

-- 
BCPL.NET INTERNET SERVICES
320 York Road
Towson, MD 21204-5179
U.S.A.

CONTACTS:
---------
Web Site:                          http://www.bcpl.net
Administration & Policy:           ispadmin@bcpl.net    410-887-6180
Sales, Renewals, Account Status:   accounts@bcpl.net    410-887-4172
Technical Support (Help Desk):     help@bcpl.net        410-887-3297
Usenet News Newsgroup Requests:    news-admin@bcpl.net  410-887-6180
E-Mail & Newsgroup Abuse Reports:  abuse@bcpl.net       410-887-6180
Domain Name Service Issues:        dnsadmin@bcpl.net    410-887-6180
FAX:                               410-887-2091
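The "Action Taken By BCPL.NET" section above notes that spread between customers on the same access server could not be blocked, which leaves finding the infected PCs as the remaining defence. As an added example that is not part of the notice, the script below picks such hosts out of access-server flow logs by the behaviour the notice describes: a sweep of many neighbours on the RPC port followed by a TFTP payload transfer. The flow-log format and sample flows are constructed, and TCP 135 (RPC endpoint mapper) and UDP 69 (TFTP) are assumed standard service ports, since the notice does not list the worm's ports.

```python
"""Flag hosts whose flows match the MSBlast spread pattern described above.
Added example, not part of the BCPL.NET notice. Assumes a constructed flow log
(time proto src dst dport) and the standard ports TCP 135 (RPC endpoint mapper)
and UDP 69 (TFTP); the notice itself does not list the worm's ports."""
from collections import defaultdict

RPC_PORT = 135       # assumed: RPC endpoint mapper, the worm's entry point
TFTP_PORT = 69       # assumed: TFTP, which the notice says the worm installs
SCAN_THRESHOLD = 5   # distinct RPC targets per source before we flag it

# Constructed sample flows: 10.1.1.20 sweeps RPC across its neighbours and then
# serves a file over TFTP to one of them; 10.1.1.30 is a normal client.
SAMPLE_LOG = """\
08:01:00 tcp 10.1.1.20 10.1.1.21 135
08:01:00 tcp 10.1.1.20 10.1.1.22 135
08:01:01 tcp 10.1.1.20 10.1.1.23 135
08:01:01 tcp 10.1.1.20 10.1.1.24 135
08:01:02 tcp 10.1.1.20 10.1.1.25 135
08:01:02 tcp 10.1.1.20 10.1.1.26 135
08:01:05 udp 10.1.1.25 10.1.1.20 69
08:01:07 tcp 10.1.1.30 10.1.1.21 135
"""

def parse_flows(text):
    """Yield (proto, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        _time, proto, src, dst, dport = parts
        yield proto.lower(), src, dst, int(dport)

def find_suspects(text, threshold=SCAN_THRESHOLD):
    """Return {host: [reasons]}: hosts probing >= threshold distinct RPC targets
    (the sweep that spreads the worm) or serving TFTP (the payload transfer)."""
    rpc_targets = defaultdict(set)
    tftp_clients = defaultdict(set)
    for proto, src, dst, dport in parse_flows(text):
        if proto == "tcp" and dport == RPC_PORT:
            rpc_targets[src].add(dst)
        elif proto == "udp" and dport == TFTP_PORT:
            tftp_clients[dst].add(src)   # dst is the host serving TFTP
    suspects = {}
    for host, targets in rpc_targets.items():
        if len(targets) >= threshold:
            suspects.setdefault(host, []).append(f"rpc-sweep:{len(targets)}")
    for host, clients in tftp_clients.items():
        suspects.setdefault(host, []).append(f"tftp-server:{len(clients)}")
    return suspects
```

A single host touching one neighbour on the RPC port (10.1.1.30 in the sample) is not reported, so the threshold, not the port alone, separates a sweep from ordinary Windows networking.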