Old August 12, 2003, 15:29   #31
Whaleboy
NationStatesAlpha Centauri Democracy GameACDG The Cybernetic ConsciousnessMac
Prince
 
 
Local Time: 07:14
Local Date: November 2, 2010
Join Date: Jan 2003
Location: Please make all cheques payable to Whaleboy
Posts: 853
Oh I use Mozilla... no matter!
__________________
"I work in IT so I'd be buggered without a computer" - Words of wisdom from Provost Harrison
"You can be wrong AND jewish" - Wiglaf :love:
Old August 12, 2003, 15:33   #32
Asher
Apolytoners Hall of Fame
President of the OT
 
 
Local Time: 01:14
Local Date: November 2, 2010
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
If Mozilla decided to support ActiveX, you could use that too.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
Old August 12, 2003, 16:23   #33
Alex
Emperor
 
 
Local Time: 04:14
Local Date: November 2, 2010
Join Date: Mar 1999
Location: Brasil
Posts: 3,958
How serious is that thing? I mean, I read something about a Lovsan virus that is spreading like fire, but I don't know if it is the same thing.
__________________
'Yep, I've been drinking again.'
Old August 12, 2003, 16:28   #34
Zopperoni
Age of Nations TeamApolyCon 06 Participants
Emperor
 
 
Local Time: 09:14
Local Date: November 2, 2010
Join Date: Dec 2000
Posts: 5,045
Yes, this is the same as the lovsan virus.
__________________
Blog: www.kennethlim.net // Twitter: @kennethlim
Old August 12, 2003, 16:29   #35
Zopperoni
Age of Nations TeamApolyCon 06 Participants
Emperor
 
 
Local Time: 09:14
Local Date: November 2, 2010
Join Date: Dec 2000
Posts: 5,045
O, and as for seriousness:

Symantec rates it a level-4 virus, which is high.
__________________
Blog: www.kennethlim.net // Twitter: @kennethlim
Old August 12, 2003, 16:43   #36
Zopperoni
Age of Nations TeamApolyCon 06 Participants
Emperor
 
 
Local Time: 09:14
Local Date: November 2, 2010
Join Date: Dec 2000
Posts: 5,045
Here's the security bulletin addressing the issue:

http://www.microsoft.com/technet/tre...n/MS03-026.asp

On the page are also links to the patches.

Cinch, I hope you can get the patches through this page.
__________________
Blog: www.kennethlim.net // Twitter: @kennethlim
Old August 12, 2003, 16:47   #37
DanS
Apolytoners Hall of FameApolyCon 06 Participants
Deity
 
 
Local Time: 03:14
Local Date: November 2, 2010
Join Date: Dec 1969
Location: Not your daddy's Benjamins
Posts: 10,737
My mom caught this. She called me last night complaining that her laptop kept rebooting.

Here's a pretty simple fix (although it's a process, not an application)...

http://www.washingtonpost.com/wp-dyn...2003Aug12.html
__________________
I came upon a barroom full of bad Salon pictures in which men with hats on the backs of their heads were wolfing food from a counter. It was the institution of the "free lunch" I had struck. You paid for a drink and got as much as you wanted to eat. For something less than a rupee a day a man can feed himself sumptuously in San Francisco, even though he be a bankrupt. Remember this if ever you are stranded in these parts. ~ Rudyard Kipling, 1891
Old August 12, 2003, 17:04   #38
ixnay
Civilization II Democracy GamePtWDG Lux InvictaPtWDG Gathering StormInterSite Democracy Game: Apolyton TeamPtWDG2 Cake or Death?C3C IDG: Apolyton TeamApolytoners Hall of FameCivilization IV CreatorsAge of Nations Team
Emperor
 
 
Local Time: 01:14
Local Date: November 2, 2010
Join Date: Dec 1998
Posts: 3,215
I patched as soon as I heard about this last week. Some nasty-sounding stuff.
Old August 12, 2003, 17:11   #39
Asher
Apolytoners Hall of Fame
President of the OT
 
 
Local Time: 01:14
Local Date: November 2, 2010
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
The end-user security bulletin is here: http://www.microsoft.com/security/se...s/ms03-026.asp

The other one from MS TechNet is aimed towards sysadmins and computer geeks. Though the end-user one just says use Windows Update basically with a very dumbed-down description of why it's important.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
Old August 12, 2003, 17:20   #40
mrmitchell
Civilization III Democracy GamePtWDG RoleplayCall to Power Democracy GameInterSite Democracy Game: Apolyton TeamNationStatesPtWDG2 Tabemono
King
 
 
Local Time: 01:14
Local Date: November 2, 2010
Join Date: Sep 2002
Posts: 2,394
Used windowsupdate.com on another person's machine, and it is at least for me very slow for the moment. At least it means one thing--people are downloading patches, in droves. (Or the computer I'm using for it is a piece of ****. Either way... )
__________________
meet the new boss, same as the old boss
Old August 12, 2003, 17:30   #41
Panag
MacCivilization II Democracy Game: ExodusC4BtSDG Rabbits of Caerbannog
Emperor
 
 
Local Time: 09:14
Local Date: November 2, 2010
Join Date: Oct 2000
Location: MY WORDS ARE BACKED WITH BIO-CHEMICAL WEAPONS
Posts: 8,117
Finjan Software Proactively Protects Against Lovsan Worm
August 12, 2003


Infection Level: Very High
Payload Threat Level: Medium
-----------------------------

OVERVIEW
"Lovsan" is the first DCOM RPC worm. Lovsan, which can spread via a direct network attack, downloads an executable and launches it automatically. It may cause a restart of Windows every time Windows starts up. If you are experiencing this problem, start Windows in 'Safe Mode' and delete the Msblast.exe from Windows System folder.

Remote Procedure Call (RPC) is a protocol used by the Windows operating system. DCOM is Windows Distributed Component Object Model. DCOM RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system.

DCOM RPC uses port 135 which may be an open port. Finjan Software products do not monitor port 135. You can block this worm by closing port 135 in your firewall until you deploy the Windows 2000 / XP patch. The patch can be found at: http://www.microsoft.com/technet/tre...n/MS03-026.asp

Finjan SurfinShield Corporate and SurfinGuard Pro can be configured to provide proactive protection from Lovsan and similar RPC worms. After upgrading the configuration file, no further actions are necessary to be protected including updating your virus signature database. The Window Of Vulnerability will not exist in your organization.
Finjan Software customers are already protected from this worm.

TECHNICAL OVERVIEW
Aliases: W32.Blaster.Worm, Win32.Poza, WORM_MSBLAST.A
The name of the downloaded executable is msblast.exe. It is packed with UPX and will self extract. The size of the binary is about 11kBytes unpacked, and 6kBytes packed.
The worm may launch a SYN flood against windowsupdate.com on the 16th. It has the ability to infect Windows NT, 2000, XP and potentially Windows Server 2003.

CERT has issued a detailed advisory that can be found at:
http://www.cert.org/advisories/CA-2003-20.html

TEST YOUR SECURITY
General Security Demos can be found at Finjan's Malicious Code Research Center: http://www.finjan.com/mcrc/sec_test.cfm .


PROTECTION
1. Update your anti-virus software often.
2. Install security patches issued by your software vendors.
3. Deploy proactive content security solutions to defend against both new and yet unknown attacks. (See below for details)


FINJAN PROACTIVE SOLUTIONS
Finjan is the only company that proactively protects you from new viruses, worms, Trojans and other attacks. Anti-virus solutions protect you only after you or someone else has been hit. It's like getting a flu shot after you've been infected. Finjan's proactive solutions provide enterprises with complete protection from both known and unknown attacks with the best performance and management capabilities. Even if you have deployed firewalls, intrusion detection, and updated anti-virus software, you are still not protected from the new generation of attacks coming via e-mail and from the web. Don't trust your mission-critical data and system security to luck.
Prevention is the best cure!
Finjan Software products are available at: http://www.finjan.com/store.cfm .




************************************************** *


Finjan Software
http://www.finjan.com
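
Added example (not part of the thread or of the Finjan bulletin): the bulletin says the worm spreads by direct network attack on port 135 and advises closing that port at the firewall, so this Python script reads firewall log lines and reports internal hosts contacting many distinct addresses on TCP/135, plus internal hosts that accepted TCP/135 from outside. The log format, the 10.0.0.0/8 internal range, the threshold and every sample line are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

RPC_PORT = 135  # DCOM RPC port named in the bulletin above
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the site's internal range

# Constructed sample log (not real traffic).
# Assumed format: date time action proto src dst sport dport
SAMPLE_LOG = """\
2003-08-12 17:30:01 ALLOW TCP 10.0.0.23 192.0.2.14 1045 135
2003-08-12 17:30:01 ALLOW TCP 10.0.0.23 192.0.2.15 1046 135
2003-08-12 17:30:02 ALLOW TCP 10.0.0.23 192.0.2.16 1047 135
2003-08-12 17:30:02 ALLOW TCP 10.0.0.23 10.0.0.40 1048 135
2003-08-12 17:31:10 ALLOW TCP 10.0.0.7 10.0.0.2 1120 135
2003-08-12 17:31:15 ALLOW TCP 10.0.0.7 203.0.113.5 1121 80
2003-08-12 17:32:40 ALLOW TCP 198.51.100.9 10.0.0.40 3301 135
2003-08-12 17:32:41 DENY TCP 198.51.100.9 10.0.0.41 3302 135
this line is truncated
"""


def parse_line(line):
    """Return a record for a well-formed TCP line, else None."""
    parts = line.split()
    if len(parts) != 8 or parts[3] != "TCP":
        return None
    try:
        return {
            "action": parts[2],
            "src": ipaddress.ip_address(parts[4]),
            "dst": ipaddress.ip_address(parts[5]),
            "dport": int(parts[7]),
        }
    except ValueError:
        return None


def analyse(log_text, fanout_threshold=3):
    """Flag internal hosts fanning out on TCP/135 and hosts reachable on it from outside."""
    fanout = defaultdict(set)  # internal source -> distinct destinations on 135
    exposed = set()            # internal hosts that accepted 135 from outside
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != RPC_PORT:
            continue
        if rec["src"] in INTERNAL:
            fanout[str(rec["src"])].add(str(rec["dst"]))
        elif rec["dst"] in INTERNAL and rec["action"] == "ALLOW":
            exposed.add(str(rec["dst"]))
    suspects = sorted(h for h, dsts in fanout.items() if len(dsts) >= fanout_threshold)
    return {"suspect_hosts": suspects, "exposed_hosts": sorted(exposed)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A host listed under `suspect_hosts` is a candidate for the cleanup steps discussed in this thread; one under `exposed_hosts` shows the firewall is still letting port 135 through.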
Old August 12, 2003, 17:58   #42
Hueij
Emperor
 
 
Local Time: 09:14
Local Date: November 2, 2010
Join Date: May 1999
Location: Kokonino Kounty
Posts: 4,263
Quote:
Originally posted by Asher
or go to windowsupdate.microsoft.com (needs to use IE)
Needs to use IE to update Windows? What kind of bullshit is that?
__________________
Within weeks they'll be re-opening the shipyards
And notifying the next of kin
Once again...
Old August 12, 2003, 18:01   #43
Panag
MacCivilization II Democracy Game: ExodusC4BtSDG Rabbits of Caerbannog
Emperor
 
 
Local Time: 09:14
Local Date: November 2, 2010
Join Date: Oct 2000
Location: MY WORDS ARE BACKED WITH BIO-CHEMICAL WEAPONS
Posts: 8,117
Quote:
Originally posted by Hueij

Needs to use IE to update Windows? What kind of bullshit is that?
hi ,

just follow the link above , ......

have a nice day
Old August 12, 2003, 18:04   #44
Hueij
Emperor
 
 
Local Time: 09:14
Local Date: November 2, 2010
Join Date: May 1999
Location: Kokonino Kounty
Posts: 4,263
The Finjan thing? But why can't I get the MS updates straight from their site? Are they afraid of my browser?
__________________
Within weeks they'll be re-opening the shipyards
And notifying the next of kin
Once again...
Old August 12, 2003, 18:20   #45
Panag
MacCivilization II Democracy Game: ExodusC4BtSDG Rabbits of Caerbannog
Emperor
 
 
Local Time: 09:14
Local Date: November 2, 2010
Join Date: Oct 2000
Location: MY WORDS ARE BACKED WITH BIO-CHEMICAL WEAPONS
Posts: 8,117
Quote:
Originally posted by Hueij
The Finjan thing? But why can't I get the MS updates straight from their site? Are they afraid of my browser?

hi ,

panag points out the link from above , .....

>>>> http://www.microsoft.com/technet/tr...in/MS03-026.asp


have a nice day
Old August 12, 2003, 18:28   #46
Hueij
Emperor
 
 
Local Time: 09:14
Local Date: November 2, 2010
Join Date: May 1999
Location: Kokonino Kounty
Posts: 4,263
Quote:
Originally posted by panag
hi ,

panag points out the link from above , .....

>>>> http://www.microsoft.com/technet/tr...in/MS03-026.asp


have a nice day
Well, this is what I get from your link. So my question still stands...
Attached thumbnail: ms.gif (21.8 KB)
__________________
Within weeks they'll be re-opening the shipyards
And notifying the next of kin
Once again...
Old August 12, 2003, 19:01   #47
Zopperoni
Age of Nations TeamApolyCon 06 Participants
Emperor
 
 
Local Time: 09:14
Local Date: November 2, 2010
Join Date: Dec 2000
Posts: 5,045
Odd, the link still works for me.

Edit: I see the error now. Panag just copied the text of the link, instead of the link itself.

Click here, H, and you can read the page: http://www.microsoft.com/technet/tre...n/MS03-026.asp
__________________
Blog: www.kennethlim.net // Twitter: @kennethlim
Old August 12, 2003, 19:22   #48
Whaleboy
NationStatesAlpha Centauri Democracy GameACDG The Cybernetic ConsciousnessMac
Prince
 
 
Local Time: 07:14
Local Date: November 2, 2010
Join Date: Jan 2003
Location: Please make all cheques payable to Whaleboy
Posts: 853
I think the virus does something like a DDoS attack on the fixing thing, this error might be it, I don't know.
__________________
"I work in IT so I'd be buggered without a computer" - Words of wisdom from Provost Harrison
"You can be wrong AND jewish" - Wiglaf :love:
Old August 12, 2003, 19:32   #49
Zopperoni
Age of Nations TeamApolyCon 06 Participants
Emperor
 
 
Local Time: 09:14
Local Date: November 2, 2010
Join Date: Dec 2000
Posts: 5,045
No, click on the link that Panag gave Hueij and then look at the address bar of your browser.

And about the worm being a DoS, yes, that is true, it blocks the update site, which is why Cinch wasn't able to patch earlier.
__________________
Blog: www.kennethlim.net // Twitter: @kennethlim
Old August 12, 2003, 19:35   #50
cinch
Warlord
 
Local Time: 00:14
Local Date: November 2, 2010
Join Date: Jul 2002
Location: Edmonton, Alberta, Canada
Posts: 131
Well, I seem to have it contained.

Just running fixblast.exe was not enough. I had to kill the trojan first (ctl alt del and all that), and then that bought me some time to download the updates & patches.

I had to disable system restore, too. That was very important. It was keeping the thing alive.

After all that, I just disconnected the internet, ran fixblast again, and deleted the files it found. Then, I reconnected and rebooted, and it seems to have half-disappeared. I still get weird 'cannot open such and such a file' notices when I start up windows, but msblast.exe itself (the thing that makes my computer automatically reboot) does not seem to have survived.

I think it's still dwelling in here somewhere, and it could return, but at least I have it under control now.

Thanks to everyone who posted info and such in this thread!
__________________
"I wrote a song about dental floss but did anyone's teeth get cleaner?" -Frank Zappa
"A thing moderately good is not so good as it ought to be. Moderation in temper is always a virtue, but moderation in principle is always a vice."- Thomas Paine
"I'll let you be in my dream if I can be in yours." -Bob Dylan
Old August 12, 2003, 19:38   #51
TCO
Apolytoners Hall of Fame
Emperor
 
 
Local Time: 21:14
Local Date: November 1, 2010
Join Date: Mar 2006
Location: Richmond, VA
Posts: 8,057
Heeeeeelp mee!!!!!
Old August 12, 2003, 19:41   #52
TCO
Apolytoners Hall of Fame
Emperor
 
 
Local Time: 21:14
Local Date: November 1, 2010
Join Date: Mar 2006
Location: Richmond, VA
Posts: 8,057
1. Ashie. I am on the sysadmin page. Do I have 32bit or 64bit XP? I have XP home. The Washington Post process sends me to that same page.

2. The Washington Post thing is good. But it lies. The msblast is a process not an application. You have to go to applications to kill it.

3. I'm scared to do the Firewall part so I'm blowing that off.

4. I tried (before Washington Post) going to windows update but that doesn't work. If anything it triggers the shutdown.
Old August 12, 2003, 19:43   #53
TCO
Apolytoners Hall of Fame
Emperor
 
 
Local Time: 21:14
Local Date: November 1, 2010
Join Date: Mar 2006
Location: Richmond, VA
Posts: 8,057
Ok...to simplify is windows XP home a 32 bit or 64 bit XP?
Old August 12, 2003, 19:45   #54
mrmitchell
Civilization III Democracy GamePtWDG RoleplayCall to Power Democracy GameInterSite Democracy Game: Apolyton TeamNationStatesPtWDG2 Tabemono
King
 
 
Local Time: 01:14
Local Date: November 2, 2010
Join Date: Sep 2002
Posts: 2,394
You've probably got 32bit. Unless you're running on some server or something. I'm sure Ash knows the obscure dialogue that tells you exactly your version, build, shoe size, and whatnot.

IIRC the trojan kills the Windows Update program that automatically downloads these things for you. Try going to the technet page or something.
__________________
meet the new boss, same as the old boss
Old August 12, 2003, 20:07   #55
TCO
Apolytoners Hall of Fame
Emperor
 
 
Local Time: 21:14
Local Date: November 1, 2010
Join Date: Mar 2006
Location: Richmond, VA
Posts: 8,057
crap I am still infected. Frigging windows.
Old August 12, 2003, 20:21   #56
TCO
Apolytoners Hall of Fame
Emperor
 
 
Local Time: 21:14
Local Date: November 1, 2010
Join Date: Mar 2006
Location: Richmond, VA
Posts: 8,057
I'm dying in here.
Old August 12, 2003, 20:23   #57
Q Classic
Emperor
 
 
Local Time: 02:14
Local Date: November 2, 2010
Join Date: Apr 1999
Location: The cities of Orly and Nowai
Posts: 4,228
windows xp home and professional, including the volume license versions, are the 32-bit versions of windows.

the 64bit version is used only in datacenters and for niche applications, and isn't sold preinstalled or at any computer store...

go to the symantec website to clean it off.
http://securityresponse.symantec.com...r/FixBlast.exe

then download the patch from microsoft
__________________
B♭3
Old August 12, 2003, 20:31   #58
TCO
Apolytoners Hall of Fame
Emperor
 
 
Local Time: 21:14
Local Date: November 1, 2010
Join Date: Mar 2006
Location: Richmond, VA
Posts: 8,057
crap, the symantec thing shut down. And what is the Windows patch? Which specific thing are you referring to? I've been directed to download a Xp32 bit file. But also to run Windows update.
Old August 12, 2003, 20:33   #59
TCO
Apolytoners Hall of Fame
Emperor
 
 
Local Time: 21:14
Local Date: November 1, 2010
Join Date: Mar 2006
Location: Richmond, VA
Posts: 8,057
No joy. The symantec thing shuts down in the damn middle.
Old August 12, 2003, 20:36   #60
Q Classic
Emperor
 
 
Local Time: 02:14
Local Date: November 2, 2010
Join Date: Apr 1999
Location: The cities of Orly and Nowai
Posts: 4,228
the symantec thing shut down as it stopped working?

hmm... ok.

download the symantec file to your root c: folder.
then, download this patch from microsoft.
then, right click on the "My Computer" icon, whether it's on your desktop or in your start menu, and choose "properties". go to the system restore tab, and click the check box that says "turn off system restore for all drives".

reboot the computer, and right before the windows xp boot screen comes up, mash f8 repeatedly, and select "safe mode", and then run the program again.

allow it to clean everything out, and then reboot the computer and go back into the full windows; run the patch.

turn system restore on again.
__________________
B♭3
 


All times are GMT -4. The time now is 03:14.


Design by Vjacheslav Trushkin, color scheme by ColorizeIt!.
Powered by vBulletin® Version 3.8.2
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.
Apolyton Civilization Site | Copyright © The Apolyton Team