A New Nasty

The Inquirer reports on a new virus you should take very seriously.

The reason is that you don’t have to do anything dumb to get infected, like getting happy fingers with email attachments.

Rather, it comes looking for you.

The Inquirer article provides the necessary links to find out more about the virus, and to the patches and files you need to prevent this from happening, or to fix it if it already has.

What it doesn’t mention is that a minute or two after booting into Windows, the machine tells you it’s going to shut down in sixty seconds, gives you a countdown, and proceeds to do just that.

If you have just one machine handy, that leaves you with a Catch-22. You can’t download the necessary files before the machine shuts down, and if you boot into Safe Mode the shutdown doesn’t happen, but then you can’t get on the Internet to fetch the fix.

How do I know this? I just had to do a house call with someone with this problem. It was simple enough for me to go home and get the necessary files, but it may not be so easy for you.

In any event, it is better to prevent this from happening to begin with. You can get the Microsoft patch for Windows XP here and for Windows 2000 here.

If you’re already infected, go here for a fix tool and further instructions.

Before fixing an XP system, you ought to turn off System Restore; otherwise a copy of the worm sitting in a restore point can come back after the cleanup. The Symantec link on how to do so doesn’t work, but this one does.

What did I do?

First, I booted in Windows in Safe Mode and turned off System Restore. I rebooted, again into Safe Mode, and applied the Microsoft patch. I rebooted a third time, again into Safe Mode, and applied the Symantec fix tool (it looks at all your files on all the computer’s drives, so it takes a while to work).

One last reboot, this time regularly, and all was clear.

Update: This website says that the Symantec tool only gets rid of one of the two instances of msblast.exe. So do a search of your drives after running the fix tool, and delete the second copy.

Ed

Buying Time

Here are the contents of an email which explains what is happening and suggests a way that may buy you enough time to download the files needed to fix this.

I read your article regarding the MSBLAST.EXE/Win32.Blaster worm and noticed something slightly inaccurate that I thought you might be interested in a correction to… the Blaster worm does not actually give you a 60-second countdown and reboot your machine. Rather, that’s a side effect of it.

The vulnerability being exploited is a buffer overflow. The worm sends a specially malformed packet to the RPC service, which tries to put the data in a buffer too small for it, thus overflowing past the end and over the stack frame pointer. The result is that the packet, rather than just being used as data, is actually executed by the RPC service. This packet, of course, contains code to download and install the worm on the target machine.

All the worm does is spread itself through the buffer overflow, then launch a DDoS attack on August 16th (so that part, at least, hasn’t happened yet). However, a side effect of a buffer overflow attack is that after the attack code has finished, the stack is corrupted, so the program (in this case the RPC service) will start jumping wildly to other places in memory. Sooner or later (usually sooner), it will try to jump out of its own process space, which causes an access violation (error 0xc0000005, what UNIX users call a segmentation fault). An access violation is fatal if unhandled, so the process crashes. Normally, you’d get an error dialog when a process crashes this way (as an access violation counts as a general protection fault), but since RPC is a Windows service, it fails silently in the background. If you look in Event Viewer, though, you’ll see a fatal error logged from SVCHOST.EXE when it crashed.

However, while you’re looking in Event Viewer, you’ll also notice a second event at the exact same time as the crash. USER32.EXE notices that the RPC service is no longer running, and takes corrective action. RPC, remote procedure call, is a critical Windows service – large portions of Windows will not function properly without RPC. The only way to get RPC back after it’s gone down is… to reboot. So USER32.EXE, upon noticing that RPC is gone and thus many applications will probably no longer work correctly, schedules an emergency system shutdown in 60 seconds, with the machine set to restart after shutdown. The worm actually has nothing to do with this – the worm just crashed RPC, and Windows is trying to clean up the damage. If you just killed RPC in task manager, or stopped the service with a net stop, you’d get the same countdown.

You can actually stop this shutdown if you want – executing the command “shutdown /a” will abort the countdown and return control to you (Ed. note: Others have said the command should be parsed “shutdown -a.”) However, you may or may not want to do this… because about half the apps you run will probably not work without RPC. However, if your network is so hammered by worm traffic that you’re having trouble staying up long enough to download and apply the patch, a good “shutdown /a” can give you more time to work. Also, once USER32.EXE has scheduled one shutdown for RPC crashing, it won’t schedule another until you reboot (or manually restart RPC, which is not advisable) – so you don’t have to sit there aborting countdowns over and over again.
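The email above describes the mechanism in general terms. What follows is an added example written for this page, not code from the email, the Inquirer article, or any worm sample: it simulates a request handler’s stack frame as a byte array so the overwrite of the saved frame pointer and return address can be inspected instead of crashing the program, and puts the bounds check a fixed handler needs beside the bug. The two-byte length header, the 32-byte buffer, the frame layout and the packet contents are all constructed for the example and are not the real RPC/DCOM wire format or the worm’s payload.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame of a request handler, laid out the way a 32-bit
 * x86 frame sits in memory: the request buffer at the lowest address,
 * then the saved frame pointer, then the return address.  A real frame is
 * on the machine stack; this one is a plain byte array so the overwrite
 * can be read back rather than taking the process down. */
#define BUF_SIZE   32u
#define FRAME_SIZE (BUF_SIZE + 4u + 4u)

struct frame_ctrl {          /* the two control words just past the buffer */
    uint32_t saved_fp;
    uint32_t ret_addr;
};

/* Sane-looking control words placed in the frame before any copy
 * (made-up values, chosen only to be recognisable). */
#define GOOD_FP  0x0012ff80u
#define GOOD_RET 0x77e4a8c2u

static void init_frame(unsigned char *stack)
{
    const uint32_t fp = GOOD_FP, ret = GOOD_RET;
    memset(stack, 0, FRAME_SIZE);
    memcpy(stack + BUF_SIZE, &fp, sizeof fp);
    memcpy(stack + BUF_SIZE + 4, &ret, sizeof ret);
}

static struct frame_ctrl read_ctrl(const unsigned char *stack)
{
    struct frame_ctrl c;
    memcpy(&c.saved_fp, stack + BUF_SIZE, sizeof c.saved_fp);
    memcpy(&c.ret_addr, stack + BUF_SIZE + 4, sizeof c.ret_addr);
    return c;
}

/* Hypothetical wire format for the example: a 2-byte little-endian payload
 * length, then the payload.  Not the real RPC/DCOM message layout.
 * The result is clamped to the bytes actually received so neither handler
 * reads past the packet; the bug below is about the destination, not the source. */
static size_t declared_len(const unsigned char *pkt, size_t pkt_len)
{
    size_t n;
    if (pkt_len < 2) return 0;
    n = (size_t)pkt[0] | ((size_t)pkt[1] << 8);
    return n < pkt_len - 2 ? n : pkt_len - 2;
}

/* Vulnerable handler: copies as many bytes as the header says, with no
 * check against BUF_SIZE.  The real service would keep writing up the
 * stack; the cap at FRAME_SIZE is only a guard so this simulation stays in
 * defined behaviour, and it is already enough to clobber both words. */
static struct frame_ctrl vulnerable_handle(const unsigned char *pkt, size_t pkt_len)
{
    unsigned char stack[FRAME_SIZE];
    size_t n = declared_len(pkt, pkt_len);
    init_frame(stack);
    if (n > FRAME_SIZE) n = FRAME_SIZE;       /* simulation guard only */
    if (n) memcpy(stack, pkt + 2, n);         /* the bug: n may exceed BUF_SIZE */
    return read_ctrl(stack);
}

/* Hardened handler: the length is attacker-controlled input, so it must fit
 * the destination buffer or the request is refused before any copy.
 * Returns 0 on success, -1 on rejection; out may be NULL. */
static int hardened_handle(const unsigned char *pkt, size_t pkt_len,
                           struct frame_ctrl *out)
{
    unsigned char stack[FRAME_SIZE];
    size_t n;
    if (pkt_len < 2) return -1;
    n = (size_t)pkt[0] | ((size_t)pkt[1] << 8);
    if (n > pkt_len - 2 || n > BUF_SIZE) return -1;
    init_frame(stack);
    if (n) memcpy(stack, pkt + 2, n);
    if (out) *out = read_ctrl(stack);
    return 0;
}

/* Constructed sample packets (not captured worm traffic). */
#define A8 'A','A','A','A','A','A','A','A'
static const unsigned char attack_pkt[] = {
    40, 0,                     /* header claims 40 bytes: 8 more than BUF_SIZE */
    A8, A8, A8, A8,            /* 32 bytes fill the buffer exactly */
    'B','B','B','B',           /* land on the saved frame pointer */
    'C','C','C','C'            /* land on the return address */
};
static const unsigned char benign_pkt[] = { 5, 0, 'h','e','l','l','o' };

int main(void)
{
    struct frame_ctrl c = vulnerable_handle(attack_pkt, sizeof attack_pkt);
    printf("vulnerable: saved_fp=0x%08" PRIx32 " ret_addr=0x%08" PRIx32
           " (frame started as 0x%08" PRIx32 "/0x%08" PRIx32 ")\n",
           c.saved_fp, c.ret_addr, GOOD_FP, GOOD_RET);
    printf("hardened: attack packet %s, benign packet %s\n",
           hardened_handle(attack_pkt, sizeof attack_pkt, NULL) ? "rejected" : "accepted",
           hardened_handle(benign_pkt, sizeof benign_pkt, NULL) ? "rejected" : "accepted");
    return 0;
}
```

Build with `cc -std=c99 -Wall overflow_sim.c && ./a.out`. After the vulnerable copy the return address reads 0x43434343, i.e. whatever the sender put there, which is the point of the email’s description: the handler returns into attacker-chosen memory, and once that code has run there is no valid frame left to return to, so the service faults. The hardened handler refuses the same packet before touching the buffer.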

Another approach suggested by several was:

With Windows XP you can go to the Start Menu->Programs->Accessories->Administrative Tools->Component Services. Under “Services (Local)” go to “Remote Procedure Call (RPC)” Properties. On the Recovery tab, change the response if the service fails to “Take No Action”.

This will give you enough time to download the patch and install it without worrying about having enough time before the computer reboots.

Again, you may have trouble downloading anything with RPC not running, but it’s worth a try.

Ed
