New Virus detected as of yet unknown to Anti-Virus companies (Virus Name: MSBLAST.EXE)


.

Report submitted to SARC:

"A window may pop up "RPC Call service has ended, Windows will reboot
in 45 seconds", new file created msblast.exe This is a new virus file
that you do not have in your databases yet. I run liveupdate every day.

"The Remote Procedure Call service RPC Has ended, Windows XP will
reboot in 45 seconds, please save any open documents"

Error window shows up. Following this the system reboots itself.
I tracked this event to a strange file msblast.exe, created by an
unknown process a few minutes before. (11 Aug 2003)

I quarantined msblast.exe but as I was writing this text to you the
first time around I also received a "Generic Host Process for Win32
Services has encountered a problem" and a reboot occurred.

I was fighting with the hacker who could see that I was about to
submit his file to SARC.

Converted to .txt file, this line can be seen in the jumble:
"<1@€öíÿmsblast.exe I ju
waníÿÿÿto say LOVE YOU SAN!! billý·mûgates&h d%you
makeÚÖ~»1hipossiQ
?"

A few weeks ago my machine was also hacked with the same error message
"The Remote Procedure Call service RPC Has ended, Windows XP will
reboot in 45 seconds, please save any open documents"

back then the backdoor.sb.gen virus was detected, this may be a new
strain.

11 August 2003 21:59"
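The poster found the file name and the embedded message by opening the quarantined binary as text and reading the "jumble". As an added example (not part of the original post or any reply), the snippet below does the same thing systematically: it pulls runs of printable ASCII out of a byte blob the way the Unix `strings` utility does and checks them against a short list of indicators. The blob is constructed from the fragments quoted in the thread; the filler bytes around them are made up.

```python
import re

# Constructed sample blob (not the real file): only the readable fragments the
# original poster quoted from the "jumble" are embedded, separated by made-up
# non-printable filler bytes.
SAMPLE_BLOB = (
    b"<1@\x80\xf6\xed\xff" + b"msblast.exe" + b"\x00\x00"
    + b"I ju" + b"\xed\xff\xff\xff" + b"to say LOVE YOU SAN!!" + b"\x00"
    + b"make" + b"\xda\xd6~\xbb" + b"1hipossiQ" + b"\x00"
)


def extract_strings(blob: bytes, min_len: int = 4):
    """Return (offset, text) for each run of at least min_len printable ASCII
    bytes, which is what the Unix `strings` utility prints. Short fragments
    such as "<1@" fall below the threshold and are dropped as noise."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


def find_indicators(blob: bytes, needles):
    """Map each indicator string to whether it appears inside any extracted run.
    Matching against the runs rather than the raw bytes avoids hits that
    straddle a non-printable byte."""
    runs = [text for _, text in extract_strings(blob)]
    return {n: any(n in r for r in runs) for n in needles}


if __name__ == "__main__":
    for offset, text in extract_strings(SAMPLE_BLOB):
        print(f"{offset:#06x}  {text}")
    print(find_indicators(SAMPLE_BLOB, ["msblast.exe", "LOVE YOU SAN"]))
```

Raising `min_len` trims the noise further at the cost of losing short but meaningful fragments such as "make"; a triage pass usually starts at 4 and then filters by hand.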

Ian.H [dS]

Whilst lounging around on 11 Aug 2003 13:48:26 -0700,
(e-mail address removed) (.) amazingly managed to produce the
following with their Etch-A-Sketch:

<URL:http://isc.sans.org/diary.html?date=2003-08-11>

Regards,

Ian


David H. Lipman

Read the following URL: http://vil.nai.com/vil/content/v_100547.htm

Try the McAfee utility Stinger: http://vil.nai.com/vil/stinger/

Dave


me

.. said:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
http://isc.sans.org/diary.html?date=2003-08-11

--J
Replies to: jNpolak(at)Ojuno(dot)Tcom

L. S. Pendragon

My friend and my Ex-wife's computers have been infected by this worm called
"LovSan". Basically it takes advantage of a security hole in Windows XP Pro
and Home and causes the infected machine to launch an attack on
windowsupdate.com. What the user sees is the aforementioned RPC message.
Problem is that the fix is a security update located at the Windows Update
web site. The time it takes to update your system is probably going to be
longer than it takes for the RPC message and reboot to occur. I have tried
a system restore with no success. I also tried removing all references to
MSBLAST.EXE from the system but this causes the system to become unstable.
I am currently trying to collect the appropriate update files for this specific
vulnerability and put them onto a floppy or CD so that I can update their
systems in the short window of opportunity "LovSan" allows. If this doesn't
work then the next step would be to do a clean install of the O/S.

The only article I have found so far about "LovSan" is on The Age (an
Australian News Portal) web site
http://www.theage.com.au/articles/2003/08/12/1060588357192.html

--
Cheers,
Louis Pena
"Duct tape is like the force,
it has a dark and light side,
and it binds the universe together."

Dark vader

"L. S. Pendragon" <[email protected]> rearranged scrabble
letters at random and produced:

Personally I got round the initial problem of getting online by doing the
following (Windows XP, sorry I don't know about any other OS)
Start - Control Panels - Administrative Tools - Services - Remote Procedure
Call (RPC) - Recovery (change all drop down menus to Take No Action) - APPLY

Apparently system restore won't be effective unless you switch off system
restore before you get rid of the virus. If you don't the virus hides in the
system restore and just pops up again later.

Dave
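The Services console steps above have a command-line equivalent, which is handier when several machines need the same change. This is an added example, not something posted in the thread; it assumes an Administrator prompt, and on current Windows versions the RPC service is protected so the `failure` call may be refused.

```batch
@echo off
rem Added example, not from the thread: sc.exe equivalent of the Services MMC
rem steps (Remote Procedure Call (RPC) -> Recovery -> Take No Action).
rem Assumption: run as Administrator; on current Windows the RPC service is
rem protected and the "failure" command may be refused with access denied.

set SVC=RpcSs

rem Show the current recovery actions. The 45-second reboot countdown the
rem poster saw is the service's configured "Restart the Computer" action
rem firing after the service crashed.
sc.exe qfailure %SVC%

rem Same effect as setting every Recovery drop-down to "Take No Action":
rem reset= 0 clears the failure counter, an empty actions= list sets no action.
sc.exe failure %SVC% reset= 0 actions= ""

rem Confirm the change took effect.
sc.exe qfailure %SVC%
```

This only stops the reboot loop long enough to patch; the underlying RPC vulnerability is still there until the Windows Update fix is applied.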