Blaster.worm has f*ck*d up some machines - what can I do?

Devast8or, work

Hi all,

Looks like w32.blaster.worm has paid some of our computers a little visit.
The worm is gone, but the machines are still pretty weird.

Moving icons on the desktop is impossible.
If you rightclick the LAN-connection icon and press properties you get an
error. If you doubleclick the icon nothing happens.
If you open up add/remove programs it looks really weird. In the top there's
some text (don't remember what it says), and there's no program list. The
background of this window is blue and white IIRC.
And you can't send e-mail.

Anyone know what I can do about it? Reinstalling everything means sending
the computers back and forth via courier service, so that's something we
would really like to avoid.

TIA for any help

Devast8or
 
Zvi Netiv

Devast8or said:
Looks like w32.blaster.worm has paid some of our computers a little visit.
The worm is gone, but the machines are still pretty weird.

Moving icons on the desktop is impossible.
If you rightclick the LAN-connection icon and press properties you get an
error. If you doubleclick the icon nothing happens.
If you open up add/remove programs it looks really weird. In the top there's
some text (don't remember what it says), and there's no program list. The
background of this window is blue and white IIRC.
And you can't send e-mail.

Anyone know what I can do about it? Reinstalling everything means sending
the computers back and forth via courier service, so that's something we
would really like to avoid.

Atypical to Blaster. More likely messed up Windows installation.
 
FromTheRafters

Devast8or said:
One of the other guys at work (where these machines are) said it was blaster
that did, and all the machines I have seen these problems on had blaster at
some point. But I looked at Symantec's homepage, and you're right, there's
nothing about these "symptoms" there.

I don't think it's just the Windows installation that's messed up, because
we've had these things happen on several machines in the last 2 days, but
never before. That would be quite a coincidence if it weren't a virus or
something similar.

But if it isn't blaster, then what is it? And more important, what can be
done about it?

From what I have read (mostly here) the problem could be the RPC
service is being attacked by exploit code aimed at a different OS than
the one that is affected. In other words, if the exploit code is the right
one, the result is the download and execution of the worm executable.
If the exploit code is the wrong one, the result can be the repeated
crashing of the RPC service. Evidently (also from reading) the OSs
with RPC use the service for local IPC as well as the RPC itself, and
this affects drag and drop functionality.

You said "the worm is gone" but said nothing about "the vulnerability
is gone" ~ did the system get patched?
 
Nick FitzGerald

Devast8or said:
Looks like w32.blaster.worm has paid some of our computers a little visit.
The worm is gone, but the machines are still pretty weird.

Moving icons on the desktop is impossible.
If you rightclick the LAN-connection icon and press properties you get an
error. If you doubleclick the icon nothing happens.
If you open up add/remove programs it looks really weird. In the top there's
some text (don't remember what it says), and there's no program list. The
background of this window is blue and white IIRC.
And you can't send e-mail.

Anyone know what I can do about it? Reinstalling everything means sending
the computers back and forth via courier service, so that's something we
would really like to avoid.

I've read Zvi's comments and your followup to that too.

I'd say there is a good possibility the machines have been hit by "something"
that has a high probability of being introduced via the DCOM RPC hole these
machines have clearly been exposing where they shouldn't.

What AV is on them?

What change-control and monitoring do you have on them?

How do the settings in critical registry areas compare with the original or
"normal" settings of these machines?

First, inability to drag'n'drop (which moving icons on the desktop is) is a
common symptom of RPC having died (or at least gone septic internally), which
is, in turn, a very likely outcome if the machine is hit with a DCOM RPC
exploit attempt targeted at a "bad offset". You didn't say what OS these
machines are, but the original Blaster chooses between a W2K and XP offset
with 20/80 probability, so such symptoms are very common on unpatched W2K
machines on Blaster-infested networks, but not uncommon on XP machines for
the same reason. However, if you had XP I'd guess you would be more likely
telling us the machines regularly pop up a "I'm closing down in 60 seconds"
dialog box and then close down, so I'll assume you have W2K...

The failure of "Properties" and some other context menu items for some
"special" shortcuts (network connections is one such "special" shortcut) is
also common when RPC dies as the special shortcuts (they're not just pointers
to a file or a folder as are "simple" shortcuts) as the special shortcuts are
actually pointers to COM objects and access to these is brokered through RPC
mechanisms. Ditto the failure of double-clicking special shortcuts.

Further, these types of problem with Add/Remove programs are also due to RPC
services being screwed.

Not being able to send Email I'm not so sure about. Depending on your mailer
and its configuration, if it is sending via MAPI it is quite conceivable that
RPC and/or COM could be involved, but I've not looked into this. "Direct to
SMTP" mailers should not be affected by RPC or COM service problems though.

So, all or all but one of your reported symptoms are classic indicators of a
W2K machine, as yet unpatched against the DCOM RPC flaw described in the
MS03-026 security bulletin, and on a network where Blaster or similar DCOM
RPC exploits are being fired around.

You did realize, when you read whatever description of cleaning up Blaster
that you followed when cleaning up the worm earlier, that where it said
something like:

To prevent the worm from re-infecting the machine get the MS03-026 patch
and install it on all vulnerable machines in your network.

they actually meant that to prevent the worm from re-infecting the machine
you _MUST_ get the MS03-026 patch and install it on all vulnerable machines
in your network, didn't you?

Given the sloppy approach to system administration clear from your message,
it is likely that before you can install the patch you will have to download
the 120-something MB service pack 3 or 4 for W2K and install it, as the odds
are very high your machines are running Gold or an earlier SP which is not
supported for the patch. Actually the patch will install on SP2 machines
_but_ this is not a recommended configuration and it is _NOT_ supported by
Microsoft who say it is not properly tested. The patch was reputedly
originally developed to support SP2 and SP3 but then SP4 was scheduled for
release _before_ this patch would be released. Because this patch was
started after the cut-off for SP4 and not released until after SP4's release,
it had to support SP4 but need not (by MS's "current and previous SP or
release" rule) support SP2.
 
Devast8or, work

Nick FitzGerald said:
I've read Zvi's comments and your followup to that too.

I'd say there is a good possibility the machines have been hit by "something"
that has a high probability of being introduced via the DCOM RPC hole these
machines have clearly been exposing where they shouldn't.

What AV is on them?

Norton AV corporate edition, updated daily.
What change-control and monitoring do you have on them?

No idea what this is (I probably know the danish terms, but that doesn't
help much).

The machines are just normal standalone computers, with Win2kPro installed
and connected to an ADSL line.
How do the settings in critical registry areas compare with the original or
"normal" settings of these machines?

Define critical.

But as I said, I wasn't the one trying to fix these machines so I don't even
know what they looked like first and what has been done to them.
First, inability to drag'n'drop (which moving icons on the desktop is) is a
common symptom of RPC having died (or at least gone septic internally), which
is, in turn, a very likely outcome if the machine is hit with a DCOM RPC
exploit attempt targeted at a "bad offset". You didn't say what OS these
machines are, but the original Blaster chooses between a W2K and XP offset
with 20/80 probability, so such symptoms are very common on unpatched W2K
machines on Blaster-infested networks, but not uncommon on XP machines for
the same reason. However, if you had XP I'd guess you would be more likely
telling us the machines regularly pop up a "I'm closing down in 60 seconds"
dialog box and then close down, so I'll assume you have W2K...

Win2kPro, yes.
The failure of "Properties" and some other context menu items for some
"special" shortcuts (network connections is one such "special" shortcut) is
also common when RPC dies as the special shortcuts (they're not just pointers
to a file or a folder as are "simple" shortcuts) as the special shortcuts are
actually pointers to COM objects and access to these is brokered through RPC
mechanisms. Ditto the failure of double-clicking special shortcuts.

Further, these types of problem with Add/Remove programs are also due to RPC
services being screwed.

Not being able to send Email I'm not so sure about. Depending on your mailer
and its configuration, if it is sending via MAPI it is quite conceivable that
RPC and/or COM could be involved, but I've not looked into this. "Direct to
SMTP" mailers should not be affected by RPC or COM service problems
though.

It could be the mail program was just messed up - doesn't have anything to
do with blaster, I just thought I'd mention it.
So, all or all but one of your reported symptoms are classic indicators of a
W2K machine, as yet unpatched against the DCOM RPC flaw described in the
MS03-026 security bulletin, and on a network where Blaster or similar DCOM
RPC exploits are being fired around.

Not on a network. Just standalone computers connected to an ADSL line (but
then again, being connected to the internet probably classifies as being "on
a network where Blaster or similar DCOM RPC exploits are being fired
around").
You did realize, when you read whatever description of cleaning up Blaster
that you followed when cleaning up the worm earlier, that where it said
something like:

To prevent the worm from re-infecting the machine get the MS03-026 patch
and install it on all vulnerable machines in your network.

they actually meant that to prevent the worm from re-infecting the machine
you _MUST_ get the MS03-026 patch and install it on all vulnerable machines
in your network, didn't you?

Yes, I know this. I just don't know if it was installed on these computers
we have had trouble with, and what happened.
Given the sloppy approach to system administration clear from your message,
it is likely that before you can install the patch you will have to download
the 120-something MB service pack 3 or 4 for W2K and install it, as the odds
are very high your machines are running Gold or an earlier SP which is not
supported for the patch. Actually the patch will install on SP2 machines
_but_ this is not a recommended configuration and it is _NOT_ supported by
Microsoft who say it is not properly tested. The patch was reputedly
originally developed to support SP2 and SP3 but then SP4 was scheduled for
release _before_ this patch would be released. Because this patch was
started after the cut-off for SP4 and not released until after SP4's release,
it had to support SP4 but need not (by MS's "current and previous SP or
release" rule) support SP2.

All machines have been updated with SP3 recently, and they will all get an
SP4 CD sent to them along with a router (as well as being set to run Windows
Update daily. ATM they update weekly).

Thanks for the answers, it definitely looks like this is because of blaster.
But I still don't know what to do about it. Should installing the patch
help, or will it only prevent future infections from happening?

Devast8or
 
Zvi Netiv

Devast8or said:
Ok, I just had access to a computer with blaster. I removed it with Symantec's
tool and installed the patch. I can drag'n'drop, IE works fine (someone said
to check if it had anything in "version", "cipher strength" etc., and all is
good here), add/remove programs are fine.

But I can't open a simple .txt file :(

Naturally, because these machines are/were infected by Lovgate and were
disinfected improperly, without undoing the changes that the worm did to the
registry. Among other things, modifying the content of
HKEY_CLASSES_ROOT\txtfile\shell\open\command with the value "winrpc.exe %1".
It just comes up and says winrpc.exe couldn't be found. I have a feeling
that all I need to do now is reinstall RPC, but how do I do that?

Just change the value in that key to "notepad.exe %1" and Windows will resume
normal operation.

Some AV producers have a dedicated remover for this worm.

Regards, Zvi
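The registry fix Zvi describes, written up as a check-then-repair script (an added example, not from the thread or from any AV vendor's tool): it reads the txtfile open handler, tests whether the executable it names actually resolves, and only with -Restore writes back the "notepad.exe %1" value named above. PowerShell is used here as a modern illustration; the -Restore switch, the helper function names and the resolution logic are this example's own choices.

```powershell
# Added example: inspect HKCR\txtfile\shell\open\command (the key named in
# the thread) and optionally restore the documented default handler.
param([switch]$Restore)

$keyPath   = 'Registry::HKEY_CLASSES_ROOT\txtfile\shell\open\command'
$knownGood = 'notepad.exe %1'   # value Zvi recommends above

function Get-HandlerExe {
    param([string]$Command)
    # The executable is either a quoted path or the first whitespace-delimited token.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+', 2)[0]
}

function Test-HandlerExe {
    param([string]$Exe)
    # Rooted paths are tested directly; bare names like notepad.exe resolve via PATH.
    if ([System.IO.Path]::IsPathRooted($Exe)) { return (Test-Path -LiteralPath $Exe) }
    return [bool](Get-Command $Exe -ErrorAction SilentlyContinue)
}

$current = (Get-ItemProperty -Path $keyPath -ErrorAction Stop).'(default)'
$exe     = Get-HandlerExe $current
Write-Host "txtfile open command: $current"

if (Test-HandlerExe $exe) {
    Write-Host "Handler executable '$exe' resolves; nothing to do."
} else {
    # This is the symptom in the thread: a handler pointing at a file that no
    # longer exists (winrpc.exe) after the worm binary was removed.
    Write-Warning "Handler executable '$exe' not found; .txt files cannot open."
    if ($Restore) {
        Set-ItemProperty -Path $keyPath -Name '(default)' -Value $knownGood
        Write-Host "Restored handler to '$knownGood'."
    } else {
        Write-Host "Re-run with -Restore to set the handler to '$knownGood'."
    }
}
```

Run from an elevated prompt, since HKEY_CLASSES_ROOT is writable only by administrators; without -Restore the script only reports.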
 
Devast8or

Zvi said:
Naturally, because these machines are/were infected by Lovgate and
were disinfected improperly, without undoing the changes that the
worm did to the registry. Among other things, modifying the content
of HKEY_CLASSES_ROOT\txtfile\shell\open\command with the value
"winrpc.exe %1".

Um, where did Lovgate enter this? I thought we were talking about Blaster.

But I'll check it out next time I have the chance. Thanks.
Just change the value in that key to "notepad.exe %1" and Windows
will resume normal operation.

Some AV producers have a dedicated remover for this worm.

I know Symantec has one.

Devast8or
 