blasterworm


christine

I believe I have the Blaster worm or a variant of it on my
computer. I have followed the directions for one of the
removal tools from Symantec. It found no worm. How do I
know which variant of the worm I have? Do I just run
each worm tool listed until I get the right one?
 

Crystal

To Dave K.:
My XP went awry also, 4 trips to Best Buy in Chico, CA
and $89.00 & $79.99 & $32.16 later here I am.
To Christine:
The Blaster Worm has hit my computer 3 times since 11-27-03.
Same 3 trips as above and here I am now. Best
advice TAKE YOUR COMPUTER TO THE PROFESSIONALS...IT'S
WORTH THE MONEY AND HASSLE!
 

cquirke (MVP Win9x)

On Wed, 14 Jan 2004 17:00:16 -0800, "christine" wrote:

> I believe I have the Blaster worm or a variant of it on my
> computer. I have followed the directions for one of the
> removal tools from Symantec. It found no worm. How do I
> know which variant of the worm I have? Do I just run
> each worm tool listed until I get the right one?

My standard post on this:

<paste>

It's been a while, so let me start with a recap of the history:

1) NT includes a Remote Procedure Call service that cannot be avoided
or turned off, because several internal processes require it. The
service exposes itself to all (TCP/IP only?) networks, including the
Internet. So any computer anywhere in the world can "have a go".

2) Since at least NT 4.0, if not earlier, the coding of this and
related DCOM critical services has included defects that allow
specially-constructed RPC requests to inject raw code into the system,
which Windows will run automatically shortly thereafter.

3) This defect persisted through all the NT 4.0 service packs, the
re-coding of NT for NT 5.0 and 5.1 (Win2000 and XP respectively) and
all the service packs thereof. However, the structure of the attack
packet changed between 5.0 and 5.1 - so that an attack crafted for 5.0
would cause 5.1 to simply crash, and vice versa.

4) In July 2003, MS documented the problem and issued a patch for NT
4.0, Win2000 and XP. As NT 3.xx is no longer supported, the lack of
coverage of this OS does not imply it is immune. However, Win9x
(95xx, 98xx and ME) *are* structurally immune, even if they have the
RPC service added to them - the code is completely different.

5) In August 2003, Lovesan.A spearheaded a series of malware that
attacked the NT RPC service. As well as several Lovesan variations,
there was also Welchia, a variant of the common SDBot trojan with
RPC-attacking capability added, and several others. Of these, only
those with alternate means of spread (such as SDBot.RPC.A) pose risks
to Win9x, though all Internet computers suffered the congestion caused
by Welchia's method of scouting for IP addresses to attack.

6) In September 2003, MS revised the RPC patch, documenting three
additional exploitable defects in the previous "fix".

7) Subsequently, the author of SDBot.RPC.A and the author of a
Lovesan variant that had RAT (Remote Access Trojan) functionality
added to it, were apprehended and charged.


The most significant thing to know about RPC attacks is that you will
be attacked simply because you are connected to an infected network -
no software needs to be run, no action has to be taken by the user.
And the Internet is the mother of all infected networks :)

Because the process of attempting an attack can crash the system,
traditional antivirus protection is irrelevant. Your NT PC could be
spontaneously restarting every few minutes without any malware
successfully gaining a foothold; the attempts themselves are escalated
to a significant DoS effect, due to particularly dumb MS settings.


To protect yourself against RPC attacks (instructions for XP):

1) Harden the PC against consequences of attack attempts

1.1) Stop the PC from restarting every time a system error occurs

Start, Settings, Control Panel, System icon, Advanced tab
Startup and Recovery section; click the Settings button
UNcheck the "Automatically restart" setting, OKOK

1.2) Stop the RPC service restarting the system when it dies

Start, Settings, Control Panel, Administrative Tools icon
Click into the Services icon
Find and click into Remote Procedure Call (RPC)
Recovery tab; all failures default to Restart the Computer
Change all of those to Restart the Service, OKOKOK

1.3) Turn on the built-in firewall for your Internet connection

This may block RPC attacks; I haven't relied on it alone, so I can't
say whether it alone is enough of a shield.

2) Fix the defective code

Microsoft does NOT send code fixes by email, particularly unsolicited
email (they do send alerts by email if you subscribe to that service,
but these always link to their site rather than attach files).

So you need to go to MS's web site, find the RPC defect patch that is
relevant to your version of NT, download it, install it, and restart
the PC when prompted so that it can go into effect.

All this while several thousand infected PCs are squirting tiny RPC
attack packets directly into your system, with immediate effect - so
good luck! Hence step (1). Beg a Win9x user to download it for you
if your PC keeps crashing; it fits on one diskette.

3) Detect and clean up Lovesan and other malware

If you are using NTFS, you are forced to rely on informal tools to do
this, i.e. antivirus scanners that try to clean the system while
standing waist-deep in infected code. Several free utilities abound
that will scan specifically for particular malware, and NAI has a
thing called "Stinger" that scans for and cleans up a small but
germane collection of common malware. Stick to reputable URLs, as
malware may "market" itself as anti-malware freebies.

Else http://users.iafrica.com/c/cq/cquirke/virtest.htm applies, i.e.
if you are using FAT32, you can take the formal approach, and should.

4) Apply general risk management

Beyond the scope of this post; Win9x-centric approaches described in
http://users.iafrica.com/c/cq/cquirke may not be directly applicable
to NT, but the concepts may, and "safe hex" is "safe hex".


Blaster is an example of the new breed of pure worms that can spread
globally within a few minutes (Slammer/Sapphire went global in 10
minutes). Not only does that make a mockery of daily av updates,
these are conceptually significant for another reason - they are
infosphere infectors, not computer or file infectors as most malware
and viruses are, respectively.

It's faster for these worms to re-infect your PC from the "installed
base" of infected systems on the Internet than it is to persist across
runtime by infecting your PC's files or OS runpoints. Many do not
even attempt to do so; switch the PC off, and the malware's gone -
until you reconnect to the infected network again.

With always-on servers, no-longer-needs-rebooting NT, and a
consumerland bulging with fast always-on broadband, this strategy
becomes more viable all the time.

The traditional approach to malware has been malware- rather than
risk-focussed. Just as you'd treat a bacterial infection with
antibiotics, malware has been treated with antivirus software that is
used to "cure" the PC. But just as you can't cure bioviral infections
with antibiotics, you can't clean the whole of the infosphere!

So these new threats demand risk management as the front-line defence.
Software that is stupid enough to allow direct attack is simply
indefensible, and has to be repaired (patched) or avoided.

</paste>


--------------- ----- ---- --- -- - - -
Dreams are stack dumps of the soul
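Added example, not from the thread or its author: step 1.3 above turns on the built-in XP firewall, and besides blocking traffic that firewall keeps a log (pfirewall.log, in the W3C column layout it writes at the top of the file), which is the easiest place to see the attack attempts the post says arrive "simply because you are connected". The Python script below reads such a log and counts inbound TCP hits on the RPC listener ports, reporting how many were blocked, whether any got through before the patch went on, which sources keep coming back, and how many arrive per minute (the rate behind the restart storm that steps 1.1 and 1.2 defuse). The log lines, the host address 198.51.100.5 and the probing addresses are constructed for the example; the port numbers (TCP 135 for the RPC endpoint mapper, TCP 445 for RPC over SMB) are not mentioned in the post and are stated here as general knowledge.

```python
"""Triage of a Windows XP firewall log (pfirewall.log) for RPC attack attempts.

Added example, not part of the original thread. The log lines below are
constructed; the column layout follows the #Fields header the XP firewall
writes at the top of pfirewall.log.
"""
from collections import Counter
from datetime import datetime

# Listener ports reached by the RPC/DCOM attack traffic the post describes:
# TCP 135 is the RPC endpoint mapper the Blaster family targeted, TCP 445
# carries RPC over SMB and was hit by later variants (general knowledge,
# not taken from the post).
RPC_PORTS = {135, 445}

# Leading columns of the XP firewall log; the remaining columns
# (size, tcpflags, ...) are not needed for this triage.
FIELDS = ("date", "time", "action", "protocol",
          "src-ip", "dst-ip", "src-port", "dst-port")

# Constructed sample log: host 198.51.100.5 behind the built-in firewall,
# probed on TCP 135/445 by several hosts while it browses the web. The
# last record is a connection the firewall let through (logged as OPEN).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2004-01-14 17:00:01 DROP TCP 192.0.2.10 198.51.100.5 1203 135 48 S 1836541 0 16384 - - -
2004-01-14 17:00:02 DROP TCP 192.0.2.10 198.51.100.5 1204 135 48 S 1836542 0 16384 - - -
2004-01-14 17:00:02 DROP TCP 192.0.2.11 198.51.100.5 3301 135 48 S 2290017 0 8192 - - -
2004-01-14 17:00:05 OPEN TCP 198.51.100.5 203.0.113.7 1025 80 - - - - - - - -
2004-01-14 17:00:40 DROP TCP 192.0.2.10 198.51.100.5 1205 135 48 S 1836543 0 16384 - - -
2004-01-14 17:01:10 DROP TCP 192.0.2.12 198.51.100.5 2000 445 48 S 4012987 0 65535 - - -
2004-01-14 17:01:11 DROP UDP 192.0.2.12 198.51.100.5 137 137 78 - - - - - - -
2004-01-14 17:01:30 OPEN TCP 192.0.2.13 198.51.100.5 4102 135 - - - - - - - -
"""


def parse_line(line):
    """Parse one log record into a dict; return None for headers, blanks, junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}",
                                      "%Y-%m-%d %H:%M:%S")
        rec["dst-port"] = int(rec["dst-port"])
    except ValueError:
        return None
    return rec


def triage_rpc_attempts(log_text, host_ip, repeat_threshold=3):
    """Summarise inbound TCP hits on RPC ports aimed at host_ip.

    Returns a dict with: total inbound RPC-port records, how many the
    firewall logged as DROP (blocked) versus anything else (allowed, i.e.
    the packet reached the RPC service), attempts per source IP, the
    sources at or above repeat_threshold (most active first), and the
    busiest minute, which is the rate behind the restart storm.
    """
    per_source = Counter()
    per_minute = Counter()
    blocked = allowed = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        # Only inbound TCP aimed at this host's RPC listeners counts;
        # outbound traffic and NetBIOS/UDP noise are skipped.
        if (rec["protocol"] != "TCP" or rec["dst-ip"] != host_ip
                or rec["dst-port"] not in RPC_PORTS):
            continue
        per_source[rec["src-ip"]] += 1
        per_minute[rec["ts"].strftime("%Y-%m-%d %H:%M")] += 1
        if rec["action"] == "DROP":
            blocked += 1
        else:
            allowed += 1
    repeat = [ip for ip, n in per_source.most_common() if n >= repeat_threshold]
    return {
        "total": blocked + allowed,
        "blocked": blocked,
        "allowed": allowed,
        "per_source": dict(per_source),
        "repeat_sources": repeat,
        "peak_per_minute": max(per_minute.values(), default=0),
    }


def report(summary):
    """Render the triage summary as plain text."""
    lines = [f"RPC-port connection attempts: {summary['total']} "
             f"({summary['blocked']} blocked, {summary['allowed']} reached the service)",
             f"busiest minute: {summary['peak_per_minute']} attempts"]
    for ip in summary["repeat_sources"]:
        lines.append(f"  repeat source {ip}: {summary['per_source'][ip]} attempts")
    if summary["allowed"]:
        lines.append("  WARNING: unblocked attempts reached the RPC service; "
                     "apply the patch and keep the firewall on before reconnecting")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage_rpc_attempts(SAMPLE_LOG, "198.51.100.5")))
```

On a real machine, replace SAMPLE_LOG with the contents of pfirewall.log and host_ip with the address of the Internet-facing adapter. A non-zero "reached the service" count on an unpatched PC is the case the post warns about: the firewall was off or not yet covering that connection while the patch was being fetched, so the machine should be checked with the clean-up tools in step 3 rather than assumed healthy.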
 
