Symantec "FixBlast" says No Blaster Worm found... but....

Tim

This is an odd problem.

My Windows 2000 Server machine (which gets rarely used except for software
updates) has been giving me a fit today... locking up a lot. I attributed
this to a hardware problem which I hope to get resolved soon.

But, while I was formatting a 120GB hard drive in there, it got to 40% then I
got one of those "remote shutdown" boxes...... said it was from the "NT
AUTHORITY\SYSTEM" or something like that. The shutdown message was
something to the wording of "C:\WINNT\SYSTEM32\SVCHOST.EXE has encountered
an error and the system will shut down now and restart"..... not the exact
wording there but almost, and it did shut down in almost a few seconds.....
never saw the "saving settings" screen or "shutting down" screens like a
normal remote shutdown does.

Upon reboot, I ran the FixBlast program I just NOW downloaded from Symantec.
It scanned my entire computer and said the Blaster Worm was not found on the
system.

So.... what was the message I got?

Yes, all updates from Windows Update are installed.
Yes, running Norton AntiVirus 2001 with the latest virus definition
updates....

Tim

Mark V

Tim wrote in
This is an odd problem.

My Windows 2000 Server machine (which gets rarely used except for
software updates) has been giving me a fit today... locking up a
lot. I attributed this to a hardware problem which I hope to get
resolved soon.

But, while I was formatting a 120GB hard drive in there, it got to
40% then I got one of those "remote shutdown" boxes...... said it
was from the "NT AUTHORITY\SYSTEM" or something like that. The
shutdown message was something to the wording of
"C:\WINNT\SYSTEM32\SVCHOST.EXE has encountered an error and the
system will shut down now and restart"..... not the exact wording
there but almost, and it did shut down in almost a few
seconds..... never saw the "saving settings" screen or "shutting
down" screens like a normal remote shutdown does.

Upon reboot, I ran the FixBlast program I just NOW downloaded from
Symantec. It scanned my entire computer and said the Blaster Worm
was not found on the system.

So.... what was the message I got?

Yes, all updates from Windows Update are installed.
Yes, running Norton AntiVirus 2001 with the latest virus
definition updates....

Is it:
- connected to the Internet
- not patched for the RPC/DCOM vulnerability
- not protected by adequate firewall rules

Yes? Then fix it.

RPC crashed from inbound attack on port 135

Farouk Dindar

But, while I was formatting a 120GB hard drive in there, it got to 40% then I
got one of those "remote shutdown" boxes...... said it was from the "NT
AUTHORITY\SYSTEM" or something like that. The shutdown message was
something to the wording of "C:\WINNT\SYSTEM32\SVCHOST.EXE has encountered
an error and the system will shut down now and restart"..... not the exact
wording there but almost, and it did shut down in almost a few seconds.....
never saw the "saving settings" screen or "shutting down" screens like a
normal remote shutdown does.

Upon reboot, I ran the FixBlast program I just NOW downloaded from Symantec.
It scanned my entire computer and said the Blaster Worm was not found on the
system.

My daughter's computer was having multiple problems so I installed a fresh
version of WinXP Professional.

I got the same message

I formatted it and installed Win2k.

I then upgraded to Service Pack 4 and applied the security patch
from Microsoft.

I then ran the FixBlast program. No problem.

I decided to get a router for her as I do not expect her to keep on calling
me.

The salesman told me that some people are getting infected with the blaster
virus immediately after installing win 2k on XP if they have high speed
internet access. The virus then does not allow them to do a repair.

I wonder whether my XP experience was due to blaster virus.

I did not want to waste time troubleshooting as I do not know WinXP and the
copy I have is for testing given to me by xxx. I am sticking with Win2k and
will PAY for future versions.

I am just relating my experience.

I have a gut feeling the message you got is due to some virus similar to the blaster
virus.

Farouk Dindar

Tim

Then it must be a similar and not-known virus.... as I said, I ran the
FixBlast utility and it said it was not found (after it did a thorough scan
of all my hard drives on that computer), and I have my virus def's up to
date and have performed a full system scan...... no dice.

George Hester

"... you can't stop that unless port 135 is not visible from the net" - VG

Really? hmmm...

George Hester

Tim, you can tell if it is blaster very easily. Look in the Event Viewer for
the error that corresponds to what you are seeing. You will see it is
described as RPC something or other. That's blaster, I don't care what your
AV is saying. That is blaster. Now I do not understand why you can have
the patch installed and still be experiencing the issue. If the error
occurs and there is no mention of RPC in the Event Viewer then it has
nothing to do with the msblaster but you are experiencing some other
difficulty. Have your services for RPC started in the Services applet? Not
the locator one, that should be set to Manual; the other should be set to
Automatic and be started.

Vance Green

George-

A few users, and an AV mfr. site that I cannot remember
the link for :-( have said that just the repeated ATTEMPTS
to compromise your machine, even if it has been patched,
can cause the RPC service to fail (I'm still trying to backtrack
where I saw this - I had to downgrade from IE6 to 5.5, and in
the process lost my History).

Given the increasing amount of posts like this one ("I patched,
and updated my AV, but SVCHOST/RPC something is still giving me grief")
I am beginning to think they were right...

Yesterday, another user was experiencing the same stuff (reboot every
2 min or so), when told to physically disconnect from the net by pulling
the cable, it stopped.

I think there's more to Blaster (perhaps a completely unanticipated
behavior) than we know at this point.

Vance Green

Found it - my description was off, but it turns out
that SVCHOST can be crashed BY the virus
without HAVING it on your HD:

---------------------------------------------------------------------------
The worm attempts to infect both Windows 2000 and Windows
XP systems. One of the offsets used by the worm must be
different for each of these operating systems, in order for
the exploit it uses to work. Since the worm does not know
what operating system the target machine is running, it guesses.
There is an 80% chance it will attempt to exploit Windows XP,
and a 20% chance it will attempt to exploit Windows 2000.
If the worm guesses incorrectly and the remote machine is
vulnerable, the process svchost.exe on the target machine
will crash. The system may become unstable, but the infection will fail.
---------------------------------------------------------------------------


This was taken from:

http://www3.ca.com/virusinfo/virus.aspx?ID=36309

I suppose the 80/20 stuff is why so many W2K users report
SVCHOST problems without actually having MSBLAST
on the system...

George Hester

Yes Vance I am familiar with that. But msblaster will still show in the
Event viewer as an RPC issue. No event viewer notification of that no
msblaster. There may be something more to msblaster not sure. I got it
once and then never again.

Mark V

Tim wrote in
No, it is patched. Also, SP4 has been installed for about 2 or 3
weeks now.


Firewall not installed.... whenever I went to install my firewall
software, it said that Win2k server was not supported and would
not install.... so I disabled filesharing on TCP/IP and run my
home network with IPX/SPX stack and use filesharing on that
protocol stack only.

Sounds like you've made some informed decisions security-wise.
Still, those symptoms parallel those for being hit (RPC) on port 135
by the attack vector for MSBlast (even if not infected). See
"Vance"'s suggestion on how to check that by removing a connection to
the Internet.

You don't mention either a hardware NAT router or upstream firewall
so I would suggest you add at least an inexpensive NAT router between
you and the Internet. It's a good investment. Re SFW, many
specifically refuse to load on a Server as the company usually sells
a different package (for money, or more money), but I believe an
outbound firewall is important in any system. Some free ones can run
on Server. Kerio 2.1.5 for one IIRC. Then there is TCP/IP
Filtering built-in if you want to mess with that.

There's also a IRC Trojan out there that (perhaps) could be an issue
with svhost errors. Otherwise....

Hope you get some more suggestions or locate the problem.
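An added example, not from any poster in this thread, that turns George's "look for an RPC error in the Event Viewer" check and Mark's "RPC hit on port 135 even if not infected" reasoning into a small triage script. The System-log and packet-filter lines are constructed samples, and the event IDs 7031 (Service Control Manager) and 1074 (USER32) are assumptions to confirm on your own host.

```python
import re

# Constructed System-log export, one "timestamp,source,event id,message" record per line.
# IDs 7031 (SCM: service terminated unexpectedly) and 1074 (USER32: shutdown initiated)
# are assumed here; confirm them against your own host's Event Viewer.
SAMPLE_SYSTEM_LOG = """\
2003-08-13 14:02:11,Service Control Manager,7031,The Remote Procedure Call (RPC) service terminated unexpectedly.
2003-08-13 14:02:12,USER32,1074,The process winlogon.exe has initiated the restart of computer W2KSRV on behalf of NT AUTHORITY\\SYSTEM
2003-08-13 13:55:02,Service Control Manager,7036,The Print Spooler service entered the running state.
"""

# Constructed packet-filter log of inbound TCP connection attempts to this host.
SAMPLE_FIREWALL_LOG = """\
2003-08-13 14:01:58 DROP  TCP 192.0.2.77:3412 -> 198.51.100.5:135
2003-08-13 14:02:03 ALLOW TCP 192.0.2.78:1044 -> 198.51.100.5:135
2003-08-13 14:02:09 ALLOW TCP 192.0.2.79:2200 -> 198.51.100.5:135
2003-08-13 14:02:30 ALLOW TCP 203.0.113.9:4000 -> 198.51.100.5:80
"""

RPC_CRASH = re.compile(r"Remote Procedure Call \(RPC\) service terminated unexpectedly")
INBOUND = re.compile(r"^\S+ \S+ (ALLOW|DROP)\s+TCP \S+ -> \S+:(\d+)$")

def rpc_crash_events(system_log):
    """Return (timestamp, event id) for each SCM record reporting an RPC service crash."""
    hits = []
    for line in system_log.splitlines():
        ts, source, event_id, message = line.split(",", 3)
        if source == "Service Control Manager" and RPC_CRASH.search(message):
            hits.append((ts, int(event_id)))
    return hits

def allowed_inbound(fw_log, port=135):
    """Count inbound connections to `port` that the packet filter let through."""
    count = 0
    for line in fw_log.splitlines():
        m = INBOUND.match(line)
        if m and m.group(1) == "ALLOW" and int(m.group(2)) == port:
            count += 1
    return count

def triage(system_log, fw_log, scanner_found_worm):
    """Apply the thread's reasoning: RPC crash + reachable 135 + clean scan = attack-induced crash."""
    if not rpc_crash_events(system_log):
        return "no RPC crash logged: unrelated to Blaster, look elsewhere (e.g. hardware)"
    if scanner_found_worm:
        return "RPC crash and worm present: host infected, disconnect, clean, patch"
    if allowed_inbound(fw_log):
        return "RPC crash, clean scan, port 135 reachable: attack-induced crash, filter 135 upstream"
    return "RPC crash with 135 filtered: look for a local cause"
```

With the sample data the verdict is the one this thread converges on: the RPC crash is logged, FixBlast finds nothing, and port 135 is reachable from outside, so the fix is filtering 135 at the perimeter rather than more scanning.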

Tim

Yowch. Get one. What you did won't stop the ATTACK, you can't
stop that unless port 135 is not visible from the net. The patch
only stops your machine from becoming infected by the worm.

Well, price is important...... what would you recommend? I don't care for
the free ones.... they usually aren't very featured.

I have two NIC's in there. One is connected to the internet via cable modem,
the other one goes out to my home network. I'm using simple ICS to share the
internet...
Doesn't 2k3 server have a basic firewall built in? (you may have
to enable it)

I believe it does, but since I posted in a Win2000 (not Win2003) newsgroup,
and said I was using Win2k, 2k3 Server is not an issue here....

Tim

I attempted just now to install Norton Personal Firewall 2003 on it, and it
gave me a message saying it doesn't support NT Servers. It said upon
startup, many Windows 2000 services require internet services which the
firewall generally blocks, and would increase startup time. Because of that,
it would not automatically startup and I would have to enable it manually
(quite a pain).

So.... can anyone recommend a good firewall to install and that would work
on a Win2k Server? It must work with ICS on that machine too :)