The Lovisan Worm aka MSBlast - VIRUS!!!!!

Postby Kaz » Tue Aug 12, 2003 5:15 pm

I know this should probably go in Computer Tech, but as a lot of people don't read that forum I thought I'd put it in here.

My virus checker just found a worm known as Lovisan. It seems to be shutting down my system (even after removal).


The File is called msblast.exe
I found it in c:\windows\System32\msblast.exe

The Microsoft Patch
http://www.microsoft.com/technet/treevi ... 03-026.asp
Programming is 10% science, 25% ingenuity and 65% getting the ingenuity to work with the science.
TEN, TMP, Peace, Fervent, LA, sLAinte
Table Warfare Miniatures
User avatar
Kaz
Retired Admin
 
Posts: 3873
Joined: Wed Sep 25, 2002 5:00 pm
Location: The Vinyards of Fernabergia

Postby Kaz » Tue Aug 12, 2003 5:16 pm

http://www.silicon.com/news/500013/1/5564.html
Tue 12 August 2003 05:29PM BST

Virus watch: Should we fear a Blaster disaster?
Not if we paid more attention to patching systems…



Companies and PC users in the UK are being warned of a new virus threat today, and while Blaster/Lovesan is yet to set the alarm bells ringing, it should serve as a reminder about the importance of an effective patching strategy.


The worm attacks a Windows vulnerability which has been flagged up since mid-July.


But despite likely widespread occurrences of the flaw in the popular operating system the virus may yet fail to really take hold, according to anti-virus experts at Network Associates.


David Emm, marketing manager for Network Associates' Avert unit, said: "The lion's share of activity with this virus has been in the US, where it broke overnight, but we've seen a significant number within the UK already today and it is affecting both home and business users."


Network Associates has given the virus a medium-level risk warning but Emm doesn't expect to see that rating increase.


"We don't expect to see this virus hit the highest alert ratings. There is the potential there for this to hit lots of machines, but it is not on the same scale as something like Slammer which spread within about 10 minutes."


As with all virus threats companies are advised to ensure their machines are patched and their anti-virus up to date, but despite this worm attacking a known vulnerability Emm was not critical of IT managers who had failed to patch their systems.


"There is always the art of the possible, " said Emm. "If something attacks a vulnerability which has gone unpatched for 12 months then it looks bad, but if something hits after just a month or two then there is a case for saying 'this came out of leftfield - we weren't expecting that'."


However, if Lovsan does pass without hitting the most serious levels of infection and propagation then IT managers should do a lot more than just count themselves lucky.


The scare, if that is what it proves to be, should serve as a further reminder about the importance of patching systems and remaining proactive, rather than reactive in the fight to safeguard your network.


This is a trend the security market has identified - with products and services aimed at spotting vulnerabilities before the exploit comes along.


"There has been a shift from protection to detection," said Emm.

Postby Kaz » Tue Aug 12, 2003 5:16 pm

http://www.silicon.com/news/500013/1/5550.html
Tue 12 August 2003 08:59AM BST

Windows worm now spreading
It's an MSBlast...



A worm that takes advantage of what some security experts have called the most widespread Windows flaw ever has started spreading, fulfilling the predictions of many researchers.


Dubbed 'MSBlast' by its author, the worm is spreading quickly, according to an initial analysis posted to the Internet Storm Center, a digital threat-tracking site. Ever since mid-July, when Microsoft announced a vulnerability in a widespread component of Windows, security experts have been waiting for some online vandal to create a worm that takes advantage of it.



Johannes Ullrich, chief technology officer for the Storm Center said: "It is pretty widespread. It is sort of getting to the point where it is causing some slowdown."


Microsoft is investigating the worm but couldn't immediately comment on the program.


Some system administrators posting to a mailing list run by the North American Network Operators' Group, a popular forum for engineers who maintain large networks, believe that as much as 10 per cent of the data coming into their networks has been created by the worm.


The worm contains two messages in its code. The first apparently is a 'greet' - a message of greeting or recognition to a friend or peer - while the second takes aim at Microsoft: "billy gates why do you make this possible?" the second part of the message says. "Stop making money and fix your software!!"

Starting with a random internet address, the worm sequentially scans for computers with the vulnerability.


MSBlast installs the Trivial File Transfer Protocol (TFTP) server, and runs the program to download its program code to the compromised server. It will also add a registry key to ensure that the worm is restarted when the host computer is rebooted.


The worm attacks Windows computers via a hole in the operating system, an issue Microsoft on 16 July had warned about. Nine days after the software giant announced the flaw, hackers from the Chinese X Focus security group publicly posted a program to several security lists designed to allow an intruder to break in to Windows computers. The Windows flaw has been characterised by some security experts as the most widespread ever found in Microsoft's operating system.


The flaw is in a component of the OS that lets other computers request that the Windows system perform an action or service. The component, known as the remote procedure call (RPC) process, facilitates activities such as sharing files and allowing others to use the computer's printer. By sending too much data to the RPC process, an attacker can cause the system to grant full access to the system.


The Chinese code worked on only three variants of Windows, but other hackers have since refined it. Nine days ago, a hacker posted an attack program to a security mailing list. Many facets of the current worm seem to be similar to that program.


Experts have feared that a worm created to take advantage of the Microsoft flaw could have an effect similar to that of the Slammer worm that downed corporate networks in January.


Slammer spread to corporate networks worldwide, causing databases to go down, bank teller machines to stop working and some airline flights to be canceled. Six months earlier, a researcher had released code that exploited the major Microsoft SQL vulnerability used by the worm to spread.


Security experts and network administrators are working to identify the worm and patch their networks.


Microsoft Windows users can update their operating systems through the company's Windows Update service. More information about the flaw and workarounds are available in the advisory posted online.


Robert Lemos writes for CNET News.com
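The article quoted above describes the two pieces of worm behaviour a network defender can actually observe: a host that starts at a random address and walks sequentially through neighbouring addresses looking for the RPC service, and a freshly compromised host that then pulls the worm binary over TFTP from the machine that attacked it. The following is an added example, not code from this thread or from any vendor tool: a small Python detector that runs over a constructed flow log (the format, addresses and timestamps are all made up here) and flags hosts doing sequential scans of TCP port 135, the port the RPC endpoint mapper patched by MS03-026 listens on, and hosts that open UDP port 69 (TFTP) back to a scanner right after being probed. The consecutive-address threshold and the log format are assumptions, not something the thread specifies.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow log (not from the original thread). Assumed format:
# "<time> <src_ip> <dst_ip> <proto> <dst_port>", one record per line, in time order.
SAMPLE_LOG = """\
18:02:01 192.0.2.20 198.51.100.3 tcp 135
18:02:01 192.0.2.20 203.0.113.7 tcp 135
18:02:02 192.0.2.10 198.51.100.1 tcp 135
18:02:02 192.0.2.10 198.51.100.2 tcp 135
18:02:02 192.0.2.10 198.51.100.3 tcp 135
18:02:03 192.0.2.10 198.51.100.4 tcp 135
18:02:03 192.0.2.10 198.51.100.5 tcp 135
18:02:03 192.0.2.10 198.51.100.6 tcp 135
18:02:04 192.0.2.10 198.51.100.7 tcp 135
18:02:04 192.0.2.10 198.51.100.8 tcp 135
18:02:04 192.0.2.10 198.51.100.9 tcp 135
18:02:05 192.0.2.10 198.51.100.10 tcp 135
18:02:06 198.51.100.7 192.0.2.10 udp 69
18:02:07 203.0.113.5 192.0.2.20 udp 69
"""

RPC_PORT = 135   # RPC endpoint mapper, the service MS03-026 patches
TFTP_PORT = 69   # the worm fetches its binary over TFTP once RPC is exploited


def parse_log(text):
    """Turn the constructed log into (time, src, dst, proto, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port = line.split()
        records.append((ts, src, dst, proto.lower(), int(port)))
    return records


def longest_consecutive_run(addresses):
    """Longest run of numerically adjacent IPv4 addresses in the given set."""
    nums = sorted({int(ipaddress.IPv4Address(a)) for a in addresses})
    best = run = 0
    prev = None
    for n in nums:
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best


def find_scanners(records, min_run=8):
    """Sources that hit TCP/135 on at least min_run consecutive addresses.

    A legitimate DCOM client talks to a few specific hosts; a worm walking
    an address range produces a long adjacent run. min_run is an assumed
    threshold; tune it for the size of the network being watched.
    """
    targets = defaultdict(set)
    for _ts, src, dst, proto, port in records:
        if proto == "tcp" and port == RPC_PORT:
            targets[src].add(dst)
    return {src for src, dsts in targets.items()
            if longest_consecutive_run(dsts) >= min_run}


def find_probable_victims(records, scanners):
    """Hosts probed on TCP/135 by a known scanner that then open UDP/69 back to it.

    That ordering (RPC probe in, TFTP fetch out to the same peer) is the
    infection handshake the article describes; records must be in time order.
    """
    probed_by = defaultdict(set)
    victims = set()
    for _ts, src, dst, proto, port in records:
        if proto == "tcp" and port == RPC_PORT and src in scanners:
            probed_by[dst].add(src)
        elif proto == "udp" and port == TFTP_PORT and dst in probed_by.get(src, ()):
            victims.add(src)
    return victims


def analyze(text, min_run=8):
    """Return (scanners, probable_victims) for a log in the assumed format."""
    records = parse_log(text)
    scanners = find_scanners(records, min_run)
    return scanners, find_probable_victims(records, scanners)


if __name__ == "__main__":
    scanners, victims = analyze(SAMPLE_LOG)
    print("sequential TCP/135 scanners:", sorted(scanners))
    print("probable infections (TFTP fetch after probe):", sorted(victims))
```

On the constructed log, 192.0.2.10 is flagged as a scanner (ten adjacent targets) while 192.0.2.20, which only talked to two unrelated hosts on port 135, is not; 198.51.100.7 is the only probable infection because it is the only probed host that fetched something over TFTP from its attacker afterwards. Hosts that appear in the probe set but never fetch anything are the ones that typically show the RPC crash and 60-second shutdown instead, which is a failed exploit attempt rather than an infection. This is a heuristic: a scanner that does not walk addresses in order, or a network where port 135 is already filtered at the border, will not show up this way.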

Postby zenpig » Tue Aug 12, 2003 5:34 pm

It should be noted that a fix for the 'slammer worm' was available long before it ever hit, too, and it should have never affected the net like it did... lazy ass sys. admins.
"The trouble with socialism is that you eventually run out of other people's money" ~M. Thatcher

If I could buy my reasoning I pay to lose
User avatar
zenpig
Journeyman
 
Posts: 2220
Joined: Wed Sep 25, 2002 5:00 pm

Postby Sunblade » Tue Aug 12, 2003 5:57 pm

Started at about 6pm GMT last night - or that's when we first started hearing customers complain about it.

Easiest fix - download symantec.com's removal tool (linked on their front page), then apply the windows patch which has been available since mid-July and which you all should have downloaded by now since it's a critical update and fixes a known windows vulnerability.

*breathes again*
"I like the word 'indolence'. It makes my laziness sound classy."
-Bern Williams
User avatar
Sunblade
Retired Admin
 
Posts: 4896
Joined: Wed Sep 25, 2002 5:00 pm
Location: Nottingham

Postby Divx » Tue Aug 12, 2003 6:07 pm

Glad I always update.
Guinness -> :beer: <- me happy
Digital Keg
...still the Chaös TÔwñ Druñk and the Prophet of the almighty Beer God
User avatar
Divx
Peasant
 
Posts: 694
Joined: Wed Sep 25, 2002 5:00 pm

Postby Kaz » Tue Aug 12, 2003 7:06 pm

Since I patched, the PC hasn't shut down, btw.... the worm was prolly still in memory after I deleted it, which is why I said it still crashed after removal.

Postby Canis » Tue Aug 12, 2003 7:17 pm

Yeah, I was smart and updated like last month..
[center]"Cry Havok, and Let slip the Dogs of War"

Disciple of Sun Tzu [/center]
User avatar
Canis
Peasant
 
Posts: 690
Joined: Mon Mar 17, 2003 1:29 pm
Location: Buhsscuks,Ok

Postby Sunblade » Tue Aug 12, 2003 7:39 pm

Viruses can be retained within your System Restore folder, which isn't checked by most anti-virus software.

If you want to be sure you've gotten rid of it, turn off system restore (right click my computer - properties - system restore). This will delete all system restore files, getting rid of any resident viruses or infected files. Then just turn it back on from the same screen to start creating restore points again.

Postby Vesperan » Tue Aug 12, 2003 10:59 pm

Quite funny,
most of my university's computers were down yesterday due to this, which has screwed a lot of people up in regards to assignments.

Mind you, it's only funny to me because I wasn't relying on university computers for assignments. If I was.. I would be pretty peeved off.

I read somewhere (Symantec?) that the virus also does DoS attacks against windowsupdate.com, so when you go to update your computer to protect it... no response. I love that.
Neither individuals nor corporations have any right to come into court and ask that the clock of history be stopped, or turned back.
User avatar
Vesperan
Peasant
 
Posts: 889
Joined: Wed Sep 25, 2002 5:00 pm
Location: New Zealand

Postby Vothus » Tue Aug 12, 2003 11:39 pm

Pretty sure Symantec check the System Restore folders. Does anyone know what the effect of simply removing the shutdown clause from the RPC service is? I did that until I could get the fix, and was wondering if it was as dumb as I think it might have been.
~BLACK DOGS~

~ For every battle lost and won, are these the ones we offer up? ~
User avatar
Vothus
Stablehand
 
Posts: 308
Joined: Mon Jun 23, 2003 11:26 pm
Location: Melbourne, Aust.

Postby Bran » Tue Aug 12, 2003 11:56 pm

Sunny, I downloaded the patch like you told me to the other day and the computer has not shut off again, but I keep getting the TFTP message when I log on to my computer.. how do you get it to stop doing that??
User avatar
Bran
Traveler
 
Posts: 1446
Joined: Wed Sep 25, 2002 5:00 pm
Location: Arkansas

Postby Hatama » Tue Aug 12, 2003 11:58 pm

I spent the whole damn day yesterday trying to figure out what was wrong with the stupid puter! :x

I thought for sure we had this damn worm...
Our puter had the symptoms listed but ,
after downloading updates for the virus scanner as well as the Stinger program from Trend, and searching for the MSBlast.exe file
I found nothing... :shock:

Then I came across this message at another site I visit...


On a machine that's being attacked via the first of the above vulnerabilities one might see the following:


--------------------------------------------------------------------------------
>Date: Fri, 25 Jul 2003 14:08:30 -0400
>To: security-fyi at mit.edu, Itpartners at mit.edu,
> winpartners at mit.edu, mitvirus at mit.edu
>Subject: exploit for MS03-026 RPC vulnerability

If a machine is a target of the currently available exploit
program for the MS03-026 vulnerability, it will in some
cases pop up a window titled "System Shutdown" with
the text:


This system is shutting down. Please save all work in progress
and log off. Any unsaved changes will be lost. This shutdown
was initiated by NT AUTHORITY\SYSTEM

Time before shutdown: 00:00:59

Message:
Windows must now restart because the Remote Procedure Call
(RPC) service terminated unexpectedly


(The machine then reboots in 59 seconds.)

This indicates an unsuccessful exploit attempt on an unpatched
machine. If customers see this message, they should most likely
save their work and then disconnect from the network, or else
patch the machine immediately after it reboots
------------------------------------------------------------------------------

AHA!! This was my Exact problem :P

So as it turns out we didn't actually have it, but rather it was trying to get to us...
BAH! :roll:

Downloaded the patch and haven't had a problem since then....

Thought this might save someone a little time and trouble trying to get rid of something they don't have :oops:
~ISA~ (whoa, never thought that would happen)
Am I getting smart with you? ....How would you know?
~Keeper of The War Bong||Owner of Kinky Toys~
User avatar
Hatama
Peasant
 
Posts: 524
Joined: Wed Sep 25, 2002 5:00 pm
Location: Training Screaming Slaves in The Dungeon!

Postby Ain » Wed Aug 13, 2003 12:40 am

Boy am I glad I installed the patch last month at the computers at work... or I would be in deep shit right now.

Lovsan/Blaster is evil... funny though, no one knows what it really does - unless of course spreading and bringing down MS Update is its main function. But people fear the worst; it has a lifecycle until Dec. 31st... so it has a lot of time to wreak havoc if people don't start updating their systems... -really- soon.
User avatar
Ain
Stablehand
 
Posts: 103
Joined: Wed Sep 25, 2002 5:00 pm
Location: Sweden

Postby SpeakerForTheDead » Wed Aug 13, 2003 3:24 am

"RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system."

*sarcasm*
UNHUNH. right. great. wonderful. FANTASTIC!
*/sarcasm*

*russian accent, fist in air*
IDIOTS!
*/russian accent, fist in air*
User avatar
SpeakerForTheDead
Stablehand
 
Posts: 195
Joined: Mon Mar 03, 2003 12:40 am
Location: Shrewsbury, MA

Postby Sunblade » Wed Aug 13, 2003 6:38 am

Bran - have you gotten rid of the virus with the Symantec removal tool and turned off system restore?

Vothus - all of Symantec's virus removal instructions involve turning off System Restore before running the utilities. There's no virus checker I'm aware of that checks the system restore files.

Postby Ain » Wed Aug 13, 2003 6:54 am

I might add that, even in virus-free times, it is wise to shut down the System Restore. Restart the computer. Then turn it on again.

And at this moment, if you don't feel safe, create a new Restore from your Help-menu.

Cleaning those restore files is always a good idea, they are basically junk until you really need them.

Postby The Keeper » Wed Aug 13, 2003 2:00 pm

This has been a very useful post, and I thank you because I had no idea this virus was going around until I first read this (and thank you for putting it in Comments), but I was just wondering whether my computer with Windows '98 is going to be affected by this virus thing, as there seems to be no download for it on the Microsoft TechNet page, and Windows '98 is not in the "affected" bit, neither is it in the "unaffected" bit.
I may be hungry, but I sure ain't wierd...
Richard the Truthful
Unofficial Pigeon Fancier of the Ecclesiastical Inquisition.
User avatar
The Keeper
Stablehand
 
Posts: 278
Joined: Sun Dec 01, 2002 6:17 am
Location: London Guv'nah

Postby Belle » Wed Aug 13, 2003 4:43 pm

From what I'm hearing/reading, the virus/worm thinger doesn't affect Win '98. Still wouldn't be a bad idea to get the updates and virus definitions. :wink:
Who is more irrational? A man who believes in a God he doesn't see, or a man who's offended by a God he doesn't believe in? ~Brad Stine

Jesus loves you but I'm His favorite.

User avatar
Belle
Unstable
 
Posts: 4834
Joined: Wed Sep 25, 2002 5:00 pm

Postby Pistol » Wed Aug 13, 2003 4:58 pm

I got a phone call from a friend two days ago telling me he had a problem with his computer (although I'm not brilliant on computers, I'm the best with them out of my group of mates); anyway, it flummoxed me. He was a bit pissed off because his comp is only three weeks old and he was abroad for 2 of them. When he gets back from Southampton he will be pleased I can now fix it for him :)

It's funny though, I've never done any patches etc. but am yet to suffer from any virus/worm, well at least if I have I haven't noticed it.
"I contend that we are the finest race in the world and that the more of the world we inhabit the better it is for the human race" Taken from the Will of John Cecil Rhodes. If only his dreams had come true.
User avatar
Pistol
Peasant
 
Posts: 697
Joined: Wed Sep 25, 2002 5:00 pm
Location: Wigan - England

Postby Sunblade » Wed Aug 13, 2003 10:03 pm

The Keeper - it only affects XP/NT/2k.

Pistol - in theory, you wouldn't get this worm if you had XP Firewall turned on - or any other firewall software.

This plays on the millions of people who don't patch, who don't have firewalls, and who don't have AV programs. Darwin would be proud.

Postby Vesperan » Thu Aug 14, 2003 12:24 am

I love this virus.

Absolutely, unconditionally.

Why?
Because it took down the university computer system for a day, right in a crucial time of assignments and essays.. and so I have an extension for the essay that was due in tomorrow (a 5 day one as well, which is a bit extreme.. not that im complaining)! *does the happy dance*

Postby Bran » Thu Aug 14, 2003 12:32 am

Yeah Sunny, I downloaded the patch and now my computer isn't shutting down. Then I did the search for msblast.exe like it told you to on the Symantec website, but I could not find it.. turned off the restore like I was supposed to and rebooted, and it is still asking me for the correct application to open up TFTP.. go figure.. lol
"fortes fortuna adiuvat"
DF

Postby Pistol » Thu Aug 14, 2003 2:08 am

I don't think I have a firewall either. I have never installed one anyway; maybe our kid has been getting these patches for me.

Postby Cyric » Thu Aug 14, 2003 2:15 am

I'm glad basic firewalls block this.

It uses a port like 135 or something like that (TFTP port) to spread.
User avatar
Cyric
Stablehand
 
Posts: 419
Joined: Wed Sep 25, 2002 5:00 pm
