  #1  
08-12-2003, 12:56 PM
Jamey Saunders
Moderator
 
Join Date: Jul 2002
Location: Portal, GA - If you know where it is, you probably got a speeding ticket.
Posts: 1,951
New internet worm -- protect yourselves!

{SHORT STORY}

There's a new internet worm. Run Windows update and check out http://sarc.com/avcenter/venc/data/w...ster.worm.html for more information.

{END SHORT STORY}

{THE LONG STORY}

I'm feeling pretty humbled right now. All these years, and I've never been bitten by a serious worm or virus. Oh, sure, I've had minor viruses (viri?) in the past, but nothing major. But last night, my laptop became a victim of the W32.blaster worm.

I have to admit that this is a pretty ingenious worm. I have absolutely no idea how I got it, as I am behind a firewall most of the time (at work) and I never accept attachments. Last night, however, when I was at home on the dial-up line, my computer issued me a message saying that the "RPC subsystem" had terminated and the computer would restart in one minute.

I thought that was odd, but hey, I'm running Windows. Odd-ball errors are to be expected. I let the computer restart, logged back onto the Information Superhighway, and in two minutes, I got the same message.

OK, by this time, I'm pretty sure I've got a virus. I fire up my anti-virus and run a full-system scan. Nothing. Clean as a whistle. Now I'm starting to get concerned.

Then it came to me. I remembered hearing about a nasty little worm making the rounds when I was watching "The Screensavers" on TechTV. I logged back onto the internet and Googled the message "RPC subsystem terminated". Lo and behold, there are the messages -- It's a nasty worm that is propagating over the internet and exploiting a hole in Windoze.

Basically, it looks on the internet for an open port (TCP Port 135). Once it finds one, it loads a program onto the target machine and attempts to run it. The error gets issued because the program has guessed the wrong operating system.

Microsoft has a patch for this problem at the windows update site. But here's where the worm is really nasty: The program that is being run is targeted specifically to run a denial-of-service attack on the Windows Update site!

The solution for me was to turn on the Windoze XP firewall until I could get to work this morning and load the latest update. If you haven't done this, do it. If the worm guesses the right OS, I am assuming that it will work in the background without you even knowing it.

The program that is being run is msblast.exe. If you do a full-system search for "msblast" and find that file, DELETE IT! Then load your updates. This has apparently spread so rapidly that my antivirus (updated Sunday) didn't even catch it.

Here's the URL to Symantec's dissertation on this worm, including the fix instructions. They have a tool to remove the problem, but you really should load the Windows updates to shut down this vulnerability.

http://sarc.com/avcenter/venc/data/w...ster.worm.html

{END LONG STORY}


__________________
Jamey Saunders -- Charter Member, GCKG
(Got a question? Have you tried to for the answer?)

"I won't be wronged, I won't be insulted, and I won't be laid a hand on. I don't do these things to other people, and I require the same of them." --John Wayne, in The Shootist

Last edited by Jamey Saunders; 08-12-2003 at 12:58 PM.
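
Added example, not part of the original post: the post above describes the worm looking for machines with TCP port 135 open, so on a network an infected machine appears in firewall logs as one source trying many different destinations on that port. The log format, addresses and threshold here are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample firewall log (not from the thread).
# Fields: timestamp, source IP, destination IP, destination port, action
SAMPLE_LOG = """\
2003-08-12T21:04:01 192.168.1.20 192.168.1.21 135 DENY
2003-08-12T21:04:01 192.168.1.20 192.168.1.22 135 DENY
2003-08-12T21:04:02 192.168.1.20 192.168.1.23 135 ALLOW
2003-08-12T21:04:02 192.168.1.20 192.168.1.24 135 DENY
2003-08-12T21:04:03 192.168.1.20 192.168.1.25 135 DENY
2003-08-12T21:04:03 192.168.1.20 192.168.1.26 135 DENY
2003-08-12T21:05:10 192.168.1.30 192.168.1.2 135 ALLOW
2003-08-12T21:05:40 192.168.1.30 192.168.1.2 135 ALLOW
2003-08-12T21:06:00 192.168.1.31 192.0.2.10 80 ALLOW
2003-08-12T21:06:01 192.168.1.31 192.0.2.11 80 ALLOW
garbled line
"""

def _port135_events(log_text, port=135):
    """Yield (src, dst, action) for well-formed lines aimed at `port`."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[3].isdigit():
            continue  # skip malformed lines instead of failing the whole run
        _ts, src, dst, dport, action = fields
        if int(dport) == port:
            yield src, dst, action

def find_scanners(log_text, min_targets=5):
    """Map each source to its count of distinct TCP 135 destinations,
    keeping only sources that tried at least `min_targets` of them."""
    targets = defaultdict(set)
    for src, dst, _action in _port135_events(log_text):
        targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}

def exposed_targets(log_text, min_targets=5):
    """Destinations that accepted a TCP 135 connection from a flagged source;
    these are the machines to firewall, patch and check first."""
    scanners = find_scanners(log_text, min_targets)
    return sorted({dst for src, dst, action in _port135_events(log_text)
                   if src in scanners and action == "ALLOW"})

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
    print(exposed_targets(SAMPLE_LOG))
```

A machine that talks to a single server on port 135 stays below the threshold; only the fan-out pattern is flagged.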
  #2  
08-12-2003, 01:13 PM
Rob Frink
Steel Addict
 
Join Date: Jun 2002
Location: Columbus, Ohio
Posts: 283
yeppers! I got nailed yesterday. Can't figure out how I got it....as I use norton and with auto updates....email scan and computer scan every evening.

It was MSblaster.exe. and it caused the rpc shut down thing.

I used the fixes from norton's web site...but had to use a different computer to find out what was wrong since the infected computer kept shutting down every 2-3 min with the RPC message.

I think I'm back up to speed.

-Rob


__________________
Robert Frink
BeaumontMetalWorks.com
  #3  
08-12-2003, 01:20 PM
Jamey Saunders
Moderator
 
Join Date: Jul 2002
Location: Portal, GA - If you know where it is, you probably got a speeding ticket.
Posts: 1,951
Rob, best I've been able to figure out, the worm is not spread by email. It is spread on the open internet. Just being on the internet without a firewall and having TCP Port 135 open exposes you to getting this worm.

To put it simply...

We've been hacked!

Glad you got it sorted out.


__________________
Jamey Saunders -- Charter Member, GCKG
(Got a question? Have you tried to for the answer?)

"I won't be wronged, I won't be insulted, and I won't be laid a hand on. I don't do these things to other people, and I require the same of them." --John Wayne, in The Shootist
  #4  
08-12-2003, 01:47 PM
Chuck Burrows
Super Moderator
 
Join Date: Sep 2002
Location: Durango, Co
Posts: 3,671
For those who are infected and can't do a Windows Update - Here is the MS info page re: msblast with a link for the patch.

http://search.microsoft.com/search/r...exe&View=en-us

Note according to this Bulletin the patch is ONLY for computers using the NT platform : NT 4.0, Windows 2000, and Windows XP. Did a Windows Update search and there is no patch for Win 95/98 so apparently it is aimed at the newer Windows machines.


__________________
Chuck Burrows
Hand Crafted Leather & Frontier Knives
dba Wild Rose Trading Co
Durango, CO
chuck@wrtcleather.com
www.wrtcleather.com


Wild Rose Trading Co - Handcrafted Knife Sheaths



The beautiful sheaths created for storing the knife elevate the knife one step higher. It celebrates the knife it houses.
  #5  
08-12-2003, 03:48 PM
Rob Frink
Steel Addict
 
Join Date: Jun 2002
Location: Columbus, Ohio
Posts: 283
Jamey,

Thanks! I use a dial up ISP...... I didn't think it was possible for me to get anything other than from email. I could understand if I was using a T1. uhhhh....It's way over my head.....I wish the folks that did it (viruses) would spend their brilliance on something more constructive.

Whatta ya do?

-Rob


__________________
Robert Frink
BeaumontMetalWorks.com
  #6  
08-12-2003, 03:58 PM
Jamey Saunders
Moderator
 
Join Date: Jul 2002
Location: Portal, GA - If you know where it is, you probably got a speeding ticket.
Posts: 1,951
I write accounting software for Georgia county and municipal governments. We do property tax billing and mobile home tax billing for most of the state of Georgia. All the internet stuff (web pages, security, etc.) is a side hobby of mine. Our software still runs as a "green-screen" application!


__________________
Jamey Saunders -- Charter Member, GCKG
(Got a question? Have you tried to for the answer?)

"I won't be wronged, I won't be insulted, and I won't be laid a hand on. I don't do these things to other people, and I require the same of them." --John Wayne, in The Shootist
  #7  
08-12-2003, 04:10 PM
Chuck Burrows
Super Moderator
 
Join Date: Sep 2002
Location: Durango, Co
Posts: 3,671
The other geeks in the crowd may find this of interest re: TCP PORT 135
Quote:
"It's very likely that a new worm à la "code red" will emerge to exploit this vulnerability."
Here's a link to the full article
http://www.nta-monitor.com/news/port135-overview.htm


Quote:
I wish the folks that did it (viruses) would spend their brilliance on something more constructive.

Whatta ya do?
A good lynch mob maybe :confused:

I believe in Singapore malicious hacking is punishable by death.?


__________________
Chuck Burrows
Hand Crafted Leather & Frontier Knives
dba Wild Rose Trading Co
Durango, CO
chuck@wrtcleather.com
www.wrtcleather.com


Wild Rose Trading Co - Handcrafted Knife Sheaths



The beautiful sheaths created for storing the knife elevate the knife one step higher. It celebrates the knife it houses.

Last edited by Chuck Burrows; 08-12-2003 at 04:12 PM.
  #8  
08-13-2003, 09:22 PM
john costa
Skilled
 
Join Date: Jun 2002
Location: watkinsville, ga
Posts: 488
I've just spent the last 6 hours trying to get mine fixed. Chuck or Jamey, if you see this and are so inclined , give me a call. Maybe you can answer a couple of questions. thanks, jc 706-769-6624


__________________
IF YOU DON'T STAND FOR SOMETHING
YOU'LL FALL FOR ANYTHING....

GEORGIA CUSTOM KNIFEMAKERS GUILD / CHARTER MEMBER
  #9  
08-24-2003, 09:49 PM
Martyn
Skilled
 
Join Date: Jun 2002
Location: England, near Europe.
Posts: 509
Don't feel bad Jamey, I got nailed almost as soon as the ####ed thing came out. I'm running a bang up to date version of Norton, on a win 2k system with zone alarm pro firewall and it still nailed me. I couldn't figure out why I was getting these vchost.exe crashes. That's the thing that manages how your browser handles url's on the internet. I lost the ability to click links or use right click to "open a new window". I searched high and low for a solution and while doing some research on vchost.exe, came across an early alert for the blaster32 worm. Once I knew my problems were virus related, I popped over to symantec who had by then issued a scan tool for download. Bingo, there it was. I wiped it and ran the security patch from microsoft.

At work (a large hospital employing 5,000 people), the entire network has been infected. We have terminals all over the place and they all have net access.


__________________
BritishBlades.com
  #10  
08-25-2003, 03:06 PM
StevePryor
Steel Addict
 
Join Date: Jun 2002
Location: Foothills of the Ozarks
Posts: 225
I got *blasted* also, even though being on an antiquated dial up system and running firewalls, etc.. It took me two days just to get up and running again and will take two yrs. or more to reload/reconfig everything.
I agree totally in the death penalty, but if the gov. does catch them, they will probably reward them with a cushy job.
Personally I think they should be staked out in a field and let everyone that has been hit by the virus, ten at a time drive golf balls at em from 50ft....and that's just for starters.


__________________


www.stevescutlery.com