New Worm called mblaster

Neo Valen
Registered User
Join date: 29 Jan 2003
Posts: 228
08-12-2003 22:48
There is a new worm that is on the net and many people are getting infected. It attacks your ports and shows the following message: THIS SYSTEM IS SHUTTING DOWN PLEASE SAVE ALL WORK IN PROGRESS AND LOG OFF. Any unsaved changes will be lost. This shutdown was initiated by NT Authority/System.

Time Before Shutdown: 00:01:00 minute
Message
Windows must now restart because the Remote Procedure Call(RPC) service terminated unexpectedly.

If you see the following message you are already infected and I will include a link for the fix for you. It is the following.
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

This tool will work by scanning your entire system and finding the infected file. After you run the tool, do the following: go to Start and go to Search on your Windows application. In the search box type in the following: mblast.exe.

If you still see the file present on your system, do not double-click it. Simply right-click it and scroll down to delete and then immediately empty your recycling bin. Just to be sure you got rid of the file, do the same search once again and see if the file still comes up; if it does, try deleting it again. If after the second attempt it still won't delete, reboot the computer and run the tool once again. The second time it should remove it.

If you don't have the problem yet or haven't seen this window, you are not excused. You will need to try the following: first off, go to search for files and enter in mblast.exe, and if nothing comes up you are fine. Now you still wanna make sure you don't get it; it can majorly hurt your system. I urge everyone to get the patch.

The downloadable patch can be found at the following address for each different system.

Windows NT 4.0 Server
http://microsoft.com/downloads/details.aspx?FamilyId=2CC66F4E-217E-4FA7-BDBF-DF77A0B9303F&displaylang=en

Windows NT 4.0 Terminal Server Edition
http://microsoft.com/downloads/details.aspx?FamilyId=6C0F0160-64FA-424C-A3C1-C9FAD2DC65CA&displaylang=en


Windows 2000
http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en

Windows XP 32 bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

Windows XP 64 bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=1B00F5DF-4A85-488F-80E3-C347ADCC4DF1&displaylang=en

Windows Server 2003 32 bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=F8E0FF3A-9F4C-4061-9009-3A212458E92E&displaylang=en

Windows Server 2003 64 bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=2B566973-C3F0-4EC1-995F-017E35692BC7&displaylang=en

Download these patches, they can potentially ruin your systems. This may be in the wrong forum, so please kick it to wherever is needed. A lot of people I know are already infected and have had major problems. I was lucky and found everything I needed, so take the time to make your computer safe against this deadly virus exploitation.
_____________________
Who Are THEY Anyways?
Pituca FairChang
Married to Garth
Join date: 17 May 2003
Posts: 2,679
08-13-2003 00:37
Thanks to a chat with Neo and Ramon tonight and then an alert from Oda, I searched my files and nothing there, so downloaded the patch and put up a firewall.

Thanks guys!
_____________________
Mac Beach
Linux/OS X User
Join date: 22 Mar 2002
Posts: 458
08-13-2003 01:56
I'LL YELL LOUDER NEXT TIME !!

/120/1f/4228/1.html

This is the same one that Homeland Security sent the warning out about, and Microsoft has been screaming their head off over it since mid July.

Yet the entire state of Maryland was practically shut down today. They are hoping to be able to issue drivers licenses and things like that again tomorrow.

The other interesting thing is that once the thing is on your computer (so far) it has been attacking the same Microsoft site from which you can download the patches. Hence that site has been unavailable off and on too.

But keep trying. It's important.

If you are behind a firewall you are probably pretty safe. But get it anyway.

(use Neo's patch links not mine, as his may be updated for this specific variant)
Hikaru Yamamoto
Oldbie
Join date: 10 Mar 2003
Posts: 895
08-13-2003 06:37
I had this a few days ago, I got it fixed though thanks to Gwydeon ;)
Sinclair Valen
The One who Was
Join date: 1 May 2003
Posts: 360
08-13-2003 09:42
Originally posted by Pituca Chang
Thanks to a chat with Neo and Ramon tonight and then an alert from Oda, I searched my files and nothing there, so downloaded the patch and put up a firewall.

Thanks guys!


Umm, which firewall PC? I've been unable to run NPF 2002 since the advent of SL v1.0.3; still have to disable the firewall to get in.

Makes me a nervous SL'er.

=SV
_____________________
* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - *
SL Fiction:: "HIPPOS: Gnomecrusher's Legacy"

In a world of Second Life, Stomp, Maw and Wallow are three young hippos.
Seeking to avenge their lost father, they soon discover a threat to all Avatars.

(2006-08) Unforgotten. Please stand by.
Grim Lupis
Dark Wolf
Join date: 11 Jul 2003
Posts: 762
08-13-2003 10:18
Have you tried ZoneAlarm?
_____________________
Grim

"God only made a few perfect heads, the rest of them he put hair on." -- Unknown
Pituca FairChang
Married to Garth
Join date: 17 May 2003
Posts: 2,679
08-13-2003 11:02
Just the XP one Sinc, and call me Pit. LOL I looked at PC and thot "Personal Computer" or "Politically Correct". Took me a bit to compute what you were saying. I have been called "Pit" (or "Tuca";) for almost 5 yrs.

:cool: :cool: :cool:
_____________________
Wednesday Grimm
Ex Libris
Join date: 9 Jan 2003
Posts: 934
08-13-2003 12:06
To stop the shutdown (so you can get patches and removal tools and whatnot running) go Start->Run and run this command:
shutdown /a

Also, Mac:

2:00 pm: HOLY CATS! A critical security warning from Microsoft, I'd better install the patch post haste!

2:10 pm: EGADS! Another critical security warning from Microsoft, those evil hackers sure have been busy, TO THE PATCHMOBILE!

2:15 pm: GOODNESS! It seems the most recent critical security patch introduced 7 new critical security holes. PATCH PATCH BABY!

2:25 pm: HELLO! The last patch totally boned my system because I was running the latest service pack. How silly of me to install a service pack as soon as it came out. Time to reinstall, THEN MORE PATCH ROULETTE!
_____________________
Sarcasm meter:
0 |-----------------------*-| 10
Rating: Awww Jeeze!
Mac Beach
Linux/OS X User
Join date: 22 Mar 2002
Posts: 458
08-13-2003 13:53
There is always a lot of debate about whether to install Microsoft patches as soon as they come out. I monitor a mailing list of Windows system administrators and they are absolutely livid over the Microsoft handling of recent security issues. If you are being paid to administer a company's network your job can be at risk for making the wrong choice, but thanks to the End User License Agreement Microsoft can never be held responsible no matter how bad they screw up or what the damages are.

Here is a Slashdot post in which someone claims they actually lost their job by applying Microsoft patches too soon:

http://slashdot.org/comments.pl?sid=74531&cid=6682516

Here was the last message from the mailing list I mentioned above:

Date: Tue, 12 Aug 2003 18:42:03 -0400
Reply-To: Windows NTBugtraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Sender: Windows NTBugtraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
From: Russ <Russ.Cooper@RC.ON.CA>
Subject: Some laughs about the worm...
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

I'm going to pack it in for a few hours now, possibly until tomorrow unless lightning strikes nearby, but I thought I'd leave you with a few humorous anecdotes. People wonder why people get bitten by attacks like these, consider;

1. AV Vendors can't agree on what to call this worm, or, for that matter, what not to call it.

2. Patch Management solutions can't seem to agree as to whether or not the patch is or isn't applied, or even if it is or isn't needed.

3. Microsoft wrote the patch specifically for W2K SP2 and SP3, but because SP4 shipped prior to the patch being released, said it was supported only on the current and N-1 SP (SP3 and SP4). It's taken them 27 days to officially say it will work on a platform they designed it for.

4. People DoS'd (more or less) WindowsUpdate trying to get the patch today. So much for warning them in advance, what we need is fatter pipes to handle the traffic when things happen.

5. Older is more secure, since no mention has come my way of a Win9x system being infected. Isn't that supposed to be working the other way around?

Anyway, just chuckle, don't argue, the points above...;-]

Cheers,
Russ - NTBugtraq Editor
Jonny Cook
Junior Member
Join date: 4 Aug 2003
Posts: 24
08-14-2003 19:01
So when's this ever going to stop going around?