windoze shut down
Discussion
I've been having problems recently with Windows XP shutting down due to 'Remote procedure call service terminating unexpectedly'. It only happens when I'm online and pops up an unclosable dialogue box displaying a one-minute-to-shutdown counter. You can't stop the count; you can only frantically save everything you're working on before it's goodnight Vienna.
Anyone else seen this?
NRE
Sounds like the msblast virus to me
Read this from Mcafee.com:
Virus Information
Name: W32/Lovsan.worm.a
Risk Assessment
- Home Users: Medium
- Corporate Users: Medium
Date Discovered: 8/11/2003
Date Added: 8/11/2003
Origin: Unknown
Length: 6,176 bytes
Type: Virus
SubType: Internet Worm
DAT Required: 4284
Virus Characteristics
-- Update 25 August 2003 --
The risk assessment of this threat was lowered to Medium due to a decrease in prevalence.
-- Update 15 August 2003 --
Microsoft has removed the DNS entry for windowsupdate.com to prevent the Denial of Service attack against this domain. This does not prevent users from using Windows Update to patch their systems, as this is not the address used when clicking on the Windows Update link.
-- Update 13 August 2003 --
Two new variants were discovered and are detected exactly with the 4285 DAT files.
teekids.exe (5,360 bytes) [detected as W32/Lovsan.worm.b]
penis32.exe (7,200 bytes) [detected as Exploit-DcomRpc]
These are functionally similar to the original W32/Lovsan.worm.
--
This threat was proactively detected as a variant of Exploit-DcomRpc with the 4283 DAT files and 4.1.60+ scan engine. This detection requires the scanning of compressed executables to be enabled (VirusScan 7 provides the ability to disable this option, however it is enabled by default).
This threat exploits the MS03-026 vulnerability. The purpose of the virus is to spread to as many machines as possible. By exploiting an unplugged hole in Windows, the virus is able to execute without requiring any action on the part of the user. The worm also creates a remote access point, allowing an attacker to run system commands at their choosing.
When run, it scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability on the found systems to create a remote shell on TCP port 4444. It then instructs the system to download the worm to the %WinDir%\system32 directory and execute it. (The target system is issued a TFTP command to download the worm from the infected host system [TFTP UDP port 69].)
Once run, the worm creates the registry key (may be either of the following):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill
This will appear in regedit as:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update" = msblast.exe
Although Win9x/ME/NT/2K/XP can carry the virus, automatic execution and infection only occurs on Win2K/XP.
Indications of Infection
- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
- Error messages about the RPC service failing (causes system to reboot)
- The worm randomly opens 20 sequential TCP ports for listening. This is a constantly revolving range (i.e. 2500-2520, 2501-2521, 2502-2522). The purpose of this action is unknown.
Method of Infection
This worm spreads by exploiting a recent vulnerability in Microsoft Windows. The worm scans the local class C subnet, or other random subnets, on port 135. Discovered systems are targeted. Exploit code is sent to those systems, instructing them to download and execute the file MSBLAST.EXE from a remote system via TFTP.
When W32/Lovsan.worm attempts to infect a machine on port 135 it sends a carefully crafted packet designed to cause the buffer overflow. The code execution path after a buffer overflow is specific to files and their locations in memory on a target machine.
Normally that means that an exploit would only target a single OS - for example, Windows XP or Windows 2000, as the location of certain files in memory on each platform is usually slightly different. W32/Lovsan.worm actually semi-randomly tries the Windows 2000 exploit (with 20% probability) and the Windows XP exploit (with 80% probability) in turn - if it "guesses" correctly then it will infect your machine, if it "guesses" incorrectly then it will crash your machine!
The author didn't code anything for Windows NT 4, so therefore it will only crash this platform!
The worm contains a payload to initiate a Denial of Service attack against windowsupdate.com after August 16. The worm only checks the local system date upon execution. If an infected system is left on and the date rolls over to Aug 16, the payload will not kick off until the system is restarted.
This payload involves sending 40 byte SYN packets to windowsupdate.com on TCP port 80 for the purpose of preventing users from patching their systems via Windows Update. The source IP address is spoofed on each packet, using a random local CLASS B IP.
Computers that have up-to-date antivirus software will detect the worm executable (msblast.exe) upon download and prevent that machine from becoming a host for W32/Lovsan.
However, unless the system has been (MS03-026) patched, it is susceptible to the buffer overflow attack from an infected host machine. An infected machine (running msblast.exe) will send out malformed packets across the local subnet to the RPC service running on port 135. When these packets are received by any unpatched system, it will create a buffer overflow and crash the RPC service on that system. All this can occur without the worm actually being on the machine. This means that the remote shell will still get created on TCP port 4444, and the system may unexpectedly crash upon receiving malformed exploit code.
Other symptoms may include:
inability to cut/paste
inability to move icons
Add/Remove Programs list empty
dll errors in most Microsoft Office programs
generally slow, or unresponsive system performance
By applying the MS03-026 patch to the machine, it will prevent the RPC service from failing, in-turn solving these symptoms. It is very important that the machine is rebooted after the patch has been installed. The machine can then be updated to the latest dats/engine/config and an on-demand scan run to pickup msblast.exe, IF it exists. All of these symptoms are related to the RPC vulnerability and not necessarily due to W32/Lovsan running locally. Msblast.exe may not be present at all.
Removal Instructions
Microsoft Patches
It is imperative that infected systems are patched prior to disinfecting a system. Some systems may be in a “crash loop” where each time the system is restarted, SVCHOST.EXE crashes and the user has 60 seconds before the system restarts. This action can continue to happen even after the virus is removed if the patch is not applied. It may be necessary to install/configure a firewall prior to downloading/installing this patch. Microsoft has outlined the necessary steps to address Windows issues when removing this virus. These actions should be taken prior to removing the virus (see below).
What You Should Know About the Blaster Worm
Virus Removal :
Use the current DAT file for detection and removal. The 4283 DAT files will detect this threat as a variant of Exploit-DcomRpc. Infected systems must be patched prior to removal of the virus (see below).
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Stand alone remover
Stinger has been updated to include detection/removal of this threat.
Sniffer Customers: A new filter has been developed that will look for any traffic exploiting the RPC Exploit, plus traffic on port 4444 (Lovsan) and traffic on 707 (Nachi) (Sniffer Distributed 4.3 and Sniffer Portable 4.7.5).
Manual Removal Instructions
To remove this virus "by hand", follow these steps:
Apply the MS03-039 patch (includes MS03-026 patch)
Terminate the process msblast.exe
Delete the msblast.exe file from your WINDOWS SYSTEM32 directory (typically c:\windows\system32 or c:\winnt\system32)
Edit the registry
Delete the "windows auto update" value from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Threatscan users
The latest ThreatScan signature (2003-08-12) includes detection of the W32/Lovsan.worm virus. This signature is available for ThreatScan v2.0, v2.1, and v2.5.
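The McAfee text above lists the host-side indicators (the 4444 shell listener, the worm's TFTP server on UDP 69, the revolving run of 20 sequential listeners, msblast.exe and TFTP* leftovers in system32, and the "windows auto update" Run value). The script below turns those into one triage pass. It is an added example, not McAfee's tooling or anything posted in the thread; the netstat output, Run key contents and system32 listing are constructed samples, and the function names are illustrative. On a real box you would feed it the output of netstat -an, the values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and a dir of system32, and, as the advisory says, patch or firewall the machine first so the 60-second reboot loop stops before you start cleaning.

```python
import re

# Constructed sample of `netstat -an` output from an infected Windows XP host:
# RPC on 135 is normal; 4444 is the exploit's remote shell, UDP 69 is the
# worm's TFTP server, and 2500-2519 is the revolving run of 20 listeners.
SAMPLE_NETSTAT = "\n".join(
    ["  Proto  Local Address          Foreign Address        State",
     "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
     "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING",
     "  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING",
     "  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING",
     "  TCP    192.168.1.20:1054      192.168.1.33:135       SYN_SENT"]
    + [f"  TCP    0.0.0.0:{p:<6}         0.0.0.0:0              LISTENING"
       for p in range(2500, 2520)]
    + ["  UDP    0.0.0.0:69             *:*"]
)
# Constructed contents of HKLM\...\CurrentVersion\Run and of system32.
SAMPLE_RUN_VALUES = {
    "windows auto update": "msblast.exe I just want to say LOVE YOU SAN!! bill",
    "SoundMAX": r"C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe",
}
SAMPLE_SYSTEM32 = ["kernel32.dll", "msblast.exe", "TFTP2340", "tftp.exe"]

WORM_BINARIES = {"msblast.exe", "teekids.exe", "penis32.exe"}  # names from the advisory
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Map proto -> set of local ports that are listening (UDP sockets count)."""
    listeners = {"TCP": set(), "UDP": set()}
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m is None:
            continue
        proto, port, state = m.group(1), int(m.group(2)), m.group(3)
        if proto == "UDP" or state == "LISTENING":
            listeners[proto].add(port)
    return listeners


def longest_sequential_run(ports):
    """(length, first port) of the longest run of consecutive port numbers."""
    best = (0, None)
    ordered = sorted(ports)
    i = 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        if j - i + 1 > best[0]:
            best = (j - i + 1, ordered[i])
        i = j + 1
    return best


def check_run_key(run_values):
    """Flag the 'windows auto update' value; its data starts with msblast.exe
    and may carry the worm's embedded message after the file name."""
    return [f"Run value {name!r} = {data!r}" for name, data in run_values.items()
            if name.lower() == "windows auto update"
            or data.lower().startswith("msblast.exe")]


def check_system32(listing):
    """Worm binaries and TFTP* leftovers in system32. tftp.exe itself is the
    legitimate Windows client and is not flagged."""
    findings = []
    for name in listing:
        low = name.lower()
        if low in WORM_BINARIES:
            findings.append(f"worm binary in system32: {name}")
        elif low.startswith("tftp") and low != "tftp.exe":
            findings.append(f"unusual TFTP file in system32: {name}")
    return findings


def triage(netstat_text, run_values, system32_listing):
    """Return every Blaster indicator found; an empty list means none."""
    findings = check_run_key(run_values) + check_system32(system32_listing)
    listeners = parse_listeners(netstat_text)
    if 4444 in listeners["TCP"]:
        findings.append("TCP 4444 listening (shell left by the DCOM RPC exploit)")
    if 69 in listeners["UDP"]:
        findings.append("UDP 69 listening (worm serving msblast.exe over TFTP)")
    run_len, start = longest_sequential_run(listeners["TCP"])
    if run_len >= 20:
        findings.append(f"{run_len} sequential TCP listeners from port {start}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_RUN_VALUES, SAMPLE_SYSTEM32):
        print("FOUND:", finding)
```

A machine that shows only the RPC crash but none of these indicators is the case the advisory describes at the end of "Method of Infection": an unpatched box being hit from an infected neighbour, where msblast.exe may never be present and the fix is still the MS03-026 patch.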
nre said:
I've been having problems recently with Windows XP shutting down due to 'Remote procedure call service terminating unexpectedly'. It only happens when I'm online and pops up an unclosable dialogue box displaying a one-minute-to-shutdown counter. You can't stop the count; you can only frantically save everything you're working on before it's goodnight Vienna.
Anyone else seen this?
NRE
Where have you been for the last 2 months?
One of Blaster or Welchia will land you with a running process called dllhost.exe, if I recall.
The crash you're seeing is because the worm can overload the DCOM/MSRPC stuff, causing it to crash. Windows regards it as essential, and deems a reboot necessary to restart it. Why it can't just /restart/ the service without a reboot is beyond me, but that's Windows for you.
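The reply above covers what the crash looks like from the host. The McAfee text quoted earlier in the thread also describes what the worm does on the wire (the class C sweep on TCP 135, the 4444 shell followed by the TFTP fetch on UDP 69, and the 40-byte SYN flood to port 80 with sources spoofed into the infected host's /16), which is what a network filter such as the Sniffer one it mentions keys on. The script below applies those three rules to packet summaries. It is an added example, not McAfee's filter or anything from the thread; the capture is constructed, 192.168.1.20 is the assumed infected host on a 192.168.1.0/24 segment, and 203.0.113.10 is a documentation address standing in for the DoS target.

```python
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

# One summarised packet as a sniffer would decode it.
Pkt = namedtuple("Pkt", "src dst proto sport dport flags length")


def sample_capture():
    """Constructed capture from a 192.168.1.0/24 segment; nothing real."""
    pkts = []
    # spread phase: the local class C swept for TCP 135
    for host in range(1, 41):
        pkts.append(Pkt("192.168.1.20", f"192.168.1.{host}", "TCP", 1100 + host, 135, "S", 48))
    # one host exploited: connect to the 4444 shell, then the victim
    # fetches the worm back from the attacker over TFTP (UDP 69)
    pkts.append(Pkt("192.168.1.20", "192.168.1.33", "TCP", 1150, 4444, "S", 48))
    pkts.append(Pkt("192.168.1.33", "192.168.1.20", "UDP", 1030, 69, "", 60))
    # DoS phase: 40-byte SYNs to port 80 with the source spoofed to a random
    # address in the infected host's /16 (none of these land in 192.168.1.x)
    for i in range(30):
        src = f"192.168.{(i * 37) % 256}.{(i * 91) % 256}"
        pkts.append(Pkt(src, "203.0.113.10", "TCP", 1200 + i, 80, "S", 40))
    return pkts


def detect_port135_sweep(pkts, min_targets=20):
    """Sources that sent SYNs to TCP 135 on at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for p in pkts:
        if p.proto == "TCP" and p.dport == 135 and "S" in p.flags:
            targets[p.src].add(p.dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


def detect_exploit_chain(pkts):
    """(attacker, victim) pairs where the attacker connected to TCP 4444 on the
    victim and the victim pulled a file from the attacker on UDP 69."""
    shells = {(p.src, p.dst) for p in pkts if p.proto == "TCP" and p.dport == 4444}
    fetches = {(p.dst, p.src) for p in pkts if p.proto == "UDP" and p.dport == 69}
    return sorted(shells & fetches)


def detect_spoofed_syn_flood(pkts, local_segment):
    """40-byte SYNs to port 80 whose source address cannot belong to the segment
    the sniffer sits on; an egress filter would drop these for the same reason."""
    segment = ip_network(local_segment)
    return [p for p in pkts
            if p.proto == "TCP" and p.dport == 80 and p.flags == "S"
            and p.length == 40 and ip_address(p.src) not in segment]


if __name__ == "__main__":
    capture = sample_capture()
    print("135 sweep:", detect_port135_sweep(capture))
    print("exploit chains:", detect_exploit_chain(capture))
    print("spoofed SYNs:", len(detect_spoofed_syn_flood(capture, "192.168.1.0/24")))
```

The spoofing rule only catches sources outside the local /24; a spoofed address that happens to fall inside the segment would pass, so on a real sensor you would also compare against the known host list or MAC-to-IP mappings.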