Exploit-DcomRpc MSBlast.exe W32/Lovsan.worm
Posted by Jim on 11 August, 2003
Category Viruses and Hoaxes
If a machine is a target of the currently available exploit program
for the MS03-026 vulnerability, it will in some cases pop up a window titled "System Shutdown" with the text:
This system is shutting down. Please save all work in progress
and log off. Any unsaved changes will be lost. This shutdown
was initiated by NT AUTHORITY\SYSTEM
Time before shutdown: 00:00:59
Message:
Windows must now restart because the Remote Procedure Call
(RPC) service terminated unexpectedly
(The machine then reboots in 59 seconds.)
This indicates an unsuccessful exploit attempt on an unpatched
machine. If customers see this message, they should most likely save their work and then disconnect from the network, or else patch the machine immediately after it reboots.
So what we did was get her a copy of the MS patch for this security hole. Deleted the MSBlast.exe file from her computer (she IM'd it to me for further handling). Applied the patch and now she's going through the tedious task of updating her computer with the latest MS updates and then getting an updated virus signature file and installing a firewall.
Doing a search on Google for MSBlast.exe, which was showing up in her startup configuration, yielded no answers. The answers were found by searching for the specific error messages that her computer displayed. The winning keywords were "nt authority\system shutdown", and I found the main clues to the problem at techsupportforum.com.
When I got the file, my McAfee program identified this virus as the Exploit-DcomRpc. Since McAfee's search did not reveal anything on the MSBlast.exe file, I forwarded it to their labs. Got a real quick response! Their labs said it was the W32/Lovsan.worm. And guess what? This MSBlast.exe is now showing up in their search. Here's what's even better! I sent the file to them at 4:28pm; they responded with an autoreply at 4:33pm, it was escalated to their techs and replied to at 4:34pm, and added & updated in the virus information library at 4:57. This is why I really like McAfee.
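The two checks the cleanup above boils down to, a startup entry for MSBlast.exe and a missing MS03-026 patch, can be scripted for triage. This is an added example, not part of the original post; it assumes the MS03-026 update shows up as hotfix KB823980 on the host and that the worm's startup entry lives in the standard Run keys.

```powershell
# Added example (not from the original post): triage for the symptoms the
# post describes - an MSBlast.exe startup entry and a missing MS03-026 patch.
# Assumptions: the patch is listed as KB823980 on the host, and the startup
# entry is in the usual Run keys; adjust both if your environment differs.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Collect every Run value whose command line references msblast.exe
$hits = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match 'msblast\.exe') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

if ($hits) {
    Write-Warning 'MSBlast.exe startup entry found; disconnect the host, then remove it:'
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No MSBlast.exe startup entries in the Run keys.'
}

# MS03-026 (assumed to be KB823980); if absent, the RPC/DCOM hole is still open
$patch = Get-HotFix -Id 'KB823980' -ErrorAction SilentlyContinue
if ($patch) {
    Write-Output "MS03-026 patch present (installed $($patch.InstalledOn))."
} else {
    Write-Warning 'MS03-026 patch (KB823980) not found; apply it before reconnecting to the network.'
}
```

Run it from an elevated prompt so the HKLM key and hotfix list are readable; a clean result on both checks is what you want to see before the machine goes back online.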
Additional Links:
http://vil.nai.com/vil/content/v_100547.htm for the W32/Lovsan.worm virus
and
http://vil.nai.com/vil/content/v_100516.htm for the Exploit-DcomRpc virus