
Tuesday, August 12, 2003

Whole night wasted 

Had a wonderful time last evening battling the new windows RPC worm making its way around. I guess it says something about me that when my machine starts mysteriously blowing up, I break into a cold sweat, thinking about all the email I'm not gonna get backed up, and all the documents and other work I'm gonna lose. When did I become so dependent upon these stupid humming beige boxes? I remember seeing the security bulletin, and that it was marked "critical", and then doing nothing about it, so this is at least partially my fault.

Anyway, a few tips for those who may be afflicted:

1.) The default XP install is set to give you a 1-minute warning and irrevocably restart the whole damn ball of wax when the RPC service dies. In order to do the work needed to correct this problem, you need to at least turn that effect off, or else you'll just have to be really fast (and lucky). You can alter this behavior by running the "services" admin thingy ("services admin service" sounds like it needs to be reported to the department of redundancy department). Under the properties for the RPC service, you can either increase the time you're given before the restart, or turn it off altogether, which is what I did (temporarily). You could also just disconnect your network cable, which is what I ended up doing later anyway.

2.) One of the things this worm seems to be doing is rendering the nice little windows mechanisms that would automatically get the patch for you insensate. I have no idea whether this is happening because the RPC service on your own machine is blown up, or if the auto-update services at MS are getting hammered, but I don't suppose it matters. Myself, I chose to download the patch manually (since that functionality still works even after the RPC service blows up) and run it manually. The download page for the XP Home patch is here.

3.) I remained under attack while trying to get the patch to run. I finally just disconnected my stupid cable modem, rebooted, ran the patch, shut down, reconnected the cable modem, and started back up.

4.) Remember to set the windows response to the RPC service dying back to something safe (reverse what you did in step 1, if you did it).

5.) After these steps, I think you're safe from further attack. But you most likely are infected. Congratulations. I originally thought that the attack on my machine had been ineffective, since the symptom I was observing was just the RPC service dying. As it turned out, though, I had been infected. My unconfirmed impression is that once the attack is complete, and the executable content is in your windows/system32 directory, and a nice new registry key is created to run that executable content on startup, the thing blows up the RPC service on purpose, so that windows will restart, and it can get itself running. I'm irresistibly reminded of a scene from the movie "Die Hard" at this point (You wanted a miracle? I give you Microsoft.)

6.) You need to get that key out of your registry. It's under (don't quote me here) "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run", and its name is "windows auto update". Sounds nice and professional, no?

7.) After that's done you need to reboot, and then remove the file "msblast.exe" from your windows/system32 directory.

Or better yet, after patching you could just get a nice little removal tool here.
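If you want to check a box for the two artifacts named in steps 6 and 7, and see what the RPC service is set to do when it dies (steps 1 and 4), the following read-only PowerShell script does that. It is an example added here, not part of the original post; it assumes the Run key path and value name as recalled above, msblast.exe under System32, and that sc.exe is available to query the service's failure actions.

```powershell
# Added example, not from the original post: report the Blaster indicators
# the post names and the RPC service's configured failure actions. It only
# reads; run it from an elevated PowerShell prompt.

function Test-BlasterIndicators {
    $runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $valueName = 'windows auto update'   # startup entry name from step 6
    $payload   = Join-Path $env:SystemRoot 'System32\msblast.exe'   # step 7
    $indicators = @()

    # Step 6: persistence entry under the per-machine Run key.
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and ($run.PSObject.Properties.Name -contains $valueName)) {
        $indicators += "Run entry '$valueName' points at: $($run.$valueName)"
    }

    # Step 7: the dropped executable in System32.
    if (Test-Path -LiteralPath $payload) {
        $indicators += "File present: $payload"
    }

    # Steps 1 and 4: what RpcSs does on failure. A REBOOT action with a
    # 60000 ms delay is the one-minute-warning restart the post describes.
    $recovery = & sc.exe qfailure RpcSs
    $actions  = @($recovery | Where-Object { $_ -match 'REBOOT|RESTART|RUN PROCESS' } |
                 ForEach-Object { $_.Trim() })

    return [pscustomobject]@{
        Indicators     = $indicators
        RpcSsRecovery  = $actions
    }
}

$result = Test-BlasterIndicators
if ($result.Indicators.Count -eq 0) {
    Write-Output 'No msblast.exe or "windows auto update" Run entry found.'
} else {
    $result.Indicators | ForEach-Object { Write-Output "INDICATOR: $_" }
}
Write-Output ('RpcSs failure actions: ' + ($result.RpcSsRecovery -join '; '))
```

A non-empty Indicators list means the cleanup in steps 6 and 7 (or the removal tool) still needs to be done; a REBOOT action in the recovery line means step 4 has not been reversed yet.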



