please help if you can



amievil?
12th Aug 2003, 22:49
Ever since yesterday evening, every time I get onto the internet (dial up), a couple of mins later I get the message "this system is shutting down"... and then something about it was initiated by nt authority/system and it also says something about a remote procedure call being terminated unexpectedly... I don't know what the hell is going on with it... anyone come across this?


Just as I was typing I got another message about generic host process for win32 has encountered prob... virus??

theBlackman
12th Aug 2003, 22:58
Originally posted at TTLG. Also check the COMMUNITY CHAT FOR MORE: http://forums.eidosgames.com/showthread.php?s=&threadid=21707

Let us not beat around the bush, lots of virus warnings are bull****, this one is not.
It infects Windows NT, Windows 2000, Windows XP and Windows Server 2003 machines, initiating an RPC shutdown. This will pop up a small message box that says something along the lines of "The system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM" and will give either 30 seconds or one minute before being shut down.

The major cause of this is a 6176-byte exe called MSBLAST.exe; however, it is apparently able to infect remotely, so the user is unaware of being infected if they do not have an effective firewall system.

Microsoft have issued a patch which is only available via Windows Update at the moment. Although apparently another feature of this worm is that it is to DoS the windowsupdate.com servers on the 16th of August, so you might not be able to get the patch in time.

Grab the patch, update your virus scanners and grab Symantec's standalone removal tool if you think you may have been infected.

This worm is extremely common at the moment, please be careful.

MSBLASTER virus. Patch is here:

http://windowsupdate.microsoft.com/

amievil?
13th Aug 2003, 00:47
Thanks theBlackman. That sure is what it was. I said "what's that? who goes!"

I used the fixworm thing from Symantec to kill it, and just d/led the patch. The thing is, I have no idea what I could have d/led to get the worm in the first place. All I've d/led recently are a few fms, and none of those were new files. I don't open attachments in emails, period (unless I'm absolutely sure what they are and who from, and then I still scan them anyway)... apparently this worm d/ls msblast.exe. That was the first thing I noticed: I hit ctrl+alt+del to see what was running in the background and it was at the top of the list. I had my suspicions as soon as I saw it. Anyway, thanks for the heads up. Didn't see the other thread about it to begin with; sorry to create another thread about the same thing.

Peter_Smith
14th Aug 2003, 03:37
Very interesting.

You can be much more secure if you (a) hide behind a router that has address translation, so your local machine has a non-routable IP address, and (b) you use a software firewall in addition, so anything that gets to you by e-mail or whatever is more likely to be caught; (c) you keep your virus software up to date automatically.

Before installing my router (a Linksys Etherfast Cabale / DSL router), my Norton Personal Firewall was constantly detecting intrusions. Now it is ghostly quiet. An occasional piece of software tries to get out, but unless I know what it is and want it to go out, I block it.

bravus
14th Aug 2003, 03:52
I heard that msblaster doesn't require you to execute anything on the local machine to infect it. Not sure of a huge amount of detail, but I'm certainly cranking the firewalls, AV programs etc.

Bravus

theBlackman
14th Aug 2003, 04:21
Originally posted by Peter Smith
Very interesting...

Before installing my router (a Linksys Etherfast Cabale / DSL router), my Norton Personal Firewall was constantly detecting intrusions. Now it is ghostly quiet. An occasional piece of software tries to get out, but unless I know what it is and want it to go out, I block it.

Me too, but just today I have over 300 intrusion attempts listed in the log file for my Firewall. Blocked, of course, but in the whole week before the MS worm, I did not have that many for the week.

However, I (and Peter) at least am not one of the 180,000 that have reported problems in the last two days. *wipes sweat from fevered brow, in relief*

Cabale :D By the way, isn't that spelled Cabala?

DJC
14th Aug 2003, 15:16
Originally posted by bravus
I heard that msblaster doesn't require you to execute anything on the local machine to infect it.

Quite true; as I posted in the TTLG post theBlackman quoted, it is able to infect you remotely, although if you have a decent firewall (software or hardware) it is unable to get in.

FYI, if you get the RPC shutdown error you can prevent the system shutting down by typing shutdown -a at the Run... command from the Start Menu.