Solved

Runaway Modem

Posted on 2003-11-04
3
234 Views
Last Modified: 2006-11-17
Dual boot. Win2K on C: and Win XP Pro on D:. Had to format C: because of infection of MS_BLAST/WORM_NACHI. Have an HSP Micromodem-56K/V.92. When online with a browser (any) open I am sending and receiving info. without me wanting to or not. I can have Opera open with a blank page and the transfer of info still takes place. This is all per the status popup box for the modem. Will show receiving @ 7.1kbs and the data could be as much as 10MB without me even knowing it. I know that my machine will send bits of info, but 2MB worth? Zone Alarm is up and running with no alerts or permissions requested while this is going on.
1) What is going On?
2) From where and to where are these tranfers taking place?
Check system every 24 hrs. with AVG and no evidence of any virus. Only other thing that is going on is that I keep getting the message that "svchost.exe has experienced problems and is shutting down". I really need help as I refuse to go online until this is taken care of. I will correspond from a remote. Thank you in advance.

cactusdr (markaz@mfire.com)
0
Comment
Question by:cactusdr
  • 2
3 Comments
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9681464
The worm still seems to be active. Have you applied the MS patch

It is a worm that causes this problem

What You Should Know About the Blaster Worm and Its Variants
http://www.microsoft.com/security/incident/blast.asp

first do this

Start > Run services
Double Click on Remote Procedure Call (RPC)
Click the Recovery tab
Set all three failure boxes to "Take No Action"

Then open the task manager Start > Run taskmgr and under the Processes tab look for msblaster.exe and if you find it end the task.

then

Removal tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
Download
http://securityresponse.symantec.com/avcenter/FixBlast.exe

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp using TCP port 135. It will attempt to download and run the file Msblast.exe.

You should block access to TCP port 4444 at the firewall level, and block the following ports, if they do not use the applicaitons listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

The worm also attempts to perform a Denial of Service on windowsupdate.com. This is an attempt to disable your ability to patch you computer against the DCOM RPC vulnerability.

Click here http://securityresponse.symantec.com/avcenter/security/Content/8205.html for more information on the vulnerability being exploited by this worm and to find out which Symantec products can help mitigate risk from this vulnerability.

...


technical details

When W32.Blaster.Worm is executed, it does the following:

Creates a Mutex named "BILLY". If the mutex exists, the worm will exit.

Adds the value:

"windows auto update"="msblast.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

Calculates the IP address, based on the following algorithm, 40% of the time:

Host IP: A.B.C.D

sets D equal to 0.

if C > 20, will subtract a random value less than 20.

Once calculated it will start attempting to exploit the computer based on A.B.C.0 and count up.

NOTE: This means the Local Subnet will become saturated with port 135 requests prior to exiting the local subnet.

Calculates the IP address, based on many random numbers, 60% of the time:

A.B.C.D

set D equal to 0.

sets A, B, and C to random values between 0 and 255.

Sends data on TCP port 135 that may exploit the DCOM RPC vulnerabilty to allow the following actions to occur on the vulnerable computer:

Create a hidden Cmd.exe remote shell that will listen on TCP port 4444.

NOTE: Due to the randomness with how it constructs the exploit data, it may cause computers to crash if it sends incorrect data.

Listens on UDP port 69. When it recieves a request, it will send back the Msblast.exe binary.

Sends the commands to the remote computer to connect back to the infected host and download and run the Msblast.exe.

If the current month is after August, or if the current date is after the 15th it will perform a denial of service on "windowsupdate.com"

With the current logic, the worm will activate the Denial of Service attack on the 16th of this month, and continue until the end of the year.

The worm contains the following text which is never displayed:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

...

Restarting the computer in Safe mode or ending the Worm process
Windows 95/98/Me
Restart the computer in Safe mode. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document, "How to start the computer in Safe Mode."

Windows NT/2000/XP
To end the Trojan process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for msblast.exe.
If you find the file, click it, and then click End Process.
Exit the Task Manager.

5. Reversing the changes made to the registry

CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry, http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617 " for instructions.

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"windows auto update"="msblast.exe"

Exit the Registry Editor.


Now apply the patch

The Patch
Microsoft Windows XP 64-bit Edition :
Microsoft Windows XP Home SP1:
Microsoft Patch WindowsXP-KB823980-x86-ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

Microsoft Windows XP Home :
Microsoft Windows XP Professional SP1:
Microsoft Patch WindowsXP-KB823980-x86-ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

Microsoft Windows 2000 Advanced Server SP4:

Microsoft Patch Windows2000-KB823980-x86-ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en

Microsoft Windows 2000 Advanced Server SP3:
Microsoft Patch Windows2000-KB823980-x86-ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en

Microsoft Windows 2000 Advanced Server SP2:
Microsoft Windows 2000 Datacenter Server SP4:
Microsoft Windows 2000 Datacenter Server SP3:
Microsoft Windows 2000 Datacenter Server SP2:
Microsoft Windows 2000 Professional SP4:
Microsoft Patch Windows2000-KB823980-x86-ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en

Microsoft Windows 2000 Professional SP3:
Microsoft Patch Windows2000-KB823980-x86-ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en

Microsoft Windows 2000 Professional SP2:
Microsoft Windows 2000 Server SP4:
Microsoft Patch Windows2000-KB823980-x86-ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en

Microsoft Windows 2000 Server SP3:
Microsoft Patch Windows2000-KB823980-x86-ENU.exe
http://microsoft.com/downloads/details.aspx?FamilyId=C8B8A846-F541-4C15-8C9F-220354449117&displaylang=en

Microsoft Windows 2000 Server SP2:
Microsoft Windows NT Enterprise Server 4.0 SP6a:
Microsoft Patch Q823980i.EXE
http://microsoft.com/downloads/details.aspx?FamilyId=2CC66F4E-217E-4FA7-BDBF-DF77A0B9303F&displaylang=en
0
 
LVL 44

Accepted Solution

by:
CrazyOne earned 100 total points
ID: 9681470
0
 

Expert Comment

by:-DV8R-
ID: 9830215
Also look for teekids.exe

this is the new version of msblast.exe I just got it and just got rid of it. It was simple as pie to remove same process as msblast but look for teekids.exe instead.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Windows 10 is here and for most admins this means frustration and challenges getting that first working Windows 10 image. As in my previous sysprep articles, I've put together a simple help guide to get you through this process. The aim is to achiev…
I use more than 1 computer in my office for various reasons. Multiple keyboards and mice take up more than just extra space, they make working a little more complicated. Using one mouse and keyboard for all of my computers makes life easier. This co…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now