MSBlast worm alert (originally called Billy)

It looks like a worm based on the recent Windows RPC exploit is slowly infecting Windows hosts on the net. In the past hour there has been a lot of traffic and random machine reboots (even of machines that are not connected directly to the net but sit inside a LAN, a sure sign of a worm).

If you are a sysadmin, please block ports 135/139/445 and 4444 (the worm executes commands remotely via this port) at your router. If your Windows machine is rebooting every minute or so, unplug it from the network, search for msblast.exe and delete that file.
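As an added example (not part of the original post), the following Python script takes the port list from the alert above and applies it from a defender's side: it reads connection-log lines and flags sources that touch many distinct hosts on the spread ports 135/139/445 (worm-style scanning) and any connection to port 4444, the remote command channel the alert mentions. The log format, the addresses and the scan threshold are constructed assumptions for this example, not anything from the original page.

```python
"""Flag hosts that behave like an RPC worm in a simple connection log.

Added example, not code from the original post. Log format is assumed:
"HH:MM:SS src dst dport proto", one connection per line.
"""
from collections import defaultdict

# Ports named in the alert: RPC/NetBIOS/SMB are used to spread,
# 4444 is the port on which the freshly exploited host takes commands.
SPREAD_PORTS = {135, 139, 445}
COMMAND_PORT = 4444
# Assumption: a source that hits this many distinct hosts on a spread
# port is scanning rather than doing normal file/printer sharing.
SCAN_THRESHOLD = 5

# Constructed sample log (not a real capture).
SAMPLE_LOG = """\
12:00:01 10.0.0.7 10.0.0.20 135 tcp
12:00:01 10.0.0.7 10.0.0.21 135 tcp
12:00:02 10.0.0.7 10.0.0.22 135 tcp
12:00:02 10.0.0.7 10.0.0.23 135 tcp
12:00:03 10.0.0.7 10.0.0.24 135 tcp
12:00:03 10.0.0.7 10.0.0.25 135 tcp
12:00:04 10.0.0.7 10.0.0.25 4444 tcp
12:00:05 10.0.0.12 10.0.0.5 445 tcp
12:00:06 10.0.0.12 10.0.0.5 445 tcp
12:00:07 10.0.0.30 10.0.0.25 4444 tcp
12:00:08 bad line
"""


def parse_line(line):
    """Return (time, src, dst, dport, proto) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        dport = int(parts[3])
    except ValueError:
        return None
    return parts[0], parts[1], parts[2], dport, parts[4]


def analyse(log_text):
    """Return (findings, skipped_line_count).

    findings is a list of tuples:
      ("scanner", src, distinct_target_count)   for spread-port scanning
      ("command-channel", src, [dst, ...])      for any connection to 4444;
                                                dst is the host most likely
                                                just exploited, src the
                                                host driving it.
    """
    targets = defaultdict(set)        # src -> distinct dsts on spread ports
    command_conns = defaultdict(set)  # src -> dsts contacted on 4444
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        _, src, dst, dport, proto = rec
        if proto != "tcp":
            continue
        if dport in SPREAD_PORTS:
            targets[src].add(dst)
        elif dport == COMMAND_PORT:
            command_conns[src].add(dst)

    findings = []
    for src, dsts in targets.items():
        if len(dsts) >= SCAN_THRESHOLD:
            findings.append(("scanner", src, len(dsts)))
    for src, dsts in command_conns.items():
        findings.append(("command-channel", src, sorted(dsts)))
    return findings, skipped


if __name__ == "__main__":
    found, bad = analyse(SAMPLE_LOG)
    for kind, src, detail in found:
        print(f"{kind:16} {src:12} {detail}")
    print(f"skipped {bad} malformed line(s)")
```

On the constructed sample, 10.0.0.7 is reported both as a scanner (six distinct hosts on 135) and for opening the command channel to 10.0.0.25; 10.0.0.12, which only talks SMB to one file server, is not flagged. Unplugging the flagged sources and checking them for msblast.exe, as the alert suggests, is the follow-up.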

Billy Blaster worm updates
I’ve set up this page for more updates on this. I won’t be updating about this on my blog.

21 Comments

  1. agnosticessence · August 11, 2003

    I am still in the process of fixing my laptop from this RPC bullshit. I’m damn lucky to have another computer. I’m just about to put the Microsoft patch on a 3.5 floppy to transfer it to the laptop. Grrr, this has taken hours of my time today to figure out what was up.

  2. agnosticessence · August 11, 2003

    Also, thanks for the tip for which file to delete. I’m back online with the laptop! Serious appreciation!

  3. admin · August 11, 2003

    Glad to know the information came of some use.

    As the worm started to spread, the number of mails I was getting started increasing exponentially too. Anyway, this is a badly written worm and it made everyone patch up their systems before the killer one came out.

  4. agnosticessence · August 11, 2003

    I still seem to have a slight problem. I installed the MS patch and erased msblast.exe once, but later tonight it was there again. There also seems to be a file in C:\Windows\SYSTEM32 called msblast (no suffix) that doesn’t seem to want to be erased. Is there a way I can eliminate this?

  5. admin · August 11, 2003

    I don’t work on Windows, so I don’t know too well. Perhaps this should help ya: http://www.cert.org/advisories/CA-2003-20.html

  6. darkknightradic · August 11, 2003

    Technically, the exploit isn’t recent. It’s only recently been discovered (and it has also been discovered it affects every version of Windows except ME). Just a little nit-pickiness (I run Red Hat Linux 9.0 myself ;)).

  7. admin · August 12, 2003

    Right. This is an exploit which is about a month old. But since this affects all Windows machines, a (well designed) worm can cause havoc. Though this one was badly designed, I’m sure a worm could have been written which could have done more damage than Slammer.

    In a way it’s good this thing came out. Most people are applying the patches 🙂

  8. tariquesani · August 12, 2003

    A relatively oldish one – but yes, seems to be an epidemic in the last couple of days…

    I am pissed that this is such a shabby job. I want to see something which does the winduhs equivalent of rm -rf /* 😉

  9. admin · August 12, 2003

    Well, the worm runs tftp in DOS. I’m sure it can be made to do

    c:> del *.*

    😉

  10. a1057soul · August 12, 2003

    I had realized the problem and deleted the file, but good to know I did the right thing… guess it was time for me to set up virus checking and a firewall, huh?

    THANKS for the post!

  11. arafel · August 12, 2003

    I deleted the file and still have the problem. Damn it.

  12. khorgath · August 12, 2003

    deltree! del *.* wouldn’t do anything.

  13. arafel · August 12, 2003

    Thanks for the link. Norton was my first stop after I posted that comment. I appreciate the help. 🙂

  14. nebel · August 12, 2003

    Hahah! So all of us who have been bitching about the pain of ME for three years now find it’s worth something after all…

  15. darkknightradic · August 12, 2003

    Month old? lol Yeah right. It exists in EVERY copy of Windows except ME, which makes the exploit more than a month old. Think of the date when Win95 was released to the time this exploit was “found”. That’s a hella lot of time.

    It just hasn’t been exploited until the past month when it was independently discovered. The fact that M$ released a patch in a day says a lot for how long they knew the exploit existed.

  16. admin · August 13, 2003

    The flaw was discovered about a month ago, and this is one of the many flaws that have been discovered over the years.

    I know there are a zillion more, but it’s about people knowing them and exploiting them. Hard core hackers know all the holes, but they don’t publish them or write mass worms.

  17. darkknightradic · August 13, 2003

    It was discovered independently a month ago. I have no doubts M$ knew about it earlier. If not, they are entirely incompetent.

    True, true hackers DON’T write virii and worms, they are clever programmers. Virii and worms are the work of script kiddies with nothing better to do.

  18. msram · August 13, 2003

    You’ve been Rediffed. Not quite like being Slashdotted, but you’ve been Rediffed all the same.

  19. admin · August 13, 2003

    wah

    Did not realise it at all. And I was wondering why people were pinging me in email. I haven’t updated the page in 2 days. Now all the sites have info about it. When I caught the worm in the 1st 5 min, mine was the only site which had any info at all about the existence of the worm. In fact that’s why I created the page.

    Anyway, happy to see it was rediffed 🙂

    I got slashdotted a couple of months ago and you won’t believe the size of my access log 🙂
