What's closing down my comp


Kanga

I downloaded a couple of cracks from Agent this morning. My computer
now randomly closes down. Various messages appear prior to close down
re problem with Generic Host process for Win32 Services, another
referred to a remote procedure call (CRPC). Help would be appreciated
 
There is a reason that people always say that you need to stay up to date
with security updates that Microsoft releases. For the love of God, if
nothing else, use Windows Update. There is a CRITICAL security update for
the RPC service that came out last month that you should have installed
immediately.

Ray at work
 
Kanga said:
I downloaded a couple of cracks from Agent this morning. My computer
now randomly closes down. Various messages appear prior to close down
re problem with Generic Host process for Win32 Services, another
referred to a remote procedure call (CRPC). Help would be appreciated

Looks like one of the cracks cracked your computer. A virus or a
trojan?

Roger
 
I had Norton Antivirus loaded; it gave no warning of any virus. I've
used a Trojan detector as well without result. Another message
received says that the machine is closing down by the "NT Authority
System", whatever that is. If the machine stays up long enough I'll
download XP SP2 and install again. Thanks for your help.
 
From a notice posted by Jerry Bryant in microsoft.public.security -

SEVERITY: CRITICAL
DATE: August 11, 2003
PRODUCTS AFFECTED: Windows XP, Windows 2000, Windows Server 2003, Windows NT
4.0, NT 4.0 Terminal Services Edition

WHAT IS IT?
The Microsoft Product Support Services Security Team is issuing this alert
to inform customers about a new worm named W32.Blaster.Worm which is
spreading in the wild. This virus is also known as: W32/Lovsan.worm
(McAfee), WORM_MSBLAST.A (Trendmicro), Win32.Posa.Worm (Computer
Associates). Best practices, such as applying security patch MS03-026 should
prevent infection from this worm.

Customers that have previously applied the security patch MS03-026 before
today are protected and no further action is required.

IMPACT OF ATTACK: Spread through open RPC ports. Customer's machine gets
re-booted or has mblast.exe exists on customer's system.

TECHNICAL DETAILS: This worm scans a random IP range to look for vulnerable
systems on TCP port 135. The worm attempts to exploit the DCOM RPC
vulnerability patched by MS03-026.

Once the Exploit code is sent to a system, it downloads and executes the
file MSBLAST.EXE from a remote system via TFTP. Once run, the worm creates
the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe
I just want to say LOVE YOU SAN!! bill

Symptoms of the virus: Some customer may not notice any symptoms at all. A
typical symptom is the system is rebooting every few minutes without user
input. Customers may also see:
- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory

To detect this virus, search for msblast.exe in the WINDOWS SYSTEM32
directory or download the latest anti-virus software signature from your
anti-virus vendor and scan your machine.

For additional details on this worm from anti-virus software vendors
participating in the Microsoft Virus Information Alliance (VIA) please visit
the following links:

Network Associates:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547

Trend Micro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A

Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Computer Associates: http://www3.ca.com/virusinfo/virus.aspx?ID=36265

For more information on Microsoft's Virus Information Alliance please visit
this link: http://www.microsoft.com/technet/security/virus/via.asp

Please contact your Antivirus Vendor for additional details on this virus.

PREVENTION: Turn on Internet Connection Firewall (Windows XP or Windows
Server 2003) or use a third party firewall to block TCP ports 135, 139, 445
and 593; also UDP 69 (TFTP) for zombie bits download and TCP 4444 for remote
command shell. To enable the Internet Connection Firewall in Windows:
http://support.microsoft.com/?id=283673

1. In Control Panel, double-click Networking and Internet Connections, and
then click Network Connections.
2. Right-click the connection on which you would like to enable ICF, and
then click Properties.
3. On the Advanced tab, click the box to select the option to Protect my
computer or network.

This worm utilizes a previously-announced vulnerability as part of its
infection method. Because of this, customers must ensure that their
computers are patched for the vulnerability that is identified in Microsoft
Security Bulletin MS03-026.
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp. Install the
patch MS03-026 from Windows Update http://windowsupdate.microsoft.com

As always, please make sure to use the latest Anti-Virus detection from your
Anti-Virus vendor to detect new viruses and their variants.

RECOVERY: Security best practices suggest that previously compromised
machine be wiped and rebuilt to eliminate any undiscovered exploits that can
lead to a future compromise. See Cert Advisory:
Steps for Recovering from a UNIX or NT System Compromise.
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

For additional information on recovering from this attack please contact
your preferred anti-virus vendor.

RELATED MICROSOFT SECURITY BULLETINS:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

RELATED KB ARTICLES: http://support.microsoft.com/?kbid=826955
This article will be available within 24 hours.

RELATED LINKS: http://www.microsoft.com/security/incident/blast.asp

If you have any questions regarding this alert please contact your Microsoft
representative or 1-866-727-2338 (1-866-PCSafety) within the US, outside of
the US please contact your local Microsoft Subsidiary. Support for virus
related issues can also be obtained from the Microsoft Virus Support
Newsgroup which can be located by clicking on the following link
news://msnews.microsoft.com/microsoft.public.security.virus.
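The indicators the alert lists, checked in code. This is an added example and not part of the Microsoft alert or of any vendor's tool: it reads a `reg export` of the Run key, a `dir /b` of the system32 directory and the Internet Connection Firewall log, and reports which of the alert's indicators (the "windows auto update" = msblast.exe Run value, msblast.exe or stray TFTP* files, traffic on TCP 135, TCP 4444 and UDP 69) are present. The sample evidence is constructed for the demonstration, and the log layout is assumed to follow the pfirewall.log "#Fields:" header, which the parser reads instead of hard-coding column positions.

```python
"""Offline triage for the Blaster indicators named in the alert.

Added example, not from the alert or any vendor tool.  Inputs are text you
collect from the suspect machine; the samples at the bottom are constructed.
The firewall-log layout (a pfirewall.log-style "#Fields:" header) is an
assumption; the parser names columns from that header.
"""
from collections import Counter

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "windows auto update"
WORM_FILE = "msblast.exe"
# (protocol, destination port) -> role in the worm's life cycle, per the alert.
BLASTER_PORTS = {("TCP", 135): "DCOM RPC exploit attempt",
                 ("UDP", 69): "TFTP payload download",
                 ("TCP", 4444): "remote command shell"}


def parse_reg_export(text):
    """Parse `reg export` output into {key_path: {value_name: data}}.
    Only the "name"="data" (REG_SZ) lines matter for the Run key."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            keys[current][name] = data.strip('"')
    return keys


def run_key_hits(reg_export):
    """Run-key values matching the worm's persistence entry, as (name, data)."""
    hits = []
    for key, values in parse_reg_export(reg_export).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            if name.lower() == RUN_VALUE_NAME or WORM_FILE in data.lower():
                hits.append((name, data))
    return hits


def suspicious_files(system32_listing):
    """msblast.exe and TFTP* entries from a system32 listing.  Windows ships
    its own tftp.exe client there, so that one name is not flagged."""
    flagged = []
    for entry in system32_listing:
        low = entry.strip().lower()
        if low == WORM_FILE or (low.startswith("tftp") and low != "tftp.exe"):
            flagged.append(entry.strip())
    return flagged


def parse_firewall_log(lines):
    """Yield one dict per record, naming columns from the '#Fields:' line."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def blaster_traffic(lines):
    """{role: Counter(src-ip -> records)} for traffic on the worm's ports.
    A run of 135 SYNs from one address is the scanner; a 4444 connect or a
    UDP 69 request means the exploit got further than a probe.  For UDP 69
    the src-ip is the machine asking for the payload, i.e. the local victim."""
    summary = {role: Counter() for role in BLASTER_PORTS.values()}
    for rec in parse_firewall_log(lines):
        try:
            key = (rec["protocol"].upper(), int(rec["dst-port"]))
        except (KeyError, ValueError):
            continue
        if key in BLASTER_PORTS:
            summary[BLASTER_PORTS[key]][rec["src-ip"]] += 1
    return summary


def triage(reg_export, system32_listing, firewall_log_lines):
    """Combine the checks.  Persistence or the binary on disk is an
    infection; firewall hits alone show exposure, not compromise."""
    persistence = run_key_hits(reg_export)
    files = suspicious_files(system32_listing)
    return {"infected": bool(persistence or files),
            "persistence": persistence, "files": files,
            "traffic": blaster_traffic(firewall_log_lines)}


# Constructed sample evidence (not taken from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"windows auto update"="msblast.exe"
'''
SAMPLE_SYSTEM32 = ["kernel32.dll", "tftp.exe", "TFTP3044", "msblast.exe"]
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-12 08:40:01 DROP TCP 198.51.100.23 192.0.2.10 1521 135 48 S 88231 0 65535 - - -
2003-08-12 08:40:02 DROP TCP 198.51.100.23 192.0.2.10 1522 135 48 S 88232 0 65535 - - -
2003-08-12 08:40:03 OPEN TCP 203.0.113.7 192.0.2.10 3390 135 48 S 99101 0 65535 - - -
2003-08-12 08:40:09 OPEN TCP 203.0.113.7 192.0.2.10 3391 4444 48 S 99102 0 65535 - - -
2003-08-12 08:40:10 OPEN UDP 192.0.2.10 203.0.113.7 1056 69 57 - - - - - - -
2003-08-12 08:41:00 DROP TCP 198.51.100.23 192.0.2.10 1530 80 48 S 88240 0 65535 - - -
""".splitlines()

if __name__ == "__main__":
    for item, value in triage(SAMPLE_REG, SAMPLE_SYSTEM32, SAMPLE_LOG).items():
        print(f"{item}: {value}")
```

On a real case, feed it `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`, `dir /b %SystemRoot%\system32`, and the ICF log; a positive on the Run key or on disk is the infection itself, while the log only tells you who was knocking and whether the 4444 shell ever got through.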
 
Dear Customer,

I am just writing to add a supplement on this problem. This issue is
caused by a worm virus "W32.Blaster.worm". It will use TCP port 135 to
download and run the file Msblast.exe, and it can cause the system to reboot
unexpectedly.

To prevent the system from rebooting every few minutes, please try the
steps in the "Workaround" section. However, you are strongly recommended to
install the patch which is mentioned in the "Prevention" section to prevent the
system from being infected again. After that, please use the most recent Anti
Virus program to clean the system.

Workaround
========

The workaround can help you stop the system from rebooting every few
minutes. However, it should be noted that these workarounds should be
considered temporary measures as they just help block paths of attack
rather than correcting the underlying vulnerability.

1. Block RPC interface ports at your firewall if you are not using Windows
XP.

Blocking the following ports at the firewall will help prevent systems
behind that firewall from being attacked by attempts to exploit this
vulnerability:

- TCP/UDP Port 135
- TCP/UDP Port 139
- TCP/UDP Port 445

If you are using the Internet Connection Firewall in Windows XP to protect
your Internet connection, it will by default block inbound RPC traffic from
the Internet. Therefore, please enable Internet Connection Firewall
immediately.

To configure Internet Connection Firewall manually for a connection:

- In Control Panel, double-click Networking and Internet Connections, and
then click Network Connections.
- Right-click the connection on which you would like to enable ICF, and
then click Properties.
- On the Advanced tab, click the box to select the option to Protect my
computer or network.

For more information, please refer to the following Microsoft Knowledge
Base article.

283673 HOW TO: Enable or Disable Internet Connection Firewall in Windows XP
http://support.microsoft.com/?id=283673

2. Disable DCOM on all affected machines

When a computer is part of a network, the DCOM wire protocol enables COM
objects on that computer to communicate with COM objects on other
computers. You can disable DCOM for a particular computer to help protect
against this vulnerability, but doing so will disable all communication
between objects on that computer and objects on other computers.

To manually enable (or disable) DCOM for a computer:

1). Run Dcomcnfg.exe.

If you are running Windows XP or Windows Server 2003, perform these
additional steps:

- Click on the Component Services node under Console Root.
- Open the Computers sub-folder.
- For the local computer, right click on My Computer and choose
Properties.

2). Choose the Default Properties tab.

3). Select (or clear) the Enable Distributed COM on this Computer check
box.

4). If you will be setting more properties for the machine, click the Apply
button to enable (or disable) DCOM. Otherwise, click OK to apply the
changes and exit Dcomcnfg.exe.

Prevention
=======

To prevent the computer from being infected by the virus, please install the
security patch MS03-026. The patch is available from Windows Update as well
as on www.microsoft.com\security

For Windows XP, the direct link of the patch is listed below. Please
download and install it immediately.
http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

Please note that you still need to use an Anti Virus program to clean the
system after you apply the patch. If you do not have Anti Virus software
installed, you can use the following tool to detect the worm.

http://housecall.antivirus.com


Restoration
=======

After a Trojan has successfully been installed on a system, it may be
impossible to trust that system in the future. These steps will help
restore your computer's environment to a trusted state.

1. If you have a full system backup, please restore from the last known
good backup.

2. In the case when no backup is available, we recommend reformatting the
affected system and re-installing the operating system from scratch. If your
system is a client of a network, make sure you patch or rebuild with
MS03-026 BEFORE putting it back on the network to avoid being re-infected.

3. If you cannot restore or rebuild, please try to contact your Anti Virus
vendors for removal/cleaner tools.

The following tools or information from 3rd party vendors may be helpful for
removing the virus.

Symantec

http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

McAfee:
http://vil.nai.com/vil/stinger

Please note that these tools or information are provided by the 3rd party
vendors which are independent of Microsoft; we make no warranty, implied or
otherwise, regarding their products.

If anything is unclear, please feel free to let me know. I am glad to be of
assistance.

Laura Zhang
Microsoft Online Support Engineer
Get Secure! - <www.microsoft.com/security>
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
| From: Kanga <[email protected]>
| Newsgroups: microsoft.public.win2000.general
| Subject: What's closing down my comp
| Message-ID: <[email protected]>
| X-Newsreader: Forte Agent 1.92/32.572
| MIME-Version: 1.0
| Content-Type: text/plain; charset=us-ascii
| Content-Transfer-Encoding: 7bit
| Lines: 4
| Date: Tue, 12 Aug 2003 08:56:28 +1200
| NNTP-Posting-Host: 203.114.157.72
| X-Complaints-To: (e-mail address removed)
| X-Trace: news02.tsnz.net 1060635386 203.114.157.72 (Tue, 12 Aug 2003
08:56:26 NZST)
| NNTP-Posting-Date: Tue, 12 Aug 2003 08:56:26 NZST
| Organization: TelstraClear
| Path:
cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onlin
e.de!npeer.de.kpn-eurorings.net!news-out.newsfeeds.com!propagator2-maxim!new
s-in-maxim.spamkiller.net!news02.tsnz.net!not-for-mail
| Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.general:66610
| X-Tomcat-NG: microsoft.public.win2000.general
|
| I downloaded a couple of cracks from Agent this morning. My computer
| now randomly closes down. Various messages appear prior to close down
| re problem with Generic Host process for Win32 Services, another
| referred to a remote procedure call (CRPC). Help would be appreciated
|
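A way to verify the Workaround from the outside, as an added example that is not part of the Microsoft reply above. Once TCP 135/139/445/593 and 4444 are blocked (or ICF is on), probe the host from a second machine on the same network: a port that answers "filtered" (no reply) is what a block looks like, "closed" (connection refused) means the port is reachable but nothing listens, and "open" means the block is not in effect. The TFTP check runs the other way: the alert says the worm fetches msblast.exe over TFTP from the machine that attacked it, so a DATA reply to a read request for that name on UDP 69 says the probed host is serving the worm. Host, ports and timeouts are parameters; the local listeners in `demo_local()` are constructed stand-ins so the block runs offline, and nothing here depends on a particular firewall product.

```python
"""Probe a host for the Blaster attack paths after the firewall workaround.

Added example, not from the post above.  tcp_port_state() classifies each
port the alert names; tftp_serves() asks the host's TFTP port for
msblast.exe, which an infected machine hands out to new victims.
demo_local() stands up constructed local services so the whole thing can be
run without a network.
"""
import socket
import struct
import threading

# TCP ports the alert and the Workaround tell you to block, and what they are.
BLASTER_TCP_PORTS = {135: "RPC endpoint mapper (exploit target)",
                     139: "NetBIOS session", 445: "SMB",
                     593: "RPC over HTTP", 4444: "worm's command shell"}


def tcp_port_state(host, port, timeout=2.0):
    """'open' (connect succeeded), 'closed' (refused, i.e. reachable but
    nothing listening) or 'filtered' (timed out / unreachable: dropped)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:                      # socket.timeout is an OSError
            return "filtered"


def exposure_report(host, ports=tuple(BLASTER_TCP_PORTS), timeout=2.0):
    return {port: tcp_port_state(host, port, timeout) for port in ports}


def still_exposed(report):
    """Ports that answered 'open'; this is the list to act on."""
    return sorted(p for p, state in report.items() if state == "open")


def tftp_rrq(filename, mode="octet"):
    """TFTP read request per RFC 1350: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", 1) + filename.encode() + b"\0" + mode.encode() + b"\0"


def tftp_serves(host, filename="msblast.exe", port=69, timeout=2.0):
    """True if host answers a read request for `filename` with a DATA packet
    (opcode 3).  ERROR (opcode 5), ICMP port-unreachable or silence -> False."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(tftp_rrq(filename), (host, port))
        try:
            reply, _ = s.recvfrom(516)       # server answers from a new port
        except OSError:                      # timeout or connection reset
            return False
    return len(reply) >= 4 and struct.unpack("!H", reply[:2])[0] == 3


def demo_local():
    """Constructed local services: one listening TCP port, one port nothing
    listens on, and a fake TFTP server that answers any read request with
    block 1 of a file (standing in for an infected host).  Returns verdicts."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                            # nothing listens here any more

    fake_tftp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    fake_tftp.bind(("127.0.0.1", 0))
    tftp_port = fake_tftp.getsockname()[1]

    def serve_one_request():
        _, peer = fake_tftp.recvfrom(516)
        fake_tftp.sendto(struct.pack("!HH", 3, 1) + b"MZ", peer)  # DATA, block 1

    threading.Thread(target=serve_one_request, daemon=True).start()
    result = {"open": tcp_port_state("127.0.0.1", open_port),
              "closed": tcp_port_state("127.0.0.1", closed_port),
              "serves_worm": tftp_serves("127.0.0.1", port=tftp_port)}
    listener.close()
    fake_tftp.close()
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                    # python exposure.py <host>
        report = exposure_report(sys.argv[1])
        print(report, "still exposed:", still_exposed(report))
    else:
        print(demo_local())
```

Two caveats: "filtered" only says that no answer came back, so a host that is down looks the same as one behind a working block, and any TFTP server that happens to hold a file named msblast.exe will also answer the read request, so treat a positive as a reason to look at the host, not as proof by itself.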
 
In a message reply posted recently said:
There is a reason that people always say that you need to stay up to date
with security updates that Microsoft releases. For the love of God, if
nothing else, use Windows Update. There is a CRITICAL security update for
the RPC service that came out last month that you should have installed
immediately.

Actually, Ray, that's only reasonable advice for anyone on a broadband
connection with unlimited downloads.

For the rest of us, Microsoft needs to realise that the huge volume of
updates required to keep your machine fully up-to-date is a burden for many
people.

I am on a broadband connection, but have a 1GB download limit per month. We
use about 25-30MB per day just in normal use (browsing, playing games,
email, etc for a family). So the only way I keep fully up to date is that my
ISP has a file downloads area where I can pick up files that are not charged
against my DL limit. So if the update is more than a couple of MB, or there
are many of them, I have to find the files in a downloadable configuration
on the MS web site, figure out priority, request my ISP to download them for
me (one by one), wait to be notified, then download and install them on each
of my machines (now three).

I won't use the automatic facility at MS Update because it tells me lies. It
says a file is 100KB, but that turns out to be an installer that then
downloads 15 MB of files. Norton does similar stupid things with software
updates.

I realise that the updates are graded as critical, etc., but within the
critical list it would be a heck of a lot easier if MS color coded the list
or flagged it in some way so that ordinary people know when an update (like
the RPC one) is an absolute must-have-today. I was emailed by my ISP when
the RPC patch was released, and told to go to MS updates to download it. I
went there, but could not identify the patch among 26 other critical
updates, totalling over 20 MB, so I gave up. The next day, with more time
available, I researched it through the KB and found the KB patch number,
which I was then able to match to the patch on the update site. Then I had
to go to the downloads page and try to locate the same update file.

So if some people (especially those on slow dialups - and there are still
plenty of them around the world) are not fully up to date with their
patches, can I suggest that people like yourself give them a little
coaching, instead of chiding them?

Tony
 
Valid points! I'm sorry for your situation... If I were you, I'd launch a
DOS attack on your ISP until they lifted that 1 GB restriction. ;]

Ray at work

 