#1
Gold Member
Top Poster
Registered: 26-08-2000
Loc.: tokyo city
Posts: 8.374
W32.Blaster.B/C - Risk 3 - Update
It seems the first 2 variants of the LovSan/Blaster virus have already been detected.

Aliases:
- Variant "B": W32.Blaster.B.Worm (Symantec), WORM_MSBLAST.B (Trend Micro), Win32.Poza.C (Computer Associates), W32/Lovsan.worm.c (McAfee), WIN32/LOVSAN.B (Enciclopedia Virus (Ontinent))
- Variant "C": W32.Blaster.C.Worm (Symantec), W32/Blaster-B (Sophos), W32/Lovsan.worm.b (McAfee), Win32.Poza.B (Computer Associates), WORM_MSBLAST.C (Trend Micro), WIN32/LOVSAN.C (Enciclopedia Virus (Ontinent))

Effects:
- Variant "B": W32.Blaster.B.Worm is a variant of W32.Blaster.Worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The executable for this variant is named "Penis32.exe". Symantec Security Response is currently analysing this threat and will post more information once it becomes available.
- Variant "C": W32.Blaster.C.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. This worm attempts to download the Teekids.exe file to the %WinDir%\System32 folder, and then execute it. Users are recommended to block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the following applications: TCP Port 135, "DCOM RPC"; UDP Port 69, "TFTP". The worm also attempts to perform a Denial of Service (DoS) on the Microsoft Windows Update Web server (www.windowsupdate.com). This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.

Info:
http://www.enciclopediavirus.com/vir...rus.php?id=498
http://www.enciclopediavirus.com/vir...rus.php?id=500
http://www.symantec.com/avcenter/ven...er.b.worm.html
http://www.symantec.com/avcenter/ven...er.c.worm.html
http://www.trendmicro.com/vinfo/viru...WORM_MSBLAST.B
http://vil.mcafee.com/dispVirus.asp?virus_k=100551
http://www.sophos.com/virusinfo/anal...2blasterb.html
http://www.sarc.com/avcenter/venc/da...er.b.worm.html
http://www3.ca.com/virusinfo/virus.aspx?ID=36309
http://www.alerta-antivirus.es/virus....html?cod=2887
http://www.alerta-antivirus.es/virus....html?cod=2886

Updated tools for removing Variants "B" and "C":
http://securityresponse.symantec.com...r/FixBlast.exe
http://www3.ca.com/Files/VirusInform...on/ClnPoza.zip
http://www.trendmicro.com/download/tsc.asp
http://download.nai.com/products/mca...rt/stinger.exe
http://www.trojaner-info.de/cgi-bin/...ile=antimblast

Last edited by Giorgius: 18-08-2003 at 23.26.52
#2
Gold Member
Top Poster
Registered: 26-08-2000
Loc.: tokyo city
Posts: 8.374
Update 14/08/03
The registry key where the virus executable can be found manually is this one:
- Variant "B": HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Executable: "windows auto update"="penis32.exe"
- Variant "C": HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Executable: Run "Microsoft Inet Xp.." = teekids.exe
  Microsoft can suck my left testi! Bill

Last edited by Giorgius: 14-08-2003 at 12.11.45
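As an added example (not from the post or from any vendor tool), the check above turned into a small script: it parses a `.reg` export of the Run key and flags entries whose command launches one of the two executables the post names. The sample export is constructed; the legitimate "SoundMAX" entry is there only to show a non-match.

```python
import re

# Persistence indicators quoted in the post above, keyed by the executable
# name the worm writes into the Run key (matched case-insensitively).
BLASTER_RUN_EXECUTABLES = {
    "penis32.exe": "W32.Blaster.B",
    "teekids.exe": "W32.Blaster.C",
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of a `reg export` of the Run key (not a real capture):
# the two Blaster entries from the post plus one legitimate autostart entry.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"="penis32.exe"
"Microsoft Inet Xp.."="teekids.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
"""

# .reg string values are written as "name"="data", with \\ and \" escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_values(reg_text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # new [KEY] section header
            continue
        m = _VALUE_RE.match(line) if key else None
        if m:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))

def find_blaster_persistence(reg_text):
    """Return the Run-key entries whose command launches a known Blaster executable."""
    findings = []
    for key, name, data in parse_reg_values(reg_text):
        if key.lower() != RUN_KEY.lower():
            continue  # only the Run key named in the post
        tokens = data.split()
        if not tokens:
            continue
        # First token of the command with any directory prefix removed,
        # so "C:\WINDOWS\system32\teekids.exe" still matches.
        exe = tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
        variant = BLASTER_RUN_EXECUTABLES.get(exe.lower())
        if variant:
            findings.append({"variant": variant, "value_name": name, "command": data})
    return findings

if __name__ == "__main__":
    for hit in find_blaster_persistence(SAMPLE_REG_EXPORT):
        print(f"{hit['variant']}: Run\\{hit['value_name']} = {hit['command']}")
```

On a live machine the same text comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`; the exported file is typically UTF-16, so read it with `encoding="utf-16"` before passing it in.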
#3
Gold Member
Top Poster
Registered: 26-08-2000
Loc.: tokyo city
Posts: 8.374
"GIBSON" test to check the security of port "135": https://grc.com/x/portprobe=135

Another software utility to check a corporate LAN for clients affected on port 135: AhnLab RPC Scanner http://www.ahnlab.co.jp/upload/RPCScan.exe

Last edited by Giorgius: 14-08-2003 at 11.58.10
#4
Gold Member
Registered: 18-01-2001
Loc.: Ancona
Posts: 2.210
Quote:
Well! What finesse, eh?
___________________________________
I don't believe in fate, but things know when to happen, and they know how to choose the right moment
#5
Gold Member
Top Poster
Registered: 26-08-2000
Loc.: tokyo city
Posts: 8.374
Steve Gibson is working on a new utility to fix the Blaster/LovSan problem
--------------------------------------------------------------
Here's a little 5k console app which incorporates the DCOM/RPC vulnerability testing logic I've worked out to be used in the DCOMbobulator.

If you run it by double-clicking you'll just see a "flash" of a console window since it doesn't have a "pause" at the end. So you'll need to open an MS-DOS Prompt window and run "dcom.exe" from there. (Last time I did this I *did* have a pause so it could be run from Windows with an implied launch of the console window, but that confused people even more.)

For all of you who have already DCOM-patched your systems, and have left DCOM active, it should tell you that DCOM services are available and that your system is NOT vulnerable to the buffer overrun exploit.

For those of you who have disabled DCOM, it should tell you that DCOM services are not available on your system -- and since this means you're not vulnerable to the buffer overrun, it'll say that too. (It cannot definitively test for your system's vulnerability with DCOM disabled.)

If any of you have not yet patched your systems, presumably because you're behind filters of one form or another which prevent unsolicited incoming connections to port 135 (as is the case for me), and if your DCOM is still enabled, this little tool should tell you that those systems ARE currently vulnerable to the DCOM remote buffer overrun exploit.

If this little app does anything else strange, I'd love to know! This core technology will be moved into the DCOMbobulator where many more bells and whistles will be provided.
------------------------------------------------------------------
DCom Test: http://grc.com/miscfiles/dcom.exe

After downloading it to "C:\", open a DOS window and run the executable "dcom.exe". The test will check for the presence of the MS flaw.

Last edited by Giorgius: 14-08-2003 at 11.57.20
#6
Gold Member
Top Poster
Registered: 26-08-2000
Loc.: tokyo city
Posts: 8.374
Info Gallery:
#7
Gold Member
Top Poster
Registered: 26-08-2000
Loc.: tokyo city
Posts: 8.374
What You Should Know About the Blaster Worm
Updated August 13, 2003, 10:20 P.M. Pacific Time
http://www.microsoft.com/security/incident/blast.asp
#8
Gold Member
Top Poster
Registered: 26-08-2000
Loc.: tokyo city
Posts: 8.374
14 Aug 17:16 Internet: FBI says Blaster is winding down
NEW YORK - FBI experts have no doubts: Blaster, the computer virus circulating on the Internet that infects Windows operating systems and makes computers shut down repeatedly after startup, is dying out. "The epidemic is slowing down and that is good news," said James Farnan of the Bureau's cyber division. (Agr)
#9
Gold Member
Top Poster
Registered: 26-08-2000
Loc.: tokyo city
Posts: 8.374
The new release Stinger v1.8.2 has been published.
Download: Mirror: http://download.nai.com/products/mca...rt/stinger.exe
Detects: BackDoor-AQJ, Bat/Mumu.worm, Exploit-DcomRpc, IPCScan, IRC/Flood.ap, IRC/Flood.bi, IRC/Flood.cd, NTServiceLoader, PWS-Sincom, W32/Bugbear@MM, W32/Deborm.worm.gen, W32/Elkern.cav, W32/Fizzer.gen@MM, W32/FunLove, W32/Klez, W32/Lirva, W32/Lovgate, W32/Lovsan.worm, W32/Mimail@MM, W32/MoFei.worm, W32/Mumu.b.worm, W32/Nimda, W32/Sdbot.worm.gen, W32/SirCam@MM, W32/Sobig, W32/SQLSlammer.worm, W32/Yaha@MM
#10
Gold Member
Top Poster
Registered: 26-08-2000
Loc.: tokyo city
Posts: 8.374
LONDON (CNN) -- The peak danger of the computer virus designed to infect Windows computers, which will in turn attack Microsoft's site, will fall on the weekend of 16 and 17 August. Starting Saturday 16 August, computers infected by the virus called 'MSBlaster' or 'LoveSAN' will begin frantically sending data packets to a Microsoft site in an attempt to knock it out. The targeted site is windowsupdate.microsoft.com, used by Microsoft to distribute updates for its operating system, Windows. The virus has been spreading across the whole web since Monday, hitting computers running Windows XP, 2000, NT and Server 2003.

Computer security experts believe the virus, which spreads by exploiting a Windows vulnerability, has not yet caused significant disruption to data traffic on the Web, but that the risk of this happening is very high, since it is spreading decidedly fast. Researchers have in fact already reported tens of thousands of infected computers across offices, universities and home workstations. "It seems to be spreading very fast," says Johannes Ullrich, director of D-Shield in Boston.

The virus has been nicknamed "LovSan" because of a message left on infected PCs, which reads: "I just want to say LOVE YOU SAN". Researchers then discovered a second message hidden in the virus that addresses Bill Gates directly, mocking him like this: "Bill Gates, how is this possible? Stop making money and make better software!"

The US government and the computer industry had warned of the spread of the virus as early as 16 July - see article - when Microsoft disclosed the vulnerability in almost all versions of Windows, at the same time offering users a free patch to protect the operating system.

"It is still too early to expect anything," said Vincent Gullotto, one of the vice-presidents of Network Associates. "Everything depends on how widely it spreads." The Achilles heel of Windows exploited by the virus lies in the technology used to share data files across computer networks, whether local or, indeed, global, and belongs to a category of vulnerability called "buffer overflow", which can trick the software into accepting dangerous commands.

Here we go again: cases already reported this evening on some servers around the world (time zones). Watch out over the next 4 days, especially those who will be using their PC from next Monday... We'll see whether the MS patches hold up against the attack...
#11
Gold Member
Top Poster
Registered: 26-08-2000
Loc.: tokyo city
Posts: 8.374
Department of Homeland Security
August 14, 2003
Potential Internet Attack Targeting Microsoft Beginning August 16, 2003

OVERVIEW
The National Cyber Security Division (NCSD) of the DHS / Information Analysis and Infrastructure Protection Directorate is issuing this advisory to heighten awareness of potential Internet disruptions beginning August 16, 2003. An Internet worm dubbed "msblast", "lovesan", or "blaster" began spreading on August 11th that takes advantage of a recently announced vulnerability in computers running some versions of the Microsoft Windows operating system. DHS addressed this issue in an advisory available at http://www.dhs.gov/interweb/assetlib...mpact_MS2.PDF. NCSD would like to highlight that this worm contains additional code which may cause infected computers to attempt repetitive connections to a popular Microsoft web site, www.windowsupdate.com, beginning just after midnight on the morning of August 16th.

IMPACT
Because of the significant percentage of infected computers using high speed connections to the Internet (DSL or cable for example) the conditions exist for a phenomenon known as a distributed denial of service (DDoS) attack against the Microsoft web site beginning on August 16th. Steps are being taken by Microsoft and by Internet Service Providers to mitigate the impact of the DDoS. Owners of computers infected by the worm may experience a general slowness of their computer along with difficulty in connecting to Internet sites or local network resources. Systems that are still infected on August 16th may stop spreading the worm and may begin flooding the Microsoft Update site with repeated connection requests. Other customers who attempt to use the site to update their Microsoft Windows operating systems on or after August 16th might experience slowness in response or inability to connect to the update site.

DETAILS
Windowsupdate.com is used as a starting point for users of Microsoft Windows operating systems for software updates. The code in the worm instructs infected computers to repeatedly connect to that site beginning on the 16th of August. Starting on January 1, 2004, the worm will switch to cyclic behavior in which it attacks the Microsoft web site from the 16th of each month to the end of the month. Between the 1st and 15th of the month, infected computers may attempt to scan for other vulnerable systems in order to spread the worm. The worm uses the clock in the infected computer to determine when to start and stop; therefore Microsoft may begin seeing attacks on the morning of the 15th due to time zone differences around the world. This pattern of spreading from the 1st to the 15th and flooding Microsoft between the 16th and the end of the month may continue indefinitely.

RECOMMENDATIONS
The worm takes advantage of a serious vulnerability in several versions of the Microsoft Windows operating system. DHS encourages system administrators and computer owners to update vulnerable versions of Microsoft Windows operating systems as soon as possible before August 15th. Details on which computers are vulnerable and instructions for cleaning infected computers are available at http://www.microsoft.com/security/incident/blast.asp. DHS also encourages system administrators and computer owners to update antivirus software with the latest signatures available from their respective software vendor. In order to limit the spreading of the worm, DHS further suggests that Internet Service Providers and network administrators consider blocking TCP and UDP ports 69, 135, 139, 445, and 4444 for inbound connections unless absolutely needed for business or operational purposes.

DHS encourages recipients of this Advisory to report information concerning suspicious or criminal activity to local law enforcement, the local FBI Joint Terrorism Task Force or the Homeland Security Operations Center (HSOC). The HSOC may be contacted at: Phone: (202) 282-8101. DHS intends to update this advisory should it receive additional relevant information, including information provided to it by the user community. Based on this notification, no change to the Homeland Security Advisory System (HSAS) level is anticipated; the current HSAS level is YELLOW.
#12
Gold Member
Top Poster
Registered: 26-08-2000
Loc.: tokyo city
Posts: 8.374
UP!
The alert level assigned by the US network security body to this variant has risen to "4"
#13
Gold Member
Top Poster
Registered: 26-08-2000
Loc.: tokyo city
Posts: 8.374
MS03-026 Scanning Tool
Effects: Download a tool that can be used to scan networks to identify host computers that do not have the 823980 Security Patch (MS03-026) installed.
System Requirements: Supported Operating Systems: TabletPC, Windows 2000, Windows Server 2003, Windows XP, Windows XP 64-bit, Windows XP Media Center Edition
Download: Mirror: http://download.microsoft.com/downlo...69-X86-ENU.exe
#14
Gold Member
Top Poster
Registered: 26-08-2000
Loc.: tokyo city
Posts: 8.374
Internet worm threat 'thwarted'
The virus threatened to bombard a Microsoft website

Software giant Microsoft says it is confident it has thwarted threatened massive disruption to the internet from the MSBlast worm.

The computer virus was set to bombard one of Microsoft's websites from infected machines around the world on Saturday, raising fears it would paralyse the network.

Microsoft implemented a series of countermeasures and reported "no problems" hours after the attack was due to have begun.

However, variants of the worm have already appeared and more dangerous versions are expected in the coming weeks and months, says the BBC's Kevin Anderson in Washington.

In the first phase of its attack, the worm infected an estimated 300,000 computers worldwide, causing them to reboot frequently.

Worm flawed

In the second phase, the computers were expected to fling data at the Microsoft website that helps Windows users patch their machines against viruses and other bugs.

However, a flaw in the worm may have enabled Microsoft to fend off its worst effects.

The worm instructed computers to call up http://windowsupdate.com - which is an incorrect address for reaching the actual Microsoft website that houses the software patch that protects against the worm.

Although Microsoft has long redirected those who visited that incorrect address to the real site, the company disabled the automatic redirection Thursday in preparation for the onslaught of infected computers.

Microsoft said its countermeasures had proved effective. "We have been through a number of time zones now with no problems and we do not expect any as the [midnight Friday] deadline passes in the UK or US", said a Microsoft spokesman.

Microsoft said customers who have not yet installed software to remove the worm were still being affected by phase one of the virus' attack.

BBC journalist Julian Joyce said he was infected after being sent a link to a Microsoft website page by Microsoft customer support.

"My whole computer shut down and every time I was online for more than about five minutes it would kick in again and shut the computer down," he said.
#15
Gold Member
Top Poster
Registered: 26-08-2000
Loc.: tokyo city
Posts: 8.374
According to Panda Software's readings there was a considerable increase in the spread of the Blaster virus this morning (06:15).
Right now (also thanks to the fact that today is Sunday) the infection index is clearly dropping... http://www.pandasoftware.com/virus_info/ Maximum attention to all users who have not yet updated Windows XP (security patch and antivirus update). The FBI is still investigating whether the virus was involved in the big American blackout...