Windows worm, picking up speed


Nick

Hi Links Shadow,

Thanks for the post. Is this something that the Windows Update site would have released as a "critical update"? I have automatic update in WinXp and it looks like there's nothing new for me to update. Then again, you did say that the Windows patch is not effective? What about Norton Anti-Virus or V-Com System Suite 5, for example?

By the way, I got to administrative tools by way of Start> Program Menu> Administrative Tools, then clicked on "Services" from the drop down menu. That in turn opened up a menu list. One of the items is entitled "Remote Procedure Call (RPC)" which I double-clicked.

However, I didn't change anything just yet. I'll wait for your next post, and also try educating myself about this nasty worm. Thanks for the eweek link and the "heads up" too.

Very best,
"What lies before us, and what lies behind us, are tiny matters compared to what lies within us...." - Ralph Waldo Emerson

Links Shadow

Dear Nick,

I don't know too much about the worm itself. All I know is what my mom brought home from work with her today; she works for the United States Postal Service, a government agency. The government is really concerned about this because many of their systems run Windows XP, which is the most vulnerable of all operating systems. Windows NT and Windows 2000 are supposed to be vulnerable as well, but I don't know whether the fix I provided will work on them as well or not. Windows 98 and earlier have not yet had any reported cases, so there is a chance that they are not vulnerable.

According to the information my mom brought home, antivirus programs are not yet equipped to prevent this worm from infecting your computer, nor are they able to help if you have been. Hopefully they will have a fix soon. I know I was pretty reluctant to change the settings myself, but I figured if the government is having it done on all of their computers it is probably not a bad idea.

About the patch, my mom said that many of the computers at the post office had downloaded the patch with no success in resolving the problem, but they still recommend having it anyway. It would be one of the "critical updates". Your local newspaper may have an article about the worm in it today, because mine did; you can check and see what your paper has to say about it. I will try to find out more about this worm and let everyone know what I find.

Respectfully,
Link's Shadow

Also I should add that they are not yet sure how the worm is spreading because it is not necessarily through emails.  So just be careful of where you go on the internet for a little while, until it is under control.

Nick

Thanks Links Shadow! [:)] Think I'll log off and run a virus scan.

Take care,
"What lies before us, and what lies behind us, are tiny matters compared to what lies within us...." - Ralph Waldo Emerson

Lasher

quote:
Originally posted by Links Shadow

There is a worm out and it is in full swing right now.  I have heard of many people being infected by it.  Here is an article that briefly talks about it.  

http://www.eweek.com/article2/0,3959,1208127,00.asp

Your computer will say something to the effect that "Your computer needs to be shutdown in a certain amount of time."  Something about "RPC".  I have not been infected by it so I don't know exactly what it says.  I have heard of several people installing the windows patch with no success in correcting the problem.  I have found a method to prevent yourself from getting infected though and to find out if you have been infected even if you have not gotten any messages yet.

Prevent for Windows XP, the main operating system affected:

1.  Go to Control Panel and select "Administrative Tools".
2.  Scroll down and find "Remote Procedure Call (RPC)", double click it.  You may have one called "Remote Procedure Call (RPC) Locator"; don't choose this one.
3.  Select the Recovery tab.
4.  Change the "first failure", "second failure", and "subsequent failures" boxes to "take no action".
5.  Click apply and then okay.  You are now protected.

Fix

1.  Click start and select "Search"
2.  Search for "Lovsan.exe", "LoveSan.exe", and "MSBlast.exe"
3.  If you find any of them delete them and empty the recycle bin on the desktop.
4.  Go here to get updates if you have not done so in a while, just for future security's sake.  http://windowsupdate.microsoft.com/



Good advice, LS!  

I would only add a step 1.5 between steps 1 and 2 of your first set of instructions.

1.5 Double click on "Services". (this brings up the menu where you can select "Remote Procedure Call (RPC)")

My wife is in Information Services and has been dealing with this all week.  Apparently, there are already many variants coming out to further complicate matters.  But your advice should still do the trick for now.  Unfortunately, http://windowsupdate.microsoft.com is getting slammed with all the people downloading the update, and it may go down entirely when the worm launches its special attack on that site.  I understand that you can also get patches and info at http://securityresponse.symantec.com/

Good luck everyone.  This is a nasty one.

Lasher

Links Shadow

Thanks Lasher, I meant to have that part about "services" in there but I was distracted when I was typing it.  Thank you for finding that error.  I edited the above post so that people looking at the topic for the first time have all the instructions in one place.

Respectfully,
Link's Shadow

sahlyn

I don't know anything about this new worm, but a good firewall will prevent a lot of these problems. (Antivirus software is not enough).

The most popular and highly recommended firewall is 'zone alarm', which you can get for free at //www.zonelabs.com (paid version is also available).

With this firewall installed, your computer is invisible and untouchable to hackers etc.
You can test this yourself at these sites:
http://grc.com/default.htm
http://www.pcflank.com/

Note: Windows XP's built in firewall is hopeless compared to a software firewall like zone alarm.

Useful info:
http://www.pcworld.com/howto/article/0,aid,111124,pg,1,00.asp


Nick

Thanks for the Zone Alarm link, Sahlyn. [:)]

Yes, regarding Zone Alarm and Zone Alarm Pro, they are consistently rated Editor's Choice by PC Magazine and I believe PC World magazine also raves about them. Maybe I should finally buy Zone Alarm. I agree that the XP firewall is pretty useless by comparison.

Take care,
"What lies before us, and what lies behind us, are tiny matters compared to what lies within us...." - Ralph Waldo Emerson

realism

This is exactly why I love having a mac, none of this stuff can hurt me!!! I AM INVINCIBLE!!!!!!!!!!! **and deluded, but we won't bring that up**[:D]

Nick

Hi Links,

As a follow-up, I work for the County of Ventura, and the local government center got hit by the virus. The newspaper lists about $70,000 to fix and repair the infected systems.

So since I have Norton System Works, I went ahead and bought Norton Internet Security. They both integrate well so I stuck with Symantec products. Also, PC magazine actually picked Norton Internet Security as their editor's choice (most recent issue). I'm sure any good firewall will do though.

Later,
"What lies before us, and what lies behind us, are tiny matters compared to what lies within us...." - Ralph Waldo Emerson

Adrian

Greetings everyone,

I wouldn't recommend Zone Alarm. It seems to be somewhat unstable at times, but worse, it is prone to trojans which automatically unload the firewall after a few minutes so hackers can get in.

I would highly recommend Agnitum Outpost Free:

http://www.agnitum.com/download/outpost1.html

Outpost Pro 2.0 is much more advanced again, and excellent value at $39.95. See:

http://www.agnitum.com/products/outpost/features.htm

It uses stateful inspection technology the same as hardware firewalls.

With best regards,

Adrian.
https://ourultimatereality.com/
Vincit Omnia Veritas

sahlyn

I received this email today from zone labs:

Zone Labs Security Advisory

MS-BLAST WORM, First documented exploit of the July 16, 2003 Microsoft Windows RPC vulnerability

Risk: High. All unprotected Internet-connected PCs with vulnerable versions of the Windows operating system could be affected.

Vulnerability: The MS-Blast worm exploits a vulnerability of the RPC (Remote Procedure Call) process built into Windows. The MS-Blast worm scans the local network for PCs that have UDP port 135 open. If the worm finds such a target, it exploits the RPC vulnerability and infects the PC with a copy of itself. The worm attempts to spread further and interfere with normal operation.

Harm: Loss of user productivity and potential business continuity issues. Infected machines may experience performance problems and users may not be able to use their Internet connections.

Impact on Zone Labs users: None. All computers employing properly configured ZoneAlarm® Pro, ZoneAlarm Plus and ZoneAlarm security products are protected against this and similar vulnerabilities.

Protection: When properly configured, Zone Labs products prevent the MS-Blast worm from infecting PCs. Also, Zone Labs products alert you when MS-Blast attempts to connect to other PCs. Denying the worm permission keeps it from spreading.

So it looks like I'm safe[:)]

Thanks for the recommendation, Adrian. I'll check it out if I start having problems with zone alarm.

Adrian

Greetings,

I received this newsletter from Agnitum, the makers of Outpost. I can only say what I said before, and that is in my opinion this firewall is way ahead of the others.

With best regards,

Adrian.

Agnitum Newsletter (2003-08-15)
http://www.agnitum.com

- IN THIS ISSUE -
(*) Microsoft Recommends Outpost Firewall as Protection Against Blast
Worm
(*) Agnitum and Buhl Data Service Sign New Pact
(*) PC Pro Moves Outpost Pro to Its A List
(*) Outpost Pro Defeats ZoneAlarm Pro Once Again


**********************************************************
MICROSOFT RECOMMENDS OUTPOST FIREWALL AS PROTECTION AGAINST BLAST WORM

All Windows users around the world are under the very real risk of being
infected by a new mass-mailed Blast worm (also known as Lovesan,
MSBlaster or Poza). This malicious program has already infected more
than 3000,000 computers and has caused internal disruptions in many
companies and Internet service providers.

The worm uses a flaw in the Distributed Component Object service that is
hosted by a Remote Procedure Call (RPC) to take control of PCs.

Once the victim machine is infected, a hacker can execute any code on
it. A worm can consume memory or network bandwidth and cause the PC to
stop responding.

In order to replicate via the RPC vulnerability, Blast worm scans port
135. Fortunately, users of properly configured personal firewalls are
well protected against this malicious code. It is enough just to block
all incoming and outgoing connections to port 135 (TCP/UDP) to prevent
the infection.

Microsoft Corp. posted the article, "What You Should Know About the
Blaster Worm" on its web site:
http://www.microsoft.com/security/incident/blast.asp

Outpost Firewall is one of the few personal firewalls recommended by
Microsoft as defense against the Blast worm.

**********************************************************
AGNITUM AND BUHL DATA SERVICE SIGN NEW PACT

Agnitum, a publisher of Windows security applications, is continuing its
successful partnership with Buhl Data Service GmbH by signing a new
three year distribution agreement for Buhl Data to market Agnitum's
products: Outpost Firewall Pro and Tauscan. Both products will be
customized for the German market and given the Buhl brand, where they
will be sold as PCFirewall and Anti Trojaner.

"We signed a new contract with Agnitum because we were looking for a
partner with which we can pursue our technology leadership for a long
time in the German-speaking market", commented Thomas Becker, Marketing
Director for Buhl Data Services.

Buhl has been granted exclusive rights to market Agnitum's
German-language retail products in Germany, Austria, and Switzerland.
Buhl will also provide technical support for both products.

The first agreement between the two companies covered the distribution
of Outpost Firewall Pro. This now includes Tauscan.

For more information, here is the official press-release:
http://www.agnitum.com/news/agnitumbuhlcontinue.htm

**********************************************************
PC PRO MOVES OUTPOST PRO TO ITS A LIST

British magazine, PC Pro, elevated the new Outpost Pro 2.0 to its "A
List", the top hardware and software products it recommends to its
readers.

PC Pro distinguishes Outpost Pro 2.0 as "the best of its breed". This
honor is due mainly to its redesigned interface, new event logging
engine and improved stability.

Outpost toppled ZoneAlarm Firewall, previously on the "A List".

The entire review can be read at PC Pro's web site here:
http://www.pcpro.co.uk/reviews/reviews_story.php?id=44646

**********************************************************
OUTPOST PRO DEFEATS ZONEALARM PRO ONCE AGAIN

Last year German PC Welt compared two leading firewalls: Outpost Pro and
ZoneAlarm Pro. The article, "Firewall duel", described the pros and cons
of each product. Both firewalls were given specific points to determine
which was better.

Outpost Pro 1.0 won that battle last year and this year Outpost Pro 2.0
again won the contest, giving ZoneAlarm Pro 3.7.168 a resounding loss.

PC Welt pronounced Outpost the winner because of its higher protection
abilities and more intuitive interface.

Best Regards
Agnitum Ltd.:
Taking Care of Your Security
http://www.agnitum.com

https://ourultimatereality.com/
Vincit Omnia Veritas

James S

Just to add to Adrian's commendations of Outpost, it also has built-in active content and ad blocking so you can set it to stop cookies, popup windows and block ads. This it does very well once set up properly!

Enjoy,
James.

shadowatcher

I'm a gamer, and often download demos and trailers for upcoming games. Unfortunately, these files often contain hidden adware (or parasites). These run popup ads constantly, and track every site you visit online. Though not as dangerous, or as illegal as viruses, they can cripple your CPU by piggybacking your system and running in the background. Do you want your system taken over by adware? The product I recommend is Spybot, which is a free download. Go to www.download.com, and search for "spybot". Download the first file (usually), which is called SpyBot, Search and Destroy. It is very easy to use. Also, if you just want to check if you're infected, go to www.doxdesk.com. This site has a detection script that checks your computer for adware.

Nick

Hi Shadowatcher,

I have been using SpyBot Search and Destroy for a couple of months after reading about it in several computer magazines. It really works well, and as you said, it's free.

Adrian and James, I'll look into Outpost Pro. Thanks for all the advice and weblinks. I've used Norton anti-virus and system works for a while, and just added their "Internet Security" firewall. My attention level to firewalls has been low b/c in my neighborhood there is no DSL yet. Still, if a better firewall is out there, it's worth looking into.

Very best,
"What lies before us, and what lies behind us, are tiny matters compared to what lies within us...." - Ralph Waldo Emerson

Adrian

Greetings everyone,

An excellent and free virus scanner is available from Trend, one of the top anti-virus companies.

It is called "Sysclean" and is available from here:

http://www.trendmicro.com/download/tsc.asp

You need to download the second file, "sysclean.com".

You will also require the latest virus definition file:

http://www.trendmicro.com/download/pattern.asp

You can download the latest virus definition files from the website anytime. The whole thing is free and very effective.

With best regards,

Adrian.
https://ourultimatereality.com/
Vincit Omnia Veritas

Nick

I've looked at the online reviews from PCPro (UK) and PCmagazine (US) about firewalls. The following link is a review out of PCmagazine. It's interesting to note the differences of opinion in the pc mags from one side of the Atlantic to the other.

http://www.pcmag.com/article2/0,4149,640289,00.asp

At the bottom of the article they cover a variety of firewalls. Perhaps Outpost pro will catch on here in the US, however I read 3 computer mags cover to cover each month (yes, I'm one of those) and am surprised that I hadn't picked up on Outpost until this thread.

Very best,
"What lies before us, and what lies behind us, are tiny matters compared to what lies within us...." - Ralph Waldo Emerson

Adrian

Greetings Nick,

Agnitum are a fairly small company, in fact minuscule compared to the really big companies like McAfee. Like many small companies with state of the art products I suspect they have only limited funds for marketing, and rely mostly on reviews and word of mouth. People who find Outpost seem to stick with it however.

I have tested ZoneAlarm, Sygate and Tiny Firewall, and there is no doubt that Outpost is in a league of its own - even the free version - Outpost Pro 2.0 is definitely way above the rest.

With best regards,

Adrian.
https://ourultimatereality.com/
Vincit Omnia Veritas

Anonymous

Since we can all agree that Microsoft's software sucks major monkey balzz, I would just like to say that I agree with the worm's creator about Bill Gates making lots of money off of software that really sucks, but I don't see a need to create yet another worm for it. Also, this could be phase 1 of a terrorist attack (I mean that they could send out a far worse virus that would spread like crazy, disable our communications, then strike us while we are unprepared). This worries me because if I could think of this idea, imagine what they could do. There are holes in security in every aspect of our society, and this is a major problem. Because people are so dependent on computers, I think Microsoft should be investigated, and I think people should be more educated about computers. Macintosh's software is far more advanced and provides the user with better virus protection. Though the system may crash a lot, it is for different reasons, and one can mess with the skeletal structure of the program to weed out the bugs. Oh well, enough said. Macs rule, Microsoft drools. Next computer I get, I'm going Mac.

Links Shadow

There is a worm out and it is in full swing right now.  I have heard of many people being infected by it.  Here is an article that briefly talks about it.  

http://www.eweek.com/article2/0,3959,1208127,00.asp

Your computer will say something to the effect that "Your computer needs to be shutdown in a certain amount of time."  Something about "RPC".  I have not been infected by it so I don't know exactly what it says.  I have heard of several people installing the windows patch with no success in correcting the problem.  I have found a method to prevent yourself from getting infected though and to find out if you have been infected even if you have not gotten any messages yet.

Prevent for Windows XP, the main operating system affected:

1.  Go to Control Panel and select "Administrative Tools".
2.  Double click on "Services"; this will open a new window.
3.  Scroll down and find "Remote Procedure Call (RPC)", double click it.  You may have one called "Remote Procedure Call (RPC) Locator", don't choose this one.
4.  Select the Recovery tab.
5.  Change the "first failure", "second failure", and "subsequent failures" boxes to "take no action".
6.  Click apply and then okay.  You are now protected.

Fix

1.  Click start and select "Search"
2.  Search for "Lovsan.exe", "LoveSan.exe", and "MSBlast.exe"
3.  If you find any of them delete them and empty the recycle bin on the desktop.
4.  Go here to get updates if you have not done so in a while, just for future security's sake.  http://windowsupdate.microsoft.com/
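
Added example, not part of the original posts: a read-only PowerShell audit of the three things the thread's steps touch (the RPC service's Recovery-tab actions, the file names listed under "Fix", and whether port 135 is listening). The Recovery setting only controls what Windows does after the RPC service has failed, so the port and patch state still matter. The function names are hypothetical; the script assumes Windows 8 / Server 2012 or later, English `sc.exe` output, and an elevated prompt.

```powershell
# Added example (not from the thread). Read-only: nothing is changed or deleted.
# Assumptions: Windows 8 / Server 2012+, English sc.exe output, elevated prompt.

# File names exactly as listed in the post's "Fix" steps.
$WormFileNames = 'Lovsan.exe', 'LoveSan.exe', 'MSBlast.exe'

function Get-RpcRecoveryActions {
    # RpcSs is the service shown as "Remote Procedure Call (RPC)";
    # "sc.exe qfailure" prints what its Recovery tab is set to.
    $out = & sc.exe qfailure RpcSs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc.exe qfailure failed: $out" }
    # Configured actions print as "RESTART -- Delay = ...", "REBOOT -- ..." or
    # "RUN PROCESS -- ..."; no match means every box is "Take No Action".
    $out | Select-String -Pattern '\b(RESTART|REBOOT|RUN PROCESS)\s+--' -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object { $_.Groups[1].Value }
}

function Find-WormFiles {
    param([string[]]$Roots = @($env:SystemRoot))
    # Same search as the Start > Search step, limited to the given roots.
    Get-ChildItem -Path $Roots -Include $WormFileNames -File -Recurse -Force `
        -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

function Get-Port135Listeners {
    # Shows local listeners only; a host firewall may still block remote access.
    Get-NetTCPConnection -LocalPort 135 -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

$actions   = @(Get-RpcRecoveryActions)
$files     = @(Find-WormFiles)
$listeners = @(Get-Port135Listeners)

[pscustomobject]@{
    RpcRecoveryActions = if ($actions.Count) { $actions -join ', ' } else { 'Take No Action' }
    WormFilesFound     = $files.Count
    WormFilePaths      = $files.FullName -join '; '
    Port135Listening   = $listeners.LocalAddress -join ', '
}
```

Pass `-Roots` with additional drive paths to `Find-WormFiles` to widen the search beyond the Windows directory.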