Major Windows Exploit

Commando (Join Date: 2002-05-22, Member: 657; Members, NS1 Playtester)
edited August 2003 in NS General Discussion
You need to read this!

This doesn't really belong in general but it's a MAJOR problem and a lot of NS people are being hit by it so the message needs to reach as many as possible!

---

This isn't very new (about a month old) but recently it seems worms have been written to exploit this and it's been happening to a lot of people, so if you haven't installed this patch or have been getting strange crashes you need this!

This does not affect 95/98/ME because they are not based on NT.

Firewalls will help against this exploit but it would be a good idea to install this patch anyway.

<b>Microsoft Patch + Information</b>
<a href='http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp' target='_blank'>http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp</a>

<b>Web based Virus Scanners</b> (If you had weird crashes run one)

<a href='http://forums.relicnews.com/showthread.php?s=&threadid=12473' target='_blank'>http://forums.relicnews.com/showthread.php?s=&threadid=12473</a>

Critical security rating for the following Windows Versions:

Windows NT 4.0 Server
Windows NT 4.0 Terminal Server Edition
Windows 2000
Windows XP 32 bit Edition
Windows XP 64 bit Edition
Windows Server 2003 32 bit Edition
Windows Server 2003 64 bit Edition

QUOTE:
What's the scope of the vulnerability?

This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could gain complete control over a remote computer. This would give the attacker the ability to take any action on the server that they want. For example, an attacker could change Web pages, reformat the hard disk, or add new users to the local administrators group.

Who could exploit the vulnerability?

Any user who could deliver a TCP request to an RPC interface to an affected computer could attempt to exploit the vulnerability. Because RPC requests are on by default in all versions of Windows, this in essence means that any user who could establish a connection with an affected computer could attempt to exploit the vulnerability.

--

For anyone having problems getting the patch (Thanks NEWSBOT3):

1. Stop the problem from shutting you down, so you can fix it.
Press Start > Run, type 'dcomcnfg' (without the quotes) and press Enter.
Now go to Component Services, and double-click Computers.
Right-click My Computer and select Properties. Go to the Default Properties tab, and DESELECT "Enable Distributed COM on this computer".
Press Apply, then OK, and close Component Services.

2. THIS IS VERY IMPORTANT TO DO
Now, reboot your machine. If you do not do this, someone can still have access to your machine, and can be causing more damage etc.

3. Go to the MS site, and get the patch for this problem.

WinXP users should choose the '32 bit' option

4. Install patch

5. THIS IS VERY IMPORTANT TO DO
Reboot your machine for the final time.

At this stage you can re-visit step 1 and re-enable "Enable Distributed COM on this computer"; it's fine to do this as long as you have followed all the steps above.

6. THIS IS EXTREMELY IMPORTANT TO DO
Virus scan your machine. Since potentially someone could have had complete control of your PC, you need to be sure it's clean.

--

Getting rid of msblast: <a href='http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547' target='_blank'>http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547</a>

Comments

  • coil (Amateur pirate. Professional monkey. All pance.) (Join Date: 2002-04-12, Member: 424; Members, NS1 Playtester, Contributor)
    Thanks for the heads-up.
  • RaVe (Join Date: 2003-06-20, Member: 17538; Members)
    I iz lucky because I updated mine a looong time ago :D

    Thank god I updated in time, I hate worms
  • Epidemic (Dark Force Gorge) (Join Date: 2003-06-29, Member: 17781; Members)
    I've had some crashes lately.. uh..
  • moultano (Creator of ns_shiva.) (Join Date: 2002-12-14, Member: 10806; Members, NS1 Playtester, Contributor, Constellation, NS2 Playtester, Squad Five Blue, Reinforced - Shadow, WC 2013 - Gold, NS2 Community Developer, Pistachionauts)
    edited August 2003
    I don't understand how we STILL have buffer overflows in modern software, I mean jesus. JUST USE strncpy()! It's just one more letter and one more argument!
  • devicenull (Join Date: 2003-04-30, Member: 15967; Members, NS2 Playtester, Squad Five Blue)
    edited August 2003
    <a href='http://www.grc.com' target='_blank'>www.grc.com</a> Has more information
    <a href='https://grc.com/x/portprobe=135' target='_blank'>Click this link</a> to see if you are vulnerable.
    If the above link says "Closed" or "Stealth" you are not vulnerable; if it says "Open!" you are.

    Of course, using the free software firewall <a href='http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp' target='_blank'>Zonealarm</a> causes any attempt to connect to my computer to be blocked and logged. It also prevents software from accessing the internet without your permission. It also closes the affected port, making me protected before it was detected.
    Let's look at what Zonealarm blocked on my computer: 13889, yes 13889 attempts at connecting to my computer by anyone on the internet who wasn't supposed to. Out of those, 7852 have been high-rated. Not all of those are bad, but many are. Even more are people scanning the internet, looking for unsecured machines... Is yours one of these unsecured machines?

    I personally will be getting the GRC patch as opposed to the MS patch

    See <a href='http://grc.com/default.htm' target='_blank'>http://grc.com/default.htm</a> for more information about this, Messenger annoyances, and various other security resources, including a web based port scanner (it can only scan your computer) and information about closing the netbios port.
  • Sirus (Join Date: 2002-11-13, Member: 8466; Members, NS1 Playtester, Constellation)
    I'm going to guess that my router is probably going to make it impossible for them to gain control. But I've recently updated windows anyways.

    Thanks for the heads up though Commando.
  • TerRaKanE (Join Date: 2003-05-14, Member: 16292; Members, Constellation)
    I have got some crashes, too.
    I'll try to fix it up now
    thx
  • Majin (Join Date: 2003-05-29, Member: 16829; Members, Constellation)
    I had this bug
    It opened MS PAINT
    someone drew a Boxing glove on my screen, then he clicked it and it flew out of my screen and punched me in the face! :p

    J/K
    Thanks for the Heads Up!
  • Tyrain (Join Date: 2003-01-03, Member: 11746; Members)
    Thanks for the info. This worm kept closing my windows for 2 hours.
  • Infinitum (Anime Encyclopedia) (Join Date: 2002-08-08, Member: 1111; Members, Constellation)
    Gonna keep bumping this for a while.

    I had it, it got fixed by the lovely dears here and it's all good now.
  • Monkeybonk (Join Date: 2003-08-04, Member: 18859; Banned)
    Just today I had two crashes in the RPC interface.
  • BlaqWolf (Join Date: 2002-10-28, Member: 1667; Members)
    Yeah, I installed that fix you gave me and I got this thing.... help me get rid of it please.... :(
    (attachment: argh.JPG, 119.6K)
  • sheena_yanai (Join Date: 2002-12-23, Member: 11426; Members)
    Got the same 1 hour ago... rebooted my puter 3 times... the one of my neighbour at the exact same time... my boyfriend's puter 30 secs after that... but I already knew at this time what it is... because something like that can only come from outside... I've deactivated my modem, fired up my firewall... activated it again, installed the patch... now the RPC buffer overrun does not appear anymore... but thx anyway...
  • Commando (Join Date: 2002-05-22, Member: 657; Members, NS1 Playtester)
    Erm... what the hell did you download? ???
    I don't know how you managed to get spyware from the official Microsoft page but try Spybot to remove it.

    Spybot - Search & Destroy
    <a href='http://security.kolla.de/' target='_blank'>http://security.kolla.de/</a>
  • Monkeybonk (Join Date: 2003-08-04, Member: 18859; Banned)
    www.lavasoft.de

    Don't worry, it ain't German.
  • cshank4 (Join Date: 2003-02-11, Member: 13425; Members)
    Heh, what's SVCHOST.EXE for?
  • cshank4 (Join Date: 2003-02-11, Member: 13425; Members)
    HELZA! woot I'm stealthed hack me now internet biatches! mwahhahahahahahah
  • Deronok (Join Date: 2003-03-17, Member: 14613; Members)
    QUOTE (cshank4 @ Aug 11 2003, 04:06 PM): HELZA! woot I'm stealthed hack me now internet biatches! mwahhahahahahahah
    Eh?
  • kuperaye (Join Date: 2003-03-14, Member: 14519; Members, Constellation)
    I've just got this today, happened to me 3 times in a row before I figured it was internet related...


    So I have Windows Home XP; which one do I dl the patch for? 32bit or 64bit? How do I tell which one?
  • Tyrain (Join Date: 2003-01-03, Member: 11746; Members)
    edited August 2003
    32

    SVCHOST (or whatever) is WinXP system data. Don't end it.
  • devicenull (Join Date: 2003-04-30, Member: 15967; Members, NS2 Playtester, Squad Five Blue)
    That box looks like something from IE... prob some stupid MS thing... Whose download gave you that? Was it ZoneAlarm?
  • Aaron (vroom vroom der party startah) (Join Date: 2002-11-05, Member: 7020; Members)
    QUOTE (moultano @ Aug 11 2003, 02:57 PM): I don't understand how we STILL have buffer overflows

    Or for that matter, why we still use languages which don't have a built-in concept of string length... <i>/me ducks</i>
  • Commando (Join Date: 2002-05-22, Member: 657; Members, NS1 Playtester)
    For anyone having trouble installing the patch (Thanks NEWSBOT3):

    1. Stop the problem from shutting you down, so you can fix it.
    Press Start > Run, type 'dcomcnfg' (without the quotes) and press Enter.
    Now go to Component Services, and double-click Computers.
    Right-click My Computer and select Properties. Go to the Default Properties tab, and DESELECT "Enable Distributed COM on this computer".
    Press Apply, then OK, and close Component Services.

    2. THIS IS VERY IMPORTANT TO DO
    Now, reboot your machine. If you do not do this, someone can still have access to your machine, and can be causing more damage etc.

    3. Go to the MS site, and get the patch for this problem.
    <a href='http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp' target='_blank'>http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp</a>
    has the links.
    WinXP users should choose the '32 bit' option

    4. Install patch

    5. THIS IS VERY IMPORTANT TO DO
    Reboot your machine for the final time.

    At this stage you can re-visit step 1 and re-enable "Enable Distributed COM on this computer"; it's fine to do this as long as you have followed all the steps above.

    6. THIS IS EXTREMELY IMPORTANT TO DO
    Virus scan your machine. Since potentially someone could have had complete control of your PC, you need to be sure it's clean.
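As an added example (not code from the thread), here is a PowerShell self-check covering the DCOM step of the procedure above and devicenull's port 135 test from the inside: it reads the registry value that the dcomcnfg checkbox sets (HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM) and lists TCP 135 listeners. It assumes a modern Windows host with the NetTCPIP cmdlets (Windows 8 / Server 2012 or later); the function names are my own.

```powershell
# Added example, not code from the thread. Assumes Windows 8 / Server 2012 or
# later with the NetTCPIP cmdlets; function names are my own.
# The dcomcnfg checkbox "Enable Distributed COM on this computer" is stored as
# HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM ('Y' = enabled, 'N' = disabled).

function Get-DcomState {
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    if ($null -eq $ole -or $null -eq $ole.EnableDCOM) { return 'Unknown' }
    if ($ole.EnableDCOM -eq 'Y') { 'Enabled' } else { 'Disabled' }
}

function Get-Rpc135Listeners {
    # The RPC endpoint mapper listens on TCP 135; the grc.com probe in this
    # thread tests that port from the outside, this lists it from the inside.
    Get-NetTCPConnection -LocalPort 135 -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

function Test-Rpc135Reachable {
    param([string]$Address)
    # Connects to 135 on one of this host's own LAN addresses, i.e. what a
    # neighbour on the same network would see (not an Internet-side test).
    $r = Test-NetConnection -ComputerName $Address -Port 135 -WarningAction SilentlyContinue
    return $r.TcpTestSucceeded
}

$dcom = Get-DcomState
"DCOM (dcomcnfg 'Enable Distributed COM on this computer'): $dcom"

$listeners = @(Get-Rpc135Listeners)
if ($listeners.Count -gt 0) {
    "TCP 135 listeners:"
    $listeners | Format-Table -AutoSize | Out-String
} else {
    "No TCP 135 listener found."
}

$lanAddrs = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }
foreach ($a in $lanAddrs) {
    "135/tcp reachable on $($a.IPAddress): $(Test-Rpc135Reachable -Address $a.IPAddress)"
}

if ($dcom -eq 'Enabled' -and $listeners.Count -gt 0) {
    "Verdict: RPC/DCOM is reachable on this host; make sure the MS03-026 patch is installed and 135 is blocked at the firewall."
} else {
    "Verdict: DCOM disabled or no 135 listener; this is the state the steps above leave you in before patching."
}
```

Run it from an elevated PowerShell; the registry read works anywhere, the listener and reachability parts need the NetTCPIP module.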
  • Deronok (Join Date: 2003-03-17, Member: 14613; Members)
    Does the online virus scanner remove the viruses? Because it picked up a trojan and I couldn't find the file, was wondering if it removed it :|
  • Commando (Join Date: 2002-05-22, Member: 657; Members, NS1 Playtester)
    Getting rid of msblast: <a href='http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547' target='_blank'>http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547</a>
  • Jim_has_Skillz (Join Date: 2003-01-19, Member: 12475; Members, Constellation)
    Yes, it seems this exploit popped up over the weekend. It hit two of my business computers and restarted them every couple hours. You can also stop this exploit by editing your registry. One of my friends figured out how to do it so I will have to talk to him to see exactly what he did.
  • JimBowen (Join Date: 2003-05-30, Member: 16873; Members, Constellation)
    I want to say a big thx to the guy who posted this here, it really helped me out.
  • Beast (Armonkyi) (Join Date: 2003-04-21, Member: 15731; Members, Constellation)
    edited August 2003
    You can thank me for the web-based virus scanner list :D yes I'm the same Beast from the homeworld forums as these ones, as recognisable by the ::skulk::s in my sigs/avatar :)
    Thanks commando for giving people the info here.
  • MrMojo (Join Date: 2002-11-25, Member: 9882; Members, Constellation)
    I didn't get this actually done to my system, but now I'm running the ZoneAlarm, and hoping everything is fine :O
  • devicenull (Join Date: 2003-04-30, Member: 15967; Members, NS2 Playtester, Squad Five Blue)
    Use the test I had above to check if it's good; if not:
    Open zonealarm
    Click Firewall
    Move the slider in internet to high

    Repeat test