
View Full Version : Windows worm starts its spread


Aaron73153
August 11th, 2003, 08:37 PM
A worm that takes advantage of what some security experts have called the most widespread Windows flaw ever has started spreading, fulfilling the predictions of many researchers.

Dubbed "MBlast" by its author, the worm is spreading quickly, according to an initial analysis posted to the Internet Storm Center, a digital threat-tracking site. Ever since mid-July, when Microsoft announced a vulnerability in a widespread component of Windows, security experts have been waiting for some online vandal to create a worm that takes advantage of it.

"It is pretty widespread," said Johannes Ullrich, chief technology officer for the Storm Center. "It is sort of getting to the point where it is causing some slowdown."

Some system administrators posting to a mailing list run by the North American Network Operators' Group, a popular forum for engineers who maintain large networks, believe that as much as 10 percent of the data coming into their networks has been created by the worm.

Full story here (http://news.com.com/2100-1002-5062364.html?tag=nl)

Patch info here (http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp)

phalkon30
August 11th, 2003, 08:52 PM
Thanks for the info. I doubt I'm at risk, but I'd rather not find out the hard way.

isus
August 11th, 2003, 09:13 PM
I have it right now. Haha.

collideous
August 11th, 2003, 09:28 PM
Yup, firewall is busy blocking packets sent to port 135. Last week I saw more activity on the other two common RPC ports.

As always folks, a firewall, an up to date virus scanner, and the latest software patches keep you out of trouble. Add to those items prudence and common sense and enjoy a trouble free computer experience.

Aaron73153
August 11th, 2003, 09:41 PM
Yeah, phalkon, I'm sure you're fine; if you regularly update your system you're protected. I'm just surprised at the number of people that don't, and it can be done automatically. It baffles the mind that some people don't realize exactly how dangerous being online is.

crackerjacker
August 11th, 2003, 09:44 PM
It's not affecting Windows 98 users, but AVG is a good virus scanner to use to protect against this, and it's free.
It contains a heuristics scanner built in, and can detect unknown viruses using various factors.
Nuff said.
I love all.

d-koolest
August 11th, 2003, 09:55 PM
What would you guys recommend I get for a firewall? I'm on a network of 2 computers connected to a DSL line by a wireless router.

FreakinWeasel
August 11th, 2003, 10:00 PM
I wouldn't sweat it, Dcool. That D-Link router has pretty good built-in security. I checked it out when I first got mine, and in normal operating mode I went to some website, www.dslreports.com, and in their tools section is a bot that checks your ports for breaches, and it found none. Now when you set up to share files (and you will share files :^) you sometimes have to set up special ports to open for that app. PM me if you need help in that area.

d-koolest
August 11th, 2003, 10:03 PM
I will. I actually don't have it set up yet but I'm gonna in about a week. Most of it's in the mail. Hope everything works.:wings

Krell
August 11th, 2003, 10:41 PM
I patched one machine, left the other unpatched, and just as I finished a movie to switch to the unpatched machine, it was rebooting. I viewed the event log:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7031
Date: 8/11/2003
Time: 9:58:31 PM
User: N/A
Computer: BLACK-OPS
Description:
The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Information
Event Source: DrWatson
Event Category: None
Event ID: 4097
Date: 8/11/2003
Time: 9:58:30 PM
User: N/A
Computer: BLACK-OPS
Description:
The application, C:\WINDOWS\system32\svchost.exe, generated an application error The error occurred on 08/11/2003 @ 21:58:30.530 The exception generated was c0000005 at address 0018759F (<nosymbols>)

Event Type: Error
Event Source: EventSystem
Event Category: (50)
Event ID: 4609
Date: 8/11/2003
Time: 9:59:41 PM
User: N/A
Computer: BLACK-OPS
Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BF from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.


I havent researched the events yet, but dont take any chances.
This machine was running a firewall, well configured. Use the Windows updates, and keep your antivirus up to date also.
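As an added example (not part of Krell's post or any vendor tool), here is a small Python script that parses Event Viewer entries pasted in the text layout shown above and correlates the two records that matter: a DrWatson 4097 for svchost.exe with exception c0000005 (an access violation in the process that hosts the RPC service) followed on the same computer, within a short window, by a Service Control Manager 7031 saying the RPC service terminated. The sample entries are constructed to mirror the ones above; the OTHER-BOX record is a made-up benign control, and the 120-second window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample modelled on the entries in the post above; not a real export.
# The OTHER-BOX record is a made-up benign control that must not be flagged.
SAMPLE_EVENTS = """\
Event Type: Information
Event Source: DrWatson
Event Category: None
Event ID: 4097
Date: 8/11/2003
Time: 9:58:30 PM
User: N/A
Computer: BLACK-OPS
Description:
The application, C:\\WINDOWS\\system32\\svchost.exe, generated an application error The error occurred on 08/11/2003 @ 21:58:30.530 The exception generated was c0000005 at address 0018759F (<nosymbols>)

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7031
Date: 8/11/2003
Time: 9:58:31 PM
User: N/A
Computer: BLACK-OPS
Description:
The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7031
Date: 8/11/2003
Time: 3:10:00 PM
User: N/A
Computer: OTHER-BOX
Description:
The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
"""

FIELD_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
# An access violation (0xc0000005) inside svchost.exe, the process that hosts the RPC service.
SVCHOST_AV_RE = re.compile(r"svchost\.exe.*exception generated was c0000005", re.IGNORECASE)
RPC_DIED_RE = re.compile(r"Remote Procedure Call \(RPC\) service terminated unexpectedly")


def parse_events(text):
    """Split a pasted Event Viewer export into dicts; records are separated by blank lines."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev, desc, in_desc = {}, [], False
        for line in block.splitlines():
            if in_desc:
                desc.append(line.strip())
            elif line.strip() == "Description:":
                in_desc = True
            else:
                m = FIELD_RE.match(line)
                if m:
                    ev[m.group(1)] = m.group(2).strip()
        ev["Description"] = " ".join(desc)
        # Event Viewer prints local time as e.g. "8/11/2003 9:58:31 PM"
        ev["timestamp"] = datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events


def find_rpc_crash_pairs(events, window_seconds=120):
    """Return (computer, crash_time, rpc_death_time) for every svchost access violation
    followed on the same host, within window_seconds, by the RPC service dying."""
    crashes = [e for e in events
               if e.get("Event Source") == "DrWatson" and e.get("Event ID") == "4097"
               and SVCHOST_AV_RE.search(e["Description"])]
    deaths = [e for e in events
              if e.get("Event Source") == "Service Control Manager" and e.get("Event ID") == "7031"
              and RPC_DIED_RE.search(e["Description"])]
    pairs = []
    for c in crashes:
        for d in deaths:
            delta = (d["timestamp"] - c["timestamp"]).total_seconds()
            if d["Computer"] == c["Computer"] and 0 <= delta <= window_seconds:
                pairs.append((c["Computer"], c["timestamp"], d["timestamp"]))
    return pairs


if __name__ == "__main__":
    for computer, crashed, died in find_rpc_crash_pairs(parse_events(SAMPLE_EVENTS)):
        print(f"{computer}: svchost AV at {crashed:%H:%M:%S}, RPC died at {died:%H:%M:%S} "
              f"-> consistent with an MS03-026 exploit attempt")
```

The pairing is the useful signal: a healthy RPC service does not die on its own, and the 60-second reboot countdown in the 7031 record is exactly what users in this thread saw. A lone 7031 for RPC with no DrWatson record is still worth investigating, since the crash reporter does not always fire.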

wingnut2600
August 11th, 2003, 10:49 PM
I enjoy watching when things go awry and so far tonight I have watched news reports and info blast across the net like nothing else.

I saw on one site that hundreds of thousands of users will be infected by the end of this week. I am really interested to see the mainstream news reports tomorrow and to see how this will all play out.

This virus is supposed to focus an attack on the Windowsupdate.com site on Saturday; I am interested to see what happens then...

Nothingface5384
August 11th, 2003, 11:11 PM
Well, I'm safe, still running Windows ME, haha.

thongsai
August 11th, 2003, 11:24 PM
Yeah, I just helped a dude get through this. Just delete the file in c:/windows/system32 and also delete its registry entry in the Run key.

.::BeatFactory::.
August 11th, 2003, 11:34 PM
Originally posted by Krell
I haven't researched the events yet, but don't take any chances.
This machine was running a firewall, well configured. Use the Windows updates, and keep your antivirus up to date also.
Let me know what the deal was with this, b/c I just got back a few hours ago from my bro's house and was fixing it b/c it was going haywire.

Come to find out (after patching XP, updating virus definitions, and Spybot), PC-Cillin 2000 caught MSBlaster.exe in the C:/Windows/System folder and quarantined it, as it was not "deletable" at the time. At the same time, I also got the message you got. The machine rebooted in 1 minute.

He was running ZoneAlarm Pro, PC-Cillin w/ outdated definitions, on an XP machine (also a bit unpatched). I don't understand how he got it on his machine but he did.

thongsai
August 11th, 2003, 11:45 PM
You can't delete the file until you end the process in Task Manager.

CCSDUDE
August 11th, 2003, 11:54 PM
Still haven't gotten it yet...I feel so un-loved....

LOL

I'm with Wingnut on this one...I'm gonna sit back and enjoy the ride as many many many many maaaaaaaaaaaaaaaany crappy systems get nailed....

FutureIverson
August 11th, 2003, 11:55 PM
Originally posted by Nothingface5384
well i'm safe, still running windows me haha

LOL, I'm not alone. Most people have Windows 98 or XP. Both are pretty good OSes. But I'm stuck with ME, which has a lot of holes and was rushed out, I believe, because there's a lot of holes in it.
But the updates are only needed for XP then?

CCSDUDE
August 11th, 2003, 11:56 PM
Originally posted by FutureIverson
LOL, I'm not alone. Most people have Windows 98 or XP. Both are pretty good OSes. But I'm stuck with ME, which has a lot of holes and was rushed out, I believe, because there's a lot of holes in it.
But the updates are only needed for XP then?

NT-based systems, I suppose, as the RPC call is the root/heart of the NT OS...

I'm just gonna go surf on my overclocked 212 MHz P1 with ME for a while... lol

Theinfamousone
August 12th, 2003, 12:46 AM
My friend just got this. If he installs the patch, will the problem go away?

leiso
August 12th, 2003, 12:58 AM
you can find more info and the patch here (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp)

Azathoth
August 12th, 2003, 01:12 AM
Question... how do I tell if I have the 32-bit or the 64-bit version of XP? Is it that Home is 32-bit and Pro is 64? I tried using Aida32 and it told me exactly nothing about this. Does anyone know?

Theinfamousone
August 12th, 2003, 01:13 AM
You'd know if you had the 64 bit version, you would have an Athlon Opteron or Intel Itanium. I'm pretty sure you don't have either of those.

Azathoth
August 12th, 2003, 01:18 AM
Thanks, infamousone.

Aaron73153
August 12th, 2003, 03:09 PM
Originally posted by Theinfamousone
My friend just got this. If he installs the patch, will the problem go away?

No, go to www.symantec.com and download their removal tool.

The Hunter
August 12th, 2003, 03:13 PM
Aaron, you are right; the patch will just prevent it from happening again, but to get rid of it you must use the removal tool as posted.

FutureIverson
August 12th, 2003, 03:29 PM
Where exactly do you get it? How effective is a firewall?

The Hunter
August 12th, 2003, 03:40 PM
A firewall is very effective, but you need the patch, as in my opinion you will see different variants of this trojan, and you need the update. My firewall is very effective, as, being a grumpy old fart, I set nothing as being permitted automatically, ever. I check my provider every time I boot up, and never click "do not ask again". I trust nothing; if I worked for the IRS I would be the biggest prick you ever saw. Most people are not like that, so just install the patch. Even I did.

Kooperman
August 12th, 2003, 04:10 PM
I just patched up, and I have the Zone Alarm set at the titanium underwear level. If it gets me, it'll have to be by radioactive spider-bite. :gj

The Hunter
August 12th, 2003, 04:17 PM
LOL, let's just leave our drawers out of this, shall we? This place is getting a bad aroma. Now who forgot the Aftate for the jock itch? OK folks, now let's just get the bloody patches installed and get things cleaned up.

Aaron73153
August 12th, 2003, 04:19 PM
FutureIverson, you can find more information at www.symantec.com on the worm including what ports it exploits.

I have seen reports where experts say this is a poorly written worm (it is relatively easy to get rid of), so I think we will see a variant real soon that will do more damage. So even if you have the patch, if you don't use any of the services, lock down TCP 4444 & 135 and UDP 69.
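The ports Aaron lists are also what a network-side detector keys on. As an added example (not from the thread or from any vendor), the Python below runs over a few constructed firewall log lines and flags two things: an attacker-to-victim sequence of TCP/135 followed by TCP/4444 within a minute, with a note on whether the victim then pulled something back from the attacker over UDP/69 (TFTP), and any source that touched TCP/135 on several distinct hosts, which is the scanning behaviour collideous and rainbowdemon are seeing. The log format, the addresses, the 60-second window and the three-target threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines in a hypothetical format (not from any real product):
#   <date> <time> <ALLOW|BLOCK> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
# 192.0.2.10 plays an infected host: exploit on 135, shell on 4444, the victim pulls the
# worm back over TFTP (UDP/69), then it sweeps 135 across the subnet. 10.0.0.20 gets as
# far as the 4444 shell but no TFTP transfer is logged.
SAMPLE_LOG = """\
2003-08-11 21:57:40 ALLOW TCP 192.0.2.10:1031 -> 10.0.0.7:135
2003-08-11 21:57:41 ALLOW TCP 192.0.2.10:1032 -> 10.0.0.7:4444
2003-08-11 21:57:42 ALLOW UDP 10.0.0.7:1033 -> 192.0.2.10:69
2003-08-11 21:58:01 BLOCK TCP 192.0.2.10:1040 -> 10.0.0.8:135
2003-08-11 21:58:02 BLOCK TCP 192.0.2.10:1041 -> 10.0.0.9:135
2003-08-11 21:58:03 BLOCK TCP 192.0.2.10:1042 -> 10.0.0.10:135
2003-08-11 21:59:10 ALLOW TCP 10.0.0.20:1500 -> 10.0.0.7:135
2003-08-11 21:59:12 ALLOW TCP 10.0.0.20:1501 -> 10.0.0.7:4444
2003-08-11 22:05:00 ALLOW TCP 10.0.0.7:1600 -> 10.0.0.30:445
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (ALLOW|BLOCK) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_log(text):
    """Parse the hypothetical log format above into a list of dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, action, proto, src, sport, dst, dport = m.groups()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "action": action,
                        "proto": proto, "src": src, "sport": int(sport),
                        "dst": dst, "dport": int(dport)})
    return records


def find_blaster_chains(records, window=timedelta(seconds=60)):
    """Flag attacker->victim pairs showing TCP/135 then TCP/4444 within `window`,
    and note whether the victim fetched something back from the attacker on UDP/69."""
    by_pair = defaultdict(list)          # keyed by (src, dst): direction matters
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r)
    chains = []
    for (attacker, victim), recs in by_pair.items():
        rpc_hits = [r for r in recs if r["proto"] == "TCP" and r["dport"] == 135]
        shell_hits = [r for r in recs if r["proto"] == "TCP" and r["dport"] == 4444]
        for rpc in rpc_hits:
            deadline = rpc["ts"] + window
            shell = next((r for r in shell_hits if rpc["ts"] <= r["ts"] <= deadline), None)
            if shell is None:
                continue
            # The TFTP pull runs the other way: victim -> attacker, UDP port 69.
            tftp = next((r for r in by_pair.get((victim, attacker), [])
                         if r["proto"] == "UDP" and r["dport"] == 69
                         and shell["ts"] <= r["ts"] <= deadline), None)
            chains.append({"attacker": attacker, "victim": victim,
                           "start": rpc["ts"], "tftp_seen": tftp is not None})
    return chains


def find_135_scanners(records, min_targets=3):
    """Sources that touched TCP/135 on at least `min_targets` distinct hosts (allowed or blocked)."""
    targets = defaultdict(set)
    for r in records:
        if r["proto"] == "TCP" and r["dport"] == 135:
            targets[r["src"]].add(r["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for c in find_blaster_chains(recs):
        print(f"{c['attacker']} -> {c['victim']} at {c['start']:%H:%M:%S}: "
              f"135 then 4444, TFTP pull seen: {c['tftp_seen']}")
    for src, n in find_135_scanners(recs).items():
        print(f"{src} probed TCP/135 on {n} hosts")
```

Blocked probes are counted on purpose: a host that is firewalled off still reveals which neighbours are infected, which is the list you want to walk with the patch and the removal tool. Inbound TCP/4444 by itself is also worth an alert, since nothing legitimate on a workstation listens there.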

Induna
August 13th, 2003, 05:06 AM
It might be poorly written, but it's been bloody effective, causing people to scramble and install the patch.

Topique
August 13th, 2003, 06:34 AM
So the svchost.exe error is actually caused by this worm?

jadrians1971
August 13th, 2003, 06:38 AM
I've got my Windows XP auto update running and have the Windows XP built-in firewall up, Norton AntiVirus 2003 Professional updated daily, and installed the BlackICE Defender suite with the most current updates. I even went to the Microsoft website and checked for any additional updates; their website didn't detect any critical updates that needed to be installed. Is this something I need to manually download and install, and in your best opinion do you think I have enough protection running?

Krell
August 13th, 2003, 07:03 AM
No, svchost.exe is not caused by a virus; it is part of the kernel. It's legit.


As far as what MORE you can do? You're already over-protected, so unless a nuclear bomb detonates on your front lawn, you should be fine.

Double firewalling will not help you. It will slow you down.

As previously stated, get the updates, patch the RPC vulnerability, and don't open emails that are from "Admin" . . .

Topique
August 13th, 2003, 07:23 AM
OK, thanks Krell; in that case, I just have to take the earlier advice, and perhaps update my Windows.

tamarisk
August 13th, 2003, 07:30 AM
If I am not mistaken, the patch has been out since last week.

Windows Update should be done frequently, at least once a week.

If there wasn't a patch, it would be Microsoft's fault, but since the patch was available it is the user's fault.

Aaron73153
August 13th, 2003, 10:36 AM
The patch was first released July 15.

rainbowdemon
August 13th, 2003, 10:55 AM
I've been seeing this all day. All on port 135.