kansasskydiver 0 #1 August 12, 2003

Some of you guys may have noticed or heard about the Blast worm. Here is the fix for it to be able to use your computers again. Keep in mind, your computer won't reboot if you don't have it connected to the internet. Even if you haven't seen the error yet on your computer, NT, 2000, XP and 2003 can be infected and I HIGHLY recommend downloading the patch. I work at SBC and it's been living hell here for the last 2 days.

Below is what I posted in another forum.

Blue skies
Chris

-----------------------------------------------

I work for SBC and yesterday the "blast worm" was launched with success across the world. Any computer running NT, 2000, XP and 2003 Server is and should be protected from the attack. The attack is brought thru TCP/IP port 135 thru the RPC. With Win XP it will prompt every 60 secs and advise that your computer is going to be rebooted in 60 secs by "NT AUTHORITY\SYSTEM"; this is a sign of the worm communicating with the host computer.

To fix this problem there is a way to fix it, if you can get to the website before your damn computer reboots to do so...

1-Boot up your computer but DON'T connect to the internet yet, if you stay off the internet, then RPC won't connect
2-if you're running a broadband connection, unplug your modem or something to keep it offline
3-open IE, Netscape, Crazy Browser, whatever you use to surf and get ready.
4-in the address bar type in www.microsoft.com, but don't hit enter
5-connect to the internet and go as fast as freaking possible!!!
6-microsoft.com right hand side, downloads, blastworm
7-download the program and DISCONNECT ASAP!!!
8-install the patch, let computer reboot
9-the patch is installed but the virus is still there. update your virus definition files or if all else fails you can go to http://housecall.antivirus.com run their antivirus (better than Norton I've found) and clean the infected files. remember that just the patch alone does not fix the problem.

I will post this again in the forum for all. If anyone wants to pm me, feel free to and I can walk you thru the process. Hope this helps everyone

Blue skies
Chris

"Dad I'm not slacking, I'm taking Gravity 101 this semester"
<--- See look, pink dolphins DO exist!

kansasskydiver 0 #2 August 12, 2003

Here is the link for the patch
http://www.microsoft.com/security/security_bulletins/ms03-026.asp

<--- See look, pink dolphins DO exist!

lummy 4 #3 August 12, 2003

OR, you could just put the RPC patch and Symantec's removal tool on floppy and run it from there. We're turning off ports at the router to contain this

I promise not to TP Davis under canopy.. eat sushi, get smoochie
TTK#1

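A defensive check tied to the posts above (the worm arriving over TCP port 135, and ports being blocked at the router), added here as an example and not part of any poster's message: it reads firewall log lines and flags internal machines that tried TCP 135 on many different hosts, which is how an infected PC looks from the router. The log format, addresses and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: "<time> <action> <proto> <src_ip> <dst_ip> <dst_port>"
# (hypothetical format; adapt parse_line to your firewall's real log layout).
SAMPLE_LOG = """\
2003-08-12T09:00:01 DENY TCP 192.168.1.23 198.51.100.1 135
2003-08-12T09:00:01 DENY TCP 192.168.1.23 198.51.100.2 135
2003-08-12T09:00:02 DENY TCP 192.168.1.23 198.51.100.3 135
2003-08-12T09:00:02 ALLOW TCP 192.168.1.40 198.51.100.9 80
2003-08-12T09:00:03 DENY TCP 192.168.1.23 198.51.100.4 135
-- log rotated --
2003-08-12T09:00:04 DENY TCP 192.168.1.23 198.51.100.5 135
2003-08-12T09:00:04 DENY UDP 192.168.1.40 198.51.100.9 135
2003-08-12T09:00:05 DENY TCP 192.168.1.23 198.51.100.6 135
2003-08-12T09:00:05 DENY TCP 192.168.1.23 198.51.100.1 135
2003-08-12T09:00:06 DENY TCP 192.168.1.40 198.51.100.10 135
"""

RPC_PORT = 135        # the port named in the thread
SWEEP_THRESHOLD = 5   # distinct targets before a host is flagged (assumed value)


def parse_line(line):
    """Return (proto, src, dst, port), or None for blank/malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _time, _action, proto, src, dst, port = parts
    if not port.isdigit():
        return None
    return proto.upper(), src, dst, int(port)


def find_rpc_sweepers(log_text, threshold=SWEEP_THRESHOLD):
    """Map source IP -> count of distinct hosts it tried on TCP 135."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proto, src, dst, port = rec
        if proto == "TCP" and port == RPC_PORT:
            targets[src].add(dst)   # a set, so repeated tries count once
    return {s: len(d) for s, d in targets.items() if len(d) >= threshold}


if __name__ == "__main__":
    for src, count in sorted(find_rpc_sweepers(SAMPLE_LOG).items()):
        print(f"{src}: TCP/{RPC_PORT} to {count} hosts, take offline and clean")
```
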
CrazyIvan 0 #4 August 12, 2003

If you people had a firewall/router and all the Windows updates this wouldn't happen, I know, only geeks do that right?

__________________________________________
Blue Skies and May the Force be with you.

kansasskydiver 0 #5 August 12, 2003

actually, I'm a geek and I got it last week. Was one of the firsts I guess. I run norton corporate and blackice... it got thru. my windows wasn't updated, but it got thru norton and blackice. i fixed it in safemode, took me awhile, but i got it.

<--- See look, pink dolphins DO exist!

jtval 0 #6 August 12, 2003

I just got hit! I guess I will go thru the recommended steps! thanks

CrazyIvan 0 #7 August 12, 2003

A LinkSys+ZoneAlarm combo is a GREAT defense, I've never had a virus problem. Glad to hear you caught the bastard.

__________________________________________
Blue Skies and May the Force be with you.

kansasskydiver 0 #8 August 12, 2003

if anyone would like a walkthru to get rid of it pm me, i can call from the help desk here and help you while i'm on lunch

chris

<--- See look, pink dolphins DO exist!

kansasskydiver 0 #9 August 12, 2003

i run a hub at home, should use a router huh. oh well, i got the bastard, had to do a lot of looking into etc. RPC was a pain in the ass to shut down while i looked into it, but i found out and helped launch the ambush thru SBC. no one believed me at first, then when we queued over 100, they all came to my desk asking for answers. hahaha funny how that shit works huh? they blow you off until you're needed, then they all kiss your ass

<--- See look, pink dolphins DO exist!

CrazyIvan 0 #10 August 12, 2003

A HUB is no protection, just a way to link several machines, if you want to secure your home-network and you have a broadband connection, you should have a config like this:

Cable -> Cable/DSL Modem -> ROUTER -> Hub <- PC's

And install ZoneAlarm on each PC, that's the ticket. You can install ZoneAlarm Pro on the Router, but I like the approach I mentioned.

__________________________________________
Blue Skies and May the Force be with you.

jtval 0 #11 August 12, 2003

what kinda problems does this virus cause? my pc seems fine as of now?

Slowfaller 0 #12 August 12, 2003

Your PC will be on for about 5-10 minutes then a pop up will say your PC needs to restart. it'll count down for 60 seconds and restart. Big pain in the arse

--
"Someday you will die and somehow somethings going to steal your carbon" -MM

jtval 0 #13 August 12, 2003

damn...its going to keep doing that? it is kinda funny I guess!

Slowfaller 0 #14 August 12, 2003

My PC has been doing that since yesterday afternoon. I'm anxious to go home and try the instructions Kansas posted

--
"Someday you will die and somehow somethings going to steal your carbon" -MM

kansasskydiver 0 #15 August 12, 2003

i had no need for a router before ivan, i just used a hub and had 2 ips traveling over the line. blackice and norton seemed to be working fine. i can probe ports and ping the attackers back with blackice. didn't run into anything wrong with the setup i had for years. i understand how you are hooked up, i'm a computer nerd too

<--- See look, pink dolphins DO exist!

MrHixxx 0 #16 August 13, 2003

I got hit too. Thanks for the fix. I just had a talk with my PC about STDs. Let's hope it doesn't happen again...

-Hixxx

death,as men call him, ends what they call men -but beauty is more now than dying’s when

kansasskydiver 0 #17 August 13, 2003

I'm glad I could help people out, did you do the Symantec fix as well to completely remove the virus?

chris

<--- See look, pink dolphins DO exist!

CanuckInUSA 0 #18 August 13, 2003

I did the symantec fix last night as well as installing the patch. It was easy to disinfect my home computer, but kudos must go to Kansasskydiver and others for providing the information up front.

Try not to worry about the things you have no control over

PhillyKev 0 #19 August 13, 2003

> A HUB is no protection, just a way to link several machines, if you want to secure your home-network and you have a broadband connection, you should have a config like this: Cable -> Cable/DSL Modem -> ROUTER -> Hub <- PC's And install ZoneAlarm on each PC, that's the ticket. You can install ZoneAlarm Pro on the Router, but I like the approach I mentioned.

Actually a router is a hub. It's an active hub as opposed to a passive hub. What you really mean is a hardware firewall, which can be combined with a router, ala linksys or netgear personal firewall/routers.

wildblue 7 #20 August 13, 2003

If I remember my Network+ material correctly, I think you've got the wrong idea of a 'passive hub' -- a passive hub is non-powered, an active hub is powered. But anyway, you're both right - just the linksys/netgear personal "things" usually combine the functionality of a router, firewall, hub, and sometimes WAP.

it's like incest - you're substituting convenience for quality

kansasskydiver 0 #21 August 13, 2003

not a problem, just trying to prevent people calling into their OEMs and paying to have to fix it when it was something that could easily be fixed with the proper information and direction. Please pass the information along to others about the Symantec fix

http://securityresponse.symantec.com/avcenter/FixBlast.exe

Blue skies
chris

<--- See look, pink dolphins DO exist!

Muenkel 0 #22 August 13, 2003

My home pc has it too. Just started a few days ago. At least it gives a warning for you to save whatever you are working on. I'll try to run the fix tonight.

_________________________________________
Chris

DTOXX 0 #23 August 13, 2003

Running TrendMicro PC-Cillin 2003 with router/firewall.. Keeping my fingers crossed I can avoid this one.

-------
D.T. Holder
SIMstudy

kansasskydiver 0 #24 August 13, 2003

you won't get it, but regardless, you should install the windows patch to close tcp/ip port 135

here is the patch for those who haven't gotten it yet.

http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=2354406c-c5b6-44ac-9532-3de40f69c074

<--- See look, pink dolphins DO exist!

PhillyKev 0 #25 August 13, 2003

> If I remember my Network+ material correctly, I think you've got the wrong idea of a 'passive hub' -- a passive hub is non-powered, an active hub is powered.

Ah yes...you're right. What I meant was dumb hub vs. intelligent hub (aka switch).