Aces High Bulletin Board
Help and Support Forums => Technical Support => Topic started by: Skuzzy on August 12, 2003, 11:48:10 AM
-
The worm MSBlaster uses port 4444 on your computer for propagation/checking. You can go ahead and block access to that port in your firewall and still play Aces High just fine.
-
How would I block individual ports with, say, BlackICE?
-
Sorry, I am a simpleton, but I have the worm.
Do we do this to prevent getting it, or if we have it? Or in any event?
-
To remove it, go to this site and download the worm removal tool.
download (http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html)
ack-ack
-
is this the worm that caused me to keep losing RPC?
-
very likely.
-
Does this affect Win2k/XP only or all Windows OSs?
ack-ack
-
2000 and XP only (to date).
-
This vulnerability affects Windows NT 4, Windows 2000, Windows XP, and Windows Server 2003. The dead giveaway that you've got it is the message about the RPC service failing and system reboots.
You can get the patch for the vulnerability here:
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp
Be aware that if you do not get the patch, you WILL get this virus again even if you remove it.
-
Hmmm. Funny. According to British news sources it affects only XP and ME and uses port 135.
(http://image1ex.villagephotos.com/extern/640697.jpg)
-
I got this on my games machine. Why? Because I had disabled firewall and PC-cillin to play Aces High and forgot to put it back on after playing Aces High to go surfing!
My advice is, if you don't have disco problems, leave it all running all the time. If you turn off firewall/virus scanning YOU WILL GET CAUGHT OUT.
Luckily it is not too difficult to get rid of, as far as I can see anyway :rolleyes:
-
Do we do this to prevent getting it, or if we have it? Or in any event?
In any event. Or better yet, disable all incoming ports in your firewall..
-
Originally posted by Swoop
Hmmm. Funny. According to British news sources it affects only XP and ME and uses port 135.
(http://image1ex.villagephotos.com/extern/640697.jpg)
They are incorrect Swoop. XP/2K/NT are the problem operating systems.
I will never understand ISPs that allow ports 13x to propagate to/from the Internet. It is just plain wrong.
-
Originally posted by Skuzzy
They are incorrect Swoop. XP/2K/NT are the problem operating systems.
I will never understand ISPs that allow ports 13x to propagate to/from the Internet. It is just plain wrong.
With Cable Modems it is unavoidable on shared cable segments unless you have a personal firewall solution between the 'hood and your network.
-
Skuzzy, you sure about the port? BlackICE has caught ten TCP MSRPC probe attempts in the past hour, all from various ports not listed as coming from 4444. The source ports are listed as...
2865
2875
3103
2875
3884
2404
1150
All were targeting port 135, and BlackICE caught 'em all. Funny part is, I helped my ISP nail down three of the offenders; turns out three other users' systems were pinging mine!
-----------------------
Flakbait [Delta6]
Delta Six's Flight School (http://www.worldaccessnet.com/~delta6)
Put the P-61B in Aces High
(http://www.worldaccessnet.com/~delta6/sig/geek.gif)
-
Source ports are irrelevant, it's the destination port that is important.
4444 is the destination port used by the worm once it infects a system. Port 135 is the port the worm initially enters.
-
Ahhhh, gotcha. Thanks Skuzzmeister!
-----------------------
Flakbait [Delta6]
Delta Six's Flight School (http://www.worldaccessnet.com/~delta6)
Put the P-61B in Aces High
(http://www.worldaccessnet.com/~delta6/sig/veggie.gif)
-
The worm starts a TFTP server on an infected system (A) and attacks other Windows systems (B) on port 135. If an attack was successful, the injected code is executed, which opens a shell on port 4444 on system B. System A prompts system B via TFTP (tftp get msblast.exe) to download the file msblast.exe into the directory %WinDir%\system32 and execute it. After that, the worm installs itself on system B, closes port 4444, opens a TFTP server and attacks other systems.
The worm needs to know which system it attacks to be successful. As it can't do that, it uses offsets for Win2k and WinXP so far. In 80% of the cases it chooses WinXP, which causes the RPC service on Win2k to crash.
The Microsoft patch for this has existed since mid-July. One problem is that the patch doesn't solve a problem in the RPC service which enables DoS attacks, therefore all ports UDP and TCP 135-139, 445 and 593 should be closed.
FYI, w32.blaster also attacks non-Windows systems if they have the Distributed Computing Environment (DCE) installed. DCE enables communication between different systems and also uses RPCs on port 135. It's often used in heterogeneous environments.
As w32.blaster is not able to detect which system it attacks, it attacks all systems with open port 135 and can crash the DCE service on non-Windows systems. Patches from IBM and Entegrity are available.
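Added example (editor's code, not posted by anyone in this thread): a small log checker that looks for the infection sequence described above in personal-firewall-style connection logs. The log format, hostnames and addresses are constructed for the example; the stages follow the thread (inbound TCP/135, then TCP/4444 from the same peer, then the victim fetching via TFTP on UDP/69 back to that peer).

```python
import re
from collections import defaultdict

# Constructed sample log lines (not a real capture): time proto src -> dst dport action
SAMPLE_LOG = """\
10:01:02 TCP 10.0.0.7 -> 10.0.0.21 dport=135 ACCEPT
10:01:03 TCP 10.0.0.7 -> 10.0.0.21 dport=4444 ACCEPT
10:01:04 UDP 10.0.0.21 -> 10.0.0.7 dport=69 ACCEPT
10:05:10 TCP 10.0.0.9 -> 10.0.0.21 dport=135 ACCEPT
10:07:30 TCP 10.0.0.12 -> 10.0.0.21 dport=4444 DROP
"""

LINE_RE = re.compile(r"^(\S+) (TCP|UDP) (\S+) -> (\S+) dport=(\d+) (ACCEPT|DROP)$")

def parse(log):
    """Turn the constructed log text into a list of event dicts; skips unparseable lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, proto, src, dst, dport, action = m.groups()
        events.append({"time": t, "proto": proto, "src": src, "dst": dst,
                       "dport": int(dport), "action": action})
    return events

def classify(events):
    """Per remote host, collect the Blaster stages seen on ACCEPTed traffic.
    rpc_135    : TCP/135 reached us (RPC exploit attempt, as the thread describes)
    shell_4444 : TCP/4444 reached us from the same host (the shell the payload opens)
    tftp_69    : we sent UDP/69 back to that host (the 'tftp get msblast.exe' step)
    Dropped traffic (the blocked port 4444 Skuzzy recommends) contributes nothing.
    """
    stages = defaultdict(set)
    for e in events:
        if e["action"] != "ACCEPT":
            continue
        if e["proto"] == "TCP" and e["dport"] == 135:
            stages[e["src"]].add("rpc_135")
        elif e["proto"] == "TCP" and e["dport"] == 4444:
            stages[e["src"]].add("shell_4444")
        elif e["proto"] == "UDP" and e["dport"] == 69:
            stages[e["dst"]].add("tftp_69")
    verdicts = {}
    for host, seen in stages.items():
        if {"rpc_135", "shell_4444", "tftp_69"} <= seen:
            verdicts[host] = "likely_blaster_infection"   # full chain: patch and clean this box
        elif "rpc_135" in seen:
            verdicts[host] = "rpc_probe"                   # scan only; confirm 135 is blocked
    return verdicts
```

A host that only hits a blocked 4444 never appears in the verdicts, which is the point of blocking that port at the firewall as suggested at the top of the thread.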