Virus alert (RPC problems with your computer)
Devla 08-11-2003, 04:13 PM There is a new virus (worm) floating around that is targeting a known problem with RPC services on Windows platforms. Whilst I wouldn't normally post Virus stuff here (not really relevant) it can affect your ability to play EQ, and is therefore probably close to everyone's heart :D
McAfee Virus Profile (W32/Lovsan.worm) (http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547)
And here is a link to the relevant M$ security bulletin...
Security Bulletin MS03-026 (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp)
---------------
To make it easier for people, here are direct links for a couple of operating systems... Click on the link, and select Open, or Save. Your choice. For those worried about me trying to infect your machines with a trojan (I know you're out there), make note of the link destination. It's direct to M$'s download servers..
Windows 2000 patch (http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe)
Windows XP 32-bit edition (http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe). - Don't worry about the "32-bit edition" thing. If you were running the 64-bit edition of XP, you'd know about it.
Please note that the Windows 2000 version REQUIRES Service Pack 3 or Service Pack 4 (for the anal among you, again, I know you're there: M$ do say that it will work under SP2, but they no longer support SP2, so your mileage may vary).
---------------
To bring your system up to date with all the latest and greatest patches from M$, go here...
Windows Update (http://windowsupdate.microsoft.com)
Regards,
CJ
EDIT: Updated this post with some additional information...
Martigan 08-11-2003, 04:21 PM The company I work for got nailed today...so much so that we all got to go home an hour early.
I got an RPC error when trying to start Query Analyzer...and also when clicking on the employment link on our web site.
I also couldn't drag/copy/paste files...
Another guy in our group got MFC errors...and couldn't open a project in VB.
The only folks not affected by this were the ones with NT.
Khael 08-11-2003, 07:16 PM The company I work for got nailed today...so much so that we all got to go home an hour early.
I got an RPC error when trying to start Query Analyzer...and also when clicking on the employment link on our web site.
I also couldn't drag/copy/paste files...
Another guy in our group got MFC errors...and couldn't open a project in VB.
The only folks not affected by this were the ones with NT.
There's a patch for NT OS's too.. we'd been pushing security patches for 2 weeks now at work and just got done mid-last week. Luckily out of like 11,000 users I haven't heard of anyone getting the virus yet.
Arnwolf Magnuson 08-11-2003, 09:32 PM If you have the virus, it's probably too late for you to be reading this..but oh well.
If you can't get your computer online long enough to hit the MS website and get the patches for this, then here's what you can do.
Right click on My Computer
Left click on Manage
Left Click on Services & Applications
Double click Services
Look for "Remote Procedure Call (RPC)" [not locator, just rpc]
Double click that and click the recovery tab.
Change all three of the drop down boxes to "Take no action" and apply and ok out of it.
Then you can stay online long enough to fix this problem...
Arnwolf
Martigan 08-11-2003, 09:34 PM I went ahead and ran the patches on my home PC's. I also updated the virus libraries.
Devla 08-11-2003, 09:57 PM As a side note, this highlights exactly why you should make the effort to stay up to date on both your Windows updates, and your Virus definition files.
If you choose to run M$ operating systems, you have to live with the fact that security holes do appear (statistically speaking, running Linux is worse). It's a big program, and after dealing with SoE for so long, you can appreciate that bugs and holes do appear that need to be fixed.
It doesn't take that much time to make the effort every once in awhile to visit Windows Update (http://windowsupdate.microsoft.com) and get your machine up to scratch.
And if you're not running both some kind of personal firewall (I recommend ZoneAlarm (http://www.zonelabs.com/). There's a free version, and it's pretty solid), AND a virus scanner of some kind, well, you're just asking for trouble. If you're not running either or both, then sit back and wonder how many DDoS (Distributed Denial of Service) attacks you've participated in. Because you probably have.
Regards,
CJ
Martigan 08-11-2003, 10:09 PM LOL
Just found Nimda on my other machine...maybe that's why EQ has slowed down CONSIDERABLY as of late. I'm not sure if that has anything to do with it though.
Atroxis Crotalus 08-11-2003, 10:37 PM EQ saves my ass again. I've fought with this problem all day on my Aunt's machine, not realizing that it was a worm. damn, all that beer for something that simple :P
Caoilfhionn 08-12-2003, 12:13 AM It brought shit around here to a damn near halt. I could hardly get anything on the internet to respond, and we didn't have the issue here on our computers, it was that so many other folks did (the ISP too..) that shit went downhill fast.
Funny thing is, before I knew what was going on, I called my mom to pull up some airline reservations for me and she started bitching about her computer just resetting itself, blah blah.
I didn't know about shutting off the RPC in services, but I did have her install zone alarm quick to stop whatever it was from accessing. First thing it asked for was that damn MSBlast.exe, which I told her to shut off. I didn't know what it was at the time, it just wasn't something I recognized, and I was of the opinion that she could always allow it later if necessary.
Had to call her back an hour later to tell her she had a virus and FOR GODS SAKE TO STOP DOWNLOADING SHIT SHE FOUND ON THE INTERNET.
I'm convinced much of this shit is perpetuated by my mother & grandmother's generations :P They seem predestined to forward every cute fucking story that comes their way, heh.
Fortunately for her, I'll be there tomorrow, altho there shouldn't be anything left as she has been to housecall & with zone alarm up, I should just have to configure for her and start trying to convince her that Norton Antivirus is the devil ;)
Arnwolf Magnuson 08-12-2003, 04:47 AM FOR GODS SAKE TO STOP DOWNLOADING SHIT SHE FOUND ON THE INTERNET.
Heh, in this case...it wasn't her fault, sort of...
You can get this virus without downloading or running anything. The only requirements to get this virus are:
Have any Windows OS more recent than Millennium (2k, XP, etc).
Not have installed the most recent software update that came out just under a month ago.
Have port 135 or a handful of other ports open on your computer (which are opened by default unless you are running a firewall of some kind).
If you meet those three criteria, you can get this virus.
Arnwolf
Khael 08-12-2003, 05:16 AM Well, that's one advantage to working for a big company.. they're way more worried about things of this nature than I'd ever be so I get to find out about these things at work ahead of time before they become a problem ;)
Caoilfhionn 08-12-2003, 05:41 AM Heh, in this case...it wasn't her fault, sort of...
You can get this virus without downloading or running anything. The only requirements to get this virus are:
Have any Windows OS more recent than Millennium (2k, XP, etc).
Not have installed the most recent software update that came out just under a month ago.
Have port 135 or a handful of other ports open on your computer (which are opened by default unless you are running a firewall of some kind).
If you meet those three criteria, you can get this virus.
Arnwolf
I know, Arn, I just take any opportunity to tell her to stop downloading and forwarding everything that she sees. This isn't the first or last time she's had a virus, or spyware or god knows whatever else. Some day she'll learn ;)
Vidden 08-12-2003, 10:07 AM Thank god there is a fix for this! I was trying to figure out what the hell the problem was on my girlfriend's computer last night, but it would not stay on the net long enough for me to check out any tech help sites. However, I did create a Windows dialer with a firewall and that seemed to let me stay online for quite a while last night.
Davek 08-12-2003, 04:01 PM Bumping this cuz it's good info.
Chiteng 08-12-2003, 06:04 PM Well, I can't reach the MSUpdate site.
Every time I try to get 'service pack 1'
it goes to some remote site and dies with
'server not responding'
It would appear that site is down or under heavy traffic.
Devla 08-12-2003, 06:07 PM Well, I can't reach the MSUpdate site.
Every time I try to get 'service pack 1'
it goes to some remote site and dies with
'server not responding'
It would appear that site is down or under heavy traffic.
heh, I wonder if the M$ server got hit with the worm? :D
Regards,
CJ
Keyes 08-12-2003, 06:27 PM I'm curious, will a router with NAT block this worm?
Ulujain 08-12-2003, 06:34 PM Maybe. I use a router, and the DSL modem I have has basic firewall capabilities too. According to grc.com's Shield's Up stuff, my RPC and NetBIOS ports are "stealth."
You can't turn off RPC under Win2K/XP either. The "service" is required for Windows to function.
http://www.blackviper.com/WinXP/servicecfg.htm
For WinXP services. He has one for W2K as well.
Arnwolf Magnuson 08-12-2003, 08:24 PM You can't turn off RPC under Win2K/XP either. The "service" is required for Windows to function.
Yeah, but you can change it so it doesn't do anything...see my post above. And I bet you could edit it out of the registry...but I haven't tried.
Arnwolf
acetate 08-12-2003, 09:34 PM The thing is easy to control: if you have it, Ctrl+Alt+Delete and end it under Processes; it's called msblast.exe.
Then go to msconfig and remove it from starting up.
www.zonealarm.com free firewall stops it.
Misty 08-16-2003, 01:48 AM What Acetate said, also there is a downloadable, standalone purpose-built msblaster.exe removal tool at Symantec's site. You don't need Norton AV to run this tool. As a side note, I had the MS Critical patch updates and this thing was still on the comp, if you already have the worm the Critical updates will not clean it they only prevent Blaster from exploiting the security hole in RPC services on clean systems. In other words, you still gotta get the free removal tool from Symantec.
Quick check for this biotch is the vulcan nerve pinch, Task Manager: Processes (tab). If it is on your system you will see it running in there, and you can right click and 'end process' it there. Then follow the instructions here:
1/ Go to 'Help and Support: Tools', next follow to 'System Configuration', then go to 'Start up' and 'Services' (tabs) and disable msblaster in those wherever you see it.
2/ Close without re-starting the system, go to Control Panel: Administrative Tools: Computer Management: Computer Management (local): Services and Applications: Services (bottom of console/directory tree there) and hunt down 'Remote Procedure Calls' in the right window panel. Once you find this guy, right click and select 'Properties', then open the 'Recovery' tab and deselect 'Restart Computer' to make it 'Restart Service' on 1st, 2nd and 3rd subsequent failure (Apply and OK).
That gets you to the re-start computer bit you need to do now to apply the startup settings you had just configured before tinkering with the RPC setup. OK, re-start comp. You now have to remove the worm, so download the removal tool right away. Follow Symantec's instructions on the web page.
signed:
Mistyglen Ironbright
60 Hierophant
Heart of Fenris
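The manual checks described in the posts above (Task Manager for msblast.exe, msconfig's Startup tab, the RPC service's Recovery tab, and whether port 135 is open) can be run in one pass and reported rather than clicked through while the machine keeps rebooting. The script below is an added example, not code from this thread, Symantec or Microsoft: it parses the output of the built-in Windows tools tasklist, reg query, netstat and sc, and only reports, changing nothing. The sample outputs are constructed to mimic each tool's format, and the service short name RpcSs for "Remote Procedure Call (RPC)" is my assumption.

```python
"""Read-only Blaster/Lovsan triage that wraps the manual checks in this thread.
Added example, not code from the thread; it parses built-in Windows tools'
output. Sample outputs are constructed to mimic each tool's format."""
import platform
import re
import subprocess

WORM_IMAGE = "msblast.exe"  # process / startup name given in the thread
RPC_PORT = 135              # port the thread says the worm attacks
RPC_SERVICE = "RpcSs"       # assumed short name of "Remote Procedure Call (RPC)"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"  # what msconfig 'Startup' lists

SAMPLE_TASKLIST = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
svchost.exe                  812 Console                 0      4,212 K
msblast.exe                 1336 Console                 0      1,948 K
"""
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMan             REG_SZ    SOUNDMAN.EXE
    constructed entry    REG_SZ    msblast.exe
"""
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED
"""
SAMPLE_SC = """
SERVICE_NAME: RpcSs
        RESET_PERIOD (in seconds)    : 0
        REBOOT_MESSAGE               :
        FAILURE_ACTIONS              : REBOOT -- Delay = 60000 milliseconds.
"""


def worm_pids(tasklist_output, image=WORM_IMAGE):
    """PIDs of rows whose image name is the worm (the Task Manager 'Processes' check)."""
    pids = []
    for line in tasklist_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == image and parts[1].isdigit():
            pids.append(int(parts[1]))
    return pids


def startup_entries(reg_output, image=WORM_IMAGE):
    """Run-key value names whose data mentions the worm (the msconfig 'Startup' check)."""
    hits = []
    for line in reg_output.splitlines():
        m = re.match(r"\s*(\S.*?)\s+(REG_SZ|REG_EXPAND_SZ)\s+(.*)$", line)
        if m and image in m.group(3).lower():
            hits.append(m.group(1))
    return hits


def rpc_port_listening(netstat_output, port=RPC_PORT):
    """True if a TCP listener is bound on `port` (reachable unless a firewall blocks it)."""
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[-1] == "LISTENING":
            if parts[1].rsplit(":", 1)[-1] == str(port):
                return True
    return False


def rpc_reboots_on_failure(sc_output):
    """True if the RPC service's recovery actions still include a reboot (Recovery tab check)."""
    return re.search(r"\bREBOOT\s*--", sc_output) is not None


def triage(tasklist_output, reg_output, netstat_output, sc_output):
    """Combine the four checks into one findings dict."""
    return {
        "worm_running_pids": worm_pids(tasklist_output),
        "worm_startup_entries": startup_entries(reg_output),
        "rpc_port_listening": rpc_port_listening(netstat_output),
        "rpc_reboots_on_failure": rpc_reboots_on_failure(sc_output),
    }


def _run(args):
    return subprocess.run(args, capture_output=True, text=True).stdout


def triage_this_host():
    """Run the real commands (Windows only) and return the findings."""
    if platform.system() != "Windows":
        raise RuntimeError("host triage needs the Windows command-line tools")
    return triage(_run(["tasklist"]), _run(["reg", "query", RUN_KEY]),
                  _run(["netstat", "-an"]), _run(["sc", "qfailure", RPC_SERVICE]))


if __name__ == "__main__":
    import json
    try:
        findings = triage_this_host()
    except RuntimeError:  # not on Windows: demonstrate on the constructed samples
        findings = triage(SAMPLE_TASKLIST, SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_SC)
    print(json.dumps(findings, indent=2))
```

Run it on the infected box before touching anything and again after the cleanup and patch; a clean result is an empty PID list, no startup entry, and no reboot action on RPC failure. Port 135 listening is normal on 2000/XP, so that line only tells you the worm can reach the service if nothing in front of the machine filters it.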
Misty 08-17-2003, 01:49 PM Rawr!
Norton Internet Security (Antivirus program) just did a security alert notification thingy as I quit out of EQ. Interestingly, Norton asked if I wanted to trace the address of the attack and gave me the IP address, geographic location and a whole lot of other IP/TCP stuff to do with the netname, route address, inetnum, and 'description' tag of the computer.
The dude was from 'Philippines' and its net attack sig was MS_RPC_DCOM_BufferOverflow. I passed all the info to my isp's tech support with a short covering letter in the vainglorious hope it actually nails the culprit down before a court in the Philippines or provides for a similar eventuality to actually happen.
signed:
Mistyglen Ironbright
60 Hierophant
Heart of Fenris
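Misty's Norton alert is a single sighting of the scanning an infected machine generates; a firewall log shows the same thing in bulk as repeated inbound attempts on TCP 135 from a few source addresses. The script below is an added example, not Norton's or the thread's code: it counts dropped inbound TCP 135 attempts per source from log lines in the W3C-style format Windows Firewall writes (column order taken from the #Fields header, which is my assumption about the layout), on constructed sample lines, and picks out the sources busy enough to be worth passing to an ISP the way Misty did.

```python
"""Summarize inbound TCP 135 probes per source address from a firewall log.
Added example, not Norton's or the thread's code. The log lines below are
constructed in the W3C-style pfirewall.log format (columns per #Fields)."""
import collections

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2003-08-12 21:14:03 DROP TCP 203.0.113.45 192.168.1.10 3347 135 48 S 1837264 0 65535 - - - RECEIVE
2003-08-12 21:14:05 DROP TCP 203.0.113.45 192.168.1.10 3348 135 48 S 1837265 0 65535 - - - RECEIVE
2003-08-12 21:14:09 DROP TCP 198.51.100.8 192.168.1.10 4102 135 48 S 2291001 0 16384 - - - RECEIVE
2003-08-12 21:14:11 OPEN TCP 192.168.1.10 203.0.113.7 1045 80 - - - - - - - - SEND
2003-08-12 21:14:20 DROP TCP 203.0.113.45 192.168.1.10 3352 135 48 S 1837270 0 65535 - - - RECEIVE
2003-08-12 21:14:31 DROP UDP 203.0.113.45 192.168.1.10 1029 137 78 - - - - - - - RECEIVE
2003-08-12 21:14:38 DROP TCP 203.0.113.45 192.168.1.10 3359 135 48 S 1837278 0 65535 - - - RECEIVE
2003-08-12 21:14:40 DROP TCP 203.0.113.45 192.168.1.10
"""


def parse_log(text):
    """Records as dicts keyed by the #Fields names; truncated lines are skipped."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields is not None:
            values = line.split()
            if len(values) == len(fields):  # a short line would misalign the columns
                records.append(dict(zip(fields, values)))
    return records


def rpc_probe_counts(records, port="135"):
    """Dropped inbound TCP connection attempts to `port`, counted per source address."""
    counts = collections.Counter()
    for r in records:
        if (r["action"] == "DROP" and r["protocol"] == "TCP"
                and r["dst-port"] == port and r["path"] == "RECEIVE"):
            counts[r["src-ip"]] += 1
    return counts


def probable_scanners(counts, threshold=3):
    """Sources with at least `threshold` probes, busiest first (one hit may be noise)."""
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def report(text, threshold=3):
    """One-call summary: parse the log, count 135 probes, pick sources worth reporting."""
    return probable_scanners(rpc_probe_counts(parse_log(text)), threshold)


if __name__ == "__main__":
    for ip, n in report(SAMPLE_LOG):
        print(f"{ip}: {n} dropped probes to TCP 135 (candidate to report to its ISP)")
```

Point `report()` at the real log file contents instead of SAMPLE_LOG; the outbound OPEN line and the UDP 137 line in the sample are there to show that only inbound TCP 135 drops are counted, and the truncated last line shows why the parser checks the column count before trusting a record.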
Devla 08-17-2003, 08:55 PM grc.com is a good place to go to check how secure your system is. Take with a grain of salt some of the stuff that Mr Gibson spouts on about. He's a bit of a wanker in my opinion, but that Shields UP! tool is pretty good.
And Misty... You probably got hit by someone who was infected by the machine. That's the way that the worm operates. It infects a machine, which in turn goes and spams a bunch of e-mail addresses hoping to pass on the infection.
Regards,
CJ