Worm Alert: Lovesan
Updated 8/14/03 at 3:13pm
This worm, which is spreading rapidly across the Internet, uses the RPC security flaw to spread between Windows NT Server, Windows 2000, and Windows XP computers. This worm does not require any user intervention to infect a machine: any computer that is not patched against the flaw can become infected and can spread the worm further.

Some computers that are in the process of being infected will reboot after several minutes with an error message about a "generic host process" problem or a "RPC service" failure: it may say that the shutdown is being initiated by the "NTAUTHORITY\SYSTEM" (note: there are instructions on how to stop such a shutdown further down on this page).
The only proven protection against this worm is to patch the RPC flaw on your computer. Instructions on how to do that are available on our RPC alert page at http://www.helpdesk.umd.edu/virus/alerts/rpcflaw.shtml.
Individuals who are running McAfee anti-virus products may see a virus warning pop-up regarding a virus/worm called Exploit-DcomRpc. That alert is an indication that the worm is attempting to infect your system, and that McAfee is attempting to block it. If you see this warning, your system has probably been protected from the worm by McAfee, but the worm may still have succeeded in creating a command shell that is open to hackers, so you should still go through the removal steps below just to be safe.
There are now two variants of Lovesan (see http://www.helpdesk.umd.edu/virus/alerts/lovesan_variants.shtml for details) in existence, as well as a virus called Spybot (see http://www.helpdesk.umd.edu/virus/alerts/spybot.shtml) which uses the RPC flaw to spread. So far, these variants and this virus have not yet been seen on campus and are not yet considered a significant threat by anti-virus vendors, but that could change as time goes on.
More Details
The worm (also referred to by some vendors as Blaster or MSBlast) travels by scanning random IP addresses for the presence of the RPC flaw via TCP port 135. When it finds a computer that still has the flaw, it creates a remote shell on TCP port 4444 on that machine and then starts a TFTP session to transmit the worm to the Windows system32 directory, where it creates a copy of itself with the filename msblast.exe. The worm then creates one of the following registry entries (a value under the Run key) to ensure that the worm runs every time Windows is started:
- HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe
- HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill
The worm is also programmed to start a denial-of-service attack on the Windows Update website (http://www.windowsupdate.com) starting on August 16th, which could render that website inoperable.
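As an added illustration (not part of the original alert), the following Python script turns the propagation pattern described above into detection logic run over a few constructed connection-log lines: a source host that probes many addresses on TCP 135, opens a TCP 4444 connection to one of them, and is then used as a TFTP source by that same host is flagged. The log format, the threshold of five probed hosts, and all addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not real traffic): time src dst dport
SAMPLE_LOG = """\
12:00:01 10.1.1.5 10.1.2.10 135
12:00:01 10.1.1.5 10.1.2.11 135
12:00:01 10.1.1.5 10.1.2.12 135
12:00:02 10.1.1.5 10.1.2.13 135
12:00:02 10.1.1.5 10.1.2.14 135
12:00:03 10.1.1.5 10.1.2.14 4444
12:00:04 10.1.2.14 10.1.1.5 69
12:00:06 10.1.1.9 10.1.1.2 135
"""

LINE_RE = re.compile(r"^\S+\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse_log(text):
    # Yield (src, dst, dport); lines that do not match the assumed format are skipped
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def find_suspects(text, scan_threshold=5):
    """Map each suspect source host to the reasons it matches the Lovesan pattern."""
    probes = defaultdict(set)        # src -> hosts it touched on tcp/135
    shells = defaultdict(set)        # src -> hosts it connected to on tcp/4444
    tftp_clients = defaultdict(set)  # tftp server -> hosts that pulled a file from it
    for src, dst, dport in parse_log(text):
        if dport == 135:
            probes[src].add(dst)
        elif dport == 4444:
            shells[src].add(dst)
        elif dport == 69:
            tftp_clients[dst].add(src)
    suspects = {}
    for src, targets in probes.items():
        reasons = []
        if len(targets) >= scan_threshold:
            reasons.append(f"probed {len(targets)} hosts on tcp/135")
        for victim in shells.get(src, ()):
            if victim in targets:
                reasons.append(f"tcp/135 probe and tcp/4444 shell to {victim}")
            if victim in tftp_clients.get(src, ()):
                reasons.append(f"{victim} then fetched a file by tftp from {src}")
        if reasons:
            suspects[src] = sorted(reasons)
    return suspects
```

Calling find_suspects(SAMPLE_LOG) flags only 10.1.1.5, with all three reasons; the host that probed a single address on port 135 is left alone.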
Avoiding the Worm
Since no user intervention is required for the worm to move from computer to computer, the only way to avoid having the worm transmitted to your system is to apply the RPC security patch. Instructions on how to do this are available at http://www.helpdesk.umd.edu/virus/alerts/rpcflaw.shtml.
Removing the Worm
The removal steps have been revised in light of new information and in an effort to make them more clear:
1. The first step is to prevent the worm from potentially restarting your system while you're trying to remove it. Click on the Start button on the desktop (or if you have a key on your keyboard with the Windows symbol, hit that). When the Start menu appears, choose Run. In the text box that appears, type the word command and hit the Enter or Return key on your keyboard. A command window will appear. At the command prompt, type shutdown -a and hit the Enter or Return key. That command will abort the shutdown process that the worm sometimes initiates. To exit the command window, type exit and hit the Enter or Return key.

2. The next thing to do is to patch the system. Otherwise, your system would be infected again the moment you removed the worm. Download and install the appropriate patch as instructed at http://www.helpdesk.umd.edu/virus/alerts/rpcflaw.shtml. You will have to reboot your system once the patch is installed.

3. If you are running Windows XP, you must disable the System Restore feature in Windows XP to ensure that the worm will be removed successfully. Instructions for disabling System Restore in Windows XP (and Windows ME) are available on McAfee's website at http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm. If you are not running Windows XP, just go on to the next step.

4. Repeat step 1 to prevent the potential shutdown of your machine as you try the next step.

5. Download and install Stinger, which is a stand-alone removal tool from McAfee. Run the tool to remove the worm from your system. Instructions for installing and using Stinger are available at http://vil.nai.com/vil/stinger/.

6. As an alternative to running Stinger, if you are running McAfee VirusScan or McAfee NetShield, you can manually update your virus definitions and run a full scan of your system. Users of the McAfee VirusScan or NetShield software can manually update their software in one of two ways. One way is to go to the McAfee corporate edition website (www.mcafeeb2b.com), click on Downloads (in the left column of options), then click on the link for DATs under the Virus Protection section. There you will find download links for both the DAT File and the SuperDAT file (the first two links). Click on and download the SuperDAT file, then double-click on the downloaded file to fully update your software.
   The other way to update the software is through the VirusScan/NetShield Console component. VirusScan users can open the VirusScan Console by clicking on Start | Programs | Network Associates | VirusScan Console. Once the console window is open, select AutoUpdate from the list of tasks and then click on the Start button (the one with the green triangle) to perform the update (remember that you will need to be connected to the Internet at the time you perform this operation).

7. If Stinger reports that it cannot "repair" the file that contains the worm, change Stinger's preferences so that it deletes any virus it encounters. To do this, open up Stinger and click on the Preferences button. In the Preferences window, go to the section in the upper right, which is the On virus detection section, and choose Delete from the list of choices. Click the OK button to close the window, then click on the Scan Now button to re-run Stinger.
   If Stinger STILL cannot remove the worm, then it is possible that Stinger cannot remove the worm because the worm is already running in memory. Reboot the computer in Safe Mode and then run Stinger again (when your computer is in Safe Mode, it cannot run the worm, so Stinger should be able to delete it). To boot into Safe Mode, restart your computer. As your computer restarts, you normally see either the logo of the company that made your computer or lines of text telling you things about your computer system. At this point, hit the F8 key on your keyboard--hit it several times until you see a menu list of startup choices (the list varies depending on what version of Windows you are running). Using the arrow keys on your keyboard, choose Safe Mode from the list and hit the Enter key.
   After a few minutes (Safe Mode usually causes the computer to boot more slowly), Windows should load in Safe Mode. Don't be alarmed if the video settings look strange and the icons are much larger--that is normal in Safe Mode. Now go ahead and run the Stinger tool again. Once it has removed the worm, reboot the computer: it will reboot in its normal mode.
   Note: While the computer runs in Safe Mode, it will not be able to connect to the network because the network capability of Windows is deactivated while you are running in Safe Mode.

8. Once Stinger or VirusScan has removed the worm, reboot your machine. If you are running Windows XP, re-enable System Restore by reversing what you did in step 3: the McAfee webpage on that subject can again help you with that (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm).

9. Your computer is now free of the worm and protected from the RPC security flaw.
Frequently Asked Questions
As this worm has continued to spread, we are receiving questions about the worm and its effects. Here are those questions and the answers.
Question: My computer is acting strange--sometimes I get an error message that "svchost has generated an error", and then I can't cut and paste things or move my icons, or I get errors from .dll files in Microsoft Office. I've run the Stinger tool (or my up-to-date anti-virus software) and there is no msblast file in my Windows system32 directory, so what's going on?

Answer: According to McAfee, these symptoms, as well as slow system performance and an empty Add/Remove Programs list, can occur when an unpatched computer is under attack from Lovesan-infected computers, even if the worm never gets installed on your system because your anti-virus software is blocking it. The solution is to install the appropriate patch for your system from http://www.helpdesk.umd.edu/virus/alerts/rpcflaw.shtml. If you ALREADY patched your system once but you are seeing these problems, download and install the patch again, as it may be that something interfered with the complete installation of the patch the first time (your second attempt should be successful).
Question: When I tried to use the Stinger tool to remove the worm, it told me that it "couldn't repair" the infected file. What should I do now?

Answer: First, change Stinger's preferences so that it deletes any virus it encounters. To do this, open up Stinger and click on the Preferences button. In the Preferences window, go to the section in the upper right, which is the On virus detection section, and choose Delete from the list of choices. Click the OK button to close the window, then click on the Scan Now button to re-run Stinger.

If Stinger still says that it cannot clean or delete a file, try disabling the Windows XP System Restore feature (which sometimes prevents Stinger from working properly). Disable System Restore before running the Stinger tool: you can find out how to disable System Restore from the McAfee webpage on the subject at http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm.

If that doesn't work, or if you are running Windows 2000 instead of Windows XP, then it is possible that Stinger cannot remove the worm because the worm is already running in memory. Reboot the computer in Safe Mode and then run Stinger again (when your computer is in Safe Mode, it cannot run the worm, so Stinger should be able to delete it). To boot into Safe Mode, restart your computer. As your computer restarts, you normally see either the logo of the company that made your computer or lines of text telling you things about your computer system. At this point, hit the F8 key on your keyboard--hit it several times until you see a menu list of startup choices (the list varies depending on what version of Windows you are running). Using the arrow keys on your keyboard, choose Safe Mode from the list and hit the Enter key.

After a few minutes (Safe Mode usually causes the computer to boot more slowly), Windows should load in Safe Mode. Don't be alarmed if the video settings look strange and the icons are much larger--that is normal in Safe Mode. Now go ahead and run the Stinger tool again. Once it has removed the worm, reboot the computer: it will reboot in its normal mode.

Note: While the computer runs in Safe Mode, it will not be able to connect to the network because the network capability of Windows is deactivated while you are running in Safe Mode.
Question: My anti-virus popped up and alerted me that either Exploit-DcomRpc or W32/Lovesan.worm was found on my system, but when I tried to clean or delete the worm, it said it could not do either action. Why? Is my machine infected?

Answer: If your software detected the worm but could not clean or delete it, that probably means that it actually caught the worm in its attempt to copy itself to your computer, so there was no file to clean or delete because the worm file was never created on your system. Just to be sure, check in your System32 folder (either C:\Windows\system32 or C:\Winnt\system32) for a file called msblast or msblast.exe. If that file is not present, then your machine is not infected, but you should go and apply the RPC patch for your computer (http://www.helpdesk.umd.edu/virus/alerts/rpcflaw.shtml) because the worm may have succeeded in opening a command shell on your system (the shell will be destroyed when the patch is applied and the system is rebooted). If that file IS present, then use the removal steps above to remove it.
Question: My computer keeps rebooting every few minutes or so (either with or without an error message). You mentioned that the worm could cause this behavior: am I infected?

Answer: It is very likely that your computer is either infected or is being attacked by a computer that is infected. Either way, you need to install the RPC patch for your system (http://www.helpdesk.umd.edu/virus/alerts/rpcflaw.shtml). Then check in your System32 folder (either C:\Windows\system32 or C:\Winnt\system32) for a file called msblast or msblast.exe. If that file IS present, then use the removal steps above to remove it.
Question: My machine is rebooting itself too quickly for me to finish installing the patch or removing the worm. What can I do?

Answer: As soon as your Windows desktop appears, click on the Start button on the desktop (or if you have a key on your keyboard with the Windows symbol, hit that). When the Start menu appears, choose Run. In the text box that appears, type the word command and hit the Enter or Return key on your keyboard. A command window will appear. At the command prompt, type shutdown -a and hit the Enter or Return key. That command will abort the shutdown and allow you to apply the patch and remove the worm. To exit the command window, type exit and hit the Enter or Return key.
Additional Information
For further information, visit:
McAfee: http://vil.nai.com/vil/content/v_100547.htm
Symantec: http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
F-Secure: http://www.data-fellows.com/v-descs/msblast.shtml