The Subaru SVX World Network   SVX Network Forums
  #1  
Old 08-12-2003, 11:03 AM
RSVX RSVX is offline
Network Design Administrator
 
Join Date: Feb 2002
Location: Boiling Springs, SC
Posts: 4,344
New Pc Virus!!!!

I got the virus at work today... here are all of the symptoms...

yeah, I had it on my work PC... here is some of what it did to me... Luckily enough I was smart enough to fix it...


disables copy/cut paste

makes office crash

no web viewing

click a link on a website that opens a new window, and that new window never opens

if you have XP it puts you in a 60 second reboot cycle

disables the search feature in your start menu

Control Panel opens up in the sidebar as opposed to the main window

Gives you a SVCHOST.EXE error and crashes that process

The kicker is if you are not on the Internet or some sort of a network, your PC will work FINE until you gain access to the internet, and that's when all hell breaks loose. The first thing I saw was the SVCHOST error, and then you're screwed.

The REAL kicker is the fact that you don't have to DL anything, open an email or anything like that... it just gets you through a nice little Windows RPC loophole. That is unless you have already run the latest Windows update files...
__________________
Chris
SVX World Network Administrator
-1993 Subaru SVX LS-L, Barcelona Red, #46, 160,000+ Miles (Sold to SomethingElse)
-2011 Toyota Sienna SE, Black, 30,000+ Miles (Swagger Wagon )
-2002 BMW R 1150R ABS, Black, 26,000+ Miles (Daily Driver )
SVX Owner from February 1997 to March 2008
SVX Online Community Member since February 1998
SVX World Network Member since February 2002, Member #520

Life is a game. Play to win.
The world belongs to those who can laugh at it.
  #2  
Old 08-12-2003, 11:07 AM
RSVX RSVX is offline
Network Design Administrator
 
Join Date: Feb 2002
Location: Boiling Springs, SC
Posts: 4,344
To supplement that, there was only 1 guy in my office that didn't get the virus. He went to Norton's website and DLed a fix for it. This easily found and eradicated the virus. It then tells you to go get the patch from M$ website... well while you are getting the patch, guess what, you get infected AGAIN, why is that you say, well because of the stupid RPC loophole... we had my buddy DL the file and that was the only way to fix it... was to pass it around on a, you guessed it, FLOPPY DISK...
  #3  
Old 08-12-2003, 11:11 AM
Chicane Chicane is offline
Anti-BS Vigilante
 
Join Date: Feb 2003
Location: Madison, WI
Posts: 3,057
Will it hurt my mac??!
  #4  
Old 08-12-2003, 11:12 AM
RSVX RSVX is offline
Network Design Administrator
 
Join Date: Feb 2002
Location: Boiling Springs, SC
Posts: 4,344
I doubt it, seriously, since it uses an exploit in windows software...
  #5  
Old 08-12-2003, 11:37 AM
mohrds mohrds is offline
Fight Eminent Domain Abuse!
 
Join Date: Mar 2001
Location: Milwaukee, WI
Posts: 3,175
Quote:
Originally posted by RSVX
I doubt it, seriously, since it uses an exploit in windows software...
I think he was setting us up for a windows bashing comment

Doug

Description
-----------------
W32.Lovsan.worm is a worm that propagates by exploiting the RPC DCOM vulnerability reported in TruSecure Vulnerability Alert 6307. The worm scans for vulnerable systems over TCP and UDP ports 135 and exploits vulnerable systems. The worm launches a command shell and uses TFTP to connect to other infected systems to download the worm's executable. The file is then executed on the system and the registry is altered to ensure that the worm is executed when Windows starts.


Virus definitions are available.



Impact
-----------------
W32/Lovsan.worm installs a TFTP server on the infected machine and propagates. The worm's propagation routine could cause network congestion.



Warning Indicators
-----------------
The presence of the file msblast.exe may indicate an infection.

This worm often causes error messages or reboots of infected device.
Helpdesks may receive calls that workstations are constantly rebooting.

The worm contains the following strings:


I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!! windowsupdate.com BILLY



Technical Information
-----------------
The worm adds the value windows auto update = "msblast.exe I just want to say LOVE YOU SAN!! bill" to the following registry key to ensure the worm executes when Windows starts:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

This worm does not use e-mail as a means of propagation and it will launch a denial of service attack against Microsoft's Windows Update
system on August 16th.
__________________
1992 LS Touring (6/91) - Currently undergoing a five speed swap
Black over Claret with spoiler; 235,000 miles; Mods: 2002 Legacy 5 speed, ACT Pressure Plate, Excedy Clutch, Short Throw Shifter, Aussie Powerchip
1992 LS Touring (6/91)
Black over Claret with 2.5" setback spoiler; 202,000 miles; Mods: B&M Cooler
1994 LSi (4/93)
Bordeaux Pearl; 198,000 miles; Mods: Weight reduction.

1969 Mustang GT Convertible
1970 Mustang Convertible
2000 Ford Excursion
Sola lingua bona est lingua mortua.
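
An added example, not part of the original post or the advisory it quotes: a Python check that parses `reg query` output for the Run key listed under Technical Information and flags the `windows auto update` / `msblast.exe` entry. The sample output is constructed, the function names are hypothetical, and the whitespace-separated line layout is an assumption about the tool's output.

```python
import re

# Indicators named in the advisory quoted in the post above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAME = "windows auto update"
IOC_FILE_RE = re.compile(r'(?:^|[\\/"\s])msblast\.exe(?=$|["\s])', re.IGNORECASE)

# Constructed sample of `reg query` output (not captured from a real host).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SynTPEnh    REG_SZ    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    windows auto update    REG_SZ    msblast.exe I just want to say LOVE YOU SAN!! bill
    Backup Agent    REG_EXPAND_SZ    "%ProgramFiles%\Backup\agent.exe" /quiet
"""

# Assumed layout: indented "name  TYPE  data" lines under an unindented key line.
# Value names may contain spaces, so the REG_* type token is the split point.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")


def parse_run_values(text):
    """Return (name, type, data) tuples for values listed under the Run key."""
    values, in_run_key = [], False
    for line in text.splitlines():
        if line and not line[0].isspace():  # unindented line = registry key header
            in_run_key = line.strip().lower() == RUN_KEY.lower()
            continue
        match = VALUE_LINE.match(line)
        if in_run_key and match:
            values.append((match["name"], match["type"], match["data"].strip()))
    return values


def find_lovsan_autorun(text):
    """Flag Run entries matching the advisory's value name or file name."""
    hits = []
    for name, _reg_type, data in parse_run_values(text):
        matched = []
        if name.strip().lower() == IOC_VALUE_NAME:
            matched.append("value name")
        if IOC_FILE_RE.search(data):  # catches full paths and renamed values
            matched.append("file name")
        if matched:
            hits.append({"name": name, "data": data, "matched": matched})
    return hits


if __name__ == "__main__":
    for hit in find_lovsan_autorun(SAMPLE_REG_QUERY):
        print("suspicious autorun entry:", hit)
```
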

  #6  
Old 08-12-2003, 04:20 PM
SVX26517
Guest
 
Posts: n/a

Doesn't surprise me that someone made this virus, since Microsoft stole everything they came out with and is invading our privacy. Guess Bill "Gay"tes wants to get off teen convos because he never had a life. Friggin butthole
  #7  
Old 08-12-2003, 07:06 PM
Ron Mummert Ron Mummert is offline
Invisible avatar
Alcyone Gold Contributor
 
Join Date: Apr 2001
Location: Shawsville, VA (Formally Ellicott City, MD)
Posts: 3,797

Will it do anything to Win. 95?
Gee...why do I ask you may wonder.

Ron (Wow, this 200MMX 'puter really hums)!
__________________
Good s**t happened. 69 was worth the wait.

'92 stock semi-pristine ebony - 160K
'96 Grand Caravan - 240K
'01 Miata SE - 79K
'07 Chrysler Pacifica - 60k - future money pit.
  #8  
Old 08-13-2003, 02:53 AM
Trevor Trevor is offline
Registered User
 
Join Date: Feb 2002
Location: Auckland, New Zealand
Posts: 5,223
Registered SVX
Hi you PC users. Best of luck.

In this part of the world we demand service. This is what I received from my server some time ago : --

Dear Xtra customer,

Microsoft has issued a worldwide warning about a computer worm
commonly known as W32 Blaster that can infect computers running
Windows XP, Windows NT4, Windows Server 2003 and Windows 2000.
Your computer can be infected simply by connecting to the
Internet.

The worm is not being transferred by email and, as a result, your
computer will not be protected by Xtra's anti-virus email filter.

Tools to fix the problem have been released and if you are running one
of the operating systems mentioned above, it is vital you protect your
system from this worm immediately.

When you connect to the Internet after August 15th, all infected
computers will try and flood Microsoft's Windows update Web site with
large volumes of traffic.

The steps you need to take are:

If you have Windows XP or Windows Server 2003, enable the Internet
Connection Firewall (ICF). To do this you will need to:

1. Ensure you are not currently connected to Xtra

2. Click the Start button

3. Click Control Panel

4. Click Networking and Internet Connections, and then click Network
Connections (some computers may have the Network Connections icon directly
inside the Control Panel).

5. Right-click the connection on which you would like to enable the
firewall (normally this is labelled as "Xtra"), and then click Properties.

6. On the Advanced tab, click the box to select the option to "Protect my
computer or network?"

7. Click OK

8. Close the Control Panel

If you are running Windows 2000 or Windows NT, install an Internet firewall
of your choice.


How do I know if I've been infected?
This may not be immediately obvious, however typical symptoms include your
computer closing down while you're online and restarting without any
warning. Visit this site http://www.xtra.co.nz/latest if you want more
information about whether or not your computer has been infected.


If your PC is not infected
Download the appropriate patch via
http://www.microsoft.com/security/incident/blast.asp. This site also
includes information about firewalls and worm removal tools. Note that the
patch required for Windows XP Home and Windows XP Professional is available
via the "Windows XP (32 bit)" link. Update and run your anti-virus software.
Customers who don't currently have an anti-virus program installed should
refer to http://www.microsoft.com/security/ar.../antivirus.asp for help
about anti-virus software or a list of Microsoft partners.
Download any other required patches at http://www.windowsupdate.com


Infected
If your computer's operating system has already been infected with this worm,
the Microsoft patch will not be effective on its own. You will need to visit
http://www.xtra.co.nz/latest where you will find information to help you.

Additional information for remedying the effects of this worm is also
available at http://www.microsoft.com/security/incident/blast.asp

For further support, please visit Microsoft at
http://www.microsoft.com/security or telephone 0800 800 004.

Microsoft assures us they are working hard to deal with this issue. We will
keep you informed of any updates on our Web site.


Kind regards

The Team@Xtra

We have made every effort to ensure the information in this email is accurate.
However it is intended to be for general information only. As a result, Xtra
does not accept any liability for any loss or damage whatsoever which may
arise as a result of your use of this email, or for any errors or omissions
in this email.

However I run a Mac. Don't we Rob !
__________________
Trevor, New Zealand.

As a child, on cold mornings I gladly stood in cowpats to warm my bare feet, but I detest bull$hit!
  #9  
Old 08-13-2003, 06:09 AM
RSVX RSVX is offline
Network Design Administrator
 
Join Date: Feb 2002
Location: Boiling Springs, SC
Posts: 4,344
Quote:
Originally posted by Ron Mummert
Will it do anything to Win. 95?
Gee...why do I ask you may wonder.

Ron (Wow, this 200MMX 'puter really hums)!
Anything pre-98 should be OK... until someone releases variants of this one...
  #10  
Old 08-13-2003, 06:56 AM
RRX
Guest
 
Posts: n/a
I do broadband internet tech support and......

That worm was a nightmare for me at work yesterday. Everybody was calling in with problems and to top it off we use Windows 2000 for some of our servers so we had some major outages......Glad I use a Mac..

Last edited by RRX; 08-13-2003 at 07:01 AM.
  #11  
Old 08-13-2003, 07:07 AM
mohrds mohrds is offline
Fight Eminent Domain Abuse!
 
Join Date: Mar 2001
Location: Milwaukee, WI
Posts: 3,175
Three words:

Fifty Dollar Firewall.

I usually recommend the Linksys Cable/DSL routers. The built in firewall seems pretty good for the price.

Doug
  #12  
Old 08-13-2003, 07:12 AM
CigarJohnny CigarJohnny is offline
Registered User
 
Join Date: Oct 2002
Location: Allentown, PA
Posts: 2,922
We had a customer's box at work infected Monday. We loaded SP4 on it from CD (they obviously have not worried about upgrades) but every time we tried to go online it would start acting up and would not let us get to the update site. It appeared to be waiting for the machine's specific IP addy. I reallocated a new IP for the server and like magic we were able to go online and apply all the critical updates. Reset the IP back to the original and rebooted and we were good to go.

I'm not really sure if the virus works that way but if you are in a corporate environment and have unused IP space you can allocate temporarily then give it a shot. Don't reassign a new IP until you are ready to go online immediately for the updates. Best of luck! I am definitely not looking forward to the 16th when the crap hits the fan. We had another customer whose internal clock was set to the wrong day. The box went nuts when it thought it turned August 16. A real nightmare. This could really end up crippling the entire internet with all the traffic it will generate if those morons do not update their boxes ASAP!
__________________
Pearl '92 LS-L 179K (Historic 1st 5-speed SVX)
Mods: 5-speed, 4.11's, Group-N motor mounts, dual Magnaflows, cone air filter, Kenwood MP-228 CD/Receiver, white-faced gauges, '97 grill, custom window tinting.

Ebony Mica '92 LS 80K Oct 2002 - Dec 2004: Victim of theft. She served me well.

You can tell the lack of craftsmanship by the wrinkles in the duct tape.
  #13  
Old 08-13-2003, 07:27 AM
Andy Andy is offline
Registered User
 
Join Date: Apr 2002
Location: Guernsey, Channel Islands
Posts: 2,606
Two simple words

Zone Alarm.

It's free so why not use it?
__________________
Andy

------------------------------------------------------------------------------------

If I would be a young man again and had to decide how to make my living, I
would not try to become a scientist or scholar or teacher. I would rather
choose to be a plumber or a peddler in the hope to find that modest degree
of independence still available under present circumstances.
-- Albert Einstein, The Reporter, November 18 1954
  #14  
Old 08-13-2003, 08:02 AM
RSVX RSVX is offline
Network Design Administrator
 
Join Date: Feb 2002
Location: Boiling Springs, SC
Posts: 4,344
Quote:
Originally posted by mohrds
Three words:

Fifty Dollar Firewall.

I usually recommend the Linksys Cable/DSL routers. The built in firewall seems pretty good for the price.

Doug
Quote:
Originally posted by Andy
Two simple words

Zone Alarm.

It's free so why not use it?
Most Firewalls do NOT come configured to block UDP packets from the WAN (Wide Area Network, READ: Internet). So firewall or not, you would have gotten hit, unless you specified it to block UDP traffic already. A fifty dollar firewall would have done no better than the big dollar NetScreen firewalls that the big corps use, unless configured in this way.

Even still there are only TWO sure fire ways to block this WORM.

1. Windows Update, Windows Update, Windows Update (got it yet?)!!
2. Firewall configured to block UDP Packets. This is the ONLY sure fire way to keep this from happening ever again.
  #15  
Old 08-13-2003, 08:33 AM
Andy Andy is offline
Registered User
 
Join Date: Apr 2002
Location: Guernsey, Channel Islands
Posts: 2,606
Windows update is free too (do you have to do it three times before it works?)