According to this bit of info from the Symantec site, there is a variant of
the MSBlast Worm which potentially could target the following OS's: W95 /
W98 / ME / NT / Win2000 and XP.

W32.Randex.E
Discovered 12/Aug/2003; Norton Anti-Virus updated 13/Aug/2003 @ 6:23 pm.

Symantec Security Response
http://www.symantec.com/avcenter/venc/data/w32.randex.e.html

For those who have accessed this advisory through the MS web page, copy and
paste this URL into your browser address window.

Recommendations are to get the latest AV updates and Definitions. Check for
any updates for your Operating System at the Windows Update Page. Block any
of the affected ports with a firewall.

Thanks to ~PA Bear for bringing this latest bit of info to my attention.

LuckyStrike
LS@smokedamagedfurniture.youcandriveitawaytoday.com
--------------------------------------------------------------------------------------

Re: Variant of MSBlast - Alert for Win9x and other systems by Jerry

Jerry
Thu Aug 14 19:36:35 CDT 2003

Keep in mind that this variant has some other component that affects ME and
98 machines. ME and 98 machines are not affected by the RPC DCOM
vulnerability.

--
Regards,

Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities

Get Secure! www.microsoft.com/security


This posting is provided "AS IS" with no warranties, and confers no rights.
"LuckyStrike" <LS@smokedamagedfurniture.youcandriveitawaytoday.com> wrote in
message news:O5rL$5qYDHA.3436@tk2msftngp13.phx.gbl...
> According to this bit of info from the Symantec site, there is a variant of
> the MSBlast Worm which potentially could target the following OS's: W95 /
> W98 / ME / NT / Win2000 and XP.
>
> W32.Randex.E
> Discovered 12/Aug/2003; Norton Anti-Virus updated 13/Aug/2003 @ 6:23 pm.
>
> Symantec Security Response
> http://www.symantec.com/avcenter/venc/data/w32.randex.e.html
>
> For those who have accessed this advisory through the MS web page, copy and
> paste this URL into your browser address window.
>
> Recommendations are to get the latest AV updates and Definitions. Check for
> any updates for your Operating System at the Windows Update Page. Block any
> of the affected ports with a firewall.
>
> Thanks to ~PA Bear for bringing this latest bit of info to my attention.
>
> LuckyStrike
> LS@smokedamagedfurniture.youcandriveitawaytoday.com
> ------------------------------------------------------------------------------------



Re: Variant of MSBlast - Alert for Win9x and other systems by Ray

Ray
Thu Aug 14 19:58:31 CDT 2003

Any thoughts on why we have Windows 95 computers showing as vulnerable by
eEye's scanner and other scanners? Just a few, all belonging to programmers.

Ray

"Jerry Bryant [MSFT]" <jbryant@online.microsoft.com> wrote in message
news:u7mZTVsYDHA.1736@TK2MSFTNGP10.phx.gbl...
> Keep in mind that this variant has some other component that affects ME and
> 98 machines. ME and 98 machines are not affected by the RPC DCOM
> vulnerability.
>
> --
> Regards,
>
> Jerry Bryant - MCSE, MCDBA
> Microsoft IT Communities
>
> Get Secure! www.microsoft.com/security
>
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> "LuckyStrike" <LS@smokedamagedfurniture.youcandriveitawaytoday.com> wrote in
> message news:O5rL$5qYDHA.3436@tk2msftngp13.phx.gbl...
> > According to this bit of info from the Symantec site, there is a variant of
> > the MSBlast Worm which potentially could target the following OS's: W95 /
> > W98 / ME / NT / Win2000 and XP.
> >
> > W32.Randex.E
> > Discovered 12/Aug/2003; Norton Anti-Virus updated 13/Aug/2003 @ 6:23 pm.
> >
> > Symantec Security Response
> > http://www.symantec.com/avcenter/venc/data/w32.randex.e.html
> >
> > For those who have accessed this advisory through the MS web page, copy and
> > paste this URL into your browser address window.
> >
> > Recommendations are to get the latest AV updates and Definitions. Check for
> > any updates for your Operating System at the Windows Update Page. Block any
> > of the affected ports with a firewall.
> >
> > Thanks to ~PA Bear for bringing this latest bit of info to my attention.
> >
> > LuckyStrike
> > LS@smokedamagedfurniture.youcandriveitawaytoday.com
> > ------------------------------------------------------------------------------------



Re: Variant of MSBlast - Alert for Win9x and other systems by Bruce

Bruce
Fri Aug 15 08:28:50 CDT 2003

Greetings --

W32.Randex isn't a variant of the Blaster Worm. It's an entirely
different threat.

Bruce Chambers

--
Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH


"LuckyStrike" <LS@smokedamagedfurniture.youcandriveitawaytoday.com>
wrote in message news:O5rL$5qYDHA.3436@tk2msftngp13.phx.gbl...
> According to this bit of info from the Symantec site, there is a variant of
> the MSBlast Worm which potentially could target the following OS's: W95 /
> W98 / ME / NT / Win2000 and XP.
>
> W32.Randex.E
> Discovered 12/Aug/2003; Norton Anti-Virus updated 13/Aug/2003 @ 6:23 pm.
>
> Symantec Security Response
> http://www.symantec.com/avcenter/venc/data/w32.randex.e.html
>
> For those who have accessed this advisory through the MS web page, copy and
> paste this URL into your browser address window.
>
> Recommendations are to get the latest AV updates and Definitions. Check for
> any updates for your Operating System at the Windows Update Page. Block any
> of the affected ports with a firewall.
>
> Thanks to ~PA Bear for bringing this latest bit of info to my attention.
>
> LuckyStrike
> LS@smokedamagedfurniture.youcandriveitawaytoday.com
> ------------------------------------------------------------------------------------



Re: Variant of MSBlast - Alert for Win9x and other systems by LuckyStrike

LuckyStrike
Fri Aug 15 11:47:56 CDT 2003

Perhaps I would have been more accurate to write the term variant as
"variant"; and to state that W32.Randex.E is a virus that had been changed
to take advantage of a vulnerability (DCOM) in NT based systems.

LuckyStrike
LS@smokedamagedfurniture.youcandriveitawaytoday.com
---------------------------------------------------------------------------------------
"Bruce Chambers" <bchambers@nospam.cableone.net> wrote in message
news:vjpnsiqq7ar99b@corp.supernews.com...
> Greetings --
>
> W32.Randex isn't a variant of the Blaster Worm. It's an entirely
> different threat.
>
> Bruce Chambers
>
> --
> Help us help you:
> http://dts-l.org/goodpost.htm
> http://www.catb.org/~esr/faqs/smart-questions.html
>
> You can have peace. Or you can have freedom. Don't ever count on
> having both at once. -- RAH
>
>
> "LuckyStrike" <LS@smokedamagedfurniture.youcandriveitawaytoday.com>
> wrote in message news:O5rL$5qYDHA.3436@tk2msftngp13.phx.gbl...
> > According to this bit of info from the Symantec site, there is a variant of
> > the MSBlast Worm which potentially could target the following OS's: W95 /
> > W98 / ME / NT / Win2000 and XP.
> >
> > W32.Randex.E
> > Discovered 12/Aug/2003; Norton Anti-Virus updated 13/Aug/2003 @ 6:23 pm.
> >
> > Symantec Security Response
> > http://www.symantec.com/avcenter/venc/data/w32.randex.e.html
> >
> > For those who have accessed this advisory through the MS web page, copy and
> > paste this URL into your browser address window.
> >
> > Recommendations are to get the latest AV updates and Definitions. Check for
> > any updates for your Operating System at the Windows Update Page. Block any
> > of the affected ports with a firewall.
> >
> > Thanks to ~PA Bear for bringing this latest bit of info to my attention.
> >
> > LuckyStrike
> > LS@smokedamagedfurniture.youcandriveitawaytoday.com
> > ------------------------------------------------------------------------------------



Re: Variant of MSBlast - Alert for Win9x and other systems by jhardis

jhardis
Fri Aug 15 21:35:46 CDT 2003

"Ray" <reply_in@news.only> wrote in message news:<uThgnisYDHA.2548@TK2MSFTNGP09.phx.gbl>...
> Any thoughts on why we have Windows 95 computers showing as vulnerable by
> eEye's scanner and other scanners? Just a few, all belonging to programmers.

Somewhere along the way DCOM95 was installed along with something else.

I don't mean to multiply-post the same information, but...

I have looked into the problem in detail for Windows 98 and can tell
you how to predict which Windows 98 boxes are "Vulnerable," and which
have a closed TCP/135 port. If you run System Information, on the
vulnerable systems there will be a "Running Task" RPCSS.EXE, and a
"32-bit Module Loaded" RPCLTSCM.DLL. There are no other differences
in the entire "Software Environment" that separate "Vulnerable" from
non-vulnerable systems.

The file C:\WINDOWS\SYSTEM\RPCSS.EXE exists on most Windows 98 systems
whether it is launched at boot time or not. As shown below, it was
widely distributed as part of the DCOM98 package. Indeed, if on a
non-vulnerable system I run RPCSS (i.e., by double-clicking on the
file), the system becomes "Vulnerable." If I end the task, the system
becomes non-vulnerable again.

Installed Version  DCOM Version or Build Number              Release Type
-----------------  ----------------------------------------  -----------------
4,71,0,3328        DCOM95 1.3 and DCOM98 1.3, build 3328.1   Released to the Web
4,71,0,2900        Build 2900.7                              Released to Windows 98 Second Edition, Microsoft Internet Explorer 5.0, Microsoft Office 2000
4,71,0,2618        DCOM95 1.2                                Released to the Web
4,71,0,2612        DCOM98                                    Shipped with Microsoft Visual Studio 6.0
4,71,0,1719        Build 1719                                Released to Windows 98 Gold, fix for build 1718.
4,71,0,1718        DCOM95 1.1                                Released to the Web in October, 1997; released to Internet Explorer 4.01.
4,71,0,1120        Build 1120
4,71,0,426         DCOM95 1.0                                Released to the Web in January 1997


While Win 95/98 may not be vulnerable to the Blaster worm itself, it may
still be vulnerable to other, future hacks that take advantage of the
buffer-overflow bug in the Port 135 handler.

- Jonathan

Re: Variant of MSBlast - Alert for Win9x and other systems by jhardis

jhardis
Sat Aug 16 14:20:10 CDT 2003

"Ray" <reply_in@news.only> wrote in message news:<uThgnisYDHA.2548@TK2MSFTNGP09.phx.gbl>...
> Any thoughts on why we have Windows 95 computers showing as vulnerable by
> eEye's scanner and other scanners? Just a few, all belonging to programmers.

I'm fairly confident that I've solved it, though I can't test the
answer until Monday.

Look in the Registry under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE

Change "EnableRemoteConnect" to "N" (if it is "Y")

Why do I believe this is correct? I dumped the registry of six Win 98
systems, three that scanned as "Vulnerable," and three that did not.
This variable correlates with their scanning state. I found it by
reading Microsoft Knowledge Base Article 825750, "How to Disable DCOM
Support in Windows."
http://support.microsoft.com/default.aspx?scid=kb;en-us;825750

This article says to "Change the EnableDCOM string value to N." It
turns out that EnableDCOM is "Y" in all of my reference Win 98 systems,
both good and bad. However, the very next flag,
"EnableRemoteConnect," was "Y" on the bad (Vulnerable) ones and "N" on
the good ones.

- Jonathan

P.S. -- Is there a way a user can change this variable short of
editing the registry?

Re: Variant of MSBlast - Alert for Win9x and other systems by Torgeir

Torgeir
Sat Aug 16 20:18:30 CDT 2003

"Jonathan E. Hardis" wrote:

> "Ray" <reply_in@news.only> wrote in message news:<uThgnisYDHA.2548@TK2MSFTNGP09.phx.gbl>...
> > Any thoughts on why we have Windows 95 computers showing as vulnerable by
> > eEye's scanner and other scanners? Just a few, all belonging to programmers.
>
> Somewhere along the way DCOM95 was installed along with something else.
>
> I don't mean to multiply-post the same information, but...
>
> I have looked into the problem in detail for Windows 98 and can tell
> you how to predict which Windows 98 boxes are "Vulnerable," and which
> have a closed TCP/135 port. If you run System Information, on the
> vulnerable systems there will be a "Running Task" RPCSS.EXE, and a
> "32-bit Module Loaded" RPCLTSCM.DLL. There are no other differences
> in the entire "Software Environment" that separates "Vulnerable" from
> non-vulnerable systems.

If I use eEye's Retina DCOM scanner against a Win9x computer running RPCSS.EXE, I get the
result "Windows 9x/ME - Not Affected" (while Microsoft's KB823980Scan.exe reports
"unpatched").


> (snip)
>
> While Win 95/98 may not be vulnerable to the Blaster worm itself, it may
> still be vulnerable to other, future hacks that take advantage of the
> buffer-overflow bug in the Port 135 handler.

Microsoft states that this buffer-overflow flaw in the RPC interface does not exist in Win9x/ME.



--
torgeir
Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter



Re: Variant of MSBlast - Alert for Win9x and other systems by jhardis

jhardis
Mon Aug 18 12:20:59 CDT 2003

jhardis@tcs.wap.org (Jonathan E. Hardis) wrote in message news:<4e1ce551.0308161120.60d7d4f3@posting.google.com>...
> I'm fairly confident that I've solved it, though I can't test the
> answer until Monday.
>
> Look in the Registry under
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
>
> Change "EnableRemoteConnect" to "N" (if it is "Y")

This is a preliminary note to advise that the work-around I previously
reported for Win 9x systems may not be sufficient to remove the
vulnerability.

I have discovered a case where changing the Registry variable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE "EnableRemoteConnect"="N"
is not sufficient to stop RPCSS.EXE from launching at boot time. This
machine continues to report "Vulnerable" on the scan.

While I do not have time to pursue the matter in detail right now, a
preliminary search of suggestive elements in the Registry (and in
comparison to the Registries of computers that are rendered
invulnerable by the change referenced above), leads me to believe that
the installation of WBEM -- Web Based Enterprise Management --
provides an alternative mechanism for launching RPCSS.EXE at boot
time.

From: http://ma.ph-freiburg.de/tng/tng-technical/2001-08/msg00062.html
(Found using Google)

Service: Windows Management Instrumentation
-------
-> Path: C:\WINNT\System32\WBEM\WinMgmt.exe
Load Order:
-> Dependencies: RPCSS/
Service Start: LocalSystem
Service Type: 0x10
Start Type: Auto
Error Control: 0
Tag Id: 0

See also: http://www.jsware.net/jsware/viinfo.html#wmi


This speaks again for the need for Microsoft to provide a patch for
DCOM98 (and perhaps DCOM95) analogous to the fix provided for Win NT
(and derivatives).

- Jonathan

Re: Variant of MSBlast - Alert for Win9x and other systems by Jerry

Jerry
Wed Aug 20 13:32:19 CDT 2003

Our analysis is that Win9.x systems are not affected by this vulnerability
even if DCOM is installed (which it is not by default).

--
Regards,

Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities

Get Secure! www.microsoft.com/security


This posting is provided "AS IS" with no warranties, and confers no rights.
"Jonathan E. Hardis" <jhardis@tcs.wap.org> wrote in message
news:4e1ce551.0308180920.e0174c6@posting.google.com...
> jhardis@tcs.wap.org (Jonathan E. Hardis) wrote in message
> news:<4e1ce551.0308161120.60d7d4f3@posting.google.com>...
> > I'm fairly confident that I've solved it, though I can't test the
> > answer until Monday.
> >
> > Look in the Registry under
> >
> > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
> >
> > Change "EnableRemoteConnect" to "N" (if it is "Y")
>
> This is a preliminary note to advise that the work-around I previously
> reported for Win 9x systems may not be sufficient to remove the
> vulnerability.
>
> I have discovered a case where changing the Registry variable
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE "EnableRemoteConnect"="N"
> is not sufficient to stop RPCSS.EXE from launching at boot time. This
> machine continues to report "Vulnerable" on the scan.
>
> While I do not have time to pursue the matter in detail right now, a
> preliminary search of suggestive elements in the Registry (and in
> comparison to the Registries of computers that are rendered
> invulnerable by the change referenced above), leads me to believe that
> the installation of WBEM -- Web Based Enterprise Management --
> provides an alternative mechanism for launching RPCSS.EXE at boot
> time.
>
> From: http://ma.ph-freiburg.de/tng/tng-technical/2001-08/msg00062.html
> (Found using Google)
>
> Service: Windows Management Instrumentation
> -------
> -> Path: C:\WINNT\System32\WBEM\WinMgmt.exe
> Load Order:
> -> Dependencies: RPCSS/
> Service Start: LocalSystem
> Service Type: 0x10
> Start Type: Auto
> Error Control: 0
> Tag Id: 0
>
> See also: http://www.jsware.net/jsware/viinfo.html#wmi
>
>
> This speaks again for the need for Microsoft to provide a patch for
> DCOM98 (and perhaps DCOM95) analogous to the fix provided for Win NT
> (and derivatives).
>
> - Jonathan



Re: Variant of MSBlast - Alert for Win9x and other systems by jhardis

jhardis
Thu Aug 21 22:05:38 CDT 2003

jhardis@tcs.wap.org (Jonathan E. Hardis) wrote in message news:<4e1ce551.0308180920.e0174c6@posting.google.com>...
> jhardis@tcs.wap.org (Jonathan E. Hardis) wrote in message news:<4e1ce551.0308161120.60d7d4f3@posting.google.com>...
> > I'm fairly confident that I've solved it, though I can't test the
> > answer until Monday.
> >
> > Look in the Registry under
> >
> > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
> >
> > Change "EnableRemoteConnect" to "N" (if it is "Y")
>
> This is a preliminary note to advise that the work-around I previously
> reported for Win 9x systems may not be sufficient to remove the
> vulnerability.
>
> I have discovered a case where changing the Registry variable
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE "EnableRemoteConnect"="N"
> is not sufficient to stop RPCSS.EXE from launching at boot time. This
> machine continues to report "Vulnerable" on the scan.
>
> While I do not have time to pursue the matter in detail right now, a
> preliminary search of suggestive elements in the Registry (and in
> comparison to the Registries of computers that are rendered
> invulnerable by the change referenced above), leads me to believe that
> the installation of WBEM -- Web Based Enterprise Management --
> provides an alternative mechanism for launching RPCSS.EXE at boot
> time.

This preliminary assessment turned out to be incorrect. WBEM was not
involved. I found it on both affected and unaffected systems.

The cause turned out to be WIN32SL.EXE. This procedure starts up
RPCSS.EXE, and so WIN32SL.EXE must also be eliminated as a running
task.

WIN32SL.EXE is the Service Level interface of DMI -- the Desktop
Management Interface. This software is provided by a consortium of
companies to provide a common means of remote monitoring and remote
control of a desktop system.

Unfortunately, there is no simple recipe for dealing with WIN32SL.EXE.
All I can do is provide some clues for those technical experts for
which this is an issue.

Short of uninstalling software, while waiting for a patch that may or
may not materialize, the easiest route to disabling WIN32SL.EXE seems
to be editing the Registry to put a fault in the path of where it is
found. However, the details depend on which 3rd-party DMI application
system is installed.

I've had to deal with two different DMI systems, on two different
kinds of computers. The first is Dell, which has its "OpenManage"
system. To change these from being "vulnerable" on our network
scanner, I made the following registry edit:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

"WIN32SL"="c:\\dmi\\win32\\bin\\win32sl.exe -i -p -r"

Change "2" to "X", resulting in:

"WIN32SL"="c:\\dmi\\win32\\bin\\win3Xsl.exe -i -p -r"


The second was an off-brand system that had Intel's LanDesk Client
Manager (LDCM) installed. For this one, the solution we implemented
was not pretty. I now suspect that a better solution would have been:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

"DMIStart"="C:\\Program Files\\Intel\\LDCM\\DMIStart.exe"

Change "S" to "X", resulting in:

"DMIStart"="C:\\Program Files\\Intel\\LDCM\\DMIXtart.exe"

(CAUTION: I haven't actually tested this, yet.)


Finally, there was one system where we had to do this:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

"nimxStartRpcss"="C:\\WINDOWS\\NIRpcss.exe"

Insert "X" in name, resulting in:

"nimxStartRpcss"="C:\\WINDOWS\\NIRpcssX.exe"

This did not involve WIN32SL.EXE, just RPCSS.EXE. We suspect that the
"NI" refers to National Instruments, and that LabView or LabWindows
was at one time installed on the machine.

- Jonathan
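Jonathan's two findings above (the OLE "EnableRemoteConnect" flag from the Aug 16 post, and the RunServices entries that start RPCSS.EXE from the Aug 21 post) can be checked offline from a Regedit export, which is how one would audit a fleet of Win9x boxes without touching each registry by hand. The script below is an added example, not code from the thread or from any of its participants: it parses a REGEDIT4 export and reports the flag and the launcher entries the thread names. The sample export is constructed for the example, and the list of launcher executables is assumed from the posts, not from any Microsoft documentation.

```python
import re

# Constructed sample of a REGEDIT4 export (the format Win9x regedit writes),
# modelled on the keys and values discussed in the thread; not a real dump.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE]
"EnableDCOM"="Y"
"EnableRemoteConnect"="Y"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WIN32SL"="c:\\dmi\\win32\\bin\\win32sl.exe -i -p -r"
"nimxStartRpcss"="C:\\WINDOWS\\NIRpcss.exe"
"SchedulingAgent"="mstask.exe"
'''

# Constructed export of a box after the thread's recommended changes.
HARDENED_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE]
"EnableDCOM"="Y"
"EnableRemoteConnect"="N"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
'''

OLE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE"
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
# Executables the thread identifies as starting RPCSS.EXE on Win9x (assumed list).
RPCSS_LAUNCHERS = ("rpcss.exe", "win32sl.exe", "dmistart.exe", "nirpcss.exe")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Parse the string values of a REGEDIT4 export into {key: {name: value}}.
    Key paths are lower-cased because the registry itself is case-insensitive."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            # Undo the export's backslash doubling: c:\\dmi -> c:\dmi
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def audit(text):
    """Return findings: EnableRemoteConnect=Y, plus every RunServices entry
    whose command line references one of the known RPCSS.EXE launchers."""
    keys = parse_reg(text)
    findings = []
    ole = keys.get(OLE_KEY.lower(), {})
    if ole.get("EnableRemoteConnect", "N").upper() == "Y":
        findings.append("OLE\\EnableRemoteConnect=Y (remote DCOM connections enabled)")
    for name, cmd in keys.get(RUNSERVICES_KEY.lower(), {}).items():
        if any(exe in cmd.lower() for exe in RPCSS_LAUNCHERS):
            findings.append("RunServices\\%s launches RPCSS via: %s" % (name, cmd))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```

On a real machine, export the two keys with Regedit (File > Export) and pass the file's contents to audit(); an empty result means neither the flag nor any of the listed launchers is present.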