By the time you read this, I'll be finished battling Blaster and Sobig.
But right now, the phone is ringing off the hook! Blaster reboots machines
unprotected by patches or firewalls. Sobig has shut down numerous mail servers
with its SMTP flood. So, let's talk about what could've been done to prevent
this.
Virus #1: the Blaster Worm
(W32.Blaster)
In July, Microsoft released a patch (security bulletin MS03-026) for a buffer overflow in the RPC (Remote Procedure Call) DCOM interface that lets a remote attacker run code of his choosing on the target system. Unpatched NT-based operating systems (Windows NT 4.0, 2000, XP, and Server 2003) all have the hole; the worm's exploit is written for Windows 2000 and XP, and on NT 4.0 and Server 2003 it tends to crash the RPC service rather than infect. The worm (also known as Lovesan) spreads by scanning for TCP port 135, exploiting the hole, opening a command shell on TCP port 4444, and using that shell to fetch MSBLAST.EXE over TFTP (UDP port 69). Infected machines then join a DDoS (Distributed Denial of Service) attack against windowsupdate.com. On many victims the RPC service crashes and Windows announces a 60-second shutdown countdown, which makes it difficult to download and install the patch.
To cancel the countdown, run the shutdown /a command on the infected
machine. Once the shutdown is cancelled, Blaster can be removed manually.
Disconnect from the Internet and use Task Manager to end every instance
of MSBLAST.EXE, which is started from the Registry. To remove the registry
entry, open:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and delete the value named windows auto update, whose data is msblast.exe.
Restart the computer, then find and delete any MSBLAST.EXE file on the
system (the worm normally drops it in %Windir%\System32).
The worm requires DCOM to function, so run DCOMCNFG.EXE to disable DCOM.
Open Console Root\Component Services\Computers\My Computer, then right-click
My Computer and choose Properties. Click Default Properties, un-check
Enable Distributed COM on this computer, and click OK. Now install a
firewall that blocks inbound TCP port 135 (and TCP port 4444 and UDP port
69, which the worm also uses), reconnect to the Internet, and install the
Microsoft patch. Only once the patch is in place should DCOM be re-enabled;
turning it back on before patching reopens the hole.
Virus #2: Sobig
(W32.Sobig.F@mm)
Sobig is a mass-mailing worm. It harvests e-mail addresses from files
with the following extensions: .dbx, .eml, .hlp, .htm, .html, .mht, .wab,
and .txt, and sends itself to them using its own built-in SMTP engine, so
it does not need the victim's mail client. The harvested addresses are also
used to forge the From line, which is why the apparent sender is usually
not the infected machine. Subject lines and message bodies vary; the
attachment carries a .PIF or .SCR extension, both of which Windows runs as
a program when double-clicked.
When Sobig runs, it copies itself to %Windir%\winppr32.exe and creates
the file %Windir%\winstt32.dat. It then adds the value
"TrayX"="%Windir%\winppr32.exe /sinc" to both of the following registry
keys so that the worm starts whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Sobig also enumerates the network shares the infected computer can reach,
and it can download and execute files. That download-and-execute capability
lets the worm's author turn the machine into a mail relay or push updated
versions of the worm to it.
Sobig opens several network ports. Network administrators should block
inbound traffic on UDP ports 995 through 999 (the 99x range on which the
worm listens) and block outbound traffic on UDP port 8998, which it uses
to contact its master servers. Administrators should also watch UDP port
123 (NTP): an infected machine polls a time server once per hour so it
knows when its scheduled update check is due, and a workstation that does
so on a steady hourly cadence is suspect.
Sobig’s Spoofing Confusion
A few of my uninfected clients were blamed for sending infected messages!
Here’s what really happened. Laura (who is NOT my client) is using an
infected computer. She doesn’t use anti-virus software. When Sobig got
on her computer, it located Jodee’s e-mail address (who is my client).
The worm used Jodee's address to send mail to Christi. Christi then contacted
Jodee to tell her she sent a virus. However, when Jodee scanned her computer
with Panda (which automatically updates with the latest definitions), she
didn’t find anything because her computer wasn’t infected!
To manually remove Sobig, disconnect from the Internet and disable or
password-protect all file shares. Install a current anti-virus program
with the latest virus definition updates. Restart in Safe Mode, run a full
system scan, and delete every file detected as Sobig. Next, delete the
TrayX values listed above from both Run keys. Reboot after completing this
step, and reconnect to the Internet only once a fresh scan comes back clean.
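Both clean-up procedures on this page (the Blaster steps and the Sobig steps) end with the same chore: find the worm's start-up value in the Run keys and delete it. The script below is an added example, not part of the original column or of any vendor tool. It parses a registry export of the two Run keys (the text you get from regedit's Export command, or from reg.exe export), flags the two values described above, and prints the reg.exe commands that remove them. The sample export is constructed for the example, and the assumption that reg.exe is available on the box is mine.

```python
"""Scan a .reg export of the two Run keys for the Blaster and Sobig.F
start-up values described above and emit the matching reg.exe deletions."""
import re
from typing import List, NamedTuple, Tuple

# Persistence indicators from the removal steps above: value name (matched
# case-insensitively) and the executable named in the value data.
INDICATORS = {
    "W32.Blaster": ("windows auto update", "msblast.exe"),
    "W32.Sobig.F": ("trayx", "winppr32.exe"),
}

# Only values living directly under these keys are considered.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" lines only; dword:/hex: values are not relevant here
_SZ_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


class Finding(NamedTuple):
    worm: str
    key: str
    name: str
    data: str


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, string data) for every REG_SZ value in a .reg export."""
    values, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _SZ_RE.match(line)
        if m and key is not None:
            values.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return values


def _exe_name(data: str) -> str:
    # first whitespace-separated token is the program; keep just its file name
    parts = data.split()
    head = parts[0] if parts else ""
    return head.rsplit("\\", 1)[-1].strip('"').lower()


def find_worms(text: str) -> List[Finding]:
    """Flag Run-key values whose name and executable match a known worm."""
    found = []
    for key, name, data in parse_reg(text):
        if key.lower() not in RUN_KEYS:
            continue
        for worm, (want_name, want_exe) in INDICATORS.items():
            if name.lower() == want_name and _exe_name(data) == want_exe:
                found.append(Finding(worm, key, name, data))
    return found


def removal_commands(findings: List[Finding]) -> List[str]:
    """reg.exe commands that delete the flagged values (assumes reg.exe is present)."""
    return [f'reg delete "{f.key}" /v "{f.name}" /f' for f in findings]


# Constructed sample export: an infected machine plus one legitimate entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"="msblast.exe"
"TrayX"="C:\\WINDOWS\\winppr32.exe /sinc"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TrayX"="C:\\WINDOWS\\winppr32.exe /sinc"
'''

if __name__ == "__main__":
    hits = find_worms(SAMPLE_REG)
    for h in hits:
        print(f"{h.worm}: {h.key}\\{h.name} = {h.data}")
    print("\n".join(removal_commands(hits)))
```

Run it against a real export only after the worm's processes have been killed; otherwise Blaster simply rewrites its value on the next restart, which is why the procedures above end processes first and delete the registry entry second.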
Lessons Learned
Three lessons can be learned from this latest worm experience.

First, it is extremely important to use a firewall on systems that are connected to the Internet. These days, attackers are constantly scanning systems for known vulnerabilities. Firewalls block intrusions, generally based on IP addresses and port numbers. Blaster came in on TCP port 135, the port used for RPC communication. Sobig's backdoor uses UDP ports in the 990s and UDP port 8998. A properly configured firewall would have stopped Blaster outright and cut Sobig off from its author, though it would not have stopped Sobig arriving as an e-mail attachment. Remember, too, that a perimeter firewall does nothing for a laptop infected at home and then plugged into the office LAN; a host firewall on each machine closes that gap.

Second, it is important to pay attention to security patches released by Microsoft. There are two ways to do this. Probably the most common method now is the Windows Update site, where security patches appear as Critical Updates; systems can be set to download and install them automatically. One may also sign up for Microsoft's security bulletin, which is available at the Microsoft.com Website under Newsletters. The patch to protect against Blaster was available almost four weeks before the worm surfaced.

Finally, install and maintain anti-virus software. Companies such as Symantec (Norton), McAfee, and Panda all provide current solutions to protect systems against worms and other viruses, and all of them now include auto-update features that keep virus definitions up-to-date. The definitions available on the day of the outbreak already detected Blaster, so anyone running current definitions was protected. All the anti-virus vendors have also released automated tools that perform the manual clean-ups outlined above; simply download them from any of their sites.

Until next month, keep your systems up-to-date and the viruses away.
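The firewall lesson above and the Sobig port list earlier in the column amount to a short rule set plus two things to watch for in the logs. The code below is an added example, not from the original column or from any firewall vendor: it encodes those rules (inbound TCP 135, 4444 and UDP 69 for Blaster, inbound UDP 995-999 and outbound UDP 8998 for Sobig, plus outbound TCP 135 so an infected host cannot scan out), applies them to a set of flow records, and then runs two behavioural checks the rules alone cannot express: an internal host sweeping many addresses on TCP 135, and a host hitting NTP (UDP 123) on a steady hourly cadence. The Flow record layout, the sample flows, and the thresholds (10 scan targets, two hourly gaps within two minutes) are my own assumptions for the example.

```python
"""Perimeter rules and traffic checks for the Blaster and Sobig.F ports
discussed above, run over a constructed set of flow records."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: int          # seconds since the epoch
    direction: str   # "in" = Internet to LAN, "out" = LAN to Internet
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int


# Deny rules, checked in order: (direction or "any", proto, low port, high port, reason)
DENY_RULES: List[Tuple[str, str, int, int, str]] = [
    ("in",  "tcp", 135,  135,  "Blaster: RPC/DCOM exploit attempt"),
    ("out", "tcp", 135,  135,  "Blaster: infected host scanning the Internet"),
    ("in",  "tcp", 4444, 4444, "Blaster: command shell opened by the exploit"),
    ("any", "udp", 69,   69,   "Blaster: TFTP transfer of MSBLAST.EXE"),
    ("in",  "udp", 995,  999,  "Sobig.F: listener ports"),
    ("out", "udp", 8998, 8998, "Sobig.F: beacon to master servers"),
]


def verdict(flow: Flow) -> Tuple[str, str]:
    """Apply the deny rules in order; anything not matched is allowed."""
    for direction, proto, lo, hi, reason in DENY_RULES:
        if direction in ("any", flow.direction) and flow.proto == proto and lo <= flow.dport <= hi:
            return "deny", reason
    return "allow", ""


def port135_scanners(flows: List[Flow], min_targets: int = 10) -> List[str]:
    """Internal hosts that touched tcp/135 on many distinct addresses (Blaster sweeping for victims)."""
    targets: Dict[str, set] = defaultdict(set)
    for f in flows:
        if f.direction == "out" and f.proto == "tcp" and f.dport == 135:
            targets[f.src].add(f.dst)
    return sorted(h for h, t in targets.items() if len(t) >= min_targets)


def hourly_ntp_pollers(flows: List[Flow], period: int = 3600,
                       tolerance: int = 120, min_hourly_gaps: int = 2) -> List[str]:
    """Hosts sending udp/123 at a steady one-hour cadence, as Sobig.F does to clock itself."""
    times: Dict[str, List[int]] = defaultdict(list)
    for f in flows:
        if f.direction == "out" and f.proto == "udp" and f.dport == 123:
            times[f.src].append(f.ts)
    pollers = []
    for host, ts in times.items():
        ts.sort()
        hourly = [b - a for a, b in zip(ts, ts[1:]) if abs((b - a) - period) <= tolerance]
        if len(hourly) >= min_hourly_gaps:
            pollers.append(host)
    return sorted(pollers)


def summarize(flows: List[Flow]) -> Dict[str, object]:
    """Verdict counts plus the hosts the two behavioural checks flag."""
    denied = sum(1 for f in flows if verdict(f)[0] == "deny")
    return {
        "denied": denied,
        "allowed": len(flows) - denied,
        "scanners": port135_scanners(flows),
        "ntp_pollers": hourly_ntp_pollers(flows),
    }


T0 = 1_061_600_000  # constructed base timestamp (August 2003)
# Constructed sample: one Blaster victim, one Sobig host, one clean workstation.
SAMPLE_FLOWS: List[Flow] = [
    Flow(T0 + 1, "in",  "198.51.100.7", "192.0.2.10",   "tcp", 135),   # exploit attempt
    Flow(T0 + 2, "in",  "198.51.100.7", "192.0.2.10",   "tcp", 4444),  # shell
    Flow(T0 + 3, "out", "192.0.2.10",   "198.51.100.7", "udp", 69),    # victim fetches msblast.exe
    Flow(T0 + 4, "in",  "198.51.100.9", "192.0.2.11",   "udp", 997),   # Sobig listener
    Flow(T0 + 5, "out", "192.0.2.11",   "198.51.100.9", "udp", 8998),  # Sobig beacon
    Flow(T0 + 6, "out", "192.0.2.12",   "203.0.113.5",  "tcp", 80),    # ordinary web traffic
    Flow(T0 + 7, "out", "192.0.2.12",   "203.0.113.6",  "udp", 123),   # one-off time sync
] + [
    # 192.0.2.11 checks the time every hour, give or take a few seconds
    Flow(T0 + 10 + i * 3600 + (i % 2) * 40, "out", "192.0.2.11", "203.0.113.6", "udp", 123)
    for i in range(4)
] + [
    # 192.0.2.10 walks a /24 looking for tcp/135
    Flow(T0 + 100 + i, "out", "192.0.2.10", f"203.0.113.{i}", "tcp", 135)
    for i in range(1, 13)
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```

The two behavioural checks are deliberately kept separate from the rule set: a denied flow still shows up in the logs, and it is the pattern across many denied flows (a sweep, a clock-like beacon) that tells you which internal machine to pull off the network, which no single allow/deny decision can.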