Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Shutdown Initiated by NT Authority /System 5

Status
Not open for further replies.
bcastner

bcastner

IS-IT--Management
Aug 13, 2002
29,271
US
To all:

This is a very hard one to figure out, only that there has been a flurry of these recently. I honestly believe it is a deliberate attack on port 139 that is being launched. This CNN Report of last week is typical of the warnings now being issued in the US:
There is a recent hotfix that addresses this RPC vulnerability:
Install or enable a firewall immediately.

Run an updated virus scan.
Or Scan for Viruses online:

Also be sure to update immediatly to prevert this in the future:

This will tell you more:
 
If your system is continuously restarting with this error:

Try early and often pounding of the F8 key. You want to use the "Last Known Good" configuration option.

If that does not work, I can only guess. Some anti-virus software can run from a DOS session even with NTFS disks. If yours is able to do this start there.

If no joy, do a registry replacement. This requires booting from the XP CD and hitting the first R(epair) choice you receive in order to access the Recovery Console. See this site and print out all of the instructions found there:
If still no joy you need to do a maintenance re-install of XP. You will not lose your data or applications but you will lose your Service Packs and Hotfixes:
 
Stay tuned.

This is a very hot problem and other than the Hotfix other solutions should become clearer.

Avoid any drastic steps for now.
 
PATCH IT - but if you can't, try these.

Workarounds (From Microsoft).


Are there any workarounds that can be used to block exploitation of this vulnerability while I am testing or evaluating the patch?

Yes. Although Microsoft urges all customers to apply the patch at the earliest possible opportunity, there are a number of workarounds that can be applied to help prevent the vector used to exploit this vulnerability in the interim.

It should be noted that these workarounds should be considered temporary measures as they just help block paths of attack rather than correcting the underlying vulnerability.

The following sections are intended to provide you with information to help protect your computer from attack. Each section describes the workarounds that you may want to use depending on your computer’s configuration.

Each section describes the workarounds available depending on your required level of functionality.


Block RPC interface ports at your firewall.
Port 135 is used to initiate an RPC connection with a remote computer. In addition, there are other RPC interface ports that could be used by an attacker to remotely exploit this vulnerability. Blocking the following ports at the firewall will help prevent systems behind that firewall from being attacked by attempts to exploit this vulnerability:

TCP/UDP Port 135
TCP/UDP Port 139
TCP/UDP Port 445

In addition, customers may have configured services or protocols that use RPC that might also be accessible from the Internet.

Systems administrators are strongly encouraged to examine RPC ports that are exposed to the Internet and to either block these ports at their firewall, or apply the patch immediately.


Internet Connection Firewall.
If you are using the Internet Connection Firewall in Windows XP or Windows Server 2003 to protect your Internet connection, it will by default block inbound RPC traffic from the Internet.

Disable DCOM on all affected machines
When a computer is part of a network, the DCOM wire protocol enables COM objects on that computer to communicate with COM objects on other computers. You can disable DCOM for a particular computer to help protect against this vulnerability, but doing so will disable all communication between objects on that computer and objects on other computers.

If you disable DCOM on a remote computer, you will not be able to remotely access that computer afterwards to reenable DCOM. To reenable DCOM, you will need physical access to that computer.

To manually enable (or disable) DCOM for a computer:

1. Run Dcomcnfg.exe.


If you are running Windows XP or Windows Server 2003 perform these additional steps:

Click on the Component Services node under Console Root.
Open the Computers sub-folder.
For the local computer, right click on My Computer and choose Properties.
For a remote computer, right click on the Computers folder and choose New then Computer. Enter the computer name. Right click on that computer name and choose Properties.
2. Choose the Default Properties tab.
3. Select (or clear) the Enable Distributed COM on this Computer check box.

4. If you will be setting more properties for the machine, click the Apply button to enable (or disable) DCOM. Otherwise, click OK to apply the changes and exit Dcomcnfg.exe.




Patch availability
Download locations for this patch for XP


 
Google News has started tracking the problem. See the Sci/Tech subsection on this Worm. Several articles already.
 
MS newsgroups are flooded with complaints.
 
Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)


1. Apply the patch, NOW!
2. Update your virus defintions

3. Do a virus scan

4. Check your registry:

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


In the right pane, delete the value:

"windows auto update"="msblast.exe"

if you find it there.

Exit the Registry Editor.
 
hey people

If have the problem you write about here.

I found this out after i installed zonealarm: As soon as i started my computer 2 networks tried to connect with my pc and a program called msblast.exe tried to access the internet. I am not sure what msblast.exe is I cant find it anywhere on the internet. I have blocked access from these 2 networks and blaocked the access from msblast to the internet and the problem with RPC are gone

Hope this helps


Hans
 
Yeah I allready downloaded it. But is it a virus? It is strange because when i had the problem i formatted my hdd and installed XP. As soon i was in Windows again there problem was there again (within 1 minute or so).

Well, maybe this is the attack from Osama they all talk about

 
i have the same problem, once win xp is loaded fully i only have about 1 min before the box comes up saying its going to shut down in 60 seconds, i need help as i am new to this so laymens terms a must, please

thank you

Mark
 
you just have to do what Bcastner wrote.

I am trying it now.


 
Remember even the lowly XP native ICF "Internet Connection Firewall" is enough to block this worm.
 
If the machine can boot at all do this quick patch:

(Do not access the Internet yet)

First open task manager, find and end the process 'msblast.exe'

Second, delete the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Find the value windows auto update
if its value in the right panel is C:\windows\system32\msblast.exe delete the key.

Finally, delete the file c:\windows\system32\msblast.exe

reboot.

You can access the internet now.


 
And of course the first thing you should do after doing the quick fix above is:

1. Download and apply the patch
2. Update your virus definitions
3. Run a thorough virus scan

You should be fine now.

Note: It might be wise to view all restore points from the day you began having symptoms as suspect, and delete them.

 
Some interesting things are being found by analyzing the code of this MSBLAST worm. This is snippets from Steve and others in the Security Forum:

1. The next target is Windows Update Service:

"Of particular note is that on 8/16, this worm will start attacking windowsupdate.com with random packets to 80/tcp. Still digging into the details of what's there, but it looks pretty aggressive."

2. Who is Billy?

"The string "BILLY" is in the code: this is the name of a mutex that is used to keep more than one version running at a time." In an case he loves SAN apparently.

3. Why do I see more local IPs in my firewall logs than IPs way far away?

"The worm exhibits the following behaviors:

Spawn a new thread, checks system clock and launches a TCP-based denial of service attack at windowsupdate.com if the date is on or after the 16th.

Add itself to registry so the worm restarts upon a reboot.

Initializes the attack vector for Windows 2000 or Windows XP based on a simple mathematical calculation. Each infected instance will only attack Windows XP or Windows 2000. One out of five worm infections will attack windows 2000, and the remaining four will target Windows XP.

There is a 40% probability that the worm picks a random IP and then scans sequentially from the starting point. There is a 60% probability that the worm scans sequentially from its own IP address.

If a vulnerable machine is found, the exploit is launched and the newly infected machine connects back to the scanning machine via TFTP to obtain the worm binary. The binary is executed and the process begins again."

So it "likes" XP more than Win2k, and scans sequentially from your IP sequentially. Thus more local scans than remote IPs in your logs.
 
Tnx Bcastner

I have everything working here again
There is a lot of info on the net now about this

but as i said tnx you have been a great help


Hans

 
bcastner, i did everything you said but i still can't delet the msblast.exe file, any idea?
 
Make the registry change, very important.
Enable the native XP firewall (ICF). You do this from the properties of your Internet Connection, Advanced tab.
Now it is safe to reboot.

Boot into Safe Mode.
You should be able to delete it.
If you still have problems, check the links I provided above for McAfee and Symantec. Both offer detailed removal suggestions.

If you have a good anti-virus software, get the most recent updates and then have it do a scan. Most know about the problem now.

You will not be reinfected with the firewall active, and it will not run without the registry key active.
 
Status
Not open for further replies.

Similar threads

hamburg18w
  • Locked
  • Question
Task Host is Stopping the Shutdown
Replies
1
Views
398
Ign3us
Ign3us
Flinx
  • Locked
  • Question
Windows 10 Strange problems recently appear caused by microsoft ransomeware protection
Replies
3
Views
398
Andrzejek
Andrzejek
spamjim
  • Locked
  • Question
Sanitizing illegal filenames on NTFS volumes
Replies
2
Views
200
spamjim
spamjim
Thespian
  • Locked
  • Question
Transfer files and applications from a hard drive to a new system
Replies
4
Views
129
gbaughma
gbaughma
Shimmy613
  • Locked
  • Question
Systematically and safely deleting folder shortcuts seemingly to itself 1
Replies
6
Views
162
Mike Lewis
Mike Lewis

Part and Inventory Search

Sponsor

Back
Top