RPC shutdown problem, I don't have Blaster, any other ideas please!
MMJII
March 2nd 04, 11:07 PM
Hello All,
I had a laptop infected with Klez and So.F. Norton AntiVirus found
these files, using the DOS boot disk with virus patterns for 2-28-04. I
turned off sys restore, rebooted, rescanned with the NAV boot disk, and it
deleted all the files it found infected. Then I restarted Win XP and ran the
Klez and SoBig.F AV tools from Symantec, which deleted additional files.
Rescanned, all clear.
The laptop is shutting down due to RPC @ 60 secs. The task manager does not show
msblast.exe. Is there any other reason this PC is experiencing this problem?
Thanks for any ideas
MMJ II
Leonard Severt [MSFT]
March 3rd 04, 01:04 AM
"MMJII" wrote:
> Hello All,
>
> I had a laptop infected with Klez, and So.F, the Norton Anti virus
> found these files, with the dos boot disk with virus patterns for
> 2-28-04. I turned off sys restore, rebooted, rescanned with NAV boot
> disk, it deleted all the files it found infected, then I restarted win
> XP ran Klez , and SoBig.F AV tools from symantec deleted additional
> files. rescanned, all clear.
> Laptop is shutting down due to RPC @ 60 secs. The task manager does
> not show msblast.exe, is there any other reason this pc is
> experiencing this problem?
>
> Thanks for any ideas
> MMJ II
>
>
>
Yes, if you are not patched and there is a lot of MSBlast RPC activity on
the network, it can cause RPC failure. You need to make certain you have
the MS03-039 patch installed.
Leonard Severt
Windows 2000 Server Setup Team
--
This posting is provided "AS IS" with no warranties, and confers no
rights.
David H. Lipman
March 3rd 04, 01:24 AM
and install the following patch for the RPC/RPCSS Buffer Overflow Vulnerability that is
addressed by Microsoft Security Bulletin MS03-39 http://support.microsoft.com/?kbid=824146
"MMJII" wrote in message
...
| Hello All,
|
| I had a laptop infected with Klez, and So.F, the Norton Anti virus found
| these files, with the dos boot disk with virus patterns for 2-28-04. I
| turned off sys restore, rebooted, rescanned with NAV boot disk, it deleted
| all the files it found infected, then I restarted win XP ran Klez , and
| SoBig.F AV tools from symantec deleted additional files. rescanned, all
| clear.
| Laptop is shutting down due to RPC @ 60 secs. The task manager does not show
| msblast.exe, is there any other reason this pc is experiencing this problem?
|
| Thanks for any ideas
| MMJ II
|
|
David H. Lipman
March 3rd 04, 01:24 AM
Oooops, keyboard slip :-)
You must install the following patch for the RPC/RPCSS Buffer Overflow Vulnerability that is
addressed by Microsoft Security Bulletin MS03-39 http://support.microsoft.com/?kbid=824146
In addition:
If you post to UseNet with your TRUE, not a munged, email address then you have invited the
Swen Internet worm [aka W32/Gibe-F] to visit you.
Swen is "news" spelled backwards. The reason it is called this is because the Swen worm
harvests email addresses from UseNet News Groups. It has an engine that allows it to post
itself to UseNet News Groups, as well as its own email engine. From the list of
email addresses that it has harvested, it will then email itself to those addresses.
Dave
"MMJII" <m a c j o h n s o n @ angelojohnson.com> wrote in message
...
| Hello All,
|
| I had a laptop infected with Klez, and So.F, the Norton Anti virus found
| these files, with the dos boot disk with virus patterns for 2-28-04. I
| turned off sys restore, rebooted, rescanned with NAV boot disk, it deleted
| all the files it found infected, then I restarted win XP ran Klez , and
| SoBig.F AV tools from symantec deleted additional files. rescanned, all
| clear.
| Laptop is shutting down due to RPC @ 60 secs. The task manager does not show
| msblast.exe, is there any other reason this pc is experiencing this problem?
|
| Thanks for any ideas
| MMJ II
|
|
MMJII
March 3rd 04, 03:05 PM
Thanks to all that responded, I will patch up IMMEDIATELY!!!
Thanks to Dave for the info on Swen. Fortunately, the PC I'm on the net with
has all MS patches, ZA firewall, and updated NAV.
Thanks Again for all your help.
MMJ II
"David H. Lipman" wrote in message
...
> Oooops, keyboard slip :-)
>
> You must install the following patch for the RPC/RPCSS Buffer Overflow Vulnerability that is
> addressed by Microsoft Security Bulletin MS03-39 http://support.microsoft.com/?kbid=824146
>
> In addition:
> If you post to UseNet with your TRUE, not a munged, email address then you have invited the
> swen Internet worm [aka; W32/Gibe-F] to visit you.
>
> The Swen is news spelled backwards. The reason it is called this is because the Swen worm
> harvests email addresses from UseNet News Groups. It has an engine that allows it to post
> itself to UseNet News Groups and well as it has its own email engine. From the list of
> email addresses that it has harvested, it will then email itself to those addresses.
>
> Dave
>
> "MMJII" <m a c j o h n s o n @ angelojohnson.com> wrote in message
> ...
> | Hello All,
> |
> | I had a laptop infected with Klez, and So.F, the Norton Anti virus found
> | these files, with the dos boot disk with virus patterns for 2-28-04. I
> | turned off sys restore, rebooted, rescanned with NAV boot disk, it deleted
> | all the files it found infected, then I restarted win XP ran Klez , and
> | SoBig.F AV tools from symantec deleted additional files. rescanned, all
> | clear.
> | Laptop is shutting down due to RPC @ 60 secs. The task manager does not show
> | msblast.exe, is there any other reason this pc is experiencing this problem?
> |
> | Thanks for any ideas
> | MMJ II
cquirke (MVP Win9x)
March 6th 04, 08:42 PM
On Wed, 3 Mar 2004 08:46:25 -0500, "MMJII"
>Thanks to all that responded, I will patch up IMMEDIATELY !!!
>Thanks to Dave for the info on swen, fortunately the pc I'm on the net with
>has all ms patches, ZA firewall, and updated NAV
The point that no-one ever seems to mention is that it is not
infection of your PC by Lovesan, Nachi, SDbot.RPC.A and other RPC
attackers that causes RPC service failure and shutdown DoS. It is
merely the attempts by these to penetrate RPC that does this.
So antivirus software on your PC can make no difference whatsoever to
this state of affairs. A firewall is supposed to - the party line is
that even the built-in XP firewall is enough to block entry and thus
RPC failure - but in my experience with XP's firewall and your
experience with ZA, this is not the case.
In my client's case, they had a PC that had always run the XP
firewall, and yet it had multiple RPC infectors present.
Finally, you can stop the shutdown Denial of Service effect simply by
changing one of Microsoft's more brain-dead default settings. Find
your way to Admin Tools, Services, and check the Properties of the
Remote Procedure Call service, on the Recovery tab. Instead of
"Restart the Computer" (= "Kill Me Now"), change those three choices
to "Restart the Service". That won't keep RPC running if attacked
through the hole, but at least keeps the system up.
You've done the most important thing, which is fixing the defective
RPC service. Asking MS why this has to run exposed to the Internet
would be a good idea; seems like a really dumb design to me.
>-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
>-------------------- ----- ---- --- -- - - - -
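The Recovery-tab setting described in the post above can also be read from the command line with `sc qfailure RpcSs`. The following is an added example, not part of the thread: it audits saved `sc qfailure` output for recovery actions that reboot the machine. The sample output is constructed and its layout is an assumption about what sc.exe prints.

```python
import re

# Constructed samples of `sc qfailure RpcSs` output. The layout is an assumption
# based on sc.exe; the values are illustrative, not taken from the poster's laptop.
HEADER = """[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: RpcSs
        RESET_PERIOD (in seconds)    : 0
        REBOOT_MESSAGE               :
        COMMAND_LINE                 :
"""

def _actions(kind):
    """Build a three-entry FAILURE_ACTIONS section for the constructed samples."""
    first = "        FAILURE_ACTIONS              : "
    cont = " " * len(first)
    line = f"{kind} -- Delay = 60000 milliseconds.\n"
    return first + line + cont + line + cont + line

SAMPLE_REBOOT = HEADER + _actions("REBOOT")    # three "Restart the Computer" choices
SAMPLE_RESTART = HEADER + _actions("RESTART")  # three "Restart the Service" choices

NAME_RE = re.compile(r"^SERVICE_NAME:\s*(\S+)", re.MULTILINE)
ACTION_RE = re.compile(
    r"\b(REBOOT|RESTART|RUN PROCESS)\s+--\s+Delay\s*=\s*(\d+)\s*milliseconds",
    re.IGNORECASE,
)

def parse_failure_actions(text):
    """Return (service_name, [(action, delay_ms), ...]) from sc qfailure output."""
    m = NAME_RE.search(text)
    name = m.group(1) if m else None
    return name, [(a.upper(), int(d)) for a, d in ACTION_RE.findall(text)]

def audit(text):
    """List recovery entries that turn a service crash into a machine reboot."""
    name, actions = parse_failure_actions(text)
    label = name or "<unknown service>"
    if not actions:
        return [f"{label}: no failure actions found, output not recognised"]
    return [
        f"{label}: failure #{i} reboots the computer after {delay // 1000}s"
        for i, (action, delay) in enumerate(actions, 1)
        if action == "REBOOT"
    ]

if __name__ == "__main__":
    for sample in (SAMPLE_REBOOT, SAMPLE_RESTART):
        print(audit(sample) or "OK: service restarts without rebooting the machine")
```

As the post says, a clean result only means the machine stays up when RPC fails; the service is still exposed until the patch is installed.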
David H. Lipman
March 6th 04, 09:23 PM
Some very good points Cquirke !
Let me just add this experience that happened to nodes located within our satellite office
at our Prime Contractor.
We had updated McAfee DAT files with a McAfee EXTRA.DAT but not yet had the RPC Buffer
Overflow Vulnerability patch. While the PC did have the 60 sec. count-down, McAfee's
on-access scanner blocked the writing of BLASTER.EXE to the hard disk and executing its
code. McAfee Alertmanager gave us, the admin., a NetBIOS pop-up and the event was logged.
Dave
Shane
March 7th 04, 04:22 AM
So it's an in-joke is it, Dave?
Shane
"David H. Lipman" wrote in message
...
> Some very good points Cquirke !
>
> Let me just add this experience that happened to nodes located within our satellite office
> at our Prime Contractor.
>
> We had updated McAfee DAT files with a McAfee EXTRA.DAT but not yet had the RPC Buffer
> Overflow Vulnerability patch. While the PC did have the 60 sec. count-down, McAfee's
> on-access scanner blocked the writing of BLASTER.EXE to the hard disk and executing its
> code. McAfee Alertmanager gave us, the admin., a NetBIOS pop-up and the event was logged.
>
> Dave