Shutdown Initiated by NT Authority /System

Forums: Computers, Blaster, Nt Authority System
Email this Topic • Print this Page

Edit (5/4/04): The information below is an old topic about the Blaster worm, which shows similar symptoms to the Sasser worm that is currently spreading. If you found this in a search engine after 4/30/04 you are probably looking for help for what is probably a Sasser infection. You can find help here: Sasser Virus Help

---------------

Howdy All:

Take care all as there is another worm doing what Blaster did..

http://www.able2know.com/forums/about24107.html

There is a nasty new "hit" taking place that is affecting alot of XP systems. Got this from another site I use.. make sure your system updates, av programs and firewall is up to snuff..

To all:

This is a very hard one to figure out, only that there has been a flurry of these recently. I honestly believe it is a deliberate attack on port 139 that is being launched. This CNN Report of last week is typical of the warnings now being issued in the US: http://www.cnn.com/2003/TECH/internet/07/31/internet.atttack.ap/index.html

There is a recent hotfix that addresses this RPC vulnerability: http://www.microsoft.com/security/security_bulletins/ms03-026.asp

Install or enable a firewall immediately.
http://support.microsoft.com/?kbid=283673

Run an updated virus scan.
Or Scan for Viruses online:
http://security.symantec.com/ssc/home.asp?j=1&langid=ie&venid=sym&plfid=23&pkj=IRLFIZTYMWPAZTJWUFJ

Also be sure to update immediatly to prevert this in the future:
http://windowsupdate.microsoft.com/

This will tell you more:
http://www.microsoft.com/security/security_bulletins/ms03-026.asp

If your system is continuously restarting with this error:

Try early and often pounding of the F8 key. You want to use the "Last Known Good" configuration option.

If that does not work, I can only guess. Some anti-virus software can run from a DOS session even with NTFS disks. If yours is able to do this start there.

If no joy, do a registry replacement. This requires booting from the XP CD and hitting the first R(epair) choice you receive in order to access the Recovery Console. See this site and print out all of the instructions found there: http://www.digitalwebcast.com/2002/03_mar/tutorials/cw_boot_toot.htm

If still no joy you need to do a maintenance re-install of XP. You will not lose your data or applications but you will lose your Service Packs and Hotfixes: http://support.microsoft.com:80/support/kb/articles/q315/3/41.asp&NoWebContent=1

Murray

Topic Stats
Top Replies
Link to this Topic

Type: Discussion • Score: 2 • Views: 55,307 • Replies: 17

No top replies

Update
It appears a virii called Msblast is causing all the trouble..

McAfee Comments and removal Instructions: http://vil.nai.com/vil/content/v_100547.htm

Symantec Comments and Removal Instructions:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Murray

0 Replies

Sounds interesting. Is the source for this one posted anywhere?

0 Replies

Msblast
Craven:

Google News has started tracking the problem. See the Sci/Tech subsection on this Worm. Several articles already.

Murray

0 Replies

Ok, no biggie. It's always hard to find source code for these things (for damn good reason, script kiddies would compile and disseminate them). I am certain I will not find it in Google news but every now and then a white hat (or black hat) site will post the code and curious folk like myself get to peek under the hood.

0 Replies

I'm seeing reports of this from customers in Japan. Thanks for the heads up, Murray.

0 Replies

Quick Fix
Howdy All:

The following instructions should keep you on long enough to get and apply the proper patch etc.

Boot to Safe Mode.

First open task manager, find and end the process 'msblast.exe' If it is there.

Second, delete the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Find the value windows auto update
if its value in the right panel is C:\windows\system32\msblast.exe delete the key.

Finally, delete the file c:\windows\system32\msblast.exe

reboot.

Logon as Administrator.
Don't try the Internet yet. Enable the Windows native Firewall.

Start, Run, services.msc

See if the Remote Procedure Call service is started. If not try to start it.

If it is running, go to the Internet and get the patch.

Even if msblast.exe is not there, by enabling the native firewall you should have enough breathing room to download and apply the patch.

Murray

0 Replies

Craven de Kere wrote:

Sounds interesting. Is the source for this one posted anywhere?

Dunno about if the source code itself is out there, but here's an interesting bit about its origin, from an article by ZDNet.

"... The worm attacks Windows computers via a hole in the operating system, which Microsoft warned of 16 July. Nine days after the software giant announced the flaw, hackers from the Chinese X Focus security group publicly posted a program to several security lists designed to allow an intruder to break into Windows computers. The Windows flaw has been characterized by some security experts as the most widespread ever found in Microsoft's OS. " ...
"The Chinese code worked on only three variants of Windows, but other hackers have since refined it. Nine days ago, a hacker posted an attack program to a security mailing list. Many facets of the current worm seem to be similar to that program."

0 Replies

I have dealt with 6 people infected thus far. This is going to be big (but I predict it won't have the longevity of other huge viruses).

I'll get the source from one of the infected computers if the people are able to follow the instructions to send it to me.

0 Replies

maybe this is what I have.

0 Replies

MSBlast W32.Blaster.Worm :: history and removal instructions

0 Replies

Craven have you seen the source yet? I just noticed astalavista posted a decompilation today.

0 Replies

Yeah, I got it back on the day I asked for it. I had a few coworkers infected so I snagged it then.

0 Replies

i dunno what gave me the inspiration.. but by turning on the internet connection firewall in windows xp network connections, the shutdown problem never happened again. i do believe it is some kind of bug or hacker attack.. well, correct me if im wrong, im no expert in this matter

0 Replies

Murray S.

Several thousand people a day are finding this thread (and other pages that show the fisrt post of this thread) when searching about the NT Authority. Thing is all the recent searchers are looking for help with the Sasser worm, and this is about Blaster.

Can you add a link to timber's Sasser virus removal writeup to your post to direct all these new Sasser victims to sasser removal info?

0 Replies

No Problem..

Sasser problem shows same symptoms as Blaster..

http://www.able2know.com/forums/about24107.html

Not sure how to put the link in my first post but if you can edit it to show the Sasser link, be my guest !!

Murray

0 Replies

I edited it and added it. To edit your posts there is an edit button BTW.

0 Replies

nt authority system shut down
Hi there
I now have the same problem ( After 4 years same problem )
I have windows Xp with service pack 2 with all the updates
And i have Norton antivirus with all the updates.
I can not able to find the worm , i think it is a new kind of Sasser.
It just gives just 7 seconds for shut down.

Does someone has the same problem

any comments

0 Replies

Shutdown Initiated by NT Authority /System

Related Topics

Quick Links

My Account

able2know