
blaster worm - VIRUS WARNING URGENT!!!!


M&M
Aug 12th, 2003, 02:31 PM
article on it in German (http://computer.t-online.de/comp/sich/vire/ar/CP/ar-blaster-lovesan-wurm.html)

security patch (http://microsoft.com/downloads/details.aspx?FamilyId=1B00F5DF-4A85-488F-80E3-C347ADCC4DF1&displaylang=en)

ACTIVATE YOUR FIREWALL!!!!

Hulet
Aug 12th, 2003, 02:35 PM
I read that activating a firewall might not be enough. Make sure you disable DCOM support (don't know how to do that), and apply the patch. It's news like this that makes me glad that I dumped the MS Windows operating system from my desktop a long time ago.

More info on how to remove this worm from your computer if it's affected from good people at slashdot: http://slashdot.org/articles/03/08/12/1326237.shtml?tid=185&tid=190&tid=201

M&M
Aug 12th, 2003, 02:36 PM
well i had problems starting my comp yesterday. after it started, a window opened and told me i had one minute to quit all programs etc. then the comp rebooted (i think 8 or ten times in a row).

i didn't know what to do, and today found out this. download this security patch.
i will also post the removal tool soon.

take care of your computers and your privacy!!!

M&M
Aug 12th, 2003, 02:39 PM
removal tool (http://computer.t-online.de/comp/sich/vire/ar/CP/ar-blaster-lovesan-wurm.html)

well, this tool will look at your comp system and search for the worm. if it finds it, it will be deleted.

!!!!FIGHT WITH THE HACKERS!!!!

M&M
Aug 12th, 2003, 02:59 PM
well i have successfully removed it now!!!

The process "msblast.exe" is viral. It is terminated.

Deleted the value "windows auto update" from the registry key
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run".

The tool has deleted the viral file "C:\WINDOWS\system32\msblast.exe".

W32.Blaster.Worm has been successfully removed
from your computer!

Here is the report:

The total number of the scanned files: 39627
The number of deleted files: 1
The number of repaired files: 0
The number of viral processes terminated: 1
The number of registry entries fixed: 1

M&M
Aug 12th, 2003, 03:00 PM
so if u don't wanna have a long search, here is the link to the viral file

C:\WINDOWS\system32\msblast.exe

Luna_Angel_84
Aug 12th, 2003, 03:16 PM
I'm on my sister's puter at the mo cos when I connect mine to the net it has a system shutdown after one minute- what am I going to do cos obviously I can't download any of this stuff? Will my normal virus guard be enough to take it out since I only just updated it?

Btw, how does this virus get into your puter? I've hardly been using mine lately but my sister is never off it so is it possible she could have got it from a download or something or through her inbox?

bis2806
Aug 12th, 2003, 03:26 PM
OMG!!!! i have the same fucking problem this morning?!??!?!?!?!?!?!? i thought something must be wrong with my computer.. help someone!!! please tell us all the steps on how to delete the virus?!?!??!

M&M
Aug 12th, 2003, 03:31 PM
well u really should try to download the removal tool somehow, for some of us it didn't work at first cause so many people were downloading it at the same time - the link is in a previous post.

then update your windows system and download the security patch, it really should work.

M&M
Aug 12th, 2003, 03:39 PM
OMG!!!! i have the same fucking problem this morning?!??!?!?!?!?!?!? i thought something must be wrong with my computer.. help someone!!! please tell us all the steps on how to delete the virus?!?!??!

maybe just do a quick search in your system for msblast.exe

then u can delete it... but the removal tool should be better.

btw: yes, if u r downloading big files, like movies and many mp3s, the possibility of getting the worm is much bigger. they enter your system at an open port...

gorecki
Aug 12th, 2003, 03:45 PM
from symantec website:

W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. This worm attempts to download and run the Msblast.exe file.

Block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the applications listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

The worm also attempts to perform a Denial of Service (DoS) on Windows Update. This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.

Luna_Angel_84
Aug 12th, 2003, 03:50 PM
Pffffft my puter can't find the file to be deleted so I am well and truly screwed here.

YSL
Aug 12th, 2003, 03:58 PM
luna, if you reboot your machine, then go download the patch and instantly log off as soon as it's downloaded, you should be OK. The RPC shutdown thing only happens when you're online.

Luna_Angel_84
Aug 12th, 2003, 04:07 PM
Can someone tell me how to do this thing to abort shutdown so I have enough time to download this stuff? At that site they say to do this shutdown \a thing or something, but what does that mean? My mum is going to be so mad about this if we can't get it fixed cos our computer is pretty new and she paid for most of it. :sad:

Luna_Angel_84
Aug 12th, 2003, 04:10 PM
The thing is, the timer thing comes up as soon as I come online. Some people seem to have a gap but my bloody thing starts its 60 second countdown. I mean how long will the patch take to download?

YSL
Aug 12th, 2003, 04:12 PM
Oh dear, what speed connection have you got? I'm on broadband and it took about 20 secs

Luna_Angel_84
Aug 12th, 2003, 04:15 PM
Rightio, I'm on broadband too. So if I get the patch installed will that automatically get rid of it since I won't have much time left?

Dava
Aug 12th, 2003, 04:16 PM
What should I do I have broadband. I will wait until my Dad gets home before I do anything about it.

YSL
Aug 12th, 2003, 04:20 PM
disconnect from the Net once it's downloaded. You don't need to be on the Net to install it :)

carot
Aug 12th, 2003, 04:35 PM
Luna > either unplug the modem
OR
start - control panel - system - advanced
then "startup and recovery" - settings
and then uncheck "automatically restart"

that way your computer won't reboot anymore so you can easily download and install the necessary patches

Shuji Shuriken
Aug 12th, 2003, 04:53 PM
OMG!!! I was just about to post this. I was complaining to Mase about my system rebooting all the time. When i did a web search a couple of minutes ago, i came across info on this shitty worm and I successfully removed it. If your system keeps restarting saying that the nt authority\system has encountered a problem and your computer will be restarted in 30 secs, you have been hit :rolleyes:. Or press Ctrl-Alt-Del and look for the msblast.exe file :fiery:. This article from ZDNET helped me out.

http://insight.zdnet.co.uk/software/0,39020463,39115651,00.htm


Tuesday 12th August 2003

Cleaning up after the MSBlast worm
Patrick Gray
ZDNet Australia
August 12, 2003, 14:59 BST

How to rid your system of the latest fast-spreading worm

The MSBlast worm has caused widespread infection on the Internet. This ZDNet Australia analysis contains infection information, detection strategies, and clean up instructions.


Infection

The worm exploits a widely publicised "DCOM" vulnerability found in several versions of Microsoft Windows. While the vulnerability affects Windows NT4, Windows 2000, Windows XP and Windows Server 2003, the worm only infects Windows 2000 and XP.

Because the method by which the vulnerability is exploited varies between the two operating systems, there have been numerous confirmed reports of the worm "crashing" systems. This happens when a worm uses a Windows 2000 exploitation technique on an XP machine and vice versa. The worm will use the Windows XP method 80 percent of the time, and the remaining attempts are directed at Windows 2000.

It is worth noting that an updated version of the worm could affect other Microsoft operating systems, so it is recommended that all systems are patched against the DCOM vulnerability.

Detection
The worm is very easily detected by users.

Pressing control-alt-delete, then clicking on "Task Manager" and selecting the "Processes" tab will bring up a list of processes running on the machine. Clicking on "Image Name" will sort the processes alphabetically. If there is a process named "msblast.exe" running on the system, then it has been infected by the worm.

Clean up
The worm is relatively easy to clean up after detection.

Step one is to patch the infected system against the vulnerability that allowed the worm to "get in" in the first place. This process requires the user of the computer to have administrator level access to the system.

Once the user is logged in again with administrator rights, what they need to do is load up Internet Explorer, and direct the browser to windowsupdate.microsoft.com. The user will be prompted by some pop up windows, and directed through a fairly easy to understand and intuitive process.

The next step is to reboot the system.

After the system has rebooted it will be necessary to delete the worm's executable file, msblast.exe. However, its process must be stopped before it can be deleted.

Once the user logs back in with administrator rights, they should load up the "Task manager" again as described above. Click on the "Image Name" field under the "Processes" tab and click once on the "msblast.exe" process. Press "End Process" to stop it from running.

The worm's executable file will be found in the system32 directory, which is a subdirectory of (by default) the "winnt" directory in Windows 2000 machines, and the "windows" directory in Windows XP installations.

Use Windows Explorer to navigate to the system32 directory, locate the msblast.exe file and delete it. Reboot your system. Done!

The final step, removing the registry key created by the worm, is optional. It isn't really that important -- the key simply causes the worm to start every time the system is re-booted, but once the worm file itself is deleted it's redundant anyway.

This is done manually by using the registry editor. It is important to note that making incorrect changes to the registry can have catastrophic consequences.

Load the registry editor by clicking on the start button, navigating to "Run..." and typing in "regedit". Run regedit and navigate to the following "key".

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right hand section of the registry editor, the following value will be found:

"windows auto update"="msblast.exe"

Delete it.

Reboot. Done!
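
The detection and cleanup steps the ZDNet article walks through (msblast.exe in the process list, the file in system32, the "windows auto update" value under the Run key), collected into one PowerShell script. This is an added example, not code from the thread, the article or any vendor; it assumes the indicator values exactly as quoted above and a modern Windows host run as Administrator, and it only reports unless -Remediate is given.

```powershell
# Added example (not from the thread or the ZDNet article): check a host for the
# three Blaster indicators quoted above and, only with -Remediate, clean them up
# in the same order the article uses. Run from an elevated PowerShell prompt.
[CmdletBinding()]
param([switch]$Remediate)

$ProcessName = 'msblast'                      # shows as msblast.exe in Task Manager
$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue    = 'windows auto update'          # value name the worm adds under Run
# system32 lives under winnt\ (2000) or windows\ (XP); $env:SystemRoot covers both
$FilePath    = Join-Path $env:SystemRoot 'system32\msblast.exe'

$findings = @()

# 1. Running process (the article's Task Manager check)
$proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if ($proc) { $findings += "process $ProcessName.exe running (PID $($proc.Id -join ','))" }

# 2. Autorun value pointing at the worm executable
$run = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
if ($run -and $run.$RunValue -match 'msblast') {
    $findings += "Run value '$RunValue' = $($run.$RunValue)"
}

# 3. Worm executable on disk
if (Test-Path -LiteralPath $FilePath) { $findings += "file present: $FilePath" }

if (-not $findings) { Write-Output 'No Blaster indicators found.'; return }
$findings | ForEach-Object { Write-Output "FOUND: $_" }

if (-not $Remediate) {
    Write-Output 'Report only; re-run with -Remediate to clean up.'
    return
}

# Cleanup in the article's order: stop the process, delete the file, drop the Run value.
if ($proc) { $proc | Stop-Process -Force }
if (Test-Path -LiteralPath $FilePath) { Remove-Item -LiteralPath $FilePath -Force }
if ($run) { Remove-ItemProperty -Path $RunKey -Name $RunValue }
Write-Output 'Cleanup done; install the MS03-026 patch and reboot.'
```

Patching (the article's step one) is still needed afterwards, otherwise the host is simply reinfected on the next TCP 135 hit.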

controlfreak
Aug 12th, 2003, 05:27 PM
I don't know how people manage to get viruses. I have spent thousands of hours online and used all kinds of dodgy programs, plugins and extensions with no protection whatsoever, and I have never managed to get a virus. I honestly don't understand it.

Shuji Shuriken
Aug 12th, 2003, 05:32 PM
I don't know how people manage to get viruses. I have spent thousands of hours online and used all kinds of dodgy programs, plugins and extensions with no protection whatsoever, and I have never managed to get a virus. I honestly don't understand it.
maybe it's because I have the worse luck in the world and God hates me :mad:

Tratree
Aug 12th, 2003, 06:13 PM
My sister's computer did the shutting down thing yesterday and I Googled and found the patches, etc. yesterday afternoon and fixed hers. Here's another link to a program that will delete the file:

http://vil.nai.com/vil/stinger/

Hulet
Aug 12th, 2003, 06:18 PM
more info about this worm, it seems to be a very clever program
http://isc.sans.org/diary.html?date=2003-08-11
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A&VSect=T

Maajken
Aug 12th, 2003, 06:18 PM
i had it too and only just removed it by that stinger thingy :D

i cant believe how annoying the rebooting was all the time :mad:

Avid Merrion
Aug 12th, 2003, 07:06 PM
I had it too :mad:

My lovely friend has just been round and removed it. Thanks Gaz! :kiss:

Jennifer's wife
Aug 12th, 2003, 07:29 PM
ok, so i don't have the blaster worm! :woohoo: but i do have a similar problem. whenever i log on it tells me that "svchost.exe has generated errors and will need to restart the program". so, i click ok and nothing happens! it don't restart or anything, just lets me carry on!! :confused:

Oizo
Aug 12th, 2003, 07:44 PM
I had it too :mad: It drove me nuts. Thank God Jordan saved me :D :wavey:

Mattographer
Aug 13th, 2003, 06:17 AM
Bump

Kirt12255
Aug 13th, 2003, 09:01 AM
:eek: I did a search on my computer and I don't have it, I feel sorry for everyone that has got it, must be so frustrating....going to get myself a giant condom to put over my computer...nasty lil virus that one :fiery:

Colin B
Aug 13th, 2003, 11:00 AM
The ZDNET article doesn't mention Windows ME. Does that mean ME is immune?

Thanks everyone for posting all this info btw.

YSL
Aug 13th, 2003, 11:03 AM
ME isn't really immune.. Those using Win98 or an earlier version of Windoze are generally seen as the safe ones.

DutchieGirl
Aug 13th, 2003, 01:16 PM
ME isn't really immune.. Those using Win98 or an earlier version of Windoze are generally seen as the safe ones.

hehehe *rubs hands together* I love Windows 98! :D

gorecki
Aug 13th, 2003, 01:18 PM
pardon me for being ignorant...:o

are Mac/Apple less prone to getting virus/worm attacks with their OS?

Kirt12255
Aug 13th, 2003, 01:25 PM
:( The late news was just saying 50% of the world's computers are infected....and talked about 7 others or something.....grrrrrr gonna start Messaging people for their Mobile numbers I am friends with....I still don't have it....but with my computer skills will guarantee I will. :fiery: Grrrr bet the person is from Al-Qaeda :fiery:

YSL
Aug 13th, 2003, 01:26 PM
Heh, no more or less prone to getting virus or worm attacks. It's just that so many people use Windows that when there is an attack (which is quite often) it makes bigger news cos it has the potential to affect a lot more people.

Kirt12255
Aug 13th, 2003, 01:37 PM
Heh, no more or less prone to getting virus or worm attacks. It's just that so many people use Windows that when there is an attack (which is quite often) it makes bigger news cos it has the potential to affect a lot more people.

:worship: :wavey: Ty will stop bothering my free anti-virus then LOL :wavey:

Hulet
Aug 13th, 2003, 01:38 PM
pardon me for being ignorant...:o

are Mac/Apple less prone to getting virus/worm attacks with their OS?
For this particular worm, no. And, that's true for most worms written too b/c the hackers tend to target operating system (windows for desktops and unix/linux for servers) which are used by most people. Besides, the worm writers tend to have some axe to grind against MS and Bill Gates. The MSblast worm has a line that reads "billy gates why do you make this possible ? Stop making money and fix your software!!" in the code. Also, from my experience, Windows in general seems to be a bit insecure b/c it was designed to be easy-to-use not secure.

Big Fat Pink Elephant
Aug 13th, 2003, 01:41 PM
lol sarah :devil: for once i love my comp lol :p

gorecki
Aug 13th, 2003, 01:50 PM
thanks eta psi :)

Darkheart
Aug 13th, 2003, 06:26 PM
The worm is not spread by email nor instant messaging. It is sent to you via FTP when you are online, without you even knowing. No window pops up asking you whether you want the file or not. It just comes to you.

Cariaoke
Aug 13th, 2003, 06:39 PM
yes, I work tech support on campus and damn if this piece of shit is wreaking havoc! everybody got it. :rolleyes:

Jennifer's wife
Aug 13th, 2003, 11:03 PM
can anyone help with my poota problem? i cant get offline now without unplugging the modem and my messenger is doing all sorts of strange things. everytime i open msn it sez "svchost has generated errors and will need to restart the program". however it don't restart. ive done a virus search on msn but it says i dont have one. :confused:

Josh
Aug 13th, 2003, 11:18 PM
hehehe *rubs hands together* I love Windows 98! :D

Couldn't agree more! :D
Thank god I removed win XP from my computer.

bis2806
Aug 14th, 2003, 04:42 AM
ehmmm Hi josh!!!!!!! long time no talk.....

Wojtek
Aug 14th, 2003, 06:30 AM
can anyone help with my poota problem? i cant get offline now without unplugging the modem and my messenger is doing all sorts of strange things. everytime i open msn it sez "svchost has generated errors and will need to restart the program". however it don't restart. ive done a virus search on msn but it says i dont have one. :confused:

Sometimes i have the same problem with msn
:confused:

Filadidas
Aug 14th, 2003, 12:28 PM
My case was weird though.... I definitely got infected by the virus yesterday... when I tried to detect the "msblast.exe" file... It wasn't in my computer system at all..... Dunno why?

My internet is working ok right now... no more of that "1 minute shutdown" message pop up... I just hope the virus won't attack my pc again!!!

per4ever
Aug 14th, 2003, 12:49 PM
Couldn't agree more! :D
Thank god I removed win XP from my computer.
win2k rules ;)

gentenaire
Aug 14th, 2003, 12:52 PM
I got another virus, which was much more fun! It deleted my entire mailbox! Hurrah!

JonBcn
Aug 14th, 2003, 02:15 PM
Gah. My boyfriend's pc got the virus and went completely out of control; we had to call a boffin in who said lots of things I neither understood nor cared very much about. Luckily for me I have skeggy old Windows '98 and am indestructible.

Sam L
Aug 19th, 2003, 09:50 AM
Hi can anyone help me?

Today at work, I got to go home early cause our computer systems became infected with this virus.

Before, I wasn't worried but I am now, for my home computer.

So far it is infected, it's all normal.

So I tried to download that patch and no problem, but when I tried to install it said:

"xpsp1hfm.exe is not a valid Win32 application"

What does this mean? How can I protect myself?

:confused:

Shuji Shuriken
Aug 19th, 2003, 03:32 PM
I think that worm fucked up something on my PC or I may have another virus :rolleyes:? I can hardly stay online without getting disconnected :mad:. And I have hell getting online :mad:

gentenaire
Aug 19th, 2003, 03:34 PM
This worm did something different to my computer. It didn't shut down my computer, but after a while I could no longer copy and paste or drop and drag files! Extremely annoying. Even after the virus was deleted, I still got it.

It wasn't until I installed the patch as well that the problem stopped.

gentenaire
Aug 19th, 2003, 03:35 PM
ok, so i don't have the blaster worm! :woohoo: but i do have a similar problem. whenever i log on it tells me that "svchost.exe has generated errors and will need to restart the program". so, i click ok and nothing happens! it don't restart or anything, just lets me carry on!! :confused:

saw this just now. This is what happened to me as well. After I got that message, I could no longer copy and paste, drag and drop or open links in a new window.

Martian Willow
Aug 19th, 2003, 04:09 PM
I don't know why it's such a big deal, if you have your pooter properly secured with something like ZoneAlarm you're not going to have any problems.

Big Fat Pink Elephant
Aug 19th, 2003, 04:12 PM
hm,. i read today that there is a new virus out there, norwegian computers got infected - very badly, the worst virus infection ever they say :eek:

Big Fat Pink Elephant
Aug 19th, 2003, 04:15 PM
it's called Sobig.F btw.

http://www.messagelabs.com/viruseye/info/default.asp?tabIt=rep&virusname=W32/Sobig.F-mm

Warning: dangerous new Sobig.F spreading vigorously
General

On 18th August 2003, MessageLabs the email security company intercepted several copies of a mass-mailing virus which were identified as W32/Sobig.F-mm. The initial copies all originated from the United States.

Characteristics

Initial analysis would suggest that Sobig.F is a mass-emailing virus that is spreading very vigorously. Sobig.F appears to be polymorphic in nature and the email from: address is also spoofed and may not indicate the true identity of the sender. In earlier versions of the Sobig family, the file extension has sometimes been truncated. MessageLabs have not yet observed this with the Sobig.F strain.


The email may also comprise the following characteristics:

Subject: Re: Details

Text:

Please see the attached file for details.


Attachment names may include: your_document.pif, details.pif, your_details.pif, thank_you.pif, movie0045.pif, document_Fall.pif, application.pif, document_9446.pif


In an attempt to bypass local antivirus security, the file size varies on each generation reminiscent of Yaha by appending rubbish to the end of the file, but is on average around 74kb in size. The initial copies are packed using TELock, but there may be other variants in the wild packed using different packers.

look at "latest info". Earlier today, Norway had 32% of that diagram :eek:

griffin
Aug 19th, 2003, 04:16 PM
can anyone help with my poota problem? i cant get offline now without unplugging the modem and my messenger is doing all sorts of strange things. everytime i open msn it sez "svchost has generated errors and will need to restart the program". however it don't restart. ive done a virus search on msn but it says i dont have one. :confused:

You may have the "welchia" worm

http://us.mcafee.com/virusInfo/default.asp?id=alphar

It messes with a couple of files that are supposed to be on your computer (like svchost.exe) - I think it may overwrite them, but I'm not sure.

McAfee and Symantec (Norton Antivirus) both have instructions on how to find the worm and remove it - McAfee even has a free scanning service (and don't feel bad, this one took down the network at my partner's office, and she works for a tech company)