MS Blaster Worm - (Win 2k/XP/NT only) - fix now available


Guest Monolithix [MVP]
Posted

You may or may not have heard of this virus; it's new this week and wreaking havoc all over the internet.

See this Register article:

http://www.theregister.co.uk/content/56/32286.html

If you haven't done so recently, I'd advise you to Windows Update your machine fully up to date and install the following patch:

http://microsoft.com/downloads/details.asp...32-3DE40F69C074

If you're already infected, the best advice is to get offline ASAP to reduce further infections (it will use your PC to connect to others and propagate).

The best advice currently available if you are already infected is simply to rebuild your machine; there is no known 100% effective cure for it yet.

Sorry kids, this is a nasty one. Have fun if you've been getting random "this machine is shutting down" messages...

Posted

Hm, very interesting. I had those "this machine is shutting down" messages yesterday and after I installed the patch and good ol' ZoneAlarm, some program called msblast.exe was trying to access the internet...

I stopped it and did a Google search but nothing came up :|

Guest Monolithix [MVP]
Posted

Yeah, after playing around a little (woman's machine is infected), it seems at the very least, turning on the XP firewall on your connection will block the virus' connection attempt, which is causing the instability.

Posted

Well, yeah, turned it off as it was blocking some ports I'm using... :roll:

Posted

Norton Antivirus Website has an excellent article about this and a small program that can be downloaded to remove the virus.

Off to try, will keep all posted :roll:

Posted

I have a tool to remove the virus. Won't let me upload it though :)

Posted

If you are running Windows XP, remember to disable System Restore prior to running the remove tool! This is vital!!!!!

To do this, simply right click My Computer and then select the "System Restore" tab. Then simply check the disable box.

After the fix has been run, reboot and then run it again. Then reboot again and then you can re-enable System Restore. If you get any error messages saying it can't fix a file etc, simply reboot in safe mode (when you reboot, to get into safe mode, simply keep pressing the F8 button until a selection list appears and choose boot into safe mode). While in safe mode, network connections are disabled and therefore the virus shouldn't be able to attack. Re-run the fix and it should work. Again, reboot and re-run the file to ensure it has been successful. Just make sure System Restore is disabled first.

Usual disclaimer, I can't be held responsible blah blah... I'm just supplying the help and information for anyone that doesn't wanna reformat :)

fixblast.zip

Posted

This is probably a silly question but could it affect the smart phone using ActiveSync? I've got the pesky virus and am praying that it hasn't been passed on :-(

Posted from my SmartPhone!

Posted

Haven't got a clue, but every time I turn off my Norton Firewall or AntiVirus progs, I get the pop-up saying that Windows has to shut down in 55 seconds, or whatever. Funny thing is I've run fixblast.exe both in standard mode and safe mode yet it hasn't been found. Oh, and I did turn off System Restore before doing this. It seems fine when Norton is running though.

Posted
awarner Posted: Cheers amo
My pleasure :)

Flash posted: This is probably a silly question but could it affect the smart phone using ActiveSync? I've got the pesky virus and am praying that it hasn't been passed on

This is a Windows 2000 and Windows XP virus/worm and would not work on a smartphone. The worm itself simply exploits a known DCOM RPC vulnerability and uses port 135 over TCP to download the MSBlast.exe virus. It attacks Windows Update to prevent you from being able to download the patch (attached above) which can secure the vulnerable loophole and therefore it must be installed manually. I have heard the worm can spread (via MSN etc - and believe this is how I have received the worm) to other people across the net. So load up a Firewall!

Quoted from Symantec -

Block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the applications listed:

TCP Port 135, "DCOM RPC"  

UDP Port 69, "TFTP"

These are the ports through which the worm will spread. Ensure they are blocked and other users are safe.

Now how all this could be done on a smartphone is beyond me :wink:

jlowap Posted: how do you get infected?

Read above - install the patch which is attached to ensure your Win 2k/XP system has the vulnerable DCOM RPC patched up. Also, load up a Firewall to be extra careful. (www.zonelabs.com)

Flash Posted: Haven't got a clue, but every time I turn off my Norton Firewall or AntiVirus progs, I get the pop-up saying that Windows has to shut down in 55 seconds, or whatever. Funny thing is I've run fixblast.exe both in standard mode and safe mode yet it hasn't been found. Oh, and I did turn off System Restore before doing this. It seems fine when Norton is running though.

Try loading up Norton and ensuring the Msblast.exe hasn't been quarantined. I'm not sure how Norton works but perhaps if it isn't running the quarantined files are able to be executed. If it is, simply delete it through the software. If it isn't quarantined - load up Windows with Norton enabled to make sure the auto reboot doesn't kick in, then go to Start>Search> and search for the file Msblast.exe in all directories. If it is found then you definitely have it, if it isn't the coast may still not be clear. Make sure a firewall is loaded up and blocking the appropriate ports. And disconnect from the internet for now. Try running the fix program while the Firewall is enabled and while it isn't. If it isn't enabled, the virus should be able to become active and therefore detectable (theoretically).

The patch posted above is for Windows XP (32-bit version) only!!! For other versions of the Windows update please go to here.

Please post the outcome of this.
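The three ports named in the advisory quoted above (TCP 135, TCP 4444, UDP 69) can also be tallied per source address in a firewall log to tell a machine that is spreading the worm from one that is only being probed. This is an added example, not part of the original posts; the log layout, the sample lines and the fan-out threshold of 3 are constructed assumptions.

```python
from collections import defaultdict

# (protocol, destination port) pairs named in the advisory quoted in the thread
WATCH = {("TCP", "135"): "DCOM RPC", ("TCP", "4444"): "TCP 4444", ("UDP", "69"): "TFTP"}

# Constructed sample (documentation-range addresses), laid out like a W3C-style
# firewall log; the field list is an assumption, read from the #Fields header.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time action protocol src-ip dst-ip src-port dst-port size
2003-08-12 10:01:02 DROP TCP 192.0.2.10 198.51.100.7 1034 135 48
2003-08-12 10:01:02 DROP TCP 192.0.2.10 198.51.100.8 1035 135 48
2003-08-12 10:01:03 DROP TCP 192.0.2.10 198.51.100.9 1036 135 48
2003-08-12 10:01:04 DROP TCP 192.0.2.10 198.51.100.9 1040 4444 48
2003-08-12 10:01:09 DROP UDP 198.51.100.9 192.0.2.10 1041 69 20
2003-08-12 10:02:00 DROP TCP 203.0.113.5 192.0.2.10 3345 135 48
2003-08-12 10:02:30 OPEN TCP 192.0.2.10 198.51.100.80 1050 80 -
"""

def parse(text):
    """Yield one dict per log record, using the #Fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def watched_traffic(text):
    """Map source IP -> {port label -> set of destination IPs} for watched ports."""
    seen = defaultdict(lambda: defaultdict(set))
    for rec in parse(text):
        label = WATCH.get((rec.get("protocol"), rec.get("dst-port")))
        if label:
            seen[rec["src-ip"]][label].add(rec["dst-ip"])
    return seen

def likely_spreading(text, fanout=3):
    """Sources that tried TCP 135 on at least `fanout` distinct hosts (heuristic)."""
    return sorted(src for src, ports in watched_traffic(text).items()
                  if len(ports["DCOM RPC"]) >= fanout)

if __name__ == "__main__":
    for src, ports in watched_traffic(SAMPLE_LOG).items():
        print(src, {label: len(dsts) for label, dsts in ports.items()})
    print("likely spreading:", likely_spreading(SAMPLE_LOG))
```

A source that touches TCP 135 on a single address, like 203.0.113.5 in the sample, is an inbound probe rather than a local infection, which is why the check counts distinct destinations instead of raw hits.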

Posted
Install all the latest updates via windowsupdate.

The worm prevents access to Windows update :wink:

Posted

Amo thanks for all your helpful and in-depth replies. I've done much of what you have suggested already - guess I'll just have to run through it again :-(

Guest janagan
Posted

Ha Ha HA is how I laughed at my friend who got it, even though I recommended that he got a firewall as soon as he got broadband.

Posted

I've GOT a firewall, and the little critter still got through :x

Incidentally, I don't see what's so funny janagan? It seems to be affecting a lot of people :?

Guest Gorskar
Posted

Well I have a router which should stop it getting through

I applied the update to be on the safe side.

Posted

Firewall doesn't necessarily prevent someone from receiving a virus/worm - a virus protector should do that :wink:

Posted

Nope, it arrives through a hole in that RPC service thingie, so you can get it very easy, without knowing... just like I did.

Posted

ahhh! just read the article....

"TruSecure does not expect LANs to suffer from denial of service conditions due to this infection, even if it becomes infected. This is because internal infections will only propagate if outbound TFTP requests are allowed. If a source is found it can be blocked at either the firewall or router."

Posted

Don't know jlowap, can't pinpoint any recent emails that might have been the cause. I guess this is how I got it though.

>edit< oops, should have read the replies before posting ;-)

Posted from my SmartPhone!
