w32.Blaster.worm - The restart virus - Complete Solution!



XyZspineZyX
08-12-2003, 10:19 PM
Here's a complete solution on how to get it off your system:

http://homepage.ntlworld.com/michaelgadge/shutdownproblem.htm

and here's a complete virus description from Symantec:

http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

XyZspineZyX
08-12-2003, 10:33 PM
It hit me last night and messed up my internet.
Although I recognised a previously unknown .exe program in the task manager it was well disguised as an MS updater so even though I removed it and its registry entry, my problems remained.
Norton came up empty handed before the update as well.
I wouldn't have put two and two together if it were not for the people here who unveiled the evil worm to me.
I've never been hit by something like that before and thought that Windows had simply screwed up on me again and gone ballistic.
However, no reboots for me thankfully even though I still had to restart Windows otherwise internet connection would not terminate, not to mention not being able to post here.
Microsoft patch solved the problem but it took Norton to spot and remove the remains of the worm.
And to think it's patch day, exactly 1 year and one day from the 2004 Olympic games and my first with a worm...


fluke39
08-13-2003, 01:20 PM
BUMP so people with little internet time might see this better (even though there are a lot of threads about it - all been pushed out by patch posts)

my recommended solution

1) open task manager(ctrl+alt+delete) right click on msblast.exe and end process (this should buy a little more time on the net to DL appropriate things) (if u reboot again u will have to repeat this)

2) DL Removal tool (follow instructions carefully)

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

3) DL windows update

http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

If u follow all the instructions carefully this should do the trick

also - it may be wise to DL both things before running removal tool/ update - if u run removal tool then DL update you may risk getting it again whilst online - and therefore have to do it all again

edit - make sure u sort before 15th otherwise ur pc will be part of some huge d.o.s. attack on the microsoft site or something - unless you want it to be that is


XyZspineZyX
08-13-2003, 01:26 PM
I'm interested to know how it infects you?

My understanding of a worm is that it comes to you as an attachment through Email. If you don't open attachments you're pretty safe with worms, as a rule.


XyZspineZyX
08-13-2003, 01:27 PM
Worms have the ability to spread by themselves.

Viruses come with e-mails.

But it's a thin line in the definition.


XyZspineZyX
08-13-2003, 01:31 PM
Vengeanze wrote:
- Worms have the ability to spread by themselves.
-
- Viruses come with e-mails.
-
- But it's a thin line in the definition.
-
amen brother. so are you gonna be social or no??..
(sorry bored)


XyZspineZyX
08-13-2003, 01:32 PM
I work in tech support - spent the last 2 days talking a million people through patching their systems.....


nearmiss wrote:
- I'm interested to know how it infects you?
-
- My understanding of a worm is that it comes to you
- as an attachment through Email. If you don't open
- attachments you're pretty safe with worms, as a
- rule.

It's damn clever, that's how. The hole in Windows (which the patch fixes) allows an infected PC to open a TCP port on your system and then push the worm itself onto your hard drive and then run....all in the background. The only thing you notice is a performance hit and then weird and wonderful crashes, lockups, can't open files/folders etc. That's not actually the intent of the worm (it just tries to spread as far as possible) but a side-effect of buggering around with the RPC (the bit of Windows that controls....just about everything).

I LOVE Microsoft.

fluke39
08-13-2003, 01:33 PM
nearmiss wrote:
- I'm interested to know how it infects you?
-
- My understanding of a worm is that it comes to you
- as an attachment through Email. If you don't open
- attachments you're pretty safe with worms, as a
- rule.


Worms are essentially viruses, with the exception that they are stand-alone programs that only infect through network connections. Worms actively seek out other network connections in order to place copies of themselves onto other systems. They will often take advantage of trusted network connections in order to spread.

viruses nowadays mainly use email to propagate - don't ask me anything else about worms - what i wrote above was out of a report i wrote on computer misuse for my degree - and i didn't get a right good mark for it !!

fluke39
08-13-2003, 01:39 PM
i'll treat you to another extract from my report

"It is important that the latest technology should be utilised, and any recent software patches be installed. All too often businesses have let in viruses or hackers by not keeping up to date with software patches; for example in 2001 the Code Red worm surfaced and spread at an alarming rate - infecting almost 250,000 web hosts in just 9 hours. The worm exploited a vulnerability in Microsoft's Internet Information Server in order to deliver a denial of service attack to computer systems - the vulnerability had been well publicised over a month before the worm surfaced. The worm caused an estimated $2.6 billion of damage, and would never have been able to take hold if network administrators had all installed the available patches. This also highlights the importance of keeping up to date with the latest security alerts and news, there are many sources for this, a good one being the ICSA homepage. A good anti-virus scanner should be implemented; however this will be of limited value if it also is not regularly updated with the latest virus definitions, as new viruses are surfacing all the time."


hmmmm did i update my virus definitions?...........no
did i keep up to date with news alerts? .............no
did i install the latest patches for windows?..........no

did i get the blaster worm?........................yep!!

hmm nothing like practicing what you preach eh !!


fluke39
08-13-2003, 02:12 PM
BUMPITY BUMP

lest those who need this info should miss it


XyZspineZyX
08-13-2003, 02:17 PM
If you use XP and update regularly, you will already be protected against this worm.
If you don't, here is a helpful link too.

http://www.sophos.com/support/disinfection/blastera.html

michapma
08-14-2003, 10:18 AM
Here's my solution:

http://www.microsoft.com/security/

Click on the link about Blaster worm and read, or follow this direct link:

http://www.microsoft.com/security/incident/blast.asp

They've actually changed the page somewhat since last night. I looked into it because my wife had heard about it on national radio, so after reading there I quickly discovered that we weren't infected. I thank ZoneAlarm for that. I updated ZoneAlarm anyway, then spent an hour bungling my way through the MS instructions. All you actually have to do is download the version of the patch for your type of Windows, then turn off the Internet connection (I did this with ZoneAlarm) and install the patch. Simple, but it took me a while.

Bump,
Mike


XyZspineZyX
08-16-2003, 04:06 PM
I was hit on Tuesday sometime but I found no MSBLAST.exe or any other odd background apps running. I had all the symptoms though...(no copy/paste, constant mysterious restarts, bluescreen errors, denial of windows update, media player going haywire and flickering grey, certain internet links denied...etc, etc...)

Eventually I had to format because none of the removal tools found the little beast. A friend of mine has the exact same symptoms and I was wondering if these are signs of a variant b or c worm. I'd already formatted so I came up clean when I ran the variant remover tools. Can anybody confirm? The main difference being that there is no msblast.exe detected.

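Several posts in this thread turn on the same point: one poster saw an unfamiliar .exe that looked like an MS updater, another had the symptoms with no msblast.exe in the process list. The sketch below is an added example, not code from any poster or vendor; it triages `tasklist /FO CSV` output by known image name and by comparison with a baseline. The baseline, the sample listings and the name `updater-example.exe` are constructed for illustration.

```python
import csv
import io

# Image name reported in the thread. Matching on this alone is the weak check.
KNOWN_WORM_IMAGES = {"msblast.exe"}

# Constructed baseline of image names expected on a hypothetical clean machine.
BASELINE = {"system idle process", "system", "smss.exe", "csrss.exe",
            "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
            "explorer.exe"}

HEADER = '"Image Name","PID","Session Name","Session#","Mem Usage"\n'

# Constructed `tasklist /FO CSV` output: the worm under the name from the thread.
SAMPLE_NAMED = HEADER + (
    '"System Idle Process","0","Console","0","16 K"\n'
    '"svchost.exe","840","Console","0","3,412 K"\n'
    '"explorer.exe","1480","Console","0","18,204 K"\n'
    '"msblast.exe","1820","Console","0","1,096 K"\n'
)

# Same listing with a made-up image name standing in for an unrecognised binary.
SAMPLE_RENAMED = SAMPLE_NAMED.replace("msblast.exe", "updater-example.exe")


def parse_tasklist(csv_text):
    """Return (lower-cased image name, pid) for each row of the CSV listing."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row["Image Name"].strip().lower(), int(row["PID"])) for row in reader]


def triage(csv_text, baseline=BASELINE):
    """Split processes into known-worm names and names absent from the baseline."""
    procs = parse_tasklist(csv_text)
    known = [p for p in procs if p[0] in KNOWN_WORM_IMAGES]
    unknown = [p for p in procs
               if p[0] not in baseline and p[0] not in KNOWN_WORM_IMAGES]
    return {"known_worm": known, "not_in_baseline": unknown}


if __name__ == "__main__":
    for label, sample in (("named", SAMPLE_NAMED), ("renamed", SAMPLE_RENAMED)):
        print(label, triage(sample))
```

A name baseline still passes a binary that reuses a legitimate image name, so comparing file paths or hashes against a known-good set is the stronger check.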

XyZspineZyX
08-16-2003, 04:35 PM
http://www.microsoft.com/security/incident/blast.asp
