
W32.Blaster.Worm, Who Got it?

  • 12-08-2003 10:50pm
    #1
    Registered Users, Registered Users 2 Posts: 20,553 ✭✭✭✭


    Who got infected by this horrible virus? I was lucky that I had the vulnerability patched up. I know several people that have/had it. Heard real nightmare stories about it. Hard to get it off, couldn't access net to get patches, virus definitions, etc.


    If you're looking for info on it or trying to remove it, I'll be nice :)
    W32.Blaster.Worm
    Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
    W32.Blaster.Worm Removal Tool

    Did you get infected, be honest..... 106 votes

    Yes I did, what a **** to get rid of it
    0% 0 votes
    No, I had the patch or I was really jammy
    46% 49 votes
    Atari Jaguar
    53% 57 votes



Comments

  • Registered Users, Registered Users 2 Posts: 2,277 ✭✭✭DiscoStu


    judging by my firewall logs everyone on eircom.net seems to have it.


  • Registered Users, Registered Users 2 Posts: 4,509 ✭✭✭Gerry


    I didn't get it myself, but a housemate's laptop (xp home) got it fairly fierce 2 days ago. I think it's fixed now, but never turned off the system restore.


  • Registered Users, Registered Users 2 Posts: 20,553 ✭✭✭✭Dempsey


    Originally posted by Gerry
    I didn't get it myself, but a housemate's laptop (xp home) got it fairly fierce 2 days ago. I think it's fixed now, but never turned off the system restore.

    That could be a bad idea if the patch wasn't installed, if the person has to do a restore, the virus could creep back in, ya know yourself.


  • Closed Accounts Posts: 16,339 ✭✭✭✭tman


    i was jammy, my pc restarted a couple of times & then i thought "hmmm, think i'll post this problem on boards..."
    i spotted the thread in after hours, downloaded the fix (praise jah for download managers) and hey presto, problem solved.

    i would've been well & truly fubar if it wasn't for you helpful folks at boards :)


  • Registered Users, Registered Users 2 Posts: 2,543 ✭✭✭sionnach


    i was uber lucky, i have boards set as me homepage and i saw the problem under most recent posts after the thing happened only twice :) so i got the patch b4 it happened the third time


  • Closed Accounts Posts: 1,502 ✭✭✭MrPinK


    Installed the fix last week, but the firewall would have caught it anyway. Not using a firewall is just asking for trouble, even the built in XP one should have stopped it if it was turned on.


  • Registered Users, Registered Users 2 Posts: 10,846 ✭✭✭✭eth0_


    UTV blocked port 135 on their routers this morning to protect customers, wonder if any other Irish ISP's did this!

    BTW did you know the worm had a payload, a ddos against the windows update site on the 16th of August, so everyone infected would have been hammering the windows update site!


  • Registered Users, Registered Users 2 Posts: 12,811 ✭✭✭✭billy the squid


    My windows update is set up to download these patches as they come out so i guess i have it a couple of weeks now.

    Didn't know about the UTV thing. Shouldn't they have been blocking ports 139 and 69 and 4444 as well, no?


  • Registered Users, Registered Users 2 Posts: 3,825 ✭✭✭Doodah7


    Got it too, but with help from a few people on these boards and elsewhere, nuked the little b%st&rd last night.

    The main culprit seems to be a file msblast.exe and by deleting it from current processes, the hard drive and its entry in the registry, my machine is humming along once more.


  • Registered Users, Registered Users 2 Posts: 379 ✭✭Carnate


    I noticed the threads when i logged on to the boards on monday.

    i have my virus checker on autoupdate so i missed the event :P

    Why do people nowadays not have their Viruschecker Definitions up to date?

    It's PC suicide not to.


    2 Cents worth!


  • Registered Users, Registered Users 2 Posts: 5,468 ✭✭✭Frank Grimes


    My OS at home is patched (probably since the patch was actually released). Had to clear it off my friend's PC yesterday though.


  • Registered Users, Registered Users 2 Posts: 1,452 ✭✭✭tomED


    I got it at home - office was fine because I manually get the updates from microsoft.

    My machine at home is on autoupdate - but for some reason didnt get this critical update, still haven't figured that one out!

    People have suggested it is because I must have a warez copy of win xp - but the OS came with the system (brand new).

    I have now realised i can't update to the latest service pack, because it tells me I have a dodgy license key!

    Anyone know anymore about this???


  • Registered Users, Registered Users 2 Posts: 5,468 ✭✭✭Frank Grimes


    Originally posted by tomED
    Anyone know anymore about this???
    The SP has a list of dodgy licence codes in it, if you're using one it won't install.
    Get onto whoever sold you the pc.


  • Registered Users, Registered Users 2 Posts: 1,569 ✭✭✭maxheadroom


    I got it about 2 minutes after I did a clean reinstall. Had to download the patch, while the machine kept rebooting, save it to a different partition, then do the format and reinstall again with the network cable disconnected... (wasn't taking any chances, it's not called a "clean" reinstall for nothing :))


  • Registered Users, Registered Users 2 Posts: 4,471 ✭✭✭elexes


    a lot of ppl have come into me in work with the nasty lil bugger. i got it in work (dunno how, the machine wasn't online) and got it at home. for some reason my win 2k installation won't update microsoft


  • Closed Accounts Posts: 265 ✭✭Nitrox


    Funny, both my server and my flatmate's 2000 Professional showed all the signs of the virus, but last night when I knew what it was I was not able to find anything left by the virus and internet was working fine again, have done all the patches now, so not going to take any chances with this bugger any more, that is, did not patch my flatmate's laptop yet, but that is his problem :D
    Anyone know why there is no trace of the virus now? Did everything as described on symantec, not a trace left!!


  • Registered Users, Registered Users 2 Posts: 166,012 ✭✭✭✭LegacyUser


    Originally posted by Carnate
    Why do people nowadays not have their Viruschecker Definitions up to date?


    personally i think the virus scanners are a big waste of time, the definitions are only updated after a virus has been released and is rampant, about the only thing they are any good for is removing them after you have been infected if you were silly enough to get infected in the first place, there are rare exceptions like msblast where no user intervention is required to infect but most infections are caused by people opening files like this_is_so_cool.ppt.vbs


  • Registered Users, Registered Users 2 Posts: 1,452 ✭✭✭tomED


    Originally posted by Frank_Grimes
    The SP has a list of dodgy licence codes in it, if you're using one it won't install.
    Get onto whoever sold you the pc.

    Yes I realise that, but I was just wondering if anyone else had this problem? If so does it mean a fresh install once i get a clean license?

    Thanks
    Tom


  • Closed Accounts Posts: 1,502 ✭✭✭MrPinK


    If so does it mean a fresh install once i get a clean license?
    It can be changed without reinstalling. There are programmes that will do it for you, it's probably just some registry key that is changed.


  • Registered Users, Registered Users 2 Posts: 1,569 ✭✭✭maxheadroom


    Tom - you can trick XP into accepting a new licence code, look in the text files on www.astalavista.com for details. The warez monkeys had to come up with a way of switching keys once SP1 came out.


  • Closed Accounts Posts: 197 ✭✭Konix


    it's weird. i had logged on the net 3 times and it restarted 3 times but the 4th time it didn't and i was able to ask about it on boards irc and download the patch. does this mean it's on my computer?
    I should really get some firewalls! pronto!
    whoever Mark on irc was....thanks


  • Registered Users, Registered Users 2 Posts: 11,985 ✭✭✭✭zAbbo


    start > run > "oobe/msoobe /a"

    Activate by phone, change key, bingo

    If the machine attempts to shutdown ( 60seconds warning)

    start > run > "shutdown -a"


  • Registered Users, Registered Users 2 Posts: 11,998 ✭✭✭✭Giblet


    WinME eh, phew!
    Useful for once.


  • Registered Users, Registered Users 2 Posts: 414 ✭✭Paddyo


    Hi All

    Of the people that were infected, who were the service providers.

    I think that the service providers became infected.

    People I have spoken to have become infected quite quickly after connecting to the net.

    Each time you login you are usually assigned a dynamic IP address. Unless you are logged in for a long time using this address it be less likely that you would be scanned. But if the Providers were infected then your dynamic IP address might be scanned more quickly.

    Am I talking rubbish or do I have a point?

    Paddyo


  • Registered Users, Registered Users 2 Posts: 379 ✭✭Carnate


    Originally posted by bananayoghurt
    personally i think the virus scanners are a big waste of time, the definitions are only updated after a virus has been released and is rampant, about the only thing they are any good for is removing them after you have been infected if you were silly enough to get infected in the first place, there are rare exceptions like msblast where no user intervention is required to infect but most infections are caused by people opening files like this_is_so_cool.ppt.vbs

    Almost a Good point!

    But if you have a "PAID FOR" antivirus program you dont have these problems.

    As to the comment that files like "Mblast have no user intervention" is sadly untrue, all viruses "need" user intervention of some form for them to spread and not all users are Technically minded, believe me after years of supporting them, i can say this with confidence. But that said every new virus/trojan/worm gets harder and harder to detect. easy rule of thumb is have a good virus checker running and have it using heuristics. and always have a firewall whatever your connection speed.


  • Registered Users, Registered Users 2 Posts: 9,579 ✭✭✭Webmonkey


    Got this myself..happened all my pcs at once. Damn intelligent worm.

    As for anti virus, - Viruses will always be one step ahead but still worth having anti virus installed :)

    Amazing --

    http://www.google.ie/search?hl=en&ie=UTF-8&oe=UTF-8&q=msblast.exe&meta=

    2 days ago - 0 results
    Today - 1430 results

    :D


  • Registered Users, Registered Users 2 Posts: 1,348 ✭✭✭Ryo Hazuki


    I noticed the key, and deleted it, then deleted the program (msblast.exe)

    I have downloaded a fix that someone posted in another thread (not the RCP patch) but for this Worm.

    You must apply it in safemode though, will do it later just to be sure.


  • Registered Users, Registered Users 2 Posts: 2 yuper


    first virus i got in 3 years without a firewall but it was fairly easy to get rid of once you know where to look. some scanners don't work, i scanned it with 4 programs: 1 picked up part of it, 1 none of it, 2 all of it

    this patch you're all on about, why is it so important? would it be easier to block the port 135? i hate downloading from the microsoft site, everything you download is like giving up part of your computer freedom to billy gates


  • Closed Accounts Posts: 544 ✭✭✭Chowley


    Little bastard spread like wildfire didn't it.

    It was on 2 pc's in my place, they're not even on a network FFS. A CS buddy of mine got it too, I will definitely find out about more i presume. :mad:


  • Registered Users, Registered Users 2 Posts: 4,509 ✭✭✭Gerry


    Originally posted by Paddyo
    Hi All

    Of the people that were infected, who were the service providers.

    I think that the service providers became infected.

    People I have spoken to have become infected quite quickly after connecting to the net.

    Each time you login you are usually assigned a dynamic IP address. Unless you are logged in for a long time using this address it be less likely that you would be scanned. But if the Providers were infected then your dynamic IP address might be scanned more quickly.

    Am I talking rubbish or do I have a point?

    Paddyo

    Talking rubbish pretty much. What matters is how much you are connected to the net, infected machines are scanning pretty much all ip ranges I suppose. The service providers, even if they were running an os which could be infected, make up a small proportion of the machines on their network, compared to the 1000's of potentially infected customer machines.
    They can help out by blocking port 135, to stop machines outside of their network attacking, I'd reckon a few of them have done this by now.


  • Registered Users, Registered Users 2 Posts: 2,798 ✭✭✭yankinlk


    Originally posted by Carnate
    Almost a Good point!

    But if you have a "PAID FOR" antivirus program you dont have these problems.


    Not one of my customers was infected by this virii - all of them are on a paid for version of norton set to update automatically. (Except the one eejit who didnt have it on his home pc - he got it- and now he does have av paid for)


  • Registered Users, Registered Users 2 Posts: 166,012 ✭✭✭✭LegacyUser


    Originally posted by Carnate
    Almost a Good point!

    But if you have a "PAID FOR" antivirus program you dont have these problems.

    As to the comment that files like "Mblast have no user intervention" is sadly untrue, all viruses "need" user intervention of some form for them to spread and not all users are Technically minded, believe me after years of supporting them, i can say this with confidence. But that said every new virus/trojan/worm gets harder and harder to detect. easy rule of thumb is have a good virus checker running and have it using heuristics. and always have a firewall whatever your connection speed.

    Msblast needs no user intervention, it's totally automated, unless turning on your computer counts as user intervention. As for running a virus scanner, you need a decent pc to run it in real time, scan on access can have a big performance hit on older machines so it's not always possible, specially in a work environment where for a lot of companies a p1 is still good for another two years cause it'll run word 97


  • Registered Users, Registered Users 2 Posts: 11,985 ✭✭✭✭zAbbo


    Originally posted by Webmonkey

    As for anti virus, - Viruses will always be one step ahead but still worth having anti virus installed :)


    Hmm not so, worms and other virii have certain Characteristics that alert up to date AV software.

    Just turn heuristics on!


  • Registered Users, Registered Users 2 Posts: 379 ✭✭Carnate


    Originally posted by bananayoghurt
    Msblast needs no user intervention, it's totally automated, unless turning on your computer counts as user intervention. As for running a virus scanner, you need a decent pc to run it in real time, scan on access can have a big performance hit on older machines so it's not always possible, specially in a work environment where for a lot of companies a p1 is still good for another two years cause it'll run word 97

    Whatever, my meagre experience is tiny compared to yours so i bow to the Vastness of your Knowledge.(sic)

    Also as i stated b4 a "PAID FOR" Antivirus program WILL protect you as long as the definitions are ALL up to date and u have Heuristics running as well.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

    Also Bananay read above. And please before you put foot in mouth THINK pls. I would love to know what companies are using Pentium 1 pc's. ROFL.. Also as to your comment that you need a high end spec Machine to run a "good AntiVirus program" is utter ****e!

    Simple Advice, If yah dont Know Dont type!


  • Registered Users, Registered Users 2 Posts: 11,985 ✭✭✭✭zAbbo


    Originally posted by Carnate

    I would love to know what companies are using Pentium 1 pc's. ROFL.. Also as to your comment that you need a high end spec Machine to run a "good AntiVirus program" is utter ****e!

    Simple Advice, If yah dont Know Dont type!

    hmm we have around 4-5 machines here running 75mhz p1`s, stable machines, the trick is to have decent av/recovery system on ur server/proxy coupled with a decent firewall(hardware).


  • Registered Users, Registered Users 2 Posts: 166,012 ✭✭✭✭LegacyUser


    Originally posted by Carnate


    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

    Also Bananay read above. And please before you put foot in mouth THINK pls. I would love to know what companies are using Pentium 1 pc's. ROFL.. Also as to your comment that you need a high end spec Machine to run a "good AntiVirus program" is utter ****e!

    Simple Advice, If yah dont Know Dont type!

    Read above for what exactly ?
    There are about 6000 machines where I'm working and at least 300 are p1's
    I've personally gone out to users where the machine has been painfully slow, 2 minutes to open adobe reader for god sake, and the reason was virus scanners scanning all files on access, it totally crippled them !!, I didn't say you need a high end spec machine to run a virus scanner, i said you need a decent one if you are going to be running real time scanning on all file access and I stand by that, decent being at least a p3 500.


  • Registered Users, Registered Users 2 Posts: 4,471 ✭✭✭elexes


    dell, ibm, hp, intel use a lot of p1 systems - reason: it works, the software works, why bother spending to barely improve something that works perfectly.

    easons use p1's up to last year most of the national lotto machines were old 486's afaik. they're now replaced with some cyrix chips i think or maybe it's k6's.

    dunnes use p1's in their store for their older registers. hmmm a lot of accountants and lawyers use p1 systems.

    o nasa use 486's in their shuttles. hmmm know there's other companies that use them just can't think of who atm.

    old p1 systems tho slow are still alive and well and doing a damn good job with win 95/3.1 on them. remember being in college and the win 3.1 systems on the network never gave bother but the win nt computers were **** to use

    also this virus was Discovered on: August 11, 2003 and an anti virus live update released later that day but wasn't it infecting ppl on the 10th?


  • Moderators, Music Moderators, Recreation & Hobbies Moderators Posts: 9,390 Mod ✭✭✭✭Lenny


    Hearing a lot about this virus on lots of forums,
    haven't noticed anything on my pc, and connected to the net 24/7, but have norton firewall running though.


  • Closed Accounts Posts: 15,552 ✭✭✭✭GuanYin


    I noticed scvhost.exe crashing two days ago yesterday and took the appropriate measures when I figured out what was going on.

    I contacted the computer services dept here and informed them what was happening, mailed the details on how to sort it and pointed out that you needed service packs up to date etc etc.

    the next day they had told everyone that it was "a virus infecting their computer" (it isn't) then corrected it to being infected with a worm (for the most part, people aren't infected, it's the attack on svchost that's causing them problems).

    As a result I'm spending most of the day with people telling me that the computer services fix isn't working (as they have the fix for those infected, not those experiencing svchost issues which is more common). As a result I'm inclined to believe that the IDIOTS in CS here got their qualifications in christmas crackers or something.

    </rant>


  • Registered Users, Registered Users 2 Posts: 4,471 ✭✭✭elexes


    Originally posted by sykeirl
    I noticed scvhost.exe crashing two days ago yesterday and took the appropriate measures when I figured out what was going on......

    (as they have the fix for those infected, not those experiencing svchost issues which is more common).
    </rant>

    just wondering. i'm experiencing some problems with a till system i'm working on that's running win 2k without any service packs and scvhost.exe keeps crashing when certain programs are run.

    i've looked for this worm or a sign of it but can't find it. what have you been doing to fix the problem as it may be the same as the problem i'm experiencing


  • Closed Accounts Posts: 15,552 ✭✭✭✭GuanYin


    Download the service pack (you need at least service pack 2 to run the patches) and the security updates from windowsupdate.microsoft.com

    That will stop the svhost crashes.

    Check then that you don't have a file called msblast.exe running (ctrl+alt+del and then look at processes).

    If you don't you're ok and not infected.

    If you do then go to the symantec website and get the blaster remove tool.


  • Registered Users, Registered Users 2 Posts: 696 ✭✭✭Kevok


    Is this the first worm/virus that could propagate itself across the internet without the use of an SMTP engine? If so, does that not leave microsoft in massive trouble for allowing such a massive security flaw go unannounced. A fix was made available yes, but that's about it, no press release, no media bulletins. It was just a matter of time.

    In the last hour i've been hit on port 135 67 times. I can't be infected because of my setup but with an exposed computer I'd be hard pressed to keep it out.
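
An added example, not part of any post in this thread: a way to turn firewall log lines like the ones posters describe into counts of inbound probes on the ports named above (135, 139, 69, 4444) and a list of local machines sweeping TCP 135 outward, which is how an infected host shows up. The log format, the `192.168.1.0/24` LAN, the threshold and every sample line are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed log format (an assumption, not any real firewall's output):
#   <timestamp> <ALLOW|DROP> <TCP|UDP> <src_ip>:<sport> -> <dst_ip>:<dport>
SAMPLE_LOG = """\
2003-08-12T21:00:03 DROP TCP 203.0.113.7:1034 -> 192.168.1.10:135
2003-08-12T21:00:09 DROP TCP 203.0.113.7:1035 -> 192.168.1.10:135
2003-08-12T21:01:44 DROP TCP 198.51.100.23:2201 -> 192.168.1.10:135
2003-08-12T21:02:10 DROP TCP 198.51.100.23:2207 -> 192.168.1.10:4444
2003-08-12T21:03:00 ALLOW TCP 192.168.1.10:1050 -> 192.0.2.80:80
2003-08-12T21:04:11 ALLOW TCP 192.168.1.22:1100 -> 192.0.2.1:135
2003-08-12T21:04:11 ALLOW TCP 192.168.1.22:1101 -> 192.0.2.2:135
2003-08-12T21:04:12 ALLOW TCP 192.168.1.22:1102 -> 192.0.2.3:135
2003-08-12T21:04:12 ALLOW TCP 192.168.1.22:1103 -> 192.0.2.4:135
2003-08-12T21:05:30 DROP UDP 203.0.113.7:1040 -> 192.168.1.10:69
this line is truncated garb
"""

LOCAL_NET = ip_network("192.168.1.0/24")  # assumed LAN range
# Ports mentioned in the thread, with the transport each normally uses.
WATCH = {("TCP", 135), ("TCP", 139), ("UDP", 69), ("TCP", 4444)}
SWEEP_THRESHOLD = 3  # assumed: distinct TCP/135 targets before a host is flagged

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DROP)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
    except ValueError:  # e.g. an octet above 255
        return None
    dport = int(m["dport"])
    if dport > 65535:
        return None
    return {"ts": m["ts"], "action": m["action"], "proto": m["proto"],
            "src": src, "dst": dst, "dport": dport}


def triage(log_text, local_net=LOCAL_NET, sweep_threshold=SWEEP_THRESHOLD):
    """Summarise inbound probes and local hosts that look like they are scanning."""
    inbound_by_port, inbound_by_source = Counter(), Counter()
    sweep_targets = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            skipped += 1  # keep a count so damaged logs are noticed
            continue
        key = (ev["proto"], ev["dport"])
        if key not in WATCH:
            continue
        # Probe from outside the LAN against a local machine.
        if ev["dst"] in local_net and ev["src"] not in local_net:
            inbound_by_port[key] += 1
            inbound_by_source[str(ev["src"])] += 1
        # Local machine contacting TCP/135 on other hosts: count distinct targets.
        if ev["src"] in local_net and key == ("TCP", 135):
            sweep_targets[str(ev["src"])].add(ev["dst"])
    sweepers = sorted(h for h, t in sweep_targets.items()
                      if len(t) >= sweep_threshold)
    return {"inbound_by_port": inbound_by_port,
            "inbound_by_source": inbound_by_source,
            "outbound_sweepers": sweepers,
            "skipped": skipped}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for name, value in report.items():
        print(name, dict(value) if isinstance(value, Counter) else value)
```

A local address in `outbound_sweepers` is the machine to pull off the network and check for `msblast.exe`; inbound counts only show how much scanning is reaching the firewall.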


  • Closed Accounts Posts: 15,552 ✭✭✭✭GuanYin


    Its a piece of genius.

    Its as close to a biological parasite in terms of spread as can be achieved in the wild.

    That said, it seems its been poorly coded and that with several modifications could have been a whole lot worse.


  • Registered Users, Registered Users 2 Posts: 4,509 ✭✭✭Gerry


    Originally posted by Carnate

    I would love to know what companies are using Pentium 1 pc's. ROFL.. Also as to your comment that you need a high end spec Machine to run a "good AntiVirus program" is utter ****e!

    Simple Advice, If yah dont Know Dont type!

    Might want to take some of your own advice there. Plenty of smaller companies would use p1's, I've seen plenty of stock control systems running on 486's and p1's. If it works...
    A 486 33 with 16mb ram runs the firewall for our networking society in college, mind you it's not running windows. Still though, windows 95/98 is happy enough with 32 - 64mb ram, you can run nt4 if you want also. Main thing on old p1 machines is the really slow hard drives, if you replace it with a newer, faster model you get a good speed boost.


  • Registered Users, Registered Users 2 Posts: 379 ✭✭Carnate


    Originally posted by Gerry
    Might want to take some of your own advice there. Plenty of smaller companies would use p1's, I've seen plenty of stock control systems running on 486's and p1's. If it works...
    A 486 33 with 16mb ram runs the firewall for our networking society in college, mind you it's not running windows. Still though, windows 95/98 is happy enough with 32 - 64mb ram, you can run nt4 if you want also. Main thing on old p1 machines is the really slow hard drives, if you replace it with a newer, faster model you get a good speed boost.

    Sry Gerry but ever seen a stock control pc with a virus? and a 486 firewall get infected?

    and also this worm only infects Win me and NT based Operating systems. :P

    Also i fail to see what a new hard drive has to do with the MBlast.exe worm.

    :)


  • Registered Users, Registered Users 2 Posts: 20,553 ✭✭✭✭Dempsey


    Originally posted by Kevok
    Is this the first worm/virus that could propagate itself across the internet without the use of an SMTP engine? If so, does that not leave microsoft in massive trouble for allowing such a massive security flaw go unannounced. A fix was made available yes, but that's about it, no press release, no media bulletins. It was just a matter of time.

    I heard about the flaw on 2fm about a month ago. I got that patch on the 25th of JULY. The virus was discovered on the 11th of August. Microsoft gave it "Maximum Severity Rating: Critical". Dunno about press releases but there were media bulletins (only heard it on radio though, haven't read any newspapers in two months). But it was put strongly by Gareth O'Callaghan that there was a severe flaw in the Microsoft operating systems (be it only 2000 and XP).
    Also i fail to see what a new hard drive has to do with the MBlast.exe worm.

    It doesn't have anything to do with it. He was just pointing out that a P1 system still has a bit of speed in it for some applications and a newer hard disk would give a better system performance.


  • Registered Users, Registered Users 2 Posts: 166,012 ✭✭✭✭LegacyUser


    Originally posted by Carnate
    Sry Gerry but ever seen a stock control pc with a virus? and a 486 firewall get infected?

    and also this worm only infects Win me and NT based Operating systems. :P

    Also i fail to see what a new hard drive has to do with the MBlast.exe worm.

    :)

    "this Worm" what about all the rest, think you were originally rolling around the floor laughing about how no companies use p1 systems, they do, end of story, ignorance is bliss


  • Registered Users, Registered Users 2 Posts: 379 ✭✭Carnate


    Dude try and keep up with your posts pls..

    And ure right u being ignorant is blissful to me!

    :)


  • Registered Users, Registered Users 2 Posts: 9,579 ✭✭✭Webmonkey


    Originally posted by bazH
    Hmm not so, worms and other virii have certain Characteristics that alert up to date AV software.

    Just turn heuristics on!

    I know this but viruses will always have the step ahead, they can come up with new Characteristics to make them unknown to the AV software


  • Registered Users, Registered Users 2 Posts: 379 ✭✭Carnate


    A reminder the "Worm" only infects NT based OS's, and i know that a pent 1 no matter how powerful , wont run a NT based OS.

    Correct me if im wrong..

    This does not include u Bananay!

    As i have known Gerry a long time, i respect his views!

