New computer worm found !

[beatz]

Hi,

apparently since 2 days there is a new worm circulating which basically causes your computer to shut down a few minutes after you have connected to the internet by manipulating the RPC.

More info on the worm here:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Removal tool that kills the sucker can be found here:

http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Note: Read the instructions for the tool *very* carefully, especially the part about temporarily switching off the System restore option, otherwise the tool wont work.

After having removed the worm you should immediately install the Micrsosoft security patch to avoid especially that worm:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

Make sure you download the correct version for your specific system/OS.

I'm really not a friend of MS updates but in this case i downloaded it immediately as this worm caused to shut down my system every other 4 minutes since 2 days.

After you have done everything as mentioned, check if this registry entry is still there (it shouldn't) :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe

If it's still there, just manually delete it.

Btw, as you can see the sucker is called "msblast.exe" which hides in WINDOWS\system32; but i really recommend to only manually delete it in case the above instructions and the removal tool should for some reason not have worked.


Now everything should be fine again

 

[Sharpy]

Thanks

 

[Steen]

How od i get worms?

 

[Prosperous]

by eating too much.... half-cooked chicken! :laugh:

 

[GT Web]

:-D

I thought about relating that post to chicken as well

 

[.biz]

Just got a phone call from a friend today about her computer shutting down every few minutes and I suspected that it's virus.

Thanks for the info, just in time.

 

[Keith]

Direct link to Microsoft patches:

NT: http://download.microsoft.com/download/6/5/1/651c3333-4892-431f-ae93-bf8718d29e1a/Q823980i.EXE

2000: http://download.microsoft.com/downl...b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe

XP: http://download.microsoft.com/downl...e-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe

Server 2003: http://download.microsoft.com/downl...9390b9/WindowsServer2003-KB823980-x86-ENU.exe

 

[beatz]

The patches alone won't kill the worm.
You have to use the mentioned tool or at least delete the files manually in addition to the MS patch.

 

[mikess]

I guess this patch is not needed for windows 98 right?

 

[.com.net.org]

easy steps.

1. terminate running msblast.exe process.
2. Go to Windows/system32 or winnt/system32 and find msblast.exe, delete it. Empty your recycle bin too.

 

[dotNetKing]

Ouch! It got me. Back up and running after almost two days with my computer expert trying to work out what the problem was.

In the easy steps above, don't forget that it is also necessary to apply the Microsoft patch, other wise, I assume, your computer can easily be infected again.

 

[.com.net.org]

better quick if you guys still need to access windowsupdate.microsoft.com.

The worm will DDOS that site on 15 Aug.

 

[beatz]

It's NOT enough to delete the msblast.exe
You also have to delete the above mentioned registry entry as well as a third file that i believe ends in .pf or something like that.
That's why the best to do is to use that removal tool plus the patch of course.

And yes, a DOS attack on the update server is expected for the 15./16.

 

[Steen]

Someone is going to hack Microsoft?


What do i do?

Why do people hack?

This is dumb.

I dont understand :-(


******Consused********

 

[.com.net.org]

I just got a news that microsoft sites are infected. (don't confirm it)

Therefore it's not wise to download patch from the server if the news is true.