
**** WARNING: Blaster worm ****

Old 12 August 2003, 11:10 PM
  #31  
SiDHEaD
Scooby Regular
Thread Starter
 

Have a read of that Word doc I put up earlier. It has how to stop the PC restarting, so you can get the patch on and remove using Symantec's removal tool!

Andy
Old 13 August 2003, 09:11 AM
  #32  
ianmiller999
Scooby Regular
 

It must be getting quite a serious problem now because even blueyonder sent me an email telling me to get this patch and do this etc etc.
Old 13 August 2003, 09:43 AM
  #33  
PG
Scooby Regular
 

thanks for the help Andy

Paul
Old 13 August 2003, 12:47 PM
  #34  
JackClark
Scooby Senior
 

Here are some good instructions on how to keep your PC online.

From Freeserve.com

To prevent your PC rebooting as soon as you connect to the Internet please follow these simple instructions. This will let you connect successfully to download the appropriate Microsoft security updates and update your existing antivirus software.

Before you go online:

1. Click on Start
2. Click Run then type: services.msc
3. When the Services window opens up, scroll down the list to the first Remote Procedure Call (RPC)
4. Right-click on this and select Properties
5. Click on the Recovery tab
6. You will see the drop-down menus labelled First failure, Second failure and Subsequent failures. These will be set to 'Restart' as default.
7. Change each drop-down menu to 'Take No Action' then click Apply and OK.
8. Close the Services window
9. Now connect to the Internet to download the relevant security patch for your version of Windows

[Edited by JackClark - 8/13/2003 12:48:32 PM]
Old 13 August 2003, 12:49 PM
  #35  
Nimbus
Scooby Regular
 

Had this on our network yesterday...

Symptoms I saw were...

1. svchost.exe caused errors and was closed
2. copy/paste function did not work
3. could not open the search option in win2k start menu


sorted now, but still a few devices out on our network that need cleaning.
Old 13 August 2003, 01:08 PM
  #36  
unclebuck
Scooby Regular
 

Getting quite serious now

As an experiment security firm F-Secure put an unprotected PC on the net to see how quickly it would be infected.

Early on Tuesday it took about five minutes 30 seconds before the machine was found and infected. But by 3pm the same PC was being found and infected in 27 seconds.

According to statistics from Symantec the US and UK have the highest number of infected PCs.


Be careful out there. If your machine is not yet protected, get it sorted quick

UB
Old 13 August 2003, 01:16 PM
  #37  
Nimbus
Scooby Regular
 

We've identified the source (or maybe one possible) on our net. Actually, I found it with the help of a Personal Firewall when it reported the following (removed the full IP to protect the guilty )...


File Version : 5.00.2134.1
File Description : Generic Host Process for Win32 Services
File Path : C:\WINNT\SYSTEM32\SVCHOST.EXE
Process ID : 178 (Heximal) 376 (Decimal)

Connection origin : remote initiated
Protocol : TCP
Local Address : 192.***.***.***
Local Port : 135 (EPMAP - Location service - Dynamically assign ports for RPC)
Remote Name :
Remote Address : 192.***.***.***
Remote Port : 1785

Ethernet packet details:
Ethernet II (Packet Length: 62)
Destination: ***
Source: ***
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 124
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0x48e7 (Correct)
Source: 192.***.***.***
Destination: 192.***.***.***
Transmission Control Protocol (TCP)
Source port: 1785
Destination port: 135
Sequence number: 965599004
Acknowledgment number: 0
Header length: 28
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0x59 (Correct)
Data (0 Bytes)

Binary dump of the packet:
0000: 00 10 A4 E1 F7 3E 00 D0 : 58 BF 4E 20 08 00 45 00 | .....>..X.N ..E.
0010: 00 30 4D 8A 40 00 7C 06 : E7 48 C0 A8 9B 62 C0 A8 | .0M.@.|..H...b..
0020: AD 41 06 F9 00 87 39 8D : DF 1C 00 00 00 00 70 02 | .A....9.......p.
0030: 40 00 59 00 00 00 02 04 : 05 B4 01 01 04 02 | @.Y...........


[Edited by Nimbus - 8/13/2003 1:22:08 PM]
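
As an added example (not part of Nimbus's post), this Python sketch decodes the binary dump in the report above and checks it for the pattern the firewall flagged: a remote-initiated TCP SYN to port 135. The function names are illustrative, and the decoder assumes an Ethernet II frame carrying IPv4 and TCP, as in the report.

```python
import struct

# Hex dump exactly as posted in the firewall report above.
DUMP = """\
0000: 00 10 A4 E1 F7 3E 00 D0 : 58 BF 4E 20 08 00 45 00 | .....>..X.N ..E.
0010: 00 30 4D 8A 40 00 7C 06 : E7 48 C0 A8 9B 62 C0 A8 | .0M.@.|..H...b..
0020: AD 41 06 F9 00 87 39 8D : DF 1C 00 00 00 00 70 02 | .A....9.......p.
0030: 40 00 59 00 00 00 02 04 : 05 B4 01 01 04 02 | @.Y...........
"""
RPC_EPMAP = 135          # TCP port named in the report
SYN, ACK = 0x02, 0x10    # TCP flag bits


def dump_to_bytes(text):
    """Drop the offset column and ASCII gutter; return the raw frame bytes."""
    frame = bytearray()
    for line in text.splitlines():
        if ":" not in line:
            continue
        body = line.split(":", 1)[1]   # remove the "0000:" offset
        body = body.split("|", 1)[0]   # remove the ASCII gutter (it may contain '|')
        frame += bytes.fromhex(body.replace(":", " "))
    return bytes(frame)


def decode(frame):
    """Decode the Ethernet II, IPv4 and TCP headers of one frame."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not an IPv4-over-Ethernet frame")
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    tcp = 14 + ihl                          # offset of the TCP header
    if frame[23] != 6 or len(frame) < tcp + 20:
        raise ValueError("not a complete TCP segment")
    sport, dport, seq, _ack, off_flags = struct.unpack_from("!HHIIH", frame, tcp)
    return {
        "length": len(frame),
        "ttl": frame[22],
        "dont_fragment": bool(frame[20] & 0x40),
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "tcp_header_len": (off_flags >> 12) * 4,
        "flags": off_flags & 0x3F,
    }


def is_inbound_rpc_syn(pkt):
    """True for a bare SYN (new connection attempt) aimed at TCP 135."""
    return pkt["dst_port"] == RPC_EPMAP and (pkt["flags"] & (SYN | ACK)) == SYN
```

Calling `decode(dump_to_bytes(DUMP))` reproduces the fields the firewall printed (packet length 62, TTL 124, source port 1785, destination port 135, SYN only), and `is_inbound_rpc_syn` returns True for it.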
Old 13 August 2003, 01:16 PM
  #38  
Miles
Scooby Regular
 

So in comparison to other bugs how big a threat is this, love bug scale-more less?
This isn't a destructive worm, thankfully, however it will lead to loss of service on compromised systems. However, the vulnerability within the OS that it exploits could be used to spread a worm that could be destructive and then that would be when things get nasty.

Is there a patch for Windows 98
Win9x systems do not have this vulnerability and hence are not at risk from this worm. Which is good news.

Edit for formatting

[Edited by Miles - 8/13/2003 1:19:23 PM]
Old 13 August 2003, 01:36 PM
  #39  
Hos
Scooby Regular

AH! This has been driving me nuts for 3 days now and I didn't know what it was.

Just updated my virus definitions and the blaster worm is showing up now.

Thanks for the info Andy on how to remove it. A lot of help!
Old 13 August 2003, 01:43 PM
  #40  
ianmiller999
Scooby Regular
 

This isn't a destructive worm
I thought the worm was trying to get all the infected PCs to attack the Microsoft automatic update page on August 16th
Old 13 August 2003, 01:44 PM
  #41  
Badger Stuffer
Scooby Regular
 

I had this ****** on all our machines this morning.

All sorted now but took us all down for a while.

*******.

Old 13 August 2003, 02:20 PM
  #42  
supertouring
Scooby Regular
 

Been having problems on my laptop (then my PC) over the last couple of days. Thanks to this thread I was able to spot that I had the same symptoms so cleaned it out and applied the W2K patch.
Good old scoobynetters!
Old 13 August 2003, 02:39 PM
  #43  
gregh
Scooby Regular
 

If my XP computer is up to date using Windows Update do I also need to run this MS download mentioned in this thread?

regards,

greg
Old 13 August 2003, 02:42 PM
  #44  
Stueyb
Scooby Regular
 

Just to let you know that some other symptoms I have encountered with users and this worm.

OLE errors, not being able to open documents via OLE from email. Also the control panel in Win2k going funny.
Old 13 August 2003, 02:48 PM
  #45  
PG
Scooby Regular
 

As I said earlier, my mate seems to have this however when going to step 2 :

Step 2 - Remove the Worm application
Load up task manager by right-clicking on a clear section of the start bar.
Click on the processes tab.
Select the process named “msblast.exe”. Click on the “End Process” button. Say yes to confirmation.
Goto Start - Search (find files on Win 2000) and select all files / folders. Put in “msblast.exe” and click search. When the search is complete. Select any “msblast.exe” files and right-click -> delete.

it is nowhere to be seen on the processes window ????
I have also searched for file / folder and nothing showed up ??
little help please.
Old 13 August 2003, 03:49 PM
  #46  
Chris L
Scooby Regular
 

Greg, if you are using the Automatic Windows update feature, then you should be OK as this patch was first posted by Microsoft on 17 July. So assuming it has run since then, then you will have the patch. If you are unsure, go to the Windows Update page and check for recent updates.

Chris
Old 13 August 2003, 04:59 PM
  #47  
JackClark
Scooby Senior
 

PG, download and run this rather than do things manually.
Old 13 August 2003, 10:21 PM
  #48  
unclebuck
Scooby Regular
 

Jeez... so I installed the patch last night and I have a firewall so was assured that it couldn't get through.

But - tonight I start my machine and it can't access the net. I reboot and guess what - firewall reports that MSBlast.exe is trying to access the internet

Anyway, the FixBlast.exe eventually tracked down the ****** hiding on my E drive. Everything seems normal again now.

There must be loads of peeps out there with this virus, wondering why their machines are 'not working right'.

Thanks once again for the advice on this thread.

UB
Old 15 August 2003, 09:20 AM
  #49  
ianmiller999
Scooby Regular
 

I think there is a lot of money to be made out of this virus, imagine the amount of inexperienced home users calling out technicians and the £1 a minute phone lines.
Old 15 August 2003, 01:34 PM
  #50  
Velrybas chick
Scooby Regular
 

I've read on the Microsoft web page that users of Win98 shouldn't be affected.

Is this true?

Yes I know, I do have Win 98............

Kate
Old 15 August 2003, 03:12 PM
  #51  
SiDHEaD
Scooby Regular
Thread Starter
 

Yes, Windows 98 is fine (as far as this worm goes anyway)

Andy
Old 15 August 2003, 07:45 PM
  #52  
J4CKO
Scooby Regular

Wife rang me during the day so having spoken to somebody about it ten mins before knew what the problem was, downloaded the necessary and took it home on a floppy, half an hour to scan using the Virus killer and 2 mins to install the Windows patch, phew, a lot easier than detecting that bloody Klez thing!
Old 15 August 2003, 09:46 PM
  #53  
Dazza01
Scooby Regular
 

Got the fecking thing Monday night, started my PC up then after about a minute kept coming up "system shutdown in 60 seconds"
got a "fix" from local dealer who revamped my PC a few months back.
But glad to say we're back up and running again....



[Edited by Dazza01 - 8/15/2003 9:50:05 PM]
Old 16 August 2003, 05:13 PM
  #54  
Leslie
Scooby Regular
 

Thanks for taking the trouble to warn us Andy.

Les
Old 17 August 2003, 06:36 PM
  #55  
PG
Scooby Regular
 

Another prob with this fookin virus !!!

There is a disk handed out in PC World ATM and they also hand across a sheet of paper detailing the removal procedure.

The disk contains the Symantec removal tool & patch. Is this enough just to run the disk and bob's yer uncle or do I need to **** about with disabling all other sorts of stuff?



HELP..............again
Old 17 August 2003, 08:12 PM
  #56  
unclebuck
Scooby Regular
 

If you've got msblast.exe on your machine it will find it and remove it. It will also remove an entry in the Registry and create a small text file 'log' to report what it has done.

Probs still a good move to run the Windows patch even though.

UB
Old 17 August 2003, 11:23 PM
  #57  
PG
Scooby Regular
 

Thank you UB
Old 17 August 2003, 11:34 PM
  #58  
Dazza01
Scooby Regular
 

Hello all,
re earlier thread.
The fix I got sorted out my PC, m/blast thingy found it and got rid then the Windows thingy sorted the hole from where it came and blocked it.
Sorry I'm not a PC wizard but I'm back up and running......
Old 18 August 2003, 11:59 AM
  #59  
Boro
Scooby Regular

It could have been a whole lot worse

Extract from www.grc.com

We can only speculate what was in the mind of the worm's author(s). But if the 200,000 instances of this worm had chosen to target "windowsupdate.microsoft.com" or even "microsoft.com" with an unthrottled Raw Socket SYN flood, a very different scenario would be playing out today and tomorrow: Microsoft.com would be gone.

But the worm's originator(s) appear to have been more interested in making a point, than in taking Microsoft.com permanently off the Internet — which they could have easily done.
Old 18 August 2003, 12:16 PM
  #60  
PiNkEyE69
Scooby Regular
 

there is a disk handed out in PC world ATM and they also hand across a sheet of paper detailing the removal procedure.
Really???
Is this all PC Worlds? As I have a few friends with the virus and can't remove it because any internet access shuts the PC down.

