**** WARNING: Blaster worm ****
#31
Scooby Regular
Thread Starter
Have a read of that Word doc I put up earlier. It shows how to stop the PC restarting, so you can get the patch on and remove it using Symantec's removal tool!
Andy
#34
Scooby Senior
Here are some good instructions on how to keep your PC online.
From Freeserve.com
To prevent your PC rebooting as soon as you connect to the Internet please follow these simple instructions. This will let you connect successfully to download the appropriate Microsoft security updates and update your existing antivirus software.
Before you go online:
1. Click on Start.
2. Click Run, then type: services.msc
3. When the Services window opens up, scroll down the list to the first Remote Procedure Call (RPC).
4. Right-click on this and select Properties.
5. Click on the Recovery tab.
6. You will see the drop-down menus labelled First failure, Second failure and Subsequent failures. These will be set to 'Restart' by default.
7. Change each drop-down menu to 'Take No Action', then click Apply and OK.
8. Close the Services window.
9. Now connect to the Internet to download the relevant security patch for your version of Windows.
[Edited by JackClark - 8/13/2003 12:48:32 PM]
#35
Had this on our network yesterday...
Symptoms I saw were...
1. svchost.exe caused errors and was closed
2. copy/paste function did not work
3. could not open the search option in the Win2k start menu
sorted now, but still a few devices out on our network that need cleaning.
#36
Scooby Regular
Getting quite serious now.
As an experiment security firm F-Secure put an unprotected PC on the net to see how quickly it would be infected.
Early on Tuesday it took about five minutes 30 seconds before the machine was found and infected. But by 3pm the same PC was being found and infected in 27 seconds.
According to statistics from Symantec the US and UK have the highest number of infected PCs.
Be careful out there. If your machine is not yet protected, get it sorted quick!
UB
#37
We've identified the source (or maybe one possible) on our net. Actually, I found it with the help of a Personal Firewall when it reported the following (removed the full IP to protect the guilty)...

```
File Version : 5.00.2134.1
File Description : Generic Host Process for Win32 Services
File Path : C:\WINNT\SYSTEM32\SVCHOST.EXE
Process ID : 178 (Heximal) 376 (Decimal)
Connection origin : remote initiated
Protocol : TCP
Local Address : 192.***.***.***
Local Port : 135 (EPMAP - Location service - Dynamically assign ports for RPC)
Remote Name :
Remote Address : 192.***.***.***
Remote Port : 1785
Ethernet packet details:
Ethernet II (Packet Length: 62)
Destination: ***
Source: ***
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 124
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0x48e7 (Correct)
Source: 192.***.***.***
Destination: 192.***.***.***
Transmission Control Protocol (TCP)
Source port: 1785
Destination port: 135
Sequence number: 965599004
Acknowledgment number: 0
Header length: 28
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0x59 (Correct)
Data (0 Bytes)
Binary dump of the packet:
0000: 00 10 A4 E1 F7 3E 00 D0 : 58 BF 4E 20 08 00 45 00 | .....>..X.N ..E.
0010: 00 30 4D 8A 40 00 7C 06 : E7 48 C0 A8 9B 62 C0 A8 | .0M.@.|..H...b..
0020: AD 41 06 F9 00 87 39 8D : DF 1C 00 00 00 00 70 02 | .A....9.......p.
0030: 40 00 59 00 00 00 02 04 : 05 B4 01 01 04 02 | @.Y...........
```
[Edited by Nimbus - 8/13/2003 1:22:08 PM]
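As an added example (not from the post above or from any firewall product), the Python below rebuilds the frame from the hex dump Nimbus posted, decodes the Ethernet/IPv4/TCP headers, re-verifies both checksums against the raw bytes, and flags the pattern a defender would be hunting for during this outbreak: an unsolicited SYN to TCP/135. The function names are my own.

```python
import struct

# Hex dump reproduced from the firewall report quoted above (post #37);
# parse_dump() strips the offset, the ':' group separator and the ASCII column.
DUMP = """\
0000: 00 10 A4 E1 F7 3E 00 D0 : 58 BF 4E 20 08 00 45 00 | .....>..X.N ..E.
0010: 00 30 4D 8A 40 00 7C 06 : E7 48 C0 A8 9B 62 C0 A8 | .0M.@.|..H...b..
0020: AD 41 06 F9 00 87 39 8D : DF 1C 00 00 00 00 70 02 | .A....9.......p.
0030: 40 00 59 00 00 00 02 04 : 05 B4 01 01 04 02 | @.Y...........
"""

def parse_dump(text):
    """Rebuild the raw frame from 'offset: xx xx .. : xx xx | ascii' lines."""
    frame = bytearray()
    for line in text.splitlines():
        hexpart = line.split("|")[0].split(":", 1)[1]  # drop offset and ASCII column
        frame += bytes.fromhex(hexpart.replace(":", " "))
    return bytes(frame)

def checksum(data):
    """RFC 1071 one's-complement sum; 0 means the checksum embedded in data is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def analyze_dump(text):
    """Decode Ethernet/IPv4/TCP headers and verify both checksums from the raw bytes."""
    frame = parse_dump(text)
    ip = frame[14:]                       # Ethernet II header is 14 bytes
    ihl = (ip[0] & 0x0F) * 4              # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    # TCP pseudo-header: src addr, dst addr, zero, protocol, TCP segment length
    pseudo = ip[12:20] + struct.pack("!BBH", 0, ip[9], len(tcp))
    return {
        "eth_type": struct.unpack("!H", frame[12:14])[0],
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "ttl": ip[8], "proto": ip[9],
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "tcp_hlen": (tcp[12] >> 4) * 4,
        "syn_only": tcp[13] == 0x02,            # SYN alone: a fresh connection attempt
        # the firewall summary prints the checksum bytes swapped (0x48e7 vs bytes E7 48);
        # verifying against the raw bytes avoids that display quirk
        "ip_csum_ok": checksum(ip[:ihl]) == 0,
        "tcp_csum_ok": checksum(pseudo + tcp) == 0,
    }

def is_rpc_probe(info):
    """Inbound SYN to TCP/135 (RPC endpoint mapper): the traffic the post reports."""
    return (info["eth_type"] == 0x0800 and info["proto"] == 6
            and info["dport"] == 135 and info["syn_only"])
```

Run over a firewall or sniffer export, the same check gives a quick count of which internal hosts are sweeping port 135, which is how the poster traced the source on their LAN.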
#38
Scooby Regular
So in comparison to other bugs, how big a threat is this? Love Bug scale, more or less?
This isn't a destructive worm, thankfully, however it will lead to loss of service on compromised systems. However, the vulnerability within the OS that it exploits could be used to spread a worm that could be destructive and then that would be when things get nasty.
Is there a patch for Windows 98?
Win9x systems do not have this vulnerability and hence are not at risk from this worm. Which is good news.
Edit for formatting.
[Edited by Miles - 8/13/2003 1:19:23 PM]
#39
Scooby Regular
AH! This has been driving me nuts for 3 days now and I didn't know what it was.
Just updated my virus definitions and the Blaster worm is showing up now.
Thanks for the info Andy on how to remove it. A lot of help!
#42
Scooby Regular
Been having problems on my laptop (then my PC) over the last couple of days. Thanks to this thread I was able to spot that I had the same symptoms so cleaned it out and applied the W2K patch.
Good old scoobynetters!
#44
Just to let you know of some other symptoms I have encountered with users and this worm.
OLE errors, not being able to open documents via OLE from email. Also the control panel in Win2k going funny.
#45
Scooby Regular
As I said earlier, my mate seems to have this; however, when going to step 2:
Step 2 - Remove the Worm application
Load up Task Manager by right-clicking on a clear section of the start bar.
Click on the Processes tab.
Select the process named "msblast.exe". Click on the "End Process" button. Say yes to confirmation.
Go to Start - Search (Find Files on Win 2000) and select all files / folders. Put in "msblast.exe" and click Search. When the search is complete, select any "msblast.exe" files and right-click -> Delete.
it is nowhere to be seen in the Processes window ????
I have also searched for file / folder and nothing showed up ??
Little help please.
#46
Scooby Regular
Greg, if you are using the Automatic Windows Update feature, then you should be OK, as this patch was first posted by Microsoft on 17 July. So assuming it has run since then, you will have the patch. If you are unsure, go to the Windows Update page and check for recent updates.
Chris
#48
Scooby Regular
Jeez... so I installed the patch last night and I have a firewall so was assured that it couldn't get through.
But - tonight I start my machine and it can't access the net. I reboot and guess what - firewall reports that MSBlast.exe is trying to access the internet.
Anyway, the FixBlast.exe eventually tracked down the ****** hiding on my E drive
Everything seems normal again now.
There must be loads of peeps out there with this virus, wondering why their machines are 'not working right'.
Thanks once again for the advice on this thread.
UB
#52
Wife rang me during the day, so having spoken to somebody about it ten mins before I knew what the problem was; downloaded the necessary and took it home on a floppy, half an hour to scan using the virus killer and 2 mins to install the Windows patch. Phew, a lot easier than detecting that bloody Klez thing!
#53
Scooby Regular
Got the fecking thing Monday night; started my PC up, then after about a minute it kept coming up "system shutdown in 60 seconds".
Got a "fix" from the local dealer who revamped my PC a few months back.
But glad to say we're back up and running again....
[Edited by Dazza01 - 8/15/2003 9:50:05 PM]
#55
Scooby Regular
Another prob with this fookin virus !!!
There is a disk handed out in PC World ATM and they also hand across a sheet of paper detailing the removal procedure.
The disk contains the Symantec removal tool & patch. Is this enough, just to run the disk and Bob's yer uncle, or do I need to **** about with disabling all other sorts of stuff?
HELP..............again
#56
Scooby Regular
If you've got msblast.exe on your machine it will find it and remove it. It will also remove an entry in the Registry and create a small text file 'log' to report what it has done.
Probably still a good move to run the Windows patch even so.
UB
#58
Scooby Regular
Hello all,
Re earlier thread.
The fix I got sorted out my PC; the m/blast thingy found it and got rid of it, then the Windows thingy sorted the hole where it came from and blocked it.
Sorry I'm not a PC wizard but I'm back up and running......
#59
Scooby Regular
It could have been a whole lot worse.
Extract from www.grc.com
We can only speculate what was in the mind of the worm's author(s). But if the 200,000 instances of this worm had chosen to target "windowsupdate.microsoft.com" or even "microsoft.com" with an unthrottled Raw Socket SYN flood, a very different scenario would be playing out today and tomorrow: Microsoft.com would be gone.
But the worm's originator(s) appear to have been more interested in making a point, than in taking Microsoft.com permanently off the Internet — which they could have easily done.
#60
there is a disk handed out in PC world ATM and they also hand across a sheet of paper detailing the removal procedure.
Is this all PC Worlds? As I have a few friends with the virus and they can't remove it, because any internet access shuts the PC down.