Blaster Virus


Torres
13th Aug 2003, 09:07
The new internet "Blaster" virus has hit hard in the last 24 hours or so. Details are available at antivirus sites and the Microsoft site.

If your computer has been affected, it will continually restart and you will be unable to access the Microsoft update site.

The virus is relatively easy to get rid of, but if you do not have firewall protection, chances are you will be reinfected within minutes.

For those running Windows XP it is simple to check whether you are infected. Go to "Task Manager" (Control, Alt, Delete), then "Processes" and see if a program named "MSBlast.exe" is running. If it is, you are infected.

It's probably simple for you to get local advice on removal; however, if you can't get local advice, email or message me and I'll send you my contact details.

Incidentally, I can assist with Win XP, not sure how to proceed with other versions of Windows.

Desert Flower
13th Aug 2003, 10:24
I believe this virus only affects computers running Windows XP (VERY susceptible) & Windows 2000 (slows system down). I am still in the dark ages, running Windows 98 - do you know if it affects that as well?

Ang737
13th Aug 2003, 11:24
This is an official word from the guys at Nortons Antivirus. Looks like Win 98 is safe for now....

W32.Blaster.Worm
Discovered on: August 11, 2003
Last Updated on: August 13, 2003 10:36:50 AM


Based on the number of submissions received from customers and based on information from Symantec's DeepSight Threat Management System, Symantec Security Response has upgraded this threat to a Category 4 from a Category 3 threat.

W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and execute it.

Block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the applications listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

The worm also attempts to perform a Denial of Service (DoS) on Windows Update. This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.

NOTE: This threat will be detected by virus definitions having:
Defs Version: 50811s
Sequence Number: 24254
Extended Version: 8/11/2003, rev. 19

Symantec Security Response has developed a removal tool to clean infections of W32.Blaster.Worm.

Also Known As: W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure], WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]

Type: Worm
Infection Length: 6,176 bytes

Systems Affected: Windows 2000, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 95, Windows 98, Windows Me
CVE References: CAN-2003-0352


Ang



;)
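
The three ports named in the advisory above (TCP 135, TCP 4444, UDP 69) can be correlated in firewall logs to spot hosts that were probably infected. This is an added example, not part of the original thread or of Symantec's advisory: the log format, addresses and function names are constructed, and it assumes the TFTP transfer runs from the targeted host back to the machine that contacted it on ports 135 and 4444.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the original thread).
SAMPLE_LOG = """\
2003-08-13T09:01:02 TCP 192.0.2.10:1043 -> 192.0.2.20:135
2003-08-13T09:01:03 TCP 192.0.2.10:1044 -> 192.0.2.20:4444
2003-08-13T09:01:04 UDP 192.0.2.20:1050 -> 192.0.2.10:69
2003-08-13T09:01:05 TCP 192.0.2.10:1045 -> 192.0.2.21:135
2003-08-13T09:02:00 TCP 192.0.2.30:1100 -> 192.0.2.40:135
2003-08-13T09:02:10 UDP 192.0.2.50:1200 -> 192.0.2.60:69
garbage line that should be ignored
"""

LINE = re.compile(r"^(\S+) (TCP|UDP) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

def parse(log_text):
    """Yield (proto, src_ip, dst_ip, dst_port) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            _, proto, src, _sport, dst, dport = m.groups()
            yield proto, src, dst, int(dport)

def blaster_suspects(log_text):
    """Return {target_ip: source_ip} where all three stages appear in order."""
    stage = defaultdict(int)  # (source, target) -> highest stage reached
    suspects = {}
    for proto, src, dst, dport in parse(log_text):
        if proto == "TCP" and dport == 135:
            stage[(src, dst)] = max(stage[(src, dst)], 1)
        elif proto == "TCP" and dport == 4444 and stage[(src, dst)] >= 1:
            stage[(src, dst)] = 2
        elif proto == "UDP" and dport == 69 and stage[(dst, src)] >= 2:
            # Assumption: TFTP goes from the target back to the source.
            suspects[src] = dst
    return suspects

def rpc_fanout(log_text):
    """Count distinct TCP/135 destinations per source (a scanning indicator)."""
    targets = defaultdict(set)
    for proto, src, dst, dport in parse(log_text):
        if proto == "TCP" and dport == 135:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}

if __name__ == "__main__":
    print(blaster_suspects(SAMPLE_LOG))
    print(rpc_fanout(SAMPLE_LOG))
```

A lone TCP 135 or UDP 69 connection is not flagged; only the full 135, 4444, 69 sequence between the same two hosts marks the target as a suspect.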