RPC/Blast worm virus

Old 18th Aug 2003, 06:41
  #21 (permalink)  
 
Join Date: Jul 2000
Location: Earth (just)
Posts: 722
Likes: 0
Received 0 Likes on 0 Posts
ahh.... thanx guys - don't feel so lonely now!
Wing Commander Fowler is offline  
Old 18th Aug 2003, 22:46
  #22 (permalink)  
 
Join Date: Aug 2003
Location: UK
Posts: 35
Likes: 0
Received 0 Likes on 0 Posts
the answer.....

will windows users never learn?

buy a macintosh

no system freezes, no crashes, no viruses
type1 is offline  
Old 19th Aug 2003, 01:42
  #23 (permalink)  

Plastic PPRuNer
 
Join Date: Sep 2000
Location: Cape Town
Posts: 1,898
Received 0 Likes on 0 Posts
will windows users never learn?

switch to a proper O/S

no system freezes, no crashes, no viruses

[Registered Linux User #302442]
Mac the Knife is offline  
Old 19th Aug 2003, 01:52
  #24 (permalink)  
Ecce Homo! Loquitur...
 
Join Date: Jul 2000
Location: Peripatetic
Posts: 17,427
Received 1,594 Likes on 731 Posts
Geez! Haven't you guys ever heard of the fun of living dangerously?
ORAC is offline  
Old 19th Aug 2003, 22:41
  #25 (permalink)  
The Oracle
 
Join Date: Aug 2001
Location: Naples, Florida U.S.A.
Posts: 2,902
Likes: 0
Received 0 Likes on 0 Posts
It did not take long:

There is a new variant of the Worm that is destructive.

The new variant also copies the file TFTPD.EXE to the %System%\Wins folder as SVCHOST.EXE and then creates a service for it with the display name "Network Connections Sharing".

TFTPD.EXE or SVCHOST.EXE is a TFTP (Trivial File Transfer Protocol) server that is used by this worm to set the affected system as a download site for its copy. This worm is then able to propagate by instructing remote systems into downloading it using TFTP.


Looks like this one will be around for a long while,

Richard
Naples Air Center, Inc. is offline  
Old 27th Aug 2003, 02:36
  #26 (permalink)  
 
Join Date: May 2002
Location: West Sussex, UK
Posts: 220
Likes: 0
Received 0 Likes on 0 Posts
That might explain a lot...
SVCHOST.EXE



I enclose an image of my task manager... seems to be more than one SVCHOST.EXE running, one of them pretty phat too? I got rid of the blaster, using Sophos with all the up-to-date definitions... yet my computer continually crashes out, cannot use flight sim, paint shop pro, etc. as they will not load up or crash when loading... EXCEPT... on my mum's login... and that's pretty unstable too!

Is this a knackered hard drive or likely to be the worm?

Thanks,
ETOPS773
ETOPS773 is offline  
Old 27th Aug 2003, 03:31
  #27 (permalink)  
The Oracle
 
Join Date: Aug 2001
Location: Naples, Florida U.S.A.
Posts: 2,902
Likes: 0
Received 0 Likes on 0 Posts
ETOPS773,

I cannot access the page you linked so I cannot see your Task Manager. It is normal to have two svchost.exe's. You will see one for Local Service and the second for Network Service.

If you can link your picture again, I will give it another shot at opening it.

Which Operating System are you running and do you know the specs on your hardware? (It would help if you could list it.)

Take Care,

Richard
Naples Air Center, Inc. is offline  
Old 27th Aug 2003, 04:01
  #28 (permalink)  
 
Join Date: May 2002
Location: West Sussex, UK
Posts: 220
Likes: 0
Received 0 Likes on 0 Posts
hmm..try

http://uk.f1.pg.briefcase.yahoo.com/...?.dir=/Friends

then go to the only pic there... should work

K, using Windows XP Home (all updated etc), 2.4 GHz P4, 60GB HDD, 512MB RAM, 512KPS ADSL connection.

What alarmed me is that I had 4 SVCHOST.EXEs running... 2 listed as system, 1 under network service, and 1 under local service. With only me logged on...

Cheers.
ETOPS773 is offline  
Old 27th Aug 2003, 05:07
  #29 (permalink)  
The Oracle
 
Join Date: Aug 2001
Location: Naples, Florida U.S.A.
Posts: 2,902
Likes: 0
Received 0 Likes on 0 Posts
ETOPS773,

Here are a couple of things you can check for:

Known variants create the following entries under the described registry key:

"windows auto update" = MSBLAST.EXE (variant A)

"windows auto update" = PENIS32.EXE (variant B)

"Microsoft Inet xp.." = TEEKIDS.EXE (variant C)

In C:\Windows\System32, known variants use the following file names for their copy:

MSBLAST.EXE (variant A)
PENIS32.EXE (variant B)
TEEKIDS.EXE (variant C)

Take Care,

Richard
Naples Air Center, Inc. is offline  
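
The indicators from posts #25 and #29 can be checked together in one pass over a host inventory. The following is an added example, not part of any post in this thread: `audit_host` and the sample inventories are hypothetical and constructed, and `autorun` stands for the values exported from the registry key post #29 refers to, which the page does not name.

```python
import ntpath

# Indicators quoted in posts #25 and #29 of this thread.
WORM_FILES = {"msblast.exe": "A", "penis32.exe": "B", "teekids.exe": "C"}
ROGUE_SERVICE = "network connections sharing"


def _norm(path):
    """Case-insensitive, backslash-normalised Windows path."""
    return ntpath.normcase(ntpath.normpath(path))


def audit_host(system_dir, process_paths, service_names, autorun, system_files):
    """Return a sorted list of (indicator, detail) findings for one host."""
    findings = set()
    sysdir = _norm(system_dir)
    for path in process_paths:
        folder, image = ntpath.split(_norm(path))
        # Several svchost.exe instances are normal; one outside %System% is not.
        if image == "svchost.exe" and folder != sysdir:
            findings.add(("svchost-wrong-folder", _norm(path)))
        if image in WORM_FILES:
            findings.add(("worm-process", image))
    for name in service_names:
        if name.strip().lower() == ROGUE_SERVICE:
            findings.add(("rogue-service", name.strip()))
    # Match on the value data: one value name in the post is cut short.
    for value_name, data in autorun.items():
        image = ntpath.basename(_norm(data.strip('"')))
        if image in WORM_FILES:
            findings.add(("autorun-variant-" + WORM_FILES[image], value_name))
    for name in system_files:
        if name.lower() in WORM_FILES:
            findings.add(("file-variant-" + WORM_FILES[name.lower()], name))
    return sorted(findings)


# Constructed sample inventories (not taken from any real machine).
SYSTEM_DIR = r"C:\WINDOWS\System32"
CLEAN = dict(
    process_paths=[r"C:\WINDOWS\System32\svchost.exe"] * 4,
    service_names=["Network Connections"],
    autorun={},
    system_files=["svchost.exe", "tftp.exe"],
)
INFECTED = dict(
    process_paths=CLEAN["process_paths"] + [r"c:\windows\system32\Wins\SVCHOST.EXE"],
    service_names=["Network Connections Sharing"],
    autorun={"windows auto update": "MSBLAST.EXE"},
    system_files=["svchost.exe", "MSBLAST.EXE"],
)

if __name__ == "__main__":
    for label, host in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, audit_host(SYSTEM_DIR, **host))
```

The check keys on the image path rather than the process count, so four legitimate svchost.exe instances in the system folder produce no finding.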
Old 29th Aug 2003, 23:14
  #30 (permalink)  
 
Join Date: May 2000
Location: South East
Posts: 184
Likes: 0
Received 0 Likes on 0 Posts
Hi Naples, I was infected with the new variant (nachi), within about 60 secs of logging on the internet with a new computer (it has somewhat soured the experience) anyway...

I've spent all day putting things right, downloaded patch, Symantec fix etc. and all now seems to be in order. However the task manager still shows four SVCHOST running.

Local service 3,316k
Network service 1,928k

both of which I assume are ok, it also has

System 17,872k
System 3,004k

What I'd like to know is should I delete these via windows\system32\wins file, or are they best left alone?

Any help much appreciated.
Super Stall is offline  
Old 29th Aug 2003, 23:36
  #31 (permalink)  
The Oracle
 
Join Date: Aug 2001
Location: Naples, Florida U.S.A.
Posts: 2,902
Likes: 0
Received 0 Likes on 0 Posts
Super Stall,

If you removed the virus with the patches while running your affected Operating System, you are fine. (If you had pulled the hard drive out of the computer and used it as a slave on another computer, it would not have removed the virus properly.)

I am currently running 4 instances of svchost.exe, two system, one local service, and one network service. The size of the memory usage will change. That is normal.

If you see any other problems with your computer, please report back. Otherwise, just monitor it.

Take Care,

Richard
Naples Air Center, Inc. is offline  
Old 30th Aug 2003, 00:01
  #32 (permalink)  
 
Join Date: May 2000
Location: South East
Posts: 184
Likes: 0
Received 0 Likes on 0 Posts
Crikey, that was quick, question to answer in 22 mins !!

Thanks for your help.

ss.
Super Stall is offline  
Old 30th Aug 2003, 01:22
  #33 (permalink)  

'nough said
 
Join Date: Sep 2002
Location: Raynes Park
Age: 58
Posts: 1,025
Likes: 0
Received 0 Likes on 0 Posts
The BBC reports that the FBI has identified one of the people who developed a variant of MSBlast.

You can't dig yourself a much bigger hole than he has for himself, methinks.
amanoffewwords is offline  
Old 30th Aug 2003, 05:41
  #34 (permalink)  
 
Join Date: Jul 2003
Location: Scotland
Posts: 151
Likes: 0
Received 0 Likes on 0 Posts
This may be a little late for most but if you go here and download the Stinger it will check your machines for various viruses and trojans including the ones mentioned in this thread. I am still getting machines with blaster/lovsan and this tool has cleaned it off the systems.

However YMMV.

Last edited by Front_Seat_Dreamer; 30th Aug 2003 at 17:08.
Front_Seat_Dreamer is offline  
Old 30th Aug 2003, 07:22
  #35 (permalink)  
Dop
Registered User
 
Join Date: Oct 2002
Location: Croydon (but really from Barnsley)
Age: 64
Posts: 262
Likes: 0
Received 0 Likes on 0 Posts
amanoffewwords: Just read that BBC article, complete with mugshot of person involved.
Hey look! It's a big fat b'stard!!! Who'd have thought!!!
I bet he has no real friends, too...
Dop is offline  
Old 30th Aug 2003, 17:04
  #36 (permalink)  

'nough said
 
Join Date: Sep 2002
Location: Raynes Park
Age: 58
Posts: 1,025
Likes: 0
Received 0 Likes on 0 Posts
LOL dop!

Anyway, I was thinking it's about time they brought back medieval stoning practices for these guys, one stone for each person that was affected by the virus. Then we can bury the crumbs. That should put them off.

amofw
amanoffewwords is offline  
