RPC/Blast worm virus
Thread Starter
Join Date: Sep 1999
Location: here to eternity
Posts: 577
Likes: 0
Received 0 Likes
on
0 Posts
RPC/Blast worm virus
There is a weakness in later versions of Windows (2000, XP etc) that people have just discovered and are using it to take control of computers and load the W32.Blast.Worm virus.
Fix for the virus is here:-
http://securityresponse.symantec.com...oval.tool.html
The MS patch Fix to close the RPC loophole is at:-
http://www.microsoft.com/technet/tre...n/MS03-026.asp
More info at:-
http://www.thetechguy.co.uk/comments...atid=1&id=1321
FWIW, my version of Norton Internet Security (as updated) catches the virus, but can't close the lophole.
Fix for the virus is here:-
http://securityresponse.symantec.com...oval.tool.html
The MS patch Fix to close the RPC loophole is at:-
http://www.microsoft.com/technet/tre...n/MS03-026.asp
More info at:-
http://www.thetechguy.co.uk/comments...atid=1&id=1321
FWIW, my version of Norton Internet Security (as updated) catches the virus, but can't close the lophole.
Join Date: Feb 2000
Location: Dublin
Posts: 70
Likes: 0
Received 0 Likes
on
0 Posts
This is causing havoc in my workplace, thankfully I applied the MS patch to my 3 Win2K machines a couple of weeks back & I've not been afftected yet...
If you're not sure whether or not your system is OK go into control panel/add-remove programs & if 'Windows 2000 Hotfix - KB823980' is listed then the patch is installed.
If you're not sure whether or not your system is OK go into control panel/add-remove programs & if 'Windows 2000 Hotfix - KB823980' is listed then the patch is installed.
Join Date: Dec 2001
Location: Oop north
Posts: 169
Likes: 0
Received 0 Likes
on
0 Posts
This one caught me, managed to get rid of it using the latest update of VirusScan but it caused me a bit of hassle first! It's made the BBC news website as well.
A friend of mine without protection has it but cant delete the msblast.exe file in the system32 directory, anyone know how to get rid of it? He say's its not 'Read only' but won't delete?
If you haven't already I suggest everyone downloads the MS patch given in HugMonster's Post
A friend of mine without protection has it but cant delete the msblast.exe file in the system32 directory, anyone know how to get rid of it? He say's its not 'Read only' but won't delete?
If you haven't already I suggest everyone downloads the MS patch given in HugMonster's Post
Join Date: Jun 2000
Location: Geriatrica, UK
Posts: 1,003
Likes: 0
Received 0 Likes
on
0 Posts
Capt BK, two suggestions for your friend.
1. Start in "safe mode" and see if Windows Explorer will allow the deletion.
2. If no joy, open a Command Window, navigate to the file using keystrokes, make sure it isn't Hidden, System or Read-only and then delete it.
1. Start in "safe mode" and see if Windows Explorer will allow the deletion.
2. If no joy, open a Command Window, navigate to the file using keystrokes, make sure it isn't Hidden, System or Read-only and then delete it.
The Oracle
Join Date: Aug 2001
Location: Naples, Florida U.S.A.
Posts: 2,902
Likes: 0
Received 0 Likes
on
0 Posts
The funny thing about this virus, all the comps I have had to go service this evening all had two things in common:
1) All on Dialup
2) All with WinXP SP1
Reason all the affected machines were dialup internet connections is because most Dialup accounts do not have Routers/Firewalls. This worm comes though the TCP135 port, Routers/Firewalls block this port. Once in your computer the worm opens port 4444 and then it loads itself and takes over the infected computer. The code picks random IP addresses and checks those IPs for access, it tries several ways to break in. If it gets in, it infects as above, if it does not get in, it makes more random IPs and starts the process again.
Nasty little piece of work this worm. The only good thing is it does not do permanent damage to the infected computer.
Take Care,
Richard
1) All on Dialup
2) All with WinXP SP1
Reason all the affected machines were dialup internet connections is because most Dialup accounts do not have Routers/Firewalls. This worm comes though the TCP135 port, Routers/Firewalls block this port. Once in your computer the worm opens port 4444 and then it loads itself and takes over the infected computer. The code picks random IP addresses and checks those IPs for access, it tries several ways to break in. If it gets in, it infects as above, if it does not get in, it makes more random IPs and starts the process again.
Nasty little piece of work this worm. The only good thing is it does not do permanent damage to the infected computer.
Take Care,
Richard
Join Date: Feb 2001
Location: UK
Posts: 462
Likes: 0
Received 0 Likes
on
0 Posts
Had a look at the Microsoft technet page - there is two options for the patch for XP, a 32 bit version and a 64 bit version. How do I know which I have installed ? ( currently running XP home edition )
GR
GR
Join Date: Nov 2000
Location: UK
Posts: 168
Likes: 0
Received 0 Likes
on
0 Posts
Many thanks for the info on this Hugs. Discovered last night that I had the blasted thing and my Norton couldn't delete either.
Have followed the links and downloaded hardcopy info & programs onto floppy to take home this evening.
Steps to take:
a) Switch off "system restore"
b) install patch
c) install fix.
d) reboot
e) switch "system restore facility" back on.
Think I've got the above in right order but will study hardcopy later. Not being too up-to-speed on the techy side of pc's I would have been totally lost without yr links. Real Catch-22 when you need to go on-line to get the fixes but the worm keeps closing down the pc. Hence need for floppys to repair off-line.
Thanks again
Have followed the links and downloaded hardcopy info & programs onto floppy to take home this evening.
Steps to take:
a) Switch off "system restore"
b) install patch
c) install fix.
d) reboot
e) switch "system restore facility" back on.
Think I've got the above in right order but will study hardcopy later. Not being too up-to-speed on the techy side of pc's I would have been totally lost without yr links. Real Catch-22 when you need to go on-line to get the fixes but the worm keeps closing down the pc. Hence need for floppys to repair off-line.
Thanks again
Join Date: Jun 2000
Location: Geriatrica, UK
Posts: 1,003
Likes: 0
Received 0 Likes
on
0 Posts
Golden Rivet: assume 32-bit. If it was 64-bit you would know.
Funny thing is that Microsoft specifically exclude WinME. They do not mention Win98SE at all, even though there are lots still out there.
Excellent Thread. Thanks to all.
Funny thing is that Microsoft specifically exclude WinME. They do not mention Win98SE at all, even though there are lots still out there.
Excellent Thread. Thanks to all.
'nough said
Join Date: Sep 2002
Location: Raynes Park
Age: 58
Posts: 1,025
Likes: 0
Received 0 Likes
on
0 Posts
Funny thing is that Microsoft specifically exclude WinME. They do not mention Win98SE at all, even though there are lots still out there.
I'm just back from setting up a laptop for a customer - 2 mins into showing her how to dial up the Internet - bang got the 60 second warning of reboot. Problem is if do not have the patch with you it prevents you getting back on the net to download it - and it disabled NAV (Norton Anti-Virus) and DUN (dial-up) properties so I couldn't set the firewall.
Managed to get round it by disabling all RPCs services, then downloading the patch from M$, disabling messenger services, activating the firewall, updating NAV and then checking my customer's blood pressure though by then she had had enough of her first experience with computers, switched it off, signed the sheet and sent me on my way.
When they catch the guy/girl who started this he/she's a getting an invoice for my time...with the appropriate supplements...
amofw
Join Date: Jun 2002
Location: Malaysia
Posts: 130
Likes: 0
Received 0 Likes
on
0 Posts
BLASTER VIRUS
If Norton Antivirus (Professionnal) is updated it stops the virus which seems quite active and frequently met but I was obliged to restart the computer because some files were neutralized. After downloading the last security package of Windows 2K, no problem my computer is definitively out of reach.
The Oracle
Join Date: Aug 2001
Location: Naples, Florida U.S.A.
Posts: 2,902
Likes: 0
Received 0 Likes
on
0 Posts
I have been getting a lot of time with MSBlast lately. Something that helps, if you have to download the patch, is to go in to your Task Manager and disable the Process MSBlast.exe. That will stop the Shutdown Countdown the worm gives you. Then you have all the time you need to download the patch.
Take Care,
Richard
Take Care,
Richard
Join Date: Jul 2000
Location: Earth (just)
Posts: 722
Likes: 0
Received 0 Likes
on
0 Posts
Hi Guys,
caught this ****** meself and had some trouble getting my head around it!
I never had the MSblast.exe program anywhere nor had the appropriate string in the registry and yet it was doing the business with my RPC. Most peculiar.
Now I still cannot download any updates from Windows Update. Have seen many posts regarding this problem on a microsoft forum but no answers.
Any Ideas anyone?
caught this ****** meself and had some trouble getting my head around it!
I never had the MSblast.exe program anywhere nor had the appropriate string in the registry and yet it was doing the business with my RPC. Most peculiar.
Now I still cannot download any updates from Windows Update. Have seen many posts regarding this problem on a microsoft forum but no answers.
Any Ideas anyone?