
RPC/Blast worm virus

Old 12th Aug 2003, 22:15
  #1 (permalink)  
Thread Starter
 
Join Date: Sep 1999
Location: here to eternity
Posts: 577
Likes: 0
Received 0 Likes on 0 Posts
RPC/Blast worm virus

There is a weakness in later versions of Windows (2000, XP etc) that people have just discovered and are using to take control of computers and load the W32.Blast.Worm virus.

Fix for the virus is here:-

http://securityresponse.symantec.com...oval.tool.html

The MS patch Fix to close the RPC loophole is at:-

http://www.microsoft.com/technet/tre...n/MS03-026.asp

More info at:-

http://www.thetechguy.co.uk/comments...atid=1&id=1321

FWIW, my version of Norton Internet Security (as updated) catches the virus, but can't close the loophole.
HugMonster is offline  
Old 12th Aug 2003, 23:09
  #2 (permalink)  
 
Join Date: Feb 2000
Location: Dublin
Posts: 70
Likes: 0
Received 0 Likes on 0 Posts
This is causing havoc in my workplace, thankfully I applied the MS patch to my 3 Win2K machines a couple of weeks back & I've not been affected yet...

If you're not sure whether or not your system is OK go into control panel/add-remove programs & if 'Windows 2000 Hotfix - KB823980' is listed then the patch is installed.
kopbhoy2 is offline  
Old 12th Aug 2003, 23:25
  #3 (permalink)  
 
Join Date: Dec 2001
Location: Oop north
Posts: 169
Likes: 0
Received 0 Likes on 0 Posts
This one caught me, managed to get rid of it using the latest update of VirusScan but it caused me a bit of hassle first! It's made the BBC news website as well.

A friend of mine without protection has it but can't delete the msblast.exe file in the system32 directory, anyone know how to get rid of it? He says it's not 'Read only' but won't delete?

If you haven't already I suggest everyone downloads the MS patch given in HugMonster's Post
Capt BK is offline  
Old 13th Aug 2003, 04:12
  #4 (permalink)  
The Oracle
 
Join Date: Aug 2001
Location: Naples, Florida U.S.A.
Posts: 2,902
Likes: 0
Received 0 Likes on 0 Posts
HugMonster,

I have been getting calls for computer repairs on this one for the last two days. It is keeping my evenings busy.

Take Care,

Richard
Naples Air Center, Inc. is offline  
Old 13th Aug 2003, 06:27
  #5 (permalink)  
 
Join Date: Jun 2000
Location: Geriatrica, UK
Posts: 1,003
Likes: 0
Received 0 Likes on 0 Posts
Capt BK, two suggestions for your friend.

1. Start in "safe mode" and see if Windows Explorer will allow the deletion.

2. If no joy, open a Command Window, navigate to the file using keystrokes, make sure it isn't Hidden, System or Read-only and then delete it.
fobotcso is offline  
Old 13th Aug 2003, 11:52
  #6 (permalink)  
The Oracle
 
Join Date: Aug 2001
Location: Naples, Florida U.S.A.
Posts: 2,902
Likes: 0
Received 0 Likes on 0 Posts
The funny thing about this virus, all the comps I have had to go service this evening all had two things in common:

1) All on Dialup

2) All with WinXP SP1

Reason all the affected machines were dialup internet connections is because most Dialup accounts do not have Routers/Firewalls. This worm comes through the TCP135 port, Routers/Firewalls block this port. Once in your computer the worm opens port 4444 and then it loads itself and takes over the infected computer. The code picks random IP addresses and checks those IPs for access, it tries several ways to break in. If it gets in, it infects as above, if it does not get in, it makes more random IPs and starts the process again.

Nasty little piece of work this worm. The only good thing is it does not do permanent damage to the infected computer.

Take Care,

Richard
Naples Air Center, Inc. is offline  
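The behaviour described in post #6 (inbound TCP 135, a listener on port 4444, then probing random addresses) can be checked for in firewall logs. The following is an added example, not part of the original thread: the eight-field log layout, the sample lines, the addresses and the scan threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log: date time action proto src-ip dst-ip src-port dst-port
SAMPLE_LOG = """\
2003-08-12 22:01:10 ALLOW TCP 203.0.113.7 192.0.2.10 3021 135
2003-08-12 22:01:12 ALLOW TCP 203.0.113.7 192.0.2.10 3022 4444
2003-08-12 22:01:30 ALLOW TCP 192.0.2.10 198.51.100.1 1045 135
2003-08-12 22:01:30 ALLOW TCP 192.0.2.10 198.51.100.2 1046 135
2003-08-12 22:01:31 ALLOW TCP 192.0.2.10 198.51.100.3 1047 135
2003-08-12 22:01:31 ALLOW TCP 192.0.2.10 198.51.100.4 1048 135
2003-08-12 22:02:00 ALLOW TCP 192.0.2.10 198.51.100.80 1050 80
2003-08-12 22:02:05 DROP TCP 203.0.113.9 192.0.2.20 2210 135
garbage line that should be skipped
"""

RPC_PORT, SHELL_PORT = 135, 4444   # ports named in the post
SCAN_THRESHOLD = 4                 # assumed: distinct port-135 targets that count as scanning

def analyse(log_text, local_hosts, threshold=SCAN_THRESHOLD):
    """Return {host: sorted list of findings} for the given local IPs."""
    findings = defaultdict(set)
    scan_targets = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[3] != "TCP" or not parts[7].isdigit():
            continue                       # skip malformed or non-TCP lines
        action, src, dst, dport = parts[2], parts[4], parts[5], int(parts[7])
        if action != "ALLOW":
            continue                       # dropped packets never reached the host
        if dst in local_hosts and src not in local_hosts:
            if dport == RPC_PORT:
                findings[dst].add("rpc-135-exposed")
            elif dport == SHELL_PORT:
                findings[dst].add("port-4444-inbound")
        if src in local_hosts and dport == RPC_PORT:
            scan_targets[src].add(dst)     # track distinct hosts probed on 135
    for host, targets in scan_targets.items():
        if len(targets) >= threshold:
            findings[host].add("outbound-135-scan")
    return {h: sorted(f) for h, f in findings.items()}

if __name__ == "__main__":
    for host, found in analyse(SAMPLE_LOG, {"192.0.2.10", "192.0.2.20"}).items():
        print(host, found)
```

A host whose port-135 traffic was dropped at the firewall produces no finding, which matches the observation that machines behind a router were not being hit.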
Old 13th Aug 2003, 14:48
  #7 (permalink)  
 
Join Date: Feb 2001
Location: UK
Posts: 462
Likes: 0
Received 0 Likes on 0 Posts
Had a look at the Microsoft technet page - there are two options for the patch for XP, a 32 bit version and a 64 bit version. How do I know which I have installed? (currently running XP home edition)

GR
Golden Rivet is offline  
Old 13th Aug 2003, 18:50
  #8 (permalink)  
 
Join Date: Nov 2000
Location: UK
Posts: 168
Likes: 0
Received 0 Likes on 0 Posts
Many thanks for the info on this Hugs. Discovered last night that I had the blasted thing and my Norton couldn't delete either.
Have followed the links and downloaded hardcopy info & programs onto floppy to take home this evening.

Steps to take:
a) Switch off "system restore"
b) install patch
c) install fix.
d) reboot
e) switch "system restore facility" back on.

Think I've got the above in right order but will study hardcopy later. Not being too up-to-speed on the techy side of pc's I would have been totally lost without yr links. Real Catch-22 when you need to go on-line to get the fixes but the worm keeps closing down the pc. Hence need for floppies to repair off-line.

Thanks again
4PON4PIN is offline  
Old 13th Aug 2003, 20:45
  #9 (permalink)  
 
Join Date: Jun 2000
Location: Geriatrica, UK
Posts: 1,003
Likes: 0
Received 0 Likes on 0 Posts
Golden Rivet: assume 32-bit. If it was 64-bit you would know.

Funny thing is that Microsoft specifically exclude WinME. They do not mention Win98SE at all, even though there are lots still out there.

Excellent Thread. Thanks to all.
fobotcso is offline  
Old 14th Aug 2003, 01:12
  #10 (permalink)  

'nough said
 
Join Date: Sep 2002
Location: Raynes Park
Age: 58
Posts: 1,025
Likes: 0
Received 0 Likes on 0 Posts
Quote: "Funny thing is that Microsoft specifically exclude WinME. They do not mention Win98SE at all, even though there are lots still out there."
That's probably because they ceased support on Win 98 end June (I imagine that's for all flavours of Win 98).

I'm just back from setting up a laptop for a customer - 2 mins into showing her how to dial up the Internet - bang got the 60 second warning of reboot. Problem is if you do not have the patch with you it prevents you getting back on the net to download it - and it disabled NAV (Norton Anti-Virus) and DUN (dial-up) properties so I couldn't set the firewall.

Managed to get round it by disabling all RPC services, then downloading the patch from M$, disabling messenger services, activating the firewall, updating NAV and then checking my customer's blood pressure though by then she had had enough of her first experience with computers, switched it off, signed the sheet and sent me on my way.

When they catch the guy/girl who started this he/she's getting an invoice for my time...with the appropriate supplements...

amofw
amanoffewwords is offline  
Old 14th Aug 2003, 05:40
  #11 (permalink)  
 
Join Date: Jun 2000
Location: Geriatrica, UK
Posts: 1,003
Likes: 0
Received 0 Likes on 0 Posts
amofw

This is probably what you are referring to. But why no fix for Win ME?
fobotcso is offline  
Old 14th Aug 2003, 06:13
  #12 (permalink)  
 
Join Date: Jun 2002
Location: Malaysia
Posts: 130
Likes: 0
Received 0 Likes on 0 Posts
BLASTER VIRUS

If Norton Antivirus (Professional) is updated it stops the virus which seems quite active and frequently met but I was obliged to restart the computer because some files were neutralized. After downloading the last security package of Windows 2K, no problem my computer is definitively out of reach.
malaysian eaglet is offline  
Old 14th Aug 2003, 07:11
  #13 (permalink)  
 
Join Date: Jun 2000
Location: Geriatrica, UK
Posts: 1,003
Likes: 0
Received 0 Likes on 0 Posts
TCS, thanks. But in your link Microsoft do say that they tested the fix on Windows ME.

Who cares. Life's too short and ME went back into its box 6 months ago anyway.
fobotcso is offline  
Old 14th Aug 2003, 15:23
  #14 (permalink)  

Sub Judice Angel Lovegod
 
Join Date: Oct 2002
Location: London
Posts: 2,456
Likes: 0
Received 0 Likes on 0 Posts
JAAMOI, is ME considered to be the same as 98SE? In other words, does the end of 98 support also mean the end of ME support?

W
Timothy is offline  
Old 14th Aug 2003, 18:26
  #15 (permalink)  
 
Join Date: Jun 2000
Location: Geriatrica, UK
Posts: 1,003
Likes: 0
Received 0 Likes on 0 Posts
According to Microsoft in the link in my post above, ME support will cease at the end of this year (2003).
fobotcso is offline  
Old 14th Aug 2003, 20:13
  #16 (permalink)  
 
Join Date: Dec 2001
Location: Oop north
Posts: 169
Likes: 0
Received 0 Likes on 0 Posts
fobotcso,

Thanks for the reply. He rang me to say he'd fixed the problem, he just went out and bought Norton!

Why didn't I think of that
Capt BK is offline  
Old 15th Aug 2003, 23:30
  #17 (permalink)  
The Oracle
 
Join Date: Aug 2001
Location: Naples, Florida U.S.A.
Posts: 2,902
Likes: 0
Received 0 Likes on 0 Posts
I have been getting a lot of time with MSBlast lately. Something that helps, if you have to download the patch, is to go in to your Task Manager and disable the Process MSBlast.exe. That will stop the Shutdown Countdown the worm gives you. Then you have all the time you need to download the patch.

Take Care,

Richard
Naples Air Center, Inc. is offline  
Old 17th Aug 2003, 23:06
  #18 (permalink)  
 
Join Date: Jul 2000
Location: Earth (just)
Posts: 722
Likes: 0
Received 0 Likes on 0 Posts
Hi Guys,

caught this ****** meself and had some trouble getting my head around it!

I never had the MSblast.exe program anywhere nor had the appropriate string in the registry and yet it was doing the business with my RPC. Most peculiar.

Now I still cannot download any updates from Windows Update. Have seen many posts regarding this problem on a Microsoft forum but no answers.

Any Ideas anyone?

Wing Commander Fowler is offline  
Old 18th Aug 2003, 00:47
  #19 (permalink)  
 
Join Date: Aug 2002
Location: Fukui : Japan
Posts: 23
Likes: 0
Received 0 Likes on 0 Posts
I believe that MS have temporarily disabled the Update site in order to avoid being hit by the virus which was due to flood the site yesterday.

Fuji.
Fuji-san is offline  
Old 18th Aug 2003, 01:13
  #20 (permalink)  

Plastic PPRuNer
 
Join Date: Sep 2000
Location: Cape Town
Posts: 1,898
Received 0 Likes on 0 Posts
WC Fowler - there are variants where msblast.exe is replaced by TEEKIDS.EXE or PENIS32.EXE

Don't know about variant registry changes tho'
Mac the Knife is offline  

