It appears that a new worm (for now we're calling it msblast after its executable, msblast.exe) has surfaced today. It attacks port 135/tcp (that's Netbios), creates lots of RPC noise - some users report random machine shutdowns and reboots - and once it takes up residence in your computer, it proceeds to scan a random IP range and propagate itself to unprotected machines. Since this worm is brand, spanking new it may not be detected by (even recently updated) anti-virus software.. so get that firewall up and secured!
_http://msn.com.com/4520-6600_16-5062407.html

_http://isc.sans.org/diary.html?date=2003-08-11

_http://news.com/2100-1002_3-5062364.html?tag=fd_top

_http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

_http://vil.nai.com/vil/content/v_100547.htm
:( I got it. It's REALLY annoying. I strongly think that this should be moved to the front page news, to warn everybody. It got to a point, that it would restart every 2 minutes or so. It was hard enough downloading the patch, on a 56k, with the damn thing restarting every minute.

Yes, I have been affected as well. Currently, I am only using the built-in Windows XP firewall, but my system still gets the RPC error and shuts down. Guess I'll have to put a better firewall in action.
Does anyone know if any permanent damage is caused by this worm? MNKid

PC SHUTDOWN PROBLEMS - RPC EXPLOIT/REMOTELY RESTARTING

IDENTIFIED AS THE W32.Blaster.Worm VIRUS

W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability using TCP port 135. It will attempt to download and run a file, msblast.exe

TO CANCEL THE SHUTDOWN GO TO START -> RUN -> TYPE CMD TO ACCESS CMD PROMPT AND TYPE (SHUTDOWN -A) TO CANCEL IT.

DO CTRL+ALT+DELETE AND KILL MSBLAST.EXE FROM THE PROCESSES LIST

GO TO C:\WINDOWS\SYSTEM32 AND FIND MSBLAST.EXE AND RENAME IT TO BLASTMS.BAK (DON'T DELETE IT SINCE I DON'T KNOW IF IT IS AN IMPORTANT FILE, IF ITS A VIRUS IT WILL NOT BE ABLE TO START IF U RENAME IT, RENDERING IT USELESS.)

NOW GO TO C:\WINDOWS\PREFETCH AND DELETE THE FILE THAT HAS MSBLAST.EXE IN ITS NAME. (IT STARTS WITH MSBLAST.EXE IN ITS FILENAME)

THE VIRUS ADDS A REGISTRY VALUE TO AUTO LOAD WHEN WINDOWS STARTS UP, YOU MUST DELETE THE REGISTRY KEY.

1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit
3. Then click OK. (The Registry Editor opens.)
4. Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value: "windows auto update"="msblast.exe"
6. Exit the Registry Editor.

INSTALL THE PATCH FOR YOUR SYSTEM FROM THE LINKS BELOW

NON SP1 USERS = .http://microsoft.com/downloads/detai...displaylang=en

SP1 USERS = .http://securityresponse.symantec.com...tent/8205.html

thx to fAlCoNNiAn from WINBETA :)
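
The manual checks from the post above, collected into a read-only PowerShell check. This is an added example, not part of the original thread; the function name `Test-BlasterArtifacts` is hypothetical, while the registry key, value name and file names are the ones given in the post.

```powershell
# Added example: read-only check for the artifacts listed in the post above.
# It reports what it finds and changes nothing on the machine.
function Test-BlasterArtifacts {   # hypothetical helper name
    param([string]$WindowsDir = $env:SystemRoot)   # e.g. C:\WINDOWS

    $runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $valueName = 'windows auto update'   # autostart value named in the post
    $exeName   = 'msblast.exe'

    # Autostart value under the Run key (step 5 of the registry instructions)
    $entry = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
    $runValue = if ($entry) { $entry.$valueName } else { $null }

    # Running process (what Ctrl+Alt+Delete would show in the process list)
    $proc = Get-Process -Name 'msblast' -ErrorAction SilentlyContinue

    # Worm executable, plus the renamed copy the post suggests keeping
    $exePath = Join-Path $WindowsDir "System32\$exeName"
    $bakPath = Join-Path $WindowsDir 'System32\BLASTMS.BAK'

    # Prefetch entries whose names start with MSBLAST.EXE
    $prefetch = @(Get-ChildItem -Path (Join-Path $WindowsDir 'Prefetch') `
                    -Filter 'MSBLAST.EXE*' -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        RunValuePresent = [bool]$entry
        RunValueData    = $runValue
        ProcessRunning  = [bool]$proc
        ExePresent      = Test-Path -LiteralPath $exePath
        RenamedCopy     = Test-Path -LiteralPath $bakPath
        PrefetchFiles   = $prefetch | ForEach-Object { $_.Name }
    }
}

$result = Test-BlasterArtifacts
$result | Format-List
# Still active if the Run value points at msblast.exe, the process is running, or the file exists
if (($result.RunValueData -like '*msblast.exe*') -or $result.ProcessRunning -or $result.ExePresent) {
    Write-Warning 'Blaster artifacts found: follow the removal steps and install the patch.'
} else {
    Write-Output 'No active Blaster artifacts found at the locations named in the post.'
}
```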
Quote: Billybob3, it is on the front page.
A friend just got it yesterday. As soon as he gets on the Internet, he gets a "two minute warning" that "NT AUTHORITY/SYSTEM" is shutting down the PC. The tip to cancel the shutdown will help a lot, thanx for that one. He's got an E-Machine with NO anti virus software! Users!
P.E.B.K.A.C. = Problem Exists Between Keyboard And Chair
lol- there are a lot of users like that out there, i get enough phoning me and asking why they can't see a picture on their screen after the computer has been idle for 20 mins. "Move mouse- picture come back, leave for 20 mins picture goes away"

Yes, I had the luck to get it, and I have to say that it is very noisy if you are watching Bad Boys 2 and the computer restarts every 10 min.
But Norton is quick and already has a removal tool. Best regards,
disinfectant here:
_http://download.nai.com/products/mcafee-avert/stinger.exe :)