PC SHUTDOWN PROBLEMS - RPC EXPLOIT/REMOTELY RESTARTING
IDENTIFIED AS THE W32.Blaster.Worm VIRUS
W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability using TCP port 135. It will attempt to download and run a file, msblast.exe
------------------------------------------------------------------------------------------------
TO CANCEL THE SHUTDOWN GO TO START -> RUN -> TYPE CMD TO ACCESS CMD PROMPT AND
TYPE (SHUTDOWN -A) TO CANCEL IT.
DO CTRL+ALT+DELETE AND KILL MSBLAST.EXE FROM THE PROCESSES LIST
GO TO C:\WINDOWS\SYSTEM32 AND FIND MSBLAST.EXE AND RENAME IT TO BLASTMS.BAK (DON'T DELETE IT SINCE I DON'T KNOW IF IT IS AN IMPORTANT FILE, IF ITS A VIRUS IT WILL NOT
BE ABLE TO START IF U RENAME IT, RENDERING IT USELESS.)
NOW GO TO C:\WINDOWS\PREFETCH AND DELETE THE FILE THAT HAS MSBLAST.EXE IN ITS NAME.
(IT STARTS WITH MSBLAST.EXE IN ITS FILENAME)
THE VIRUS ADDS A REGISTRY VALUE TO AUTO LOAD WHEN WINDOWS STARTS UP, YOU MUST DELETE THE REGISTRY KEY.
1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit
3. Then click OK. (The Registry Editor opens.)
4. Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run
5. In the right pane, delete the value:
"windows auto update"="msblast.exe"
6. Exit the Registry Editor.
INSTALL THE PATCH FOR YOUR SYSTEM FROM THE LINKS BELOW
NON SP1 USERS =
.
http://microsoft.com/downloads/detai...displaylang=en
SP1 USERS = .
http://securityresponse.symantec.com...tent/8205.html
thx to fAlCoNNiAn from WINBETA
