W32.Blaster.Worm
NightCabbage
August 12, 2003, 11:18 am
Well, there is a new evil virus on the block folks (no this one's not a joke).

Just today alone, I have had well over 10 phone calls with the problem... (compy techy)

By the end of the day I was just picking up the phone and saying "Hi, got the Blaster virus hey?" - and was almost certain to receive "Oh, so I'm not the only one then!"



DETAILS:

Name: W32.Blaster.Worm
Also Known As: W32/Lovsan.worm [McAfee]
Type: Worm
Infection Length: 6,176 bytes
Systems Affected: Windows 2000, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX
CVE References: CAN-2003-0352


Even if you do not have this virus yet, you could still get it.


HOW TO REMOVE IT:

win2K/XP - End the process "msblast.exe"
win9x/ME - Restart in safe mode

Remove the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"windows auto update"="msblast.exe"

Disable System restore (winME and winXP)

Update virus definitions and scan away ;)



Download the Windows patch here: Microsoft Security Bulletin MS03-026


Symantec have developed a removal tool, which can be located here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

3rd_account
August 12, 2003, 12:58 pm
So are Windows 98 SE users affected or not affected?

SuperKill
August 12, 2003, 1:13 pm
i solved the shutting down problem in a different way.
now i'm getting Generic Host Process for win32 error.
it doesn't bother me at all, besides that it pops me out of soldat ;\

GF
August 12, 2003, 9:54 pm
yea i had this worm too

NightCabbage
August 13, 2003, 1:26 am
Yes this virus affects all windows systems (well, not all (eg. 3.1 hahaha)lol)

It is set to activate on the 16th of August and end when this year does ;)

If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on Windows Update - to prevent you from downloading teh fix lol

BManx2000
August 13, 2003, 1:30 am
Well, it SAYS Windows ME is unaffected, and there's not a patch for it, so I guess I'm either lucky, or screwed if it is affected.

JayBDey
August 13, 2003, 3:11 am
Which is why M$ is working on file mirrors.

TheKnightoftheMare
August 13, 2003, 5:07 am
that's what happens when people don't patch their comps.

N1nj@
August 14, 2003, 2:40 am
knew this virus long time ago. no biggie.

To find out whether you're infected, press Ctrl+Alt+Del and verify if the process 'MsBlast.exe' is running. If it is, kill the process MsBlast.exe from the task manager.

and btw, after you unregistry it. Delete "windows auto update"="msblast.exe" from the right pane. and delete msblast.exe from either the Windows System and/or System32 folders.

This worm will exploit the DCOM RPC vulnerability using TCP port 135. It will attempt to download and run the file Msblast.exe.

You should block access to TCP port 4444 at the firewall level, and block the following ports, if they do not use the applications listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

The worm also attempts to perform a Denial of Service on windowsupdate.com. This is an attempt to disable your ability to patch your computer against the DCOM RPC vulnerability.
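
Added example, not part of the thread or any poster's code: a Python check that looks for the two host indicators named in the posts above (the `msblast.exe` process and the "windows auto update" Run-key value) in a decoded registry export and in `tasklist /fo csv` output. The sample inputs, PIDs and function names are constructed for illustration.

```python
import csv
import io
import re

# Indicators taken from the thread: the dropped file name and the Run key it registers under.
WORM_FILE = "msblast.exe"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample inputs (a .reg export already decoded to text, and tasklist CSV).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="C:\\WINDOWS\\soundman.exe"
"windows auto update"="msblast.exe"
'''
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","840","Console","0","3,412 K"
"msblast.exe","1732","Console","0","1,104 K"
'''

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def run_key_hits(reg_text):
    """Return (value_name, data) pairs under the Run key whose data names the worm file."""
    hits, in_run_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Section header; registry key paths are case-insensitive.
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = VALUE_LINE.match(line)
        if in_run_key and m:
            # .reg exports double every backslash inside string data.
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            # Compare the file name only, so a full path to msblast.exe also counts.
            if data.lower().rsplit("\\", 1)[-1] == WORM_FILE:
                hits.append((name, data))
    return hits

def process_hits(tasklist_csv):
    """Return PIDs of running processes whose image name is the worm file."""
    rows = csv.DictReader(io.StringIO(tasklist_csv))
    return [int(r["PID"]) for r in rows if r["Image Name"].lower() == WORM_FILE]

def triage(reg_text, tasklist_csv):
    """Combine both checks into one report for a host."""
    return {"run_key": run_key_hits(reg_text), "processes": process_hits(tasklist_csv)}

if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_TASKLIST))
```

A clean result from both checks does not show the host is patched; MS03-026 still needs to be applied.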

NightCabbage
August 15, 2003, 12:40 am
lol thank you for those symantec quotes =) roflmao

It's funny - the virus has been all over the news and stuff hahahahaha funny.....

Teh0wn
August 17, 2003, 4:09 am
hmm, would there have been a patch in windows update to block it? if so i lucked out, hehe, it's 16th here

NightCabbage
August 19, 2003, 12:17 am
Yup, windowsupdate had a fix, which is why the worm tried to stop everyone from using it lol

All in all it didn't really cause much damage... yet they will still say it caused 'millions of dollars worth of damage'

lol

b00stA
August 19, 2003, 6:43 pm
It doesn't cause damage in the normal way.
Someone works 10 hours a day with his computer. But UH his computer has a worm. He spends 1 hour informing himself, downloading the fix, applying it, updating his firewall (or even installing one), removing the worm and of course several restarts of the system.
Now, apply this scenario to thousands of other users. Not very experienced computer users. Even I spent some time on that, but now I know where to find it, remove and prevent it etc.

Wasted time. You were not able to work for your company during that time, so you LOST money that you normally would have earned.

Ok?

NightCabbage
August 20, 2003, 1:52 pm
yes b00sty, I know this (lol ^^), but it took me less than 5 minutes to fix up 3 computers simultaneously.

But then many are not set up as well as they should be (espec considering that they rely upon their compys as much as they do, etc.)

=)