The Magic Café
The Magic Cafe Forum Index » » Not very magical, still... » » Nasty Worm Virus (0 Likes) Printer Friendly Version

wayman
Special user
England - Sunderland
587 Posts

I have just repaired 3 (including mine!!) and heard locally of another 6 systems that have been infected with this worm virus.

ISPs everywhere are blocking all port 135 traffic in an attempt to slow the worm's growth and damage.

W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability using TCP port 135. It will attempt to download and run a file, "msblast.exe".

Infected machines will begin a concerted distributed denial of service attack (DDoS) on the domain "windowsupdate.com" this coming Saturday the 16th.


The virus adds the value:

"windows auto update"="msblast.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.


Symantec has a simple tool to detect and delete this automatically Here

and Microsoft has a patch to close the loophole Here

Press CTRL ALT DEL now and look for a running process called MSBLAST.EXE and disable it before it crashes your system.

Install your firewalls!!!

Anyone else been bothered by this ****py miserable little virus???
jarrod
New user
35 Posts

Nothing here, and I haven't even patched until just now. Guess I'm just lucky =)
ChrisZampese
Veteran user
Hamilton, NZ
341 Posts

Thanks Wayman,

We have had a couple of instances on our network. Be aware of this one. It's not very nice!
The most beautiful experience we can have is the mysterious. It is the fundamental emotion which stands at the cradle of true art and true science. Whoever does not know it and can no longer wonder, no longer marvel, is as good as dead, and his eyes are
Payne
Inner circle
Seattle
4572 Posts

Quote:
On 2003-08-13 20:38, ChrisZampese wrote:
Thanks Wayman,

We have had a couple of instances on our network, be aware of this one, it's not very nice!


This one is incredibly nice as it really doesn't do anything, unless you're the Microsoft Update site.
The ones you're going to have to watch out for are the next generations of this worm which will be ever so much more destructive and pervasive.
"America's Foremost Satirical Magician" -- Jeff McBride.
Reis O'Brien
Inner circle
Seattle, WA
2467 Posts

My Dad's PC has been getting chewed a new one by this little bugger and now my computer at work caught it this afternoon. NOT a fun bug. Heads up, fellow computer nerds!

Smile
Homo vult decipi; decipiatur

http://www.myspace.com/liar_4_hire
RiffClown
Inner circle
Yorktown, Virginia (Previously Germany)
1579 Posts

I saw where it hit my firewall but I've had my systems patched since Mid-Jul. I had no impact either here or at work except the Internet was a bit sluggish at home because of all the extra traffic.
Smile
Rob "Riff, the Magical Clown" Eubank aka RiffClown
http://www.riffclown.com
Magic is not the method, but the presentation.
PyroDevil
Regular user
Canada
156 Posts

I hope everyone has their Firewalls installed. This virus sounds serious!!!
ChrisZampese
Veteran user
Hamilton, NZ
341 Posts

For those that have it (especially on networks) it could (reportedly) cause some serious issues in a few hours. Don't know the exact scheduled time, but it will attempt to create a DNS (Denial of Service) attack on Microsoft by using the email client on infected machines to send bulk emails to a Microsoft email address. This could be very serious for Exchange servers and the like.

If you have it, and you are on a network, make sure your network administrator knows about it ASAP.
The most beautiful experience we can have is the mysterious. It is the fundamental emotion which stands at the cradle of true art and true science. Whoever does not know it and can no longer wonder, no longer marvel, is as good as dead, and his eyes are
MacGyver
Inner circle
St. Louis, MO
1419 Posts

The date for the DOS attack is the 15th (today).


Here is what you do: first off, Ctrl-Alt-Del and shut down the process msblast.exe, then do a search for msblast.exe and delete it. Very simple.

Be sure you're patched so you don't get it again right away.
MacGyver
Inner circle
St. Louis, MO
1419 Posts

Oh, I should also add that windowsupdate.com has already been DOS'd so you better find a different place to patch from =).

It's an interesting approach, taking out the patching software and all.

Since the bug allows the hacker to execute arbitrary code, once he disables the patching system, he could put a new version of the worm out that could REALLY mess up some computers, like deleting files and editing Windows.
wayman
Special user
England - Sunderland
587 Posts

I found a variant tonight on a friend's PC.

It was the W32.Blaster.C.Worm

It adds the value:

"Microsoft Inet Xp.."="teekids.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.


Apparently the local "Leading" PC store is charging about £30 a time to disinfect your machine!!

THEN they will push an Antivirus software onto you at an extra cost.


Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for teekids.exe (or the others listed below).
If you find the file, click it, and then click End Process.
Exit the Task Manager.

index.exe
root32.exe
teekids.exe
p.e.n.i.s.32.exe (without the dots)
msblast.exe
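
An added example, not part of any post in this thread: a check of the Run key for the file names reported above, working on text saved from `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`. It assumes the four-space column layout of current reg.exe output; the function names are hypothetical and the sample text is constructed.

```python
import ntpath
import re

# File names reported in this thread; the censored one is rebuilt "without the dots".
THREAD_NAMES = {"msblast.exe", "teekids.exe", "index.exe", "root32.exe",
                "p.e.n.i.s.32".replace(".", "") + ".exe"}

# One value line of `reg query` output (assumed layout):
# four spaces, value name, four spaces, type, four spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


def executable_of(data):
    """Return the lower-cased file name of the program a Run value launches."""
    data = data.strip()
    if data.startswith('"'):
        # Quoted command line: the program is everything up to the closing quote.
        path = data[1:].split('"', 1)[0]
    else:
        # Unquoted: take the first token (arguments, if any, follow a space).
        path = data.split(None, 1)[0] if data else ""
    return ntpath.basename(path).lower()


def suspicious_run_values(reg_query_text):
    """Return (value name, data) pairs whose program matches a name from the thread."""
    hits = []
    for line in reg_query_text.splitlines():
        m = VALUE_LINE.match(line)
        # Exact file-name match, so "indexer.exe" is not mistaken for "index.exe".
        if m and executable_of(m.group("data")) in THREAD_NAMES:
            hits.append((m.group("name"), m.group("data")))
    return hits


# Constructed sample, not captured from a real machine.
SAMPLE = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    windows auto update    REG_SZ    msblast.exe
    Microsoft Inet Xp..    REG_SZ    C:\WINDOWS\system32\TEEKIDS.EXE
    ExampleTray    REG_SZ    "C:\Program Files\Example\tray.exe" /min
    Indexer    REG_EXPAND_SZ    %ProgramFiles%\Example\indexer.exe
'''

if __name__ == "__main__":
    for name, data in suspicious_run_values(SAMPLE):
        print(f"Run value to remove: {name!r} -> {data}")
```

A match only says the Run value points at one of these file names; the process still has to be ended and the file deleted as the posts describe, and the machine patched.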
All content & postings Copyright © 2001-2021 Steve Brooks. All Rights Reserved.