VIRUS WIN32.BLASTER.WORM

Plisss help me with this virus: win32.blaster.worm, this virus reboot the machine all the time, How can i destroy it. OS: Windows XP

 

Hi Vane,

MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

This procedure terminates the running malware process from memory.

Open Windows Task Manager press
CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs*, locate the process:
MSBLAST.EXE

Select the malware process, then press either the the End Process button.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
”windows auto update" = MSBLAST.EXE
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_MSBLAST.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.

Applying Patches

TrendLabs advises all affected users to apply the patch issued by Microsoft at the following page:

Microsoft Security Bulletin MS03-026

TrendLabs also asks users to filter access to port 135 and allow trusted and internal sites only.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A

 

Hello pls help me to !!
in my winxp onregedit I can;t find "windows auto update"MSBLAST.EXE "
how I DO Pls help me my PC always reset self

==================

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
”windows auto update" = MSBLAST.EXE

 

FYI...A removal tool for the msblast.exe worm is available - see this post:

https://www.wilderssecurity.com/showthread.php?t=11991;start=msg79366#msg79366

 

Panda also has a removal tool:

http://www.pandasoftware.com/download/utilities/

Blaster has already topped the ranking of the viruses most frequently
detected by the free, online antivirus, Panda ActiveScan. For this reason,
Panda Software offers all users its PQREMOVE application, which is
especially designed to detect and eliminate the Blaster worm and repair the
damage that it may have caused in affected computers. This utility is
available for download at http://www.pandasoftware.com/download/utilities/.

 

"The Cleaner" will also remove it !

http://www.moosoft.com/thecleaner/download.php

 

1.You have a virus. Please download the program: http://download.nai.com/products/mcafee-avert/stinger.exe , once the download is complete. You will need to disconnect from the Internet and run the fix on the problem you are experiencing. If you stay on-line while running the fix, you’re susceptible to continuous rebooting of your system.

2. When the virus removal program finishes scanning your drive and it has been located and removed. Click on Start->Run and type in the dialog box “cmd” all one word. You will get a black screen window with a blinking cursor. Type the command “net start SharedAccess” exactly as it is shown but without the quotes and hit Enter on your keyboard. These commands will enable/start your Firewall so your computer won’t be vulnerable to be attacked again.


3. Once your firewall is activated, please download the patch from Microsoft; http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe

 

New variant on same theme (seemingly uglier by the minute):
W32.Blaster.B.Worm
"Discovered on: August 13, 2003
- W32.Blaster.B.Worm is a variant of W32.Blaster.Worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135... Symantec Security Response is currently analysing this threat and will post more information once it becomes available..."
- See the site:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.b.worm.html
- Another reference here (always good to have more than one):
http://www.f-prot.com/virusinfo/descriptions/msblastB.html

 

And of course, what's an "A" and "B" without a "C"?

W32.Blaster.C.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.c.worm.html
(Interesting...see "Removal Instructions" detail there);

-or here-
http://www.f-prot.com/virusinfo/descriptions/msblastC.html

 

Remember Hall of Famer Yogi Berra? The guy that said, "It ain't over 'til it's over"? He was a prophet.
(NOTE: In reviewing the past few days, Microsoft sent a few (ahem!) e-mails to their MCP's with advisories on the worm. One of the links mentioned the Symantec site for the original worm, which I dutifully went to, and found -daily- revisions (now at -3-) to the original Symantec referenced webpage.)

Interested parties are invited to re-visit the site:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
"...W32.Blaster.Worm
Discovered on: August 11, 2003
Last Updated on: August 14, 2003 05:05:54 PM...
Revision History:
- August 14, 2003:
Updated DoS payload information.
Added information about the DoS traffic.
- August 13, 2003:
Re-ordered major steps in removal instructions.
Added the download location.
Minor formatting updates.
Removed Windows system restore instructions from removal
- August 12, 2003:
Upgraded to Category 4 from Category 3, based on increased rate of submissions.
Added additional aliases.
Updated the Technical Description section.
Added information to the Removal on changing the settings for RPC..."

EDIT/ADD: One might also want to review the 'B' and 'C' versions:
-B-
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.b.worm.html
-C-
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.c.worm.html

 

FYI...update to W32.Blaster.Worm site from Symantec dtd 4/15/2003:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
Last Updated on: August 15, 2003 04:35:37 PM
"- The following recommendations are for use by network administrators. They can be used to mitigate the Denial of Service payload which is set to activate on August 16, 2003:
- Remove the A record on the internal DNS for windowsupdate.com. This also requires that the DNS cache be updated.
- Internal DNS-spoofing of windowsupdate.com to a special ip-address. This will alert you to infected machines if you have a "listening server" catching the syn flood.
- Reroute windowsupdate.com to the IP address of an internal machine with port 80 firewalled will help to avoid ACKs, RSTs, and ICMP unreachable's.
- Reroute windowsupdate.com to 127.0.0.1. This may result in lots of RSTs on your network (Windows may send RSTs from 127.0.0.1 to the spoofed addresses)
- If your DNS server allows, reroute windowsupdate.com to the IP 0.0.0.0.
- Configuration of anti-spoofing-rules on routers if not already implemented. This will prevent a high percentage of packets leaving the network. Using uRPF or egress ACLs will be highly effective...
...Revision History:
August 15, 2003:
- Added additional recommendation pertaining to mitigating the DoS attack.
- Added reference to updates for Symantec NetRecon and Symantec Vulnerability Assessment.
- Added link to Symantec webcast.
- Additional information about Symantec ManHunt updates."

(For complete detail, use the link posted above).

 

And you might like the sad sight on www.dshield.org
and one wonders, there are firewalls, patches, warnings all over, how is this possible?

 

Interesting reading on their website. I particularly enjoyed reading about their "FightBack" group, some quoted here:

FightBack
http://www.dshield.org/fightback_results.php
"...
DShield.org is now helping users to fight back against attackers. We will analyze submitted log reports and pick a number of strong cases to forward them to the ISP from which the attack originated. A copy of the abuse report will be forwarded to the user...
- FightBack Results
----------
Date: Thu, 29 May 2003 01:05:20 -0700 (PDT)
Thank you for the notification. This host was removed from our network around 17:00 PDT 5/28 (00:00 5/29).
----------
Date: Wed, 28 May 2003 13:51:02 -0700
Thank you for bringing this item to our attention...
The offending workstation has been removed from the network...
The human component has also been briefed on safe computing practices...
----------
Date: 16 May 2003 06:05:16 -0400
This user has been shot.
----------
..."