VIRUS WIN32.BLASTER.WORM

Discussion in 'malware problems & news' started by VANE, Aug 12, 2003.

Thread Status:
Not open for further replies.
  1. VANE

    VANE Guest

    Please help me with this virus: win32.blaster.worm. This virus reboots the machine all the time. How can I destroy it? o_O OS: Windows XP
     
  2. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi Vane,

    MANUAL REMOVAL INSTRUCTIONS

    Terminating the Malware Program

    This procedure terminates the running malware process from memory.

    Open Windows Task Manager: press CTRL+SHIFT+ESC, and click the Processes tab.
    In the list of running programs, locate the process:
    MSBLAST.EXE

    Select the malware process, then press the End Process button.
    To check if the malware process has been terminated, close Task Manager, and then open it again.
    Close Task Manager.

    Removing Autostart Entries from the Registry

    Removing autostart entries from the registry prevents the malware from executing during startup.

    Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
    In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
    In the right panel, locate and delete the entry:
    "windows auto update" = MSBLAST.EXE
    Close Registry Editor.
    NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

    Additional Windows ME/XP Cleaning Instructions

    Running Trend Micro Antivirus

    Scan your system with Trend Micro antivirus and delete all files detected as WORM_MSBLAST.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.

    Applying Patches

    TrendLabs advises all affected users to apply the patch issued by Microsoft at the following page:

    Microsoft Security Bulletin MS03-026

    TrendLabs also asks users to filter access to port 135 and allow trusted and internal sites only.

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
     
  3. budi

    budi Guest

    Hello, please help me too!!
    In my WinXP, in Regedit I can't find "windows auto update" = MSBLAST.EXE.
    What do I do? Please help me, my PC always resets itself.

    ==================

    Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
    In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
    In the right panel, locate and delete the entry:
    "windows auto update" = MSBLAST.EXE
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Most of the major Anti-Virus products can handle killing this infection for you now. Do an update of your AV product and then a full scan to see what it finds.

    Also, there are two other things worth doing. First, go to Windows Update and get the latest patches to secure your system. Second, a firewall or router will protect you from the scans that cause these infections. It is recommended to install one of these to shield your system.
     
  5. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
  6. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Panda also has a removal tool:

    http://www.pandasoftware.com/download/utilities/

    Blaster has already topped the ranking of the viruses most frequently
    detected by the free, online antivirus, Panda ActiveScan. For this reason,
    Panda Software offers all users its PQREMOVE application, which is
    especially designed to detect and eliminate the Blaster worm and repair the
    damage that it may have caused in affected computers. This utility is
    available for download at http://www.pandasoftware.com/download/utilities/.
     
  7. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    "The Cleaner" will also remove it!

    http://www.moosoft.com/thecleaner/download.php
     
  8. joel4444

    joel4444 Guest

    1. You have a virus. Please download the program: http://download.nai.com/products/mcafee-avert/stinger.exe . Once the download is complete, you will need to disconnect from the Internet and run the fix on the problem you are experiencing. If you stay on-line while running the fix, you're susceptible to continuous rebooting of your system.

    2. When the virus removal program finishes scanning your drive and the virus has been located and removed, click on Start->Run and type in the dialog box "cmd", all one word. You will get a black screen window with a blinking cursor. Type the command "net start SharedAccess" exactly as it is shown but without the quotes and hit Enter on your keyboard. This command will enable/start your Firewall so your computer won't be vulnerable to being attacked again.

    3. Once your firewall is activated, please download the patch from Microsoft: http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe
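    The manual steps in the removal post above (MSBLAST.EXE in Task Manager, the "windows auto update" Run entry) and the firewall step in this post can be checked in one read-only script. This is an added example, not code from the thread or from any vendor; it assumes a PowerShell prompt with admin rights and only reports, it does not delete anything.

```powershell
# Added example (not from the thread): read-only check for the Blaster
# indicators described in the posts above. Run from an elevated PowerShell.
$indicators = @()

# 1. Is the worm process MSBLAST.EXE running? (Get-Process takes the name
#    without the .exe extension.)
$proc = Get-Process -Name 'msblast' -ErrorAction SilentlyContinue
if ($proc) {
    $indicators += "process msblast.exe running (PID $($proc.Id -join ','))"
}

# 2. Does the HKLM Run key carry the "windows auto update" = MSBLAST.EXE entry?
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$entry = Get-ItemProperty -Path $runKey -Name 'windows auto update' `
         -ErrorAction SilentlyContinue
if ($entry -and $entry.'windows auto update' -match 'msblast') {
    $indicators += "Run entry 'windows auto update' = $($entry.'windows auto update')"
}

# 3. Is the firewall service (SharedAccess) running? The thread's
#    "net start SharedAccess" step starts it; here we only report its state.
$svc = Get-Service -Name 'SharedAccess' -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    $indicators += 'SharedAccess (firewall) service is not running'
}

# 4. Is the MS03-026 hotfix (KB823980, linked above) listed? Later service
#    packs include the fix without a separate KB entry, so verify manually
#    before treating this as a finding on a patched system.
$fix = Get-HotFix -Id 'KB823980' -ErrorAction SilentlyContinue
if (-not $fix) {
    $indicators += 'MS03-026 hotfix KB823980 not listed by Get-HotFix'
}

if ($indicators.Count -eq 0) {
    'No Blaster indicators found.'
} else {
    'Findings:'
    $indicators | ForEach-Object { " - $_" }
}
```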
     
  9. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :eek: New variant on same theme (seemingly uglier by the minute):
    W32.Blaster.B.Worm
    "Discovered on: August 13, 2003
    - W32.Blaster.B.Worm is a variant of W32.Blaster.Worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135... Symantec Security Response is currently analysing this threat and will post more information once it becomes available..."
    - See the site:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.b.worm.html
    - Another reference here (always good to have more than one):
    http://www.f-prot.com/virusinfo/descriptions/msblastB.html
     
  10. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
  11. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :eek: Remember Hall of Famer Yogi Berra? The guy that said, "It ain't over 'til it's over"? He was a prophet.
    (NOTE: In reviewing the past few days, Microsoft sent a few (ahem!) e-mails to their MCP's with advisories on the worm. One of the links mentioned the Symantec site for the original worm, which I dutifully went to, and found -daily- revisions (now at -3-) to the original Symantec referenced webpage.)

    Interested parties are invited to re-visit the site:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
    "...W32.Blaster.Worm
    Discovered on: August 11, 2003
    Last Updated on: August 14, 2003 05:05:54 PM...
    Revision History:
    - August 14, 2003:
    Updated DoS payload information.
    Added information about the DoS traffic.
    - August 13, 2003:
    Re-ordered major steps in removal instructions.
    Added the download location.
    Minor formatting updates.
    Removed Windows system restore instructions from removal
    - August 12, 2003:
    Upgraded to Category 4 from Category 3, based on increased rate of submissions.
    Added additional aliases.
    Updated the Technical Description section.
    Added information to the Removal on changing the settings for RPC..."

    EDIT/ADD: One might also want to review the 'B' and 'C' versions:
    -B-
    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.b.worm.html
    -C-
    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.c.worm.html
     
  12. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    :eek: FYI...update to W32.Blaster.Worm site from Symantec dtd 4/15/2003:

    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
    Last Updated on: August 15, 2003 04:35:37 PM
    "- The following recommendations are for use by network administrators. They can be used to mitigate the Denial of Service payload which is set to activate on August 16, 2003:
    - Remove the A record on the internal DNS for windowsupdate.com. This also requires that the DNS cache be updated.
    - Internal DNS-spoofing of windowsupdate.com to a special ip-address. This will alert you to infected machines if you have a "listening server" catching the syn flood.
    - Reroute windowsupdate.com to the IP address of an internal machine with port 80 firewalled will help to avoid ACKs, RSTs, and ICMP unreachable's.
    - Reroute windowsupdate.com to 127.0.0.1. This may result in lots of RSTs on your network (Windows may send RSTs from 127.0.0.1 to the spoofed addresses)
    - If your DNS server allows, reroute windowsupdate.com to the IP 0.0.0.0.
    - Configuration of anti-spoofing-rules on routers if not already implemented. This will prevent a high percentage of packets leaving the network. Using uRPF or egress ACLs will be highly effective...
    ...Revision History:
    August 15, 2003:
    - Added additional recommendation pertaining to mitigating the DoS attack.
    - Added reference to updates for Symantec NetRecon and Symantec Vulnerability Assessment.
    - Added link to Symantec webcast.
    - Additional information about Symantec ManHunt updates."

    (For complete detail, use the link posted above).
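    The Symantec recommendations quoted above suggest pointing windowsupdate.com at an internal "listening server" so the SYN flood itself reveals infected machines. The following is an added example, not from the thread or from Symantec: it assumes the listening server runs Windows Firewall with logging enabled and parses its pfirewall.log (W3C field order) to list sources flooding the sinkhole's port 80 or probing TCP 135. The sample log lines are constructed.

```powershell
# Added example (not from the thread). Parses pfirewall.log lines whose
# fields are: date time action protocol src-ip dst-ip src-port dst-port
# size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
function Find-BlasterSources {
    param(
        [string[]]$LogLines,
        [string]$SinkholeIp,        # IP that windowsupdate.com was rerouted to
        [int]$SynThreshold = 5      # SYNs to sinkhole:80 before a source is flagged
    )
    $synCounts = @{}   # source IP -> SYNs aimed at the sinkhole's port 80
    $rpcCounts = @{}   # source IP -> connection attempts to TCP 135
    foreach ($line in $LogLines) {
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 10 -or $f[3] -ne 'TCP') { continue }
        $src = $f[4]; $dst = $f[5]; $dport = $f[7]; $flags = $f[9]
        if ($dst -eq $SinkholeIp -and $dport -eq '80' -and $flags -eq 'S') {
            $synCounts[$src] = 1 + [int]$synCounts[$src]
        }
        if ($dport -eq '135') {
            $rpcCounts[$src] = 1 + [int]$rpcCounts[$src]
        }
    }
    $sources = @($synCounts.Keys) + @($rpcCounts.Keys) | Sort-Object -Unique
    foreach ($ip in $sources) {
        $syn = [int]$synCounts[$ip]; $rpc = [int]$rpcCounts[$ip]
        if ($syn -ge $SynThreshold -or $rpc -gt 0) {
            [pscustomobject]@{ Source = $ip; SynToSinkhole = $syn; Port135Attempts = $rpc }
        }
    }
}

# Constructed sample (not real traffic): 10.0.0.23 floods the sinkhole,
# 10.0.0.77 probes TCP 135, 10.0.0.5 makes one ordinary web connection.
$sampleText = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2003-08-16 00:00:01 DROP TCP 10.0.0.23 10.0.0.250 1044 80 48 S 1 0 16384 - - - RECEIVE
2003-08-16 00:00:01 DROP TCP 10.0.0.23 10.0.0.250 1045 80 48 S 1 0 16384 - - - RECEIVE
2003-08-16 00:00:02 DROP TCP 10.0.0.23 10.0.0.250 1046 80 48 S 1 0 16384 - - - RECEIVE
2003-08-16 00:00:02 DROP TCP 10.0.0.77 10.0.0.250 3012 135 48 S 1 0 16384 - - - RECEIVE
2003-08-16 00:00:03 OPEN TCP 10.0.0.5 10.0.0.250 2201 80 48 S 1 0 16384 - - - RECEIVE
'@
$sample = $sampleText -split "`r?`n"

Find-BlasterSources -LogLines $sample -SinkholeIp '10.0.0.250' -SynThreshold 3 |
    Format-Table -AutoSize
```

    On the constructed sample this lists 10.0.0.23 (three SYNs to the sinkhole) and 10.0.0.77 (one port 135 attempt); 10.0.0.5 stays below the threshold.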
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    And you might like the sad sight on www.dshield.org.
    And one wonders: there are firewalls, patches, warnings all over, how is this possible?
     
  14. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
    ;) Interesting reading on their website. I particularly enjoyed reading about their "FightBack" group, some quoted here:

    FightBack
    http://www.dshield.org/fightback_results.php
    "...
    DShield.org is now helping users to fight back against attackers. We will analyze submitted log reports and pick a number of strong cases to forward them to the ISP from which the attack originated. A copy of the abuse report will be forwarded to the user...
    - FightBack Results
    ----------
    Date: Thu, 29 May 2003 01:05:20 -0700 (PDT)
    Thank you for the notification. This host was removed from our network around 17:00 PDT 5/28 (00:00 5/29).
    ----------
    Date: Wed, 28 May 2003 13:51:02 -0700
    Thank you for bringing this item to our attention...
    The offending workstation has been removed from the network...
    The human component has also been briefed on safe computing practices...
    ----------
    Date: 16 May 2003 06:05:16 -0400
    This user has been shot.
    ----------
    ..."
     