just encountered msblast.exe (worm)

Sunshine
08-12-2003, 06:46 PM
Not picked up by the version of AVG prior to the most recent update....

Spent most of today reinstalling Windows to get the darn puter actually moving (instead of crashing), then followed these instructions (http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html)

Although I then updated AVG and ran it to find the virus location.

After I'd done all of that, I found it was best to re-run AVG to clean out System Restore, and then rebooted because IE was playing up.

Now got a clean system again :D, but have lost all the cookies somehow :rolleyes:

Ah well.... here's hoping you've all updated your AVG / anti-virus programs! :thumb:

Mr. C
08-12-2003, 07:07 PM
Better yet, get the patch to close the vulnerability: Microsoft Security Bulletin MS03-026 (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp)

This vulnerability will likely be exploited again. Best to close the hole; then AVG won't have to be put to use at all against malware introduced this way.

This exploit affects the following unpatched OSes:
Windows NT 4.0
Windows XP - Home & Pro
Windows 2000
Windows Server 2003

kane2g
08-12-2003, 07:24 PM
My day.
2 PM: Got up and saw a big net send message on my screen. After closing it I got my first reboot.
Shortly after that, I came back online and found out that amd_man is having the same issues.
4 PM: Decided to reinstall Windows.
4:30 PM: Saw that all my farm systems had the damn thing.
Decided to put W2K on some instead of XP.
Around 7 or so, amd_man gave me the link on how to get rid of the virus.
It's like 5 AM now and I just finished reinstalling all the software.
BTW, backing up my XP SP1 on a CD was a good idea. But for W2K I had to download about 30 MB of updates, followed by another 30 MB for XP that SP1 didn't cover.
ALL ON DIALUP. Took a while but I got it.
Sure was fun day! Thankfully I had some beer in the fridge to keep me company!!!! :cheers:

Lucky Win98 runnin *******s got lucky!!!!!!!!!!

Sunshine
08-12-2003, 08:18 PM
:cantfocus Oops, yes, forgot to mention that one, Mr. C. I did the patch as well. Thing is, after the big move across the world, I only just got back online after 8 weeks, so despite being a regular patch updater, I slipped this one time.... that'll teach me....

Osiris
08-12-2003, 08:36 PM
Oh, this one is a ***** :mad:!

After I first got it, I tracked it down through Task Manager and the Run part of the Registry... thought I'd killed it, but it's obviously sneakier than that... so I ended up reinstalling XP (box needed it anyway).

Needless to say, first thing I have done now is patched it :).

Wiggo's-sister
08-12-2003, 08:47 PM
ZDNet (http://downloads-zdnet.com.com/3150-2092-0.html?qt=msblastcoll&tag=sptlt)

Maybe running ME wasn't such a bad idea after all. :?:

Beefy
08-12-2003, 09:29 PM
Ahhh, the benefits of a decent hardware firewall. :)

amd_man2005
08-12-2003, 11:18 PM
Ah, yesterday was bloody hell. :( I found nearly everyone I talk to on IMs was also having this problem, so of course ya know what I was sitting here doing :( Shows damn M$ needs to watch out more "carefully" for vulnerabilities like this. :rolleyes2

:cheers:

DigitalDD
08-13-2003, 12:29 AM
One warning about the MS patch: it still leaves you vulnerable to a DoS attack, so it's really only half of a patch. They can't take control of your machine, just crash it..

Last night one of my friends' machines crashed while we were playing a nice friendly game of UT2k3. His machine was patched but still crashed during the game with some message about RPC or DCOM..

asklepios
08-13-2003, 04:24 AM
DigitalDD,
Since you experienced it yourself, I can't say anything, but after applying those patches DoS attacks can just cause your net connection to crash while keeping your PC safe and running. Thus I would recommend that you consider re-checking the updates and, if possible, install a firewall.

minibubba
08-13-2003, 08:03 AM
Wow, looks like I got lucky... been offline for the last 4(?) days, so I got to miss all the 'fun'...

Sunshine
08-13-2003, 01:39 PM
Ahhh, the benefits of a decent hardware firewall. :)

:o Yes, "normally" have one of those as well via a router, but as MrSunshine's PC got smashed up in the move I didn't think (doh) to install the router as well and just plugged straight in....

Birdkiller
08-13-2003, 02:19 PM
Shows damn M$ needs to watch out more "carefully" for vulnerabilities like this. :rolleyes2

:cheers:

They have; the patch has been out since the 16th of July.

Sunshine
08-13-2003, 07:57 PM
Indeed - I've been offline since June 12th and look what happens on my first day back.... Ah well, lesson to us all to regularly check the patches and updates, eh??! :beer:

Blueyes
08-13-2003, 08:24 PM
So DCOM is also part of this worm, eh? I got that on my work PC trying to get through my firewall, but I squashed it lol.... Knowing the people that work in this university, though, I'll bet any amount of money they accepted it.

Thoric
08-13-2003, 09:43 PM
Ahhh, the benefits of a decent hardware firewall. :)

Yeah, aren't they great? Telstra actually supplied me with something that isn't that bad to work with.

I leave my computer on 24/7 and haven't got it, but I installed the patch anyway.

Nearly everyone I know runs WinXP and everyone's got it. Nasty bugger.

DigitalDD
08-13-2003, 10:01 PM
DigitalDD,
Since you experienced it yourself, I can't say anything, but after applying those patches DoS attacks can just cause your net connection to crash while keeping your PC safe and running. Thus I would recommend that you consider re-checking the updates and, if possible, install a firewall.

It really was a friend, not a "friend" :peace2: I have myself a nice Coyote Linux-based firewall here running off an old slimline Compaq 386..

Mr. C
08-14-2003, 12:45 AM
Yeah, good ol' Windows 98.
It's got its fair share of problems, but at least we did escape this one.

Friend of mine fell victim to Blaster, disinfected, used System Restore - proceeded to lose 11 files between the infection and the restore point.

Gave him this ever-ready linkage:
http://www.theabsolute.net/sware/dskinv.html

Yep, Disk Investigator, you've heard me mention it before and thought some of you might be able to make use of it now.

All 11 files recovered in perfect condition :thumb:

So, if you do find yourself in the same boat he did, there's maybe a hope for you.
Good Luck

minibubba
08-14-2003, 06:58 AM
Looks like there is a mad dash to Windows Update :laugh: I just thought I'd head over to Windows Update and their servers are the slowest I've ever seen. At first I thought it was just on my end, but after checking around it seems pretty common. Just seems kinda funny that it takes something like this to send everyone running for the latest updates.

From what I've read, it was pretty lousy programming too. Probably some kid who picked up a 'How to...for Dummies' book. I just hate to think what will happen when a real programmer gets a hold of this and decides to have some real 'fun'...

Blueyes
08-14-2003, 09:06 AM
Actually, Mr. C, I got that DCOM fault on a Win98 machine at work, so it's not limited to those versions, but M$ is limiting its patches to what versions they want.

Mr. C
08-14-2003, 10:02 AM
Actually, Mr. C, I got that DCOM fault on a Win98 machine at work, so it's not limited to those versions, but M$ is limiting its patches to what versions they want.

I'd be quite interested to learn the exact method of infection :?:

Thoric
08-14-2003, 03:15 PM
I'm hearing all sorts of things that this virus does:

from internet connections that disconnect every 60 secs, to shutdowns in 60 secs, to the worm attacking windowsupdate.com from an infected computer.

Looks like the 60 sec shutdown is the prominent symptom.

:cantfocus

:shoot3: :shoot:

Sunshine
08-14-2003, 07:44 PM
Yup, 60 sec shutdown - hence the need to reinstall to start up.
I got infected via the service provider, as everyone is being hit - one mate even pulled out his phone when he caught it trying to download itself onto his puter! :eek:

G Smith
08-14-2003, 10:34 PM
One of my clients had the 60 sec shutdown, but I was able to stop that by disconnecting their DSL line. It was like a DoS attack on port 135. Once I did that I was able to install and run a virus removal tool, patch their Windows and update their Norton.

Full scan cleaned up the rest of the junk and they are good to go now.

Although much more aware of the need to keep their computer updated!!! :hammer:

The 60-second restart seems to be from internet traffic scanning port 135. If you disconnect from the internet you should be able to boot up, but the computer runs VERY slowly until you get rid of the virus.
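
G Smith's diagnosis above (the 60-second restart tracking inbound traffic on port 135) is the kind of thing worth confirming from a firewall log rather than guessing at. The following Python is an added example for this thread, not code posted by anyone in it. It assumes the column layout of Windows XP's Internet Connection Firewall log (pfirewall.log, space-separated with a `#Fields:` header), and the log lines embedded in it are constructed for illustration, not a real capture.

```python
"""
Pick out hosts hammering TCP/135 (the RPC endpoint mapper) in a Windows XP
Internet Connection Firewall log, the pattern G Smith describes in the thread.

Added example; not code any participant posted. Assumptions: the pfirewall.log
column order used below, and the sample lines, which are constructed for
illustration rather than taken from a real capture.
"""
from collections import Counter, defaultdict
from datetime import datetime

RPC_PORT = 135  # the port the thread identifies as being scanned

# Constructed sample log (assumed XP ICF layout). Columns after dst-port are
# carried along but not used here.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-12 18:31:02 DROP TCP 203.0.113.45 192.0.2.10 3412 135 48 S 1288374 0 65535 - - -
2003-08-12 18:31:03 DROP TCP 203.0.113.45 192.0.2.10 3413 135 48 S 1288375 0 65535 - - -
2003-08-12 18:31:05 DROP TCP 198.51.100.7 192.0.2.10 1055 135 48 S 99812 0 16384 - - -
2003-08-12 18:31:10 DROP UDP 198.51.100.7 192.0.2.10 1056 137 78 - - - - - - -
2003-08-12 18:31:14 OPEN TCP 192.0.2.10 198.51.100.200 1077 80 - - - - - - - -
2003-08-12 18:31:29 DROP TCP 203.0.113.45 192.0.2.10 3414 135 48 S 1288376 0 65535 - - -
2003-08-12 18:31:58 DROP TCP 203.0.113.45 192.0.2.10 3415 135 48 S 1288377 0 65535 - - -
2003-08-12 18:33:41 DROP TCP 203.0.113.45 192.0.2.10 3416 135 48 S 1288378 0 65535 - - -
"""


def parse_icf_log(text):
    """Parse data rows into dicts. '#' directive lines and blanks are skipped,
    and rows with too few columns are ignored rather than raising."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split()
        if len(cols) < 8:
            continue
        records.append({
            "time": datetime.strptime(f"{cols[0]} {cols[1]}", "%Y-%m-%d %H:%M:%S"),
            "action": cols[2],
            "proto": cols[3],
            "src": cols[4],
            "dst": cols[5],
            "sport": int(cols[6]) if cols[6].isdigit() else None,
            "dport": int(cols[7]) if cols[7].isdigit() else None,
        })
    return records


def rpc_attempts(records):
    """All TCP rows aimed at the RPC endpoint mapper port."""
    return [r for r in records if r["proto"] == "TCP" and r["dport"] == RPC_PORT]


def port135_hits(records):
    """Counter of source IPs by number of TCP/135 attempts."""
    return Counter(r["src"] for r in rpc_attempts(records))


def scanners(records, min_hits=3, window_seconds=60):
    """Sources that made at least min_hits TCP/135 attempts inside any
    window_seconds span; the value is the densest window's count. The 60 s
    default matches the restart interval reported in the thread."""
    by_src = defaultdict(list)
    for r in rpc_attempts(records):
        by_src[r["src"]].append(r["time"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            flagged[src] = best
    return flagged


def allowed_to_rpc(records):
    """TCP/135 rows the firewall did not DROP. Anything here means the RPC
    port was reachable and the MS03-026 patch is the only thing in the way."""
    return [r for r in rpc_attempts(records) if r["action"] != "DROP"]


if __name__ == "__main__":
    recs = parse_icf_log(SAMPLE_LOG)
    print("TCP/135 attempts per source:", dict(port135_hits(recs)))
    print("sources flagged as scanning:", scanners(recs))
    print("TCP/135 rows not dropped:", len(allowed_to_rpc(recs)))
```

A DROP row means the firewall discarded the probe before RPC saw it; a machine plugged straight into the modem with no firewall, as Sunshine describes earlier in the thread, produces no such log at all, so this check only helps where a firewall was actually in the path. If `allowed_to_rpc` returns anything, port 135 was reachable from outside and the MS03-026 patch was the only defence.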

gh0stsurf
08-21-2003, 06:18 AM
Lucky Win98 runnin *******s got lucky!!!!!!!!!!

That be me :flames: :flames: :flames: :rofl: :shh: