Computer virus alert


B-bear

I know this may be a bit off topic but I wanted to let you all know about this new virus that is out. This new virus is called msblaster.exe or "Blaster" and is going to be a big pain for home users running almost any kind of Windows. It doesn't really do a lot of damage but you can be infected just by surfing the web-- unlike most other versions of worms that you would get in an email. Contact your virus protection software supplier to get info or the current patch.
Many users are going to get it. It does not do a lot of damage (so far) to your PC but it will cause you to have to reboot a lot, rendering your PC almost unusable for the Internet. Watch for this error message, if you see this error you are infected:
"Windows must now restart because the remote procedure call RPC service terminated unexpectedly NT Authority System has initiated the shutdown since the RPC service terminated unexpectedly."

Just wanted to send out an FYI to my Minnesota Fishing Family.

Link to comment
Share on other sites

This critter got us at work - our help desk is taking 30+ calls an hour.

The affected OS's are Win XP and 2000.

Does not appear to attack 95, 98, or NT.

There is a patch available from Microsoft -

this might be a FM no-no - but here's the URL to Microsoft and the patch.....

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp


Notice that the critter wraps - make sure to copy and paste it all.

Good Luck

UG

Link to comment
Share on other sites

It does affect some NT.
From Microsoft's bulletin:
Affected Software:
Microsoft Windows NT® 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server™ 2003

Link to comment
Share on other sites

It's a Windows security hole that hackers use to access your puter. How to get rid of it: start / run / type regedit / edit / find / type in "msblast" and search for it.
Delete msblaster.

Now start / search / find files and folders / type in msblast and have it search your hard drive(s). Delete it again. If it's running in the background you won't be able to delete it. Ctrl Alt Delete and shut it down. Now delete it again.

Update Windows now. Give yourself further protection with a firewall. Zone Alarm is a free firewall.

[This message has been edited by Surface Tension (edited 08-12-2003).]

Link to comment
Share on other sites

I had it too ... it really stinks. The sad thing is that it's too late for the people who do have this to read the warnings. You really need an internet connection to get the patch/update. Once you have the virus, there isn't much you can do from that computer. Make sure if you do have a firewall to block the FTP port 21. Many people leave this open for FTPing, but this is the port I was told the virus is using.

[This message has been edited by Hole in Ice (edited 08-12-2003).]

Link to comment
Share on other sites

B-Bear

Odd - we have NT here as well as XP & 2000, and it (the patch) was only addressed to those of us who use XP & 2000.

Sad thing is - I glossed right over the "NT" item.

When I got it - Norton Anti Virus actually caught it and deleted it, but my system kept crashing due to bad RPC calls. It took about 4-5 tries to get NAV thru my entire system. Then I applied the patch, and then a "fix tool" our help desk got from Symantec. The tool ran the registry/filesystem - I was clean at that point. System has been stable since.

I would also guess that even if you had the virus, you might be able to download the fix - my system was up and down all day - but during the "up" time, I was able to get on the 'net.

UG

Link to comment
Share on other sites

be sure to go to windows update and patch your machines soon. on the 16th, it will start activity against the windows update site, so most likely that will be very slow. the patch was released july 16th for this flaw.
gte

Link to comment
Share on other sites

Hole,
Yes, if you run ST's instructions you can stop the virus-- for the moment. It will find you again and "re-attack"--which seems to be the problem that Hoyter is running into. Once you stop it momentarily you will need the patch to keep it from re-infecting again.
This will find you and infect you through port 135 or 4444. Once infected your PC will:
Install itself on your PC by downloading a copy of itself from the TFTP server (the computer that infected you initially).
Once downloaded your PC effectively becomes another TFTP server and commences a search of IP's on the Internet it can infect on port 135 or 4444 and the cycle begins again.
Twice a month the virus will also launch a DOS attack on Windows Update (funny that's where you can go to get the patch)-- thus trying to limit the number of people who can effectively get the patch.
So to answer Hoyter's question, you and thousands maybe millions of PC's infected ARE the server trying to infect others. But your company's main server probably doesn't have it unless it is running one of the OS's stated in the bulletin.

[This message has been edited by B-bear (edited 08-12-2003).]

Link to comment
Share on other sites

Another set of instructions to elaborate on ST's:
MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

This procedure terminates the running malware process from memory.

Open Windows Task Manager: press CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs, locate the process:
MSBLAST.EXE

Select the malware process, then press the End Process button.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
"windows auto update" = MSBLAST.EXE
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Link to comment
Share on other sites

I am sure glad I'm running on the Windows ME (Millennium Edition) operating system. I had thought about upgrading to the XP, but I am glad I had not.

Good luck to all that had/have the virus, I hope you can get it all cleared up.

------------

Fishn'Lady

Link to comment
Share on other sites

I know there are a few others who have XP, and they probably won't be able to see this if they have the problem, whose PCs are restarting so soon that they can't get any thing started in terms of removing the problem.

Follow these instructions:
During power up, after the power-up test, press F8.

This will open a new screen with safe-mode options. You'll need to use the keyboard to select an option.

You'll want to boot into safe-mode.

Once your PC is up, press CTRL+ALT+DEL

This will open your task manager.

Select the Processes Tab

Find msblast.exe, highlight it and click End Process.

Close the task manager.

Click "Start" & Search.

Search all local hard drives for msblast.*

Once located, highlight all the files and delete.

Empty the Recycle Bin.

Reboot the PC normally this time.

Connect to the internet and download the patch for your operating system. XP Home Edition users should download the 32-bit edition.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

Just to keep it simple, save the download to disk and save it to your desktop.

Minimize all files and double click on the new file on your desktop.

Follow the instructions to install the patch.

Once complete the install will restart the PC, let it.

Once back up and running update all virus software and install Zone Alarm's free firewall protection.

Link to comment
Share on other sites
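The indicators named in the two removal walk-throughs above (the MSBLAST.EXE process, the "windows auto update" Run value, and msblast.* files) can be checked from collected command output when many machines need triage. This is an added example, not part of any post in the thread; the `tasklist /fo csv`, `reg query` and `dir /s /b` output formats, the function names and the sample data are assumptions constructed for illustration.

```python
import csv, io, re

PROCESS_NAME = "msblast.exe"            # process/file name given in the thread
RUN_VALUE_NAME = "windows auto update"  # Run-key value name given in the thread

def running_pids(tasklist_csv):
    """PIDs of msblast.exe in `tasklist /fo csv` output."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return [r[1] for r in rows if len(r) > 1 and r[0].strip().lower() == PROCESS_NAME]

def autostart_hits(reg_query_text):
    """(name, data) pairs under the Run key that match either indicator."""
    hits = []
    for line in reg_query_text.splitlines():
        # Value lines are indented: name, type (REG_*), data.
        m = re.match(r"^\s+(.+?)\s+(REG_\w+)\s*(.*)$", line)
        if m and (m.group(1).lower() == RUN_VALUE_NAME
                  or PROCESS_NAME in m.group(3).lower()):
            hits.append((m.group(1), m.group(3).strip()))
    return hits

def dropped_files(dir_listing):
    """Paths in `dir /s /b` output whose file name matches msblast.*"""
    paths = [p.strip() for p in dir_listing.splitlines() if p.strip()]
    return [p for p in paths if p.rsplit("\\", 1)[-1].lower().startswith("msblast.")]

def cleanup_steps(tasklist_csv, reg_query_text, dir_listing):
    """Ordered steps; the process goes first because a running copy cannot be deleted."""
    steps = []
    if running_pids(tasklist_csv):
        steps.append("end process")
    if autostart_hits(reg_query_text):
        steps.append("delete Run value")
    if dropped_files(dir_listing):
        steps.append("delete files")
    if steps:
        steps.append("install MS03-026 patch")  # without it the host is reinfected
    return steps

# Constructed sample output from one host (not taken from the thread).
TASKLIST = ('"Image Name","PID","Session Name","Session#","Mem Usage"\n'
            '"svchost.exe","812","Console","0","3,420 K"\n'
            '"MSBLAST.EXE","1432","Console","0","1,208 K"\n')
REG = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
       "    windows auto update    REG_SZ    msblast.exe\n"
       "    ExampleTray    REG_SZ    C:\\Example\\tray.exe\n")
DIR = "C:\\WINDOWS\\system32\\msblast.exe\nC:\\WINDOWS\\Prefetch\\MSBLAST.EXE-0A1B2C3D.pf\n"

if __name__ == "__main__":
    print(cleanup_steps(TASKLIST, REG, DIR))
```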

There is a tool on Symantec's AKA Norton Anti-Virus's, HSOforum that is small enough to put on a floppy and run on any computer. Just go to www.symantec.com. Once you have got rid of the virus go to the posted site for the patch and install it and you will be good to go. It broadcasts and attacks on port 135 and the patch closes the hole that was there.

I work in IT and we spent the whole day on Tues. fixing servers and PCs. We had about 120 PCs and servers hit. It only attacks W2k and XP, the rest are safe.

The people who write and send these things out should be treated like terrorists. The cost to economy is mind boggling.

Link to comment
Share on other sites

Good luck to everyone out there that hasn't been able to clear out this worm. It took me three days to finally take care of the darn thing. Too bad this worm is no good for fishing!

Link to comment
Share on other sites

We got hit bad by the blaster.worm virus. We downloaded the patch but it didn't work. So we brought it into a we know who deals in computers. He got rid of it and updated everything and only charged $40 bucks. It is squeaky clean and runs great now. I think we had a new strain of the virus. We run XP and Norton wouldn't get rid of it, it quarantined it but when we tried to delete it it just came back. I was told that it is sent through Instant Messenger programs (msn, aol, yahoo, etc.) Good fishin'.

Link to comment
Share on other sites
