Guest Panman

Info on MSBLAST - Important Virus Information


If I may add a little thing to IF you catch it and are using Windows XP.

Since the worm will start a countdown and shut down the computer shortly after when using the internet, some people might have difficulty downloading the patch above.

The solution (if using WinXP):

The worm will be disabled from using the above-named ports (or working at all) if you enable the Internet Connection Firewall (under the properties of your dial-up/broadband connection). Of course any other regular 3rd party firewall will allow for this as well :)

You are then able to use the internet without the worm shutting everything down and you can download the patch/removal tool from the link above.


How do you access and block these ports? I have never done this and have a cable connection, Norton Internet Security and antivirus. Please help.

NP


Hi Ken,

I absolutely second what you said!!

Our (my wife's and mine) McAfee detected this trojan "Exploit-DcomRpc" on 10th Aug, but was not able to delete it, only to isolate it and put it into "quarantine". Every time we entered the internet again or received emails, the virus was detected again in the tftp.exe and was isolated again. The annoying thing was that after every isolation Win XP shut down automatically.

Then I downloaded the MS03-026 patch from the MS site to fix the Windows RPC bug. Since then the virus was not detected any more.

Also I can only recommend to everybody to download the MS03-026 patch immediately and to install it.

Regards
Wolfgang


Hi there,

this is a bit embarrassing but I found two WinXP updates, one for 32 and the other one for 64bit, and evidently I'm too stupid to figure out which one I have ;-)

I'm using WinXP Home, would that be the 32bit version?

Also, shouldn't the Windows Update automatically detect and suggest the installation of the new fix? I've tried updating but I don't get any critical updates listed?!

Any help would be greatly appreciated.

Cheers,
Pete

AthlonXP2000, AbitKX7-333 (latest 4in1), 512MB/2700 SDRAM, WinXP, DirectX8.1, Geforce3 TI200 (128MB) (Det.30.82), SBlive (WDM5.1.2601.0)


Hi,

It's a bit confusing, but you need the one for Win XP Home, which turns out to be 32, go figure. If you don't see it, go to the MS download center and go to Win XP.

Bob


Pete, just try which one fits. The system will tell you upon installation if you try to install the wrong one (you can't do any harm).

I'm running XP Pro and I also was not sure if I have the 32 bit or the 64 bit version. Like you I guessed XP Home is 32 bit and XP Pro must be 64 bit. So I downloaded the 64 bit version. Immediately after starting the installation, a window popped up, telling me that this 64 bit file does not match my system. So I downloaded the 32 bit version and everything went fine.

I think 32 bit is more common, so I would try this one first.

Wolfgang


I don't seem to have this thing, but I think from what I have seen, in case you experience the shutdown countdown timer box (applies to WinXP I think), you might try the following before you reach "zero": hit Win+R, type cmd, hit enter, change to your WINDOWS\SYSTEM32 directory and call shutdown -a; that should disable the countdown. But maybe that worm overrides this, I don't know...

Good luck all, I doubt I will get it, I'll go on vacation tomorrow so my PC is off anyway... ;)


Just to clear up any confusion, all systems based on Intel Pentium or AMD Athlon are running the 32bit version of XP, whether Home or Pro. The 64bit version is strictly for the Intel IA64 (or Itanium) processor, which is not on any desktop system and only a few high end servers.


For systems that have the worm and are rebooting, I recall seeing a procedure that said to start the PC in safe mode then use regedit to remove the msblaster executable under the software tab. After rebooting in normal mode the patch can then be installed.


Wonderful case of jargon overcoming common sense by Microsoft, i.e. "Download fix for Windows 64 bit or 32 bit". Very helpful (not!). Translation: Windows XP = 32 bit.

Quick way to disable the virus while you download the fix from your virus agent or MS: Go to your Control Panel/Administrative Tools/Services and find "Remote Procedure Call" and double click on it. Then click on "Recovery" and choose "Take No Action". This will ensure that the virus doesn't close down Windows before you have had a chance to download the fix.

Best Regards,
Rob Young


Put otherwise: unless you know you're running it you almost certainly aren't :(

Of course the biggest eye-opener for alert people will be that the hotfix has been available from Microsoft for almost a month now, yet no one seems to have bothered keeping their computers up to date (which would have prevented infection) :-aol

Up to date virus scanners and firewalling software would almost certainly have blocked it as well, see above for reasons for getting infected anyway :-violin

My firewall prevented well over 300 intrusion attempts yesterday, over 90% of them at ports used by this worm. That's an 80% increase from Tuesday!


I'll remember that next time I see the computer trade magazine that I read advertise Windows XP Pro 32 Bit Edition and Windows XP Pro 64 Bit Edition.


>I'll remember that next time I see the computer trade
>magazine that I read advertise Windows XP Pro 32 Bit Edition
>and Windows XP Pro 64 Bit Edition.

Yep, on the MS download site they ask you if you are running Win XP 32 bit or Win XP 64. So there are 2 versions of Win XP (well, actually 4 :-) ).

BTW, I do not think it is the virus itself which closes the system. As I understand it, Win XP closes for security reasons after the virus scanner has detected the virus and has isolated the infected file. Or it closes because the system cannot run safely without the isolated file. At least it was this way in my case.

The virus which got into my system through this "security hole" was the ExploitDcom-Rpc. A trojan which is used by someone to retrieve data from your computer etc. So the producer of this virus has no interest that the system will shut down.

BTW, at the moment there is not just ONE worm/virus around that takes advantage of this particular Windows security bug. The MS patch will prevent from all of them.

Wolfgang


In case you haven't heard, there is a virus spreading around that takes advantage of a security hole in Microsoft OS (note you can catch this virus even if your virus scanner is up to date. It does NOT travel through email, but attempts to connect to your computer via the ports described below):

W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. This worm attempts to download and run the Msblast.exe file.

Block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the applications listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

The worm also attempts to perform a Denial of Service (DoS) on Windows Update. This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.

For more information, please see the following links:

http://securityresponse.symantec.com/avcen...aster.worm.html

Patch from Microsoft is at http://www.microsoft.com/technet/treeview/...in/MS03-026.asp

I STRONGLY ADVISE everyone to patch their OS and block these ports if you haven't already.

"We are the music makers, and we are the dreamers of dreams."

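As an added example (not part of the original thread), here is one way to check a firewall log for dropped connection attempts on the three ports named in the post above. The log lines are constructed, the column layout is assumed to follow the `#Fields:` header of the XP Internet Connection Firewall log, and the addresses come from documentation ranges.

```python
from collections import Counter

# Ports named in the post: (protocol, destination port) -> label
BLASTER_PORTS = {
    ("TCP", 135): "TCP 135 DCOM RPC",
    ("UDP", 69): "UDP 69 TFTP",
    ("TCP", 4444): "TCP 4444",
}

# Constructed sample; layout assumed to match the ICF pfirewall.log format.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-13 09:14:02 DROP TCP 198.51.100.23 192.0.2.10 3345 135 48 S 1234567 0 16384 - - -
2003-08-13 09:14:05 DROP TCP 198.51.100.23 192.0.2.10 3346 135 48 S 1234599 0 16384 - - -
2003-08-13 09:15:40 DROP TCP 203.0.113.77 192.0.2.10 1190 4444 48 S 889900 0 8192 - - -
2003-08-13 09:16:11 DROP UDP 203.0.113.77 192.0.2.10 1201 69 60 - - - - - - -
2003-08-13 09:17:30 OPEN TCP 192.0.2.10 198.51.100.80 1055 80 - - - - - - - -
2003-08-13 09:18:02 DROP TCP 198.51.100.99 192.0.2.10 2200 445 48 S 5550 0 16384 - - -
2003-08-13 09:19:00 DROP ICMP 198.51.100.99 192.0.2.10 - - 60 - - - - 8 0 -
"""

def summarize(log_text):
    """Return (total dropped packets, Counter of (src-ip, label) on worm ports)."""
    fields, hits, dropped = None, Counter(), 0
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names come from the log itself
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("action") != "DROP":    # only count blocked traffic
            continue
        dropped += 1
        port = row.get("dst-port", "-")    # ICMP rows carry "-" instead of a port
        key = (row.get("protocol"), int(port) if port.isdigit() else None)
        if key in BLASTER_PORTS:
            hits[(row["src-ip"], BLASTER_PORTS[key])] += 1
    return dropped, hits

if __name__ == "__main__":
    dropped, hits = summarize(SAMPLE_LOG)
    print(f"{sum(hits.values())} of {dropped} dropped packets targeted Blaster ports")
    for (src, label), n in hits.most_common():
        print(f"  {src:15} {label:18} {n}")
```

Repeated drops from one source on TCP 135 are the scanning pattern the thread describes; hits on UDP 69 or TCP 4444 point at the later stages of the same infection attempt.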

I owe the Avsim community a big THANK YOU for alerting me to this blaster worm! :)

I run Win98, but the office I work in runs Win 2000 ... they didn't even bother to check for a Windows update in the past month :-roll ...... it's really incompetent when you realise that the company is HUGE! :(

All of the computers in my office got the worm, and it caused chaos ... nobody realised that it was a worm!! On Tuesday night I was looking on these forums, and one thread made me realise that the computers had the MSblast worm! I told the computer "techies" the following morning .... they were astounded that one of their temporary workers had discovered the bug, whilst their highly-paid "experts" had overlooked it! :-lol

Thanks again, everyone :-lol


There is no 64bit desktop chip available yet so there is no 64bit OS for a desktop computer. Both are coming. Everything now is 32bit.

For the worm, you can hit Ctrl, Alt, Del and in msconfig go to processes and disable msblast.exe to stop it on your PC. Do a search for msblast.exe and delete it. Then go to the MS website and download the patch. This is from memory but I am pretty sure this is another path that works.

I read that there is a text message in this new worm that reads "Billy Gates, why don't you stop making money and instead make your products work right so they cannot be attacked by a virus like this!" (Paraphrasing)

Indeed. Why doesn't MS hire 20 of these virus writers to plug the security holes in their OS before they sell it!? Why? Because a monopoly doesn't have to do anything it doesn't want to do. It simply puts out a product, waits for the numerous complaints, and then gets around to fixing it. Anyone who wonders why monopolies are bad for the market and competition is good need look no further.

Miller


Does MSBlast not affect 98? That's what I'm running too but I haven't seen any comments except the one above about it.


That's right :) The Worm creator went for the current and most popular OS available, to maximise destruction! :( I'm glad I've got Win98 :)


My game computer runs Win98SE and is fine. But my work computer uses WinXP and got bit. After fixing it up (thanks again, Ken for the info), I downloaded and installed the security updates for both XP and Win98 -- I figured it couldn't hurt. -Lindy :-wave


Start > Run > cmd

net stop cryptsvc
RD /S /Q %SystemRoot%\System32\Catroot2
net start cryptsvc
exit
