
W32.Blaster.Worm, Who Got it?

  • 12-08-2003 11:50pm
    #1
    Registered Users, Registered Users 2 Posts: 20,553 ✭✭✭✭


    Who got infected by this horrible virus? I was lucky that I had the vulnerability patched up. I know several people that have/had it. Heard real nightmare stories about it. Hard to get it off, couldn't access net to get patches, virus definitions, etc.


    If you're looking for info on it or trying to remove it, I'll be nice :)
    W32.Blaster.Worm
    Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
    W32.Blaster.Worm Removal Tool

    Did you get infected, be honest..... 106 votes

    Yes I did, what a **** to get rid of it
    0% 0 votes
    No, I had the patch or I was really jammy
    46% 49 votes
    Atari Jaguar
    53% 57 votes



Comments

  • Registered Users, Registered Users 2 Posts: 2,277 ✭✭✭DiscoStu


    judging by my firewall logs everyone on eircom.net seems to have it.


  • Registered Users, Registered Users 2 Posts: 4,457 ✭✭✭Gerry


    I didn't get it myself, but a housemate's laptop (XP Home) got it fairly fierce 2 days ago. I think it's fixed now, but never turned off the system restore.


  • Registered Users, Registered Users 2 Posts: 20,553 ✭✭✭✭Dempsey


    Originally posted by Gerry
    I didn't get it myself, but a housemate's laptop (XP Home) got it fairly fierce 2 days ago. I think it's fixed now, but never turned off the system restore.

    That could be a bad idea if the patch wasn't installed, if the person has to do a restore, the virus could creep back in, ya know yourself.


  • Closed Accounts Posts: 16,339 ✭✭✭✭tman


    i was jammy, my pc restarted a couple of times & then i thought "hmmm, think i'll post this problem on boards..."
    i spotted the thread in after hours, downloaded the fix (praise jah for download managers) and hey presto, problem solved.

    i would've been well & truly fubar if it wasn't for you helpful folks at boards :)


  • Registered Users, Registered Users 2 Posts: 2,543 ✭✭✭sionnach


    i was uber lucky, i have boards set as me homepage and i saw the problem under most recent posts after the thing happened only twice :) so i got the patch b4 it happened the third time


  • Closed Accounts Posts: 1,502 ✭✭✭MrPinK


    Installed the fix last week, but the firewall would have caught it anyway. Not using a firewall is just asking for trouble, even the built-in XP one should have stopped it if it was turned on.


  • Registered Users, Registered Users 2 Posts: 10,846 ✭✭✭✭eth0_


    UTV blocked port 135 on their routers this morning to protect customers, wonder if any other Irish ISPs did this!

    BTW did you know the worm had a payload, a DDoS against the Windows Update site on the 16th of August, so everyone infected would have been hammering the Windows Update site!


  • Registered Users, Registered Users 2 Posts: 12,811 ✭✭✭✭billy the squid


    My Windows Update is set up to download these patches as they come out so I guess I have it a couple of weeks now.

    didn't know about the UTV thing, shouldn't they have been blocking ports 139 and 69 and 4444 as well, no?
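
Added example, not part of the thread or any poster's own code: a Python sketch of the check the firewall-log and port comments above point at, counting log hits on the ports named in this thread (135, 139, 69, 4444) per source address. The log layout is assumed to be the W3C-style format written by the Windows XP built-in firewall; the sample entries, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Ports named in the thread, paired with the protocol each normally runs on.
WATCHED = {("TCP", 135), ("TCP", 139), ("TCP", 4444), ("UDP", 69)}

# Constructed sample (documentation address ranges); layout is an assumption.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-12 21:03:11 DROP TCP 192.0.2.17 198.51.100.5 3012 135 48 S 1 0 16384 - - -
2003-08-12 21:03:14 DROP TCP 192.0.2.17 198.51.100.5 3012 135 48 S 1 0 16384 - - -
2003-08-12 21:04:02 DROP TCP 192.0.2.88 198.51.100.5 1187 135 48 S 1 0 16384 - - -
2003-08-12 21:04:40 DROP UDP 192.0.2.88 198.51.100.5 1190 69 46 - - - - - - -
2003-08-12 21:05:09 DROP TCP 203.0.113.9 198.51.100.5 4021 80 48 S 1 0 16384 - - -
2003-08-12 21:06:30 OPEN TCP 198.51.100.5 203.0.113.20 1041 135 - - - - - - - -
2003-08-12 21:06:31 OPEN TCP 198.51.100.5 203.0.113.21 1042 135 - - - - - - - -
2003-08-12 21:06:32 OPEN TCP 198.51.100.5 203.0.113.22 1043 135 - - - - - - - -
"""

def parse_log(text):
    """Yield one dict per entry, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) >= len(fields):  # skip truncated lines
                yield dict(zip(fields, parts))

def watched_traffic(records):
    """Map each source IP to its hit count and distinct targets on watched ports."""
    stats = defaultdict(lambda: {"hits": 0, "targets": set()})
    for r in records:
        port = r["dst-port"]  # ICMP rows carry "-" here, so test before int()
        if port.isdigit() and (r["protocol"], int(port)) in WATCHED:
            s = stats[r["src-ip"]]
            s["hits"] += 1
            s["targets"].add(r["dst-ip"])
    return dict(stats)

def outbound_scanners(stats, local_ips, min_targets=3):
    """Local hosts contacting many distinct targets on watched ports."""
    return sorted(ip for ip in local_ips
                  if len(stats.get(ip, {"targets": ()})["targets"]) >= min_targets)

if __name__ == "__main__":
    stats = watched_traffic(parse_log(SAMPLE_LOG))
    for ip, s in sorted(stats.items()):
        print(ip, s["hits"], "hits on watched ports,", len(s["targets"]), "targets")
    print("local hosts to check:", outbound_scanners(stats, {"198.51.100.5"}))
```

Inbound drops show who is probing the machine; a local address that appears as the source toward many different targets on these ports is the one to take offline and clean.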


  • Registered Users, Registered Users 2 Posts: 3,761 ✭✭✭Doodah7


    Got it too, but with help from a few people on these boards and elsewhere, nuked the little b%st&rd last night.

    The main culprit seems to be a file msblast.exe and by deleting it from current processes, the hard drive and its entry in the registry, my machine is humming along once more.


  • Registered Users, Registered Users 2 Posts: 379 ✭✭Carnate


    I noticed the threads when i logged on to the boards on monday.

    i have my virus checker on autoupdate so i missed the event :P

    Why do people nowadays not have their Viruschecker Definitions up to date?

    It's PC suicide not to.


    2 Cents worth!


  • Registered Users, Registered Users 2 Posts: 5,348 ✭✭✭Frank Grimes


    My OS at home is patched (probably since the patch was actually released). Had to clear it off my friend's PC yesterday though.


  • Registered Users, Registered Users 2 Posts: 1,452 ✭✭✭tomED


    I got it at home - office was fine because I manually get the updates from microsoft.

    My machine at home is on autoupdate - but for some reason didn't get this critical update, still haven't figured that one out!

    People have suggested it is because I must have a warez copy of win xp - but the OS came with the system (brand new).

    I have now realised i can't update to the latest service pack, because it tells me I have a dodgy license key!

    Anyone know any more about this???


  • Registered Users, Registered Users 2 Posts: 5,348 ✭✭✭Frank Grimes


    Originally posted by tomED
    Anyone know any more about this???
    The SP has a list of dodgy licence codes in it, if you're using one it won't install.
    Get onto whoever sold you the pc.


  • Registered Users, Registered Users 2 Posts: 1,569 ✭✭✭maxheadroom


    I got it about 2 minutes after I did a clean reinstall. Had to download the patch, while the machine kept rebooting, save it to a different partition, then do the format and reinstall again with the network cable disconnected... (wasn't taking any chances, it's not called a "clean" reinstall for nothing :))


  • Registered Users, Registered Users 2 Posts: 4,471 ✭✭✭elexes


    a lot of ppl have come into me in work with the nasty lil bugger. i got it in work (dunno how the machine wasn't online) and got it at home. for some reason my win 2k installation won't update microsoft


  • Closed Accounts Posts: 265 ✭✭Nitrox


    Funny, both my server and my flatmate's 2000 Professional showed all the signs of the virus, but last night when I knew what it was I was not able to find anything left by the virus and internet was working fine again, have done all the patches now, so not going to take any chances with this bugger any more, that is, did not patch my flatmate's laptop yet, but that is his problem :D
    Anyone know why there is no trace of the virus now? Did everything as described on Symantec, not a trace left!!


  • Registered Users, Registered Users 2 Posts: 166,026 ✭✭✭✭LegacyUser


    Originally posted by Carnate
    Why do people nowadays not have their Viruschecker Definitions up to date?


    personally i think the virus scanners are a big waste of time, the definitions are only updated after a virus has been released and is rampant, about the only thing they are any good for is removing them after you have been infected if you were silly enough to get infected in the first place, there are rare exceptions like msblast where no user intervention is required to infect but most infections are caused by people opening files like this_is_so_cool.ppt.vbs


  • Registered Users, Registered Users 2 Posts: 1,452 ✭✭✭tomED


    Originally posted by Frank_Grimes
    The SP has a list of dodgy licence codes in it, if you're using one it won't install.
    Get onto whoever sold you the pc.

    Yes I realise that, but I was just wondering if anyone else had this problem? If so does it mean a fresh install once i get a clean license?

    Thanks
    Tom


  • Closed Accounts Posts: 1,502 ✭✭✭MrPinK


    If so does it mean a fresh install once i get a clean license?
    It can be changed without reinstalling. There are programmes that will do it for you, it's probably just some registry key that is changed.


  • Registered Users, Registered Users 2 Posts: 1,569 ✭✭✭maxheadroom


    Tom - you can trick XP into accepting a new licence code, look in the text files on www.astalavista.com for details. The warez monkeys had to come up with a way of switching keys once SP1 came out.


  • Closed Accounts Posts: 197 ✭✭Konix


    it's weird. i had logged on the net 3 times and it restarted 3 times but the 4th time it didn't and i was able to ask about it on boards irc and download the patch. does this mean it's on my computer?
    I should really get some firewalls! pronto!
    whoever Mark on irc was....thanks


  • Registered Users, Registered Users 2 Posts: 11,987 ✭✭✭✭zAbbo


    start > run > "oobe/msoobe /a"

    Activate by phone, change key, bingo

    If the machine attempts to shut down (60 seconds warning)

    start > run > "shutdown -a"


  • Registered Users, Registered Users 2 Posts: 11,984 ✭✭✭✭Giblet


    WinME eh, phew!
    Useful for once.


  • Registered Users, Registered Users 2 Posts: 414 ✭✭Paddyo


    Hi All

    Of the people that were infected, who were the service providers?

    I think that the service providers became infected.

    People I have spoken to have become infected quite quickly after connecting to the net.

    Each time you log in you are usually assigned a dynamic IP address. Unless you are logged in for a long time using this address it would be less likely that you would be scanned. But if the providers were infected then your dynamic IP address might be scanned more quickly.

    Am I talking rubbish or do I have a point?

    Paddyo


  • Registered Users, Registered Users 2 Posts: 379 ✭✭Carnate


    Originally posted by bananayoghurt
    personally i think the virus scanners are a big waste of time, the definitions are only updated after a virus has been released and is rampant, about the only thing they are any good for is removing them after you have been infected if you were silly enough to get infected in the first place, there are rare exceptions like msblast where no user intervention is required to infect but most infections are caused by people opening files like this_is_so_cool.ppt.vbs

    Almost a Good point!

    But if you have a "PAID FOR" antivirus program you don't have these problems.

    As to the comment that files like "Msblast have no user intervention" is sadly untrue, all viruses "need" user intervention of some form for them to spread and not all users are technically minded, believe me after years of supporting them, I can say this with confidence. But that said every new virus/trojan/worm gets harder and harder to detect. Easy rule of thumb is have a good virus checker running and have it using heuristics, and always have a firewall whatever your connection speed.


  • Registered Users, Registered Users 2 Posts: 9,579 ✭✭✭Webmonkey


    Got this myself.. happened all my PCs at once. Damn intelligent worm.

    As for anti virus - viruses will always be one step ahead but still worth having anti virus installed :)

    Amazing --

    http://www.google.ie/search?hl=en&ie=UTF-8&oe=UTF-8&q=msblast.exe&meta=

    2 days ago - 0 results
    Today - 1430 results

    :D


  • Registered Users, Registered Users 2 Posts: 1,348 ✭✭✭Ryo Hazuki


    I noticed the key, and deleted it, then deleted the program (msblast.exe)

    I have downloaded a fix that someone posted in another thread (not the RPC patch) but for this Worm.

    You must apply it in safe mode though, will do it later just to be sure.


  • Registered Users Posts: 2 yuper


    first virus i got in 3 years without a firewall but it was fairly easy to get rid of once you know where to look. some scanners don't work, i scanned it with 4 programs: 1 picked up part of it, 1 none of it, 2 all of it

    this patch you're all on about, why is it so important? would it be easier to block the port 135? i hate downloading from the Microsoft site, everything you download is like giving up part of your computer freedom to billy gates


  • Closed Accounts Posts: 544 ✭✭✭Chowley


    Little bastard spread like wildfire, didn't it.

    It was on 2 PCs in my place, they're not even on a network FFS. A CS buddy of mine got it too, I will definitely find out about more I presume. :mad:


  • Registered Users, Registered Users 2 Posts: 4,457 ✭✭✭Gerry


    Originally posted by Paddyo
    Hi All

    Of the people that were infected, who were the service providers?

    I think that the service providers became infected.

    People I have spoken to have become infected quite quickly after connecting to the net.

    Each time you log in you are usually assigned a dynamic IP address. Unless you are logged in for a long time using this address it would be less likely that you would be scanned. But if the providers were infected then your dynamic IP address might be scanned more quickly.

    Am I talking rubbish or do I have a point?

    Paddyo

    Talking rubbish pretty much. What matters is how much you are connected to the net, infected machines are scanning pretty much all ip ranges I suppose. The service providers, even if they were running an os which could be infected, make up a small proportion of the machines on their network, compared to the 1000's of potentially infected customer machines.
    They can help out by blocking port 135, to stop machines outside of their network attacking, I'd reckon a few of them have done this by now.

