No "Sobig" and "Lovsan" but my PC reboots.

[Adriano]

Hi,
I think I have taken a virus, in fact every 10 minutes of navigation
in Internet, my PC automatically reboots.
My antivirus found a virus but it has not succeeded in putting it in
quarantine. I have manually deleted it in "Attach" of Eudora.
I have run the tools to eliminate "Sobig" and "Lovsan" viruses but
they have not found anything. I have run again the antivirus but
nothing of nothing.
Which virus could I have taken?
Thanks.

bye Adriano

 

[Ninja]

Hi,
I think I have taken a virus, in fact every 10 minutes of navigation
in Internet, my PC automatically reboots.
My antivirus found a virus but it has not succeeded in putting it in
quarantine. I have manually deleted it in "Attach" of Eudora.
I have run the tools to eliminate "Sobig" and "Lovsan" viruses but
they have not found anything. I have run again the antivirus but
nothing of nothing.
Which virus could I have taken?
Thanks.

bye Adriano

Hi.

I also got infected with blaster. I tried a special blastertool from
F-secure but it didn't work, (neither did their AV btw). I got the advise to
run an online scan at Pandasoftware. It cleaned blaster and a few other
viruses I didn't even know I had.

http://www.pandasoftware.com/activescan/default_com.asp

~Ninja~

 

[Lothar Kimmeringer]

I think I have taken a virus, in fact every 10 minutes of navigation
in Internet, my PC automatically reboots.

So it can't be the Blasterworm, because with this, your PC
would reboot while booting.

My antivirus found a virus but it has not succeeded in putting it in
quarantine. I have manually deleted it in "Attach" of Eudora.

So have you executed the attachment or not? What was the
text of the email, what was the filename of the attachment?

I have run the tools to eliminate "Sobig" and "Lovsan" viruses but
they have not found anything. I have run again the antivirus but
nothing of nothing.

As already said, it doesn't sound like Sobig or Lovesan anyway.

Which virus could I have taken?

Maybe it's a "normal" problem. Is your computer rebooting
when you're not online as well? Is there any traffic
coming in from the net before your system reboots?
Maybe it's a new exploit for the still open RPC-interface
on port 135, maybe it's a new ping of death, maybe it's
something completely different. Without more (and more concrete
information) nothing can't be said for sure.


Regards, Lothar
--
Lothar Kimmeringer E-Mail: (e-mail address removed)
PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)

Always remember: The answer is forty-two, there can only be wrong
questions!

 

[Ninja]

So it can't be the Blasterworm, because with this, your PC
would reboot while booting.

Well. MSblast doesn't always reboot while booting with Win 2000.

 

[War_Pig5]

Well. MSblast doesn't always reboot while booting with Win 2000.

another MSblast variant reboots only once. in theory msblast variants could
cause reboots at any interval, or not at all (waiting for you to reboot
manually). so it certainly sounds like an msblast variant, perhaps not a
known one. download the newest signiatures for an antivirus program and scan
with it. repeat until the problem stops, or you find a non-virus-related
solution to the problem, which is also possible. also keep up-to-date on
windows updates of course.

 

[FromTheRafters]

another MSblast variant reboots only once. in theory msblast variants could
cause reboots at any interval, or not at all (waiting for you to reboot
manually).

Huh? I thought that the rebooting was caused by exploit code
not correctly crafted for the OS in question. The rebooting is
a side effect of blaster because the worm tries different exploit
codes according to a ratio hardcoded within it. The rebooting
is in no way needed in order for the worm to function.

The OP may have the machine set up to reboot on error, which
can be changed so as to not reboot on error in the configuration
options.

 

[War_Pig5]

Huh? I thought that the rebooting was caused by exploit code
not correctly crafted for the OS in question. The rebooting is
a side effect of blaster because the worm tries different exploit
codes according to a ratio hardcoded within it. The rebooting
is in no way needed in order for the worm to function.

this is how the variant i encountered works: first the virus installs itself
into the registry, then a reboot is then required before all the components
now installed can run.

so, yes, the reboots may have *originally* been a bug, but it was only a
matter of time until that bug itself was exploited.

virus copycats abound after every virus epidemic; expect evolution of the
virus to continue until every pc on the internet is 100% secure (which will
be never).

so, like i said, these viri don't *need* autoreboots to work; they could
either wait for manual reboots to load their additional components, or they
could be designed so as to not require any additional components.

either way, the message is clear: reboots are a tip-off that an ms blast
variant may be present, but system that don't reboot automatically may also
be infected with an ms blast variant.

The OP may have the machine set up to reboot on error, which
can be changed so as to not reboot on error in the configuration
options.

true! spontaneous reboots can be caused almost anything running on the
computer. but it is still worthwhile for the Original Poster to scan with a
software designed to detect *all* blaster variants, not just the 2 variants
that person reports having scanned for.

only after that scan has been performed will it make sense to figure out
what could be happening in the other 10% of cases.

 

[Ninja]

true! spontaneous reboots can be caused almost anything running on the
computer. but it is still worthwhile for the Original Poster to scan with a
software designed to detect *all* blaster variants, not just the 2 variants
that person reports having scanned for.

only after that scan has been performed will it make sense to figure out
what could be happening in the other 10% of cases.

My first signal was that my computer rebooted each time I used my FTP
program.

~Ninja~

 

[FromTheRafters]

this is how the variant i encountered works: first the virus installs itself
into the registry, then a reboot is then required before all the components
now installed can run.

This must be from the variant that that kid got in trouble for.
Some kind of backdoor or something? Blaster itself would
already be running and wouldn't need to reboot ~ but would
probably want to survive a reboot to be somewhat persistant.

so, yes, the reboots may have *originally* been a bug, but it was only a
matter of time until that bug itself was exploited.

I see.

virus copycats abound after every virus epidemic; expect evolution of the
virus to continue until every pc on the internet is 100% secure (which will
be never).

so, like i said, these viri don't *need* autoreboots to work; they could
either wait for manual reboots to load their additional components, or they
could be designed so as to not require any additional components.

either way, the message is clear: reboots are a tip-off that an ms blast
variant may be present, but system that don't reboot automatically may also
be infected with an ms blast variant.

....so rebooting may be an indication that msblast is present, but
not rebooting does not necessarily indicate that msblast is not
present...

[snip]

[...].....spontaneous reboots can be caused almost anything running on the
computer.

....and rebooting can also happen if msblast is *not* present.
Thanks for clearing that up. ;o)

but it is still worthwhile for the Original Poster to scan with a
software designed to detect *all* blaster variants, not just the 2 variants
that person reports having scanned for.

Yes, scanners are the best tool for that (if they are kept up-to-date)

only after that scan has been performed will it make sense to figure out
what could be happening in the other 10% of cases.

Yes, the process of elimination makes troubleshooting a lot easier.

...and thanks for at least almost mentioning that the OP may
need the patch in order to stop the rebooting problem.