Blaster, Welchia, and Spybot worms all attack.... HELP!

Corinn

Upon reconnecting my computer to the net after 6 months
of no Internet access, I was infected with the Blaster
and Welchia worms. Once I got rid of those-- at least, I
think they're gone, I DID use Symantec's removal tools
and updated my comp with Windows Update-- I was infected
with W32.Spybot.Worm. I found the directions for its
removal
(http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html),
and they seem easy enough... but
when I get to the part about backing up the Registry, I
hit a brick wall. The instructions claim there is an
application in Start>All Programs>Accessories>System
Tools called Backup. This is not present on my menu. I
don't know if it's because of other things-- like how the
worm is evidently making my Norton's Auto-Protect NOT
boot up when the machine starts-- or if I'm just looking
in the wrong place. I did a full system restore before I
got rid of the first two worms, so I don't understand
this at all. I NEED my computer for schoolwork, as I am
studying design and need access to certain programs.
What do I do? I'm not much of a techie type... sooo
confused... Any help would be appreciated. Respond here
or in email. Thank you!
 
Haus

Hello Corinn
Well, to start with you need to get your virus scan software updated to
protect you from these infections. Virus scan comes with new computers but
is usually free for a short period of time, then you have to purchase it,
whether it is in the store or online, but nonetheless it has to be purchased
and then it will update for a year.
You can download a virus scan from this site and scan and delete any viruses
http://housecall.trendmicro.com/

You can download spy sweeper software here and sweep for any unwanted junk
http://www.lavasoftusa.com/software/adaware/

You can download free virus scan software here
http://www.grisoft.com/us/us_dwnl7.php
 
Corinn

Thanks, Haus. More questions?

Thing is, my antivirus IS and WAS up-to-date. Norton
will find the W32.Spybot.Worm and try to delete it, but I
always get a "delete failed" message. What do I do?
 
Rehan

It would have been helpful if you provided some more details about your
system, particularly if it is XP Pro or Home?

I guess it is an XP Home machine on which backup did not come preinstalled...
If you have the installation CD with you then you can try installing the
backup program yourself from the CD in directory \VALUEADD\MSFT\NTBACKUP

Otherwise if you do not have the CD, consider third party backup utilities
like Norton Ghost.

Nevertheless, you may be OK to take the risk and skip the backup step and
continue with the original procedure of removing the virus. Backup is
preferable but not essential.

Rehan
 
cquirke (MVP Win9x)

> Thing is, my antivirus IS and WAS up-to-date. Norton
> will find the W32.Spybot.Worm and try to delete it, but I
> always get a "delete failed" message. What do I do?

You misunderstand one of the core things about RPC infectors.

Much of the impact of these is *pre*-infection, i.e. the DoS
consequence of attempts to enter the system - and av (antivirus) can
do NOTHING to help you there. Lovesan works in two stages:

1) Penetrate the system via RPC attack packet

First defence: Repair the broken RPC code!
Also effective: Turn on the firewall!
Mitigators: Set RPC service to "Restart the SERVICE" on failures

2) Pull up the worm's body and write this as a file, etc.

This is where antivirus can help - but this isn't what crashes your
system. What crashes your RPC service (and thus, by duhfault,
restarts the PC) are RPC attack packets crafted for a different
version of Windows. These packets overrun the unchecked buffer, but
the exploit code doesn't line up properly; so instead of the exploit
loading the malware body, it crashes the service.

You really DO have to patch the RPC service, using not the original
July 2003 patch, but the revised one from September 2003 or so.


--------------- ----- ---- --- -- - - -
Tech Support: The guys who follow the
'Parade of New Products' with a shovel.
 
