Blaster worm Question

Nick

I had all the symptoms of this worm. My PC would shut down claiming
NT AUTHORITY, then the RPC message and shutdown/restart in 60 seconds. Well,
I downloaded the patch from Microsoft and set my firewall, the ICF in Win XP,
to be enabled. Then I downloaded the latest scan engine AND DAT file from
McAfee and the virus checker found NOTHING!

Did the worm just try to get in, and since I had VirusScan running while it
was doing the RPC thing, Blaster DIDN'T get through?

I just wonder if the darn thing is still here waiting to give me trouble
again!

Lucy

I had the exact same question yesterday, and I still have
not received an answer. Had all the symptoms, turned on
firewall, was able to stay online, ran Symantec removal
tool and nothing was found, did the registry - nothing,
nothing in task manager, full system scan with Norton -
nothing. If you find out, let me know too, will you.
-----Original Message-----
Oh yeah, I looked in the Registry and NO message as was mentioned was there
either.
shutdown/restart in 60 seconds.

Curtis Koenig [MSFT]

Hi Nick,
You could still have issues, I am posting the procedure that we are
currently using for worm removal below for your convenience.

You can use these steps yourself if you are comfortable working in your
registry:

1. Remove the infected computer from the network and reboot into Safe Mode.

2. Locate the files below, plus the value "windows auto update" under the
Run registry key, and delete them all:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

MSBLAST.EXE under the "C:\Windows\system32" folder

MSBLAST.EXE-1c3a3376.PIF under the "C:\Windows\prefetch" folder

2a. If you are running Windows XP (any version) it is also recommended that
the Internet Connection Firewall be enabled to prevent re-infection when
connecting to the internet.

3. Contact your Antivirus provider for assistance in using any removal tools
they are providing, or you can use one that Symantec is providing.
Symantec's Removal tool:
<http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html>

4. If the OS continues to shut down when trying to connect to
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp, with the
dialog box stating the OS will be shutting down in 30 seconds:

Set the RPC Service to "Take No Action" and reboot. This should allow you
to download the patch and install it.

Disclaimer:
While this may remove the worm in the short term it is advisable to backup
any data and then format and reinstall the computer. Once infected by a
virus, worm or other malicious program it is not possible to verify that
another program that could compromise the system has not been left by the
original infection.

Third party products mentioned in this posting are the sole responsibility
of the vendor providing them and in no way should this be considered an
endorsement by Microsoft.

--
Curtis Koenig
Support Professional
Microsoft Clustering Technologies Support
MCSA, MCSAS,MCSE, MCSES

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit. Thanks!
--------------------

Nick

I looked in the Registry too. I found no such entry. I can get to the
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" entry,
but at no point do I see any "blaster.exe" or the typical
messages mentioned to date in the news.

Nick

Hey Lucy,

You may NOT have had MSblast.exe anyway, but you are still subjected to the attacks and symptoms of the worm. Read the excerpt I found on McAfee's website at:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547

Lucy read here:

"
Computers that have up-to-date antivirus software will detect the worm executable (msblast.exe) upon download and prevent that machine from becoming a host for W32/Lovsan.

However, unless the system has been (MS03-026) patched, it is susceptible to the buffer overflow attack from an infected host machine. An infected machine (running msblast.exe) will send out malformed packets across the local subnet to the RPC service running on port 135. When these packets are received by any unpatched system, it will create a buffer overflow and crash the RPC service on that system. All this can occur without the worm actually being on the machine. This means that the remote shell will still get created on TCP port 4444, and the system may unexpectedly crash upon receiving malformed exploit code.

Other symptoms may include:

a. inability to cut/paste
b. inability to move icons
c. Add/Remove Programs list empty
d. dll errors in most Microsoft Office programs
e. generally slow, or unresponsive system performance

By applying the MS03-026 patch to the machine, it will prevent the RPC service from failing, in turn solving these symptoms. It is very important that the machine is rebooted after the patch has been installed. The machine can then be updated to the latest dats/engine/config and an on-demand scan run to pick up msblast.exe, IF it exists. All of these symptoms are related to the RPC vulnerability and not necessarily due to W32/Lovsan running locally. Msblast.exe may not be present at all."

So maybe we are OK, Lucy? All I know is the symptoms are gone and I am updated.
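
The distinction that Curtis Koenig's removal steps and the McAfee excerpt above draw, between a host that is actually running the worm (the "windows auto update" value under the Run key, msblast.exe or blast.exe on disk and in Task Manager, the prefetch entry) and a host that was only hit by the MS03-026 exploit from the subnet (RPC service crash, remote shell listener on TCP 4444, no worm file), can be written down as a triage. The Python below is an added example, not code from this thread, from Microsoft or from McAfee. It assumes the operator has already collected the Run key values, the system32 and prefetch file listings, the tasklist process names and the LISTENING ports from netstat -an by hand; the three host snapshots in it are constructed sample data, not captures from a real machine.

```python
"""Added example: triage a Windows host for W32/Blaster (Lovsan) indicators.

Separates "the worm is on this host" evidence from "this host was hit by the
MS03-026 RPC exploit" evidence, which an unpatched box can show without ever
having downloaded msblast.exe. Snapshots are constructed sample data.
"""
from dataclasses import dataclass, field

# Indicators named in the thread (removal steps and the McAfee excerpt).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
PERSISTENCE_VALUE = "windows auto update"      # Run value the worm creates
WORM_BINARIES = {"msblast.exe", "blast.exe"}    # file/process names the worm uses
PREFETCH_FILE = "msblast.exe-1c3a3376.pif"      # prefetch trace of it having run
RPC_PORT = 135                                  # DCOM RPC endpoint the exploit hits
EXPLOIT_SHELL_PORT = 4444                       # shell the exploit leaves listening


@dataclass
class HostSnapshot:
    """Operator-collected state of one host (assumed inputs, gathered by hand)."""
    run_values: dict            # value name -> data under RUN_KEY
    files: set                  # full paths present in system32 and prefetch
    processes: set              # image names from tasklist
    listening_tcp: set          # local TCP ports in LISTENING state (netstat -an)
    rpc_crashed: bool = False   # RPC/svchost terminated unexpectedly
                                # (the 60-second NT AUTHORITY\SYSTEM shutdown dialog)


@dataclass
class Triage:
    infected: list = field(default_factory=list)   # worm itself is present
    attacked: list = field(default_factory=list)   # exploit hit the host, worm absent

    @property
    def verdict(self) -> str:
        if self.infected:
            return "INFECTED"
        if self.attacked:
            return "ATTACKED_NOT_INFECTED"
        return "CLEAN"


def _basename(path: str) -> str:
    """Lower-cased final path component; works for bare names and full paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(snap: HostSnapshot) -> Triage:
    t = Triage()
    # Persistence: the worm's value name, or any Run value whose data launches it.
    for name, data in snap.run_values.items():
        if name.lower() == PERSISTENCE_VALUE or _basename(data) in WORM_BINARIES:
            t.infected.append(f"Run value {name!r} = {data!r} under {RUN_KEY}")
    # Dropped binary and the prefetch file written when it executed.
    for path in sorted(snap.files):
        if _basename(path) in WORM_BINARIES | {PREFETCH_FILE}:
            t.infected.append(f"file {path}")
    # Live process.
    for proc in sorted(p for p in snap.processes if p.lower() in WORM_BINARIES):
        t.infected.append(f"process {proc}")
    # Exploit-only evidence: the overflow crashes RPC and leaves a shell on 4444
    # whether or not msblast.exe was ever copied to this host.
    if EXPLOIT_SHELL_PORT in snap.listening_tcp:
        t.attacked.append(f"listener on TCP {EXPLOIT_SHELL_PORT} (exploit remote shell)")
    if snap.rpc_crashed:
        t.attacked.append(f"RPC service crashed (malformed request to TCP {RPC_PORT})")
    return t


# Constructed sample hosts, not real captures.
NICK_LIKE = HostSnapshot(            # symptoms but no worm: unpatched, hit from the subnet
    run_values={},
    files={r"C:\Windows\system32\svchost.exe"},
    processes={"svchost.exe", "explorer.exe"},
    listening_tcp={135, 139, 445, 4444},
    rpc_crashed=True,
)
INFECTED_HOST = HostSnapshot(        # every indicator from the removal steps present
    run_values={"windows auto update": "msblast.exe"},
    files={r"C:\Windows\system32\MSBLAST.EXE",
           r"C:\Windows\prefetch\MSBLAST.EXE-1c3a3376.PIF"},
    processes={"MSBLAST.EXE", "svchost.exe"},
    listening_tcp={135, 139, 445},
)
CLEAN_HOST = HostSnapshot(run_values={}, files=set(),
                          processes={"svchost.exe"}, listening_tcp={135})


if __name__ == "__main__":
    for label, snap in (("nick-like", NICK_LIKE), ("infected", INFECTED_HOST),
                        ("clean", CLEAN_HOST)):
        result = triage(snap)
        print(f"{label}: {result.verdict}")
        for line in result.infected + result.attacked:
            print("   ", line)
```

Run it as a script to see the verdict for each sample, or build a HostSnapshot from a real host's output. Note that ATTACKED_NOT_INFECTED is not the same as safe: a shell that was listening on TCP 4444 could have been used by whoever or whatever triggered the overflow, so the disclaimer in Curtis Koenig's post about backing up and reinstalling is worth weighing for that verdict as well as for INFECTED.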

Curtis Koenig [MSFT]

Hi Nick,
The worm creates a Key under the run key called "windows auto update" not
blaster.exe. You will see the msblast.exe or blast.exe as running processes
in the task manager though.

--
Curtis Koenig
Support Professional
Microsoft Clustering Technologies Support

Microsoft Certified Systems Engineer
Microsoft Certified Systems Engineer - Security

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit. Thanks!
--------------------