MSBlaster Worm

EVE

Some time last year I dealt with a computer infected with
the MSBlast Worm. The symptom was that the "NT Authority"
would shut down the system after a short countdown. I was
able to fix the problem by running the FixBlast.Exe I
downloaded from Symantec and by removing all instances of
MSBLAST from the computer (from the Windows, System32,
Prefetch folders and registry).
I have come across another computer that has the same
symptom but I find no mention of MSBLAST anywhere on the
system or in the registry. I ran the FixBlast.Exe and it
came up saying that the MSBLAST program was not found. My
Norton AntiVirus software will not run at all.
Please, any help would be greatly appreciated.
Thank you!
 
David H. Lipman

When you get the shutdown message...

Go to; Start --> Run
enter; shutdown -a

This will halt the shutdown and give you a chance to Download the McAfee worm removal tool,
Stinger: http://vil.nai.com/vil/stinger/ or the Microsoft Lovsan/Blaster and Nachi/Welchia
Removal Tool
http://www.microsoft.com/downloads/...8B-FE98-493F-AD76-BF673A38B4CF&displaylang=en
and install the following patch for the RPC/RPCSS and DCOM Vulnerabilities that are
addressed by Microsoft Security Bulletin MS04-012 - KB828741
http://support.microsoft.com/default.aspx?scid=kb;en-us;828741 and finally
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx

Please read: http://www.microsoft.com/security/incident/blast.asp

You also need a FireWall. If you don't patch the PC and don't use a FireWall then you will
just be re-infected.

I also suggest the installation of *ALL* MS Critical Updates ASAP.

Dave





| Some time last year I dealt with a computer infected with
| the MSBlast Worm. The symptom was that the "NT Authority"
| would shut down the system after a short countdown. I was
| able to fix the problem by running the FixBlast.Exe I
| downloaded from Symantec and by removing all instances of
| MSBLAST from the computer (from the Windows, System32,
| Prefetch folders and registry).
| I have come across another computer that has the same
| symptom but I find no mention of MSBLAST anywhere on the
| system or in the registry. I ran the FixBlast.Exe and it
| came up saying that the MSBLAST program was not found. My
| Norton AntiVirus software will not run at all.
| Please, any help would be greatly appreciated.
| Thank you!
 
Angel

Install the following MS patches

823980, 824146 and then install the Blaster removal tool
833330. You can get the links for them from google
 
David H. Lipman

Angel:

Please note....
KB823980 was SUPERSEDED by the patch for the RPC/RPCSS Buffer Overflow Vulnerability that is
addressed by Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146 - KB824146

KB824146 has very recently been superseded by KB828741
http://support.microsoft.com/default.aspx?scid=kb;en-us;828741
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx

So for Nachi/Welchia and Lovsan/Blaster worms, KB828741 is NOW needed to fix *ALL* RPC/RPCSS
DCOM Vulnerabilities.

So your statement to install both 823980 & 824146 is incorrect because KB824146 included
what KB823980 covered.
But now KB828741 covers *all* the known vulnerabilities that KB823980, KB824146 and KB824146
covered.

Dave




| Install the following MS patches
|
| 823980, 824146 and then install the Blaster removal tool
| 833330. You can get the links for them from google
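
Added example, not part of any post in this thread: a short Python check that walks the supersedence chain Dave describes (KB823980, then KB824146, then KB828741) against a hotfix listing. The listing format, `HOST_A`/`HOST_B` and the placeholder id `KB000001` are constructed assumptions; it reports patch level only, not whether the worm is still present.

```python
import re

# Supersedence exactly as stated in the thread: newer KB -> KB it replaces.
SUPERSEDES = {
    "KB824146": "KB823980",  # MS03-39 patch replaced KB823980
    "KB828741": "KB824146",  # MS04-012 patch replaced KB824146
}

def covered_by(kb):
    """Return kb followed by every older KB it transitively replaces."""
    chain = []
    while kb is not None and kb not in chain:  # second test guards against cycles
        chain.append(kb)
        kb = SUPERSEDES.get(kb)
    return chain

def newest_patch():
    """The KB in the table that no other KB supersedes."""
    heads = set(SUPERSEDES) - set(SUPERSEDES.values())
    assert len(heads) == 1, "table must describe a single chain"
    return heads.pop()

def parse_installed(listing):
    """Pull KBnnnnnn / Qnnnnnn ids out of a free-form hotfix listing."""
    return {"KB" + n for n in re.findall(r"\b(?:KB|Q)(\d{6})\b", listing, re.I)}

def assess(listing):
    """Report whether a host has the newest RPC/DCOM patch in the chain."""
    newest = newest_patch()
    installed = parse_installed(listing) & set(covered_by(newest))
    # An installed KB is redundant if another installed KB already replaces it.
    redundant = {old for kb in installed for old in covered_by(kb)[1:]} & installed
    return {
        "patched": newest in installed,
        "needs": None if newest in installed else newest,
        "redundant": sorted(redundant),
    }

# Constructed sample listings (not taken from any real machine).
HOST_A = "Hotfix: KB823980\nHotfix: Q824146\nHotfix: KB000001\n"  # the 823980 + 824146 advice
HOST_B = "Hotfix: KB828741\n"                                      # the superseding patch only

if __name__ == "__main__":
    for name, listing in (("HOST_A", HOST_A), ("HOST_B", HOST_B)):
        print(name, assess(listing))
```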
 
Joan

that is the solution...?

It is already infected. If it installs the patch, it is
going to give to him equal. It follows infected. If it
passes a antivirus or it eliminates the virus by hand (it
is thing of children)... it has done well....

NO.

Please, before giving an advice, a little is due to study.

http://www.vsantivirus.com/faq-lovsan.htm#11
http://www.multingles.net/docs/rpc.htm
http://www.multingles.net/docs/razones.htm

Courtesy of
Jose Manuel Tella Llop
MVP - Windows
(e-mail address removed)
http://www.multingles.net/jmt.htm
-----Original Message-----
Angel:

Please note....
KB823980 was SUPERSEDED by the patch for the RPC/RPCSS
Buffer Overflow Vulnerability that is
addressed by Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146 - KB824146

KB824146 has very recently been superseded by KB828741
http://support.microsoft.com/default.aspx?scid=kb;en-us;828741
http://www.microsoft.com/technet/security/bulletin/ms04-012.mspx

So for Nachi/Welchia and Lovsan/Blaster worms, KB828741 is
NOW needed to fix *ALL* RPC/RPCSS
DCOM Vulnerabilities.

So your statement to install both 823980 & 824146 is
incorrect because KB824146 included
what KB823980 covered.
But now KB828741 covers *all* the known vulnerabilities
that KB823980, KB824146 and KB824146
 
Steve N.

Dave was addressing the fact that there is an updated patch, not
offering removal instructions, he'd already done that for the OP in his
first reply in this thread. You took what he wrote out of context.

Steve
 
