MSLAUGH.EXE worm NOW!!!

W. Hughes · Dec 22, 2003

I'm posting this here hoping that the so called techs at
Microsoft read this stuff on a regular basis., and after
trawling thru the MicroSoft website, there seems no easy
way to report this anywhere else.

Today I have performed a re-format of my drive and clean
installed WIN XP Home. The next thing (after resetting up
my IE conn. was to use the "Auto-Update" in XP. it duly
connected, scanned and reported the 22 or so recommended
updates,, and then,,, the old grey window popped up
telling me i have 60 seconds to save my work before the
system gets shut down by "NTAuthority/blah blah".. Yes,
the old Msblast., in a new coat called MSLAUGH.exe
sittng in there in the update site with it's feet up on
Bill Gate's coffee table !!
Luckily I still had my MSblast patch disc, and it cleaned
out this variant without problem.... but my question is...

Does anyone at microsoft bother to do a simple virus
check on the site ???

Matt Coy · Dec 22, 2003

Can you tell us which file was infected?

Jason Tsang · Dec 22, 2003

The virus was not part of the patches that you downloaded.
The virus got in through one of the vulnerabilities that the patches would
have fixed once it was installed.

Because you did not have a firewall enabled, your computer was open to the
vulnerability that allows msblast and its variants to enter your computer.

The very act of being on the Internet with an unpatched and unfirewalled
machine was what got you infected; it wasn't the updates that did it.

JAX · Dec 22, 2003

See this,
http://www.liutilities.com/products/wintaskspro/processlibrary/mslaugh/

LOL, JAX

Mike Stewart · Dec 22, 2003

You will probably find it was not the microsoft site that actually infected
you ( i can't believe i am standing up for MS over MS Blast). If you are not
running a firewall or a patched computer, the time it takes to infect a
computer on a broadband connection is about 60 second, yep thats right.
Thats because there are so many infected machines connected to the internet
as people don't patch them. It would be nice if microsoft made a nice exe
patch that u could download and run after u reinstall to avoid this problem.

Ron Rector · Dec 22, 2003

Mr. Hughes,

Welcome to the wonderful world of NT. To protect yourself
from further infection follow these steps which are
plastered pretty much on any Microsoft website (Even
Windows Update). Here is the link:
http://www.microsoft.com/security/protect/

Michael Stevens · Dec 22, 2003

W. Hughes said:
I'm posting this here hoping that the so called techs at
Microsoft read this stuff on a regular basis., and after
trawling thru the MicroSoft website, there seems no easy
way to report this anywhere else.

Today I have performed a re-format of my drive and clean
installed WIN XP Home. The next thing (after resetting up
my IE conn. was to use the "Auto-Update" in XP. it duly
connected, scanned and reported the 22 or so recommended
updates,, and then,,, the old grey window popped up
telling me i have 60 seconds to save my work before the
system gets shut down by "NTAuthority/blah blah".. Yes,
the old Msblast., in a new coat called MSLAUGH.exe
sittng in there in the update site with it's feet up on
Bill Gate's coffee table !!
Luckily I still had my MSblast patch disc, and it cleaned
out this variant without problem.... but my question is...

Does anyone at microsoft bother to do a simple virus
check on the site ???

No problem with a virus at MS, you just need to enable the XP firewall
before connecting to the internet. You an thendownload the necessary
critical updatreds to protect you from the NT authourity shutdown [aka,
Blaster worm]
What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

Remove W32.MSBlast.Worm
http://www.kellys-korner-xp.com/xp_qr.htm#rpc

Blaster Worm: Critical Security Patch for Windows XP (32-bit version)
http://microsoft.com/downloads/deta...6C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

If your computer is constantly attempting to shutdown
or reboot, quickly go to:

Start > Run and type: CMD , and hit enter.
This opens the Command Prompt window.

Then type: shutdown -a , and hit enter.

This should halt the rebooting problem.

Then immediately turn-on Windows XP's built-in Firewall:

How do I turn on the Firewall?
http://www.andyrathbone.com/tips/firewall.html

**** IMPORTANT ****

Visit this web site if you experience difficulty installing
Windows XP Security Patch 823980:

How To Fix The Cryptographic Service Error
http://www.updatexp.com/cryptographic-service.html

--

Michael Stevens MS-MVP XP
(e-mail address removed)
http://michaelstevenstech.com
For a better newsgroup experience. Setup a newsreader.
http://michaelstevenstech.com/outlookexpressnewreader.htm

Epona · Dec 22, 2003

W. Hughes said:
I'm posting this here hoping that the so called techs at
Microsoft read this stuff on a regular basis., and after
trawling thru the MicroSoft website, there seems no easy
way to report this anywhere else.

Today I have performed a re-format of my drive and clean
installed WIN XP Home. The next thing (after resetting up
my IE conn. was to use the "Auto-Update" in XP. it duly
connected, scanned and reported the 22 or so recommended
updates,, and then,,, the old grey window popped up
telling me i have 60 seconds to save my work before the
system gets shut down by "NTAuthority/blah blah".. Yes,
the old Msblast., in a new coat called MSLAUGH.exe
sittng in there in the update site with it's feet up on
Bill Gate's coffee table !!
Luckily I still had my MSblast patch disc, and it cleaned
out this variant without problem.... but my question is...

Does anyone at microsoft bother to do a simple virus
check on the site ???

Do *you* ever bother engaging brain before opening gob? Wherever it came
from - it wasn't from MS. Yes, there are many things I hate about MS - but
WU is secure.

One other thing - this isn't MS tech support and they do not read - or
respond - here.

Bruce Chambers · Dec 23, 2003

Greetings --

If you connected the PC to the Internet without having first
installed the KB824146 Hotfix, without having first installed an
antivirus application with current virus definition files, and before
enabling a firewall, you're very likely to get infected from any of
the thousands of PCs on the Internet that are constantly broadcasting
the Blaster and/or Welchia worms. It only takes a few seconds of
exposure.

To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.

Microsoft Security Bulletin MS03-39
http://support.microsoft.com/?kbid=824146

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm a.k.a. W32/Lovesan.Worm
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

W32.Blaster.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

W32.Welchia.Worm a.k.a. W32/Nachi.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

W32.Welchia.Worm Removal Tool
http://www.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

McAfee AVERT Stinger
http://us.mcafee.com/virusInfo/default.asp?id=stinger

Bruce Chambers

--
Help us help you:

You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH

MSLAUGH.EXE worm NOW!!!

W. Hughes

Matt Coy

Jason Tsang

JAX

Mike Stewart

Ron Rector

Michael Stevens

Epona

Bruce Chambers