Unknown msblast variant?

Eds

I have posted a few times about this, but it seems to be a new variant (or I
just don't understand how msblast works, which is way possible)

Although it doesn't show up on any virus scans, my computer was doing the
60sec shutdown thing pretty soon after going online, as well as blocking the
MS patch and windows update. Can't find any of the 4 variants I have heard
of (or anything else) in the startup registry key or task manager, or indeed
anywhere on my computer. I did install the patch finally, by opening the exe
in winrar, so I don't get the shutdown message anymore. In fact everything
appears normal, except I know I haven't killed it so what will happen
tomorrow (attack MS day) is anyone's guess...

Ian H suggested I may have an exe blocking trojan, but this didn't check out
and I'm not having problems with any other exe files.

I am running XP Pro SP1 with AVG and Outpost, although it was disabled for a
few minutes the day I got infected :-(

I kept getting the shutdown message, and eventually twigged on about the
worm, but none of the fixes worked. As I said, I found a way to install the
MS patch and now apparently no more problems, but I assume that the worm,
whatever my version is called, is still on my machine, but unable to do its thing
because of the patch.

Have I understood the sitch?

Because an alternative reading of all the info I've seen is that I don't
actually have the worm on my machine, and that the shutdown messages were my
system's response to attempts by outside PCs to infect me. This would be
supported by the total absence of any known variant on my machine. Doesn't
explain why the patch wouldn't run, though.

Still in puzzlement...

Eds
 
Ned

> Because an alternative reading of all the info I've seen is that I don't
> actually have the worm on my machine, and that the shutdown messages were my
> system's response to attempts by outside PCs to infect me. This would be
> supported by the total absence of any known variant on my machine. Doesn't
> explain why the patch wouldn't run, though.
>
> Still in puzzlement...
>
> Eds

Just because virus checker didn't spot it doesn't mean it's been discovered yet
(if you actually DO have a problem)
Have you checked
1) Task manager for iffy applications running in background
2) Check regedit hklm\software\microsoft\windows\current version\run and
also hkcu\software...... (same path) for possible iffy auto running programs
3) Startup menu
4) open msconfig from "run" menu, check startup tab in there
5) opened a command window and checked netstat -an for all open ports
6) monitored outgoing tcp/udp traffic for increased activity
7) visited one of the antivirus sites for removal tool for msblaster and run
it (just in case)
good luck
 
FromTheRafters

Eds said:
> I have posted a few times about this, but it seems to be a new variant (or I
> just don't understand how msblast works, which is way possible)

Yeah, I think that is it. But don't feel alone, many people
don't understand it.

> Although it doesn't show up on any virus scans, my computer was doing the
> 60sec shutdown thing pretty soon after going online,

Exploit attempts ~ not all attempts are aimed at exactly
the same platform. This doesn't necessarily mean you
were given the worm, although it is possible.

> as well as blocking the MS patch and windows update

Blocking? ~ How?

> Can't find any of the 4 variants I have heard
> of (or anything else) in the startup registry key or task manager, or indeed
> anywhere on my computer. I did install the patch finally, by opening the exe
> in winrar, so I don't get the shutdown message anymore. In fact everything
> appears normal, except I know I haven't killed it so what will happen
> tomorrow (attack MS day) is anyone's guess...
>
> Ian H suggested I may have an exe blocking trojan, but this didn't check out
> and I'm not having problems with any other exe files.
>
> I am running XP Pro SP1 with AVG and Outpost, although it was disabled for a
> few minutes the day I got infected :-(
>
> I kept getting the shutdown message, and eventually twigged on about the
> worm, but none of the fixes worked. As I said, I found a way to install the
> MS patch and now apparently no more problems, but I assume that the worm,
> whatever my version is called, is still on my machine, but unable to do its thing
> because of the patch.
>
> Have I understood the sitch?

The patch only affects the mechanism by which the worm's exploit
code first gains access to your machine. Once the worm is on the
machine, it has no further use for that vulnerability (on that machine),
so the patch should have no effect against the worm's activity aside
from not allowing the initial exploit to be used in the future against
that machine.

> Because an alternative reading of all the info I've seen is that I don't
> actually have the worm on my machine,

That could very well be.

> and that the shutdown messages were my
> system's response to attempts by outside PCs to infect me.

Yes. But if an attack were successful, I think you could
expect to see traffic as the worm probes for further victims.

> This would be
> supported by the total absence of any known variant on my machine. Doesn't
> explain why the patch wouldn't run, though.

No, it doesn't. Plus I see no reason for the worm to care if the
patch is employed post active instance of the worm executable.
At that point, your machine would be serving the worm copies
to requesting machines, and exploit code to its generated IP#s.

> Still in puzzlement...

Your firewall should help you to see the traffic if it is there.
I don't have that firewall yet, so I can't help you with that.

Good luck.
 
Eds

Ned said:
> Just because virus checker didn't spot it doesn't mean it's been discovered yet
> (if you actually DO have a problem)

I know

> Have you checked
> 1) Task manager for iffy applications running in background

5 copies of svchost are running, but I gather that's normal. nothing else
leaps out

> 2) Check regedit hklm\software\microsoft\windows\current version\run and
> also hkcu\software...... (same path) for possible iffy auto running programs

nothing

> 3) Startup menu

nothing

> 4) open msconfig from "run" menu, check startup tab in there

nothing

> 5) opened a command window and checked netstat -an for all open ports

hmm... listening on local port 135 - isn't that the worm's fave port? what
does that mean? nothing?

> 6) monitored outgoing tcp/udp traffic for increased activity

I have 2 copies of svchost sending stuff out on local ports 1052 & 1036.
Never looked at this before so I don't know if it's unusual.

> 7) visited one of the antivirus sites for removal tool for msblaster and run
> it (just in case)

Yes of course

Weird situation, not knowing if something nasty is lurking on my computer or
not...

Eds
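
An added example, not part of any post in this thread: one way to read the `netstat -an` output from steps 5 and 6, separating the RPC listener on local port 135 (present by default on Windows XP) from the outbound probing of other machines' port 135 that an active worm would produce. The sample output, the documentation-range addresses and the threshold of 10 distinct targets are constructed assumptions.

```python
# Constructed sample of Windows `netstat -an` output (documentation addresses).
SAMPLE_QUIET = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1052      203.0.113.5:80         ESTABLISHED
  UDP    192.168.1.10:1036      *:*
"""

# Same machine, plus 20 constructed half-open connections to remote port 135.
SAMPLE_SCANNING = SAMPLE_QUIET + "".join(
    f"  TCP    192.168.1.10:{3000 + i}      198.51.100.{i}:135       SYN_SENT\n"
    for i in range(1, 21)
)


def parse_netstat(text):
    """Yield (proto, local_port, remote_host, remote_port, state) per TCP/UDP row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        local_port = parts[1].rsplit(":", 1)[1]
        remote_host, remote_port = parts[2].rsplit(":", 1)
        state = parts[3] if len(parts) > 3 else ""  # UDP rows carry no state
        yield parts[0], local_port, remote_host, remote_port, state


def assess_port_135(text, scan_threshold=10):
    """Separate the local RPC listener from worm-style outbound probing."""
    listening = False
    probed = set()
    for proto, lport, rhost, rport, state in parse_netstat(text):
        if proto != "TCP":
            continue
        if lport == "135" and state == "LISTENING":
            listening = True      # the machine's own RPC service, not a sign of infection
        elif rport == "135" and state in ("SYN_SENT", "ESTABLISHED"):
            probed.add(rhost)     # this machine is contacting another host's port 135
    return {
        "rpc_listener": listening,
        "remote_135_targets": len(probed),
        "scanning_suspected": len(probed) >= scan_threshold,  # assumed threshold
    }


if __name__ == "__main__":
    print(assess_port_135(SAMPLE_QUIET))
    print(assess_port_135(SAMPLE_SCANNING))
```

A listener on local port 135 alone says nothing either way; many distinct remote hosts on port 135 in a single snapshot is the traffic pattern described in the reply above.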
 
