Windows XP W32.Blaster.Worm


Joined
Aug 12, 2003
Messages
4
Reaction score
0
w.32.blaster.worm TAKE NOTE THIS IS HUGE

The worm is here
W32.Blaster.Worm - The worm, dubbed LoveSan, Blaster, or MSBlaster, exploits a vulnerability in the Distributed Component Object service as Opaserve does. Once it gets onto a vulnerable computer, the program downloads code from a previously infected machine that enables it to propagate itself. Then, it scans the Internet for other vulnerable machines and attacks them. In some cases, the worm crashes the victim machine, but does not infect it. The worm also appears to instruct the computer to launch a distributed denial of service (DDOS) attack on August 16 against a Microsoft Web site, he added. In a DDOS attack, a Web site is temporarily paralyzed after receiving requests from numerous multiple computers. The worm contains code that includes a phrase: 'Billy Gates why do you make this possible? Stop making money and fix your software,' according to sources on the Net. :confused:

There is a fix if you're unfortunate :p
You can update the Windows security from: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp and you can use the worm removal tool from: http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
 
Joined
Aug 12, 2003
Messages
4
Reaction score
0
update=TAKE HEED THIS IS A BIG PROBLEM,WORM

DCOM RPC Virus / Worm

Overview

A new virus / worm / exploit has been discovered. The “virus” exploits a vulnerability in Windows NT based operating systems, causing the computer to shut down; subsequent attempts to restart the computer will result in the same.

The virus, W32.Blaster (also known as W32.Lovsan), was discovered on the 8th August 2003. Because the worm spreads quietly and does not arrive as an e-mail attachment, users might not immediately realize that they have been infected.

The virus works by exploiting a vulnerability in Windows XP, NT and 2000; the worm is able to execute without requiring any action on the part of the user. When run, it scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability on the found systems to create a remote shell on TCP port 444, and then passes a TFTP command to download the worm to the %WinDir%\system32 directory and execute it. (The target system is issued a TFTP command to download the worm from the infected host system [TFTP UDP port 69].)

Once run, the worm creates the registry key (may be either of the following):
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 "windows auto update" = msblast.exe
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill

Symptoms
 Presence of unusual TFTP* files
 Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
 Error messages about the RPC service failing (causes system to reboot)
 The worm randomly opens 20 sequential TCP ports for listening. This is a constantly revolving range (i.e. 2500-2520, 2501-2521, 2502-2522). The purpose of this action is unknown.

Method Of Infection
This worm spreads by exploiting a recent vulnerability in Microsoft Windows. The worm scans random ranges of IP addresses on port 135. Discovered systems are targeted. Exploit code is sent to those systems, instructing them to download and execute the file MSBLAST.EXE from a remote system via TFTP.
The worm contains a payload to initiate a Denial of Service attack against windowsupdate.com.

Removal
The first part in the removal process is to stop the PC from continually rebooting; this will enable the customer to update virus definitions and download the patch issued by Microsoft.
1. Disable [System Restore] (Windows XP)
Right Click [My Computer]
Left Click [Properties]
Left Click the [System Restore] Tab
Put a tick in [Turn off System Restore]
Click [Apply],
A warning will appear, click [Yes]
Click [OK]

The next 2 steps may need to be performed in reverse order if the PC keeps shutting down.

2. Stop “MSBLAST.EXE” from running
Press “Ctrl+Alt+Del” on the keyboard
Highlight “MSBLAST.EXE”
Click [End Task]
Close [Task Manager]

3. To Stop the PC from rebooting (Windows XP & 2000):
Click [Start], [Run]
Type “services.msc”
Scroll down until you see “Remote Procedure Call (RPC)”
Double Left Click “Remote Procedure Call (RPC)”
Left Click the [Recovery] Tab
Alter the [First failure:], [Second failure:] and [Subsequent failures:] to read “Take No Action”
Click [Apply], [OK]
Close the “Services” Window

4. Connect to the Internet and download the vulnerability patch available from: http://www.microsoft.com/security/security_bulletins/ms03-026.asp (this patch does not remove the virus, it only blocks the vulnerable ports).

5. Download the latest virus definitions for your respective software and perform a full system scan.

6. If no virus scanner is installed on the PC, removal tools are available from:

 McAfee http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547
 Symantec http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
 Sophos http://www.sophos.com/support/news/#blaster
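
A host-side check for the indicators listed in the post above (the Run value "windows auto update", msblast.exe, and a block of 20 sequential listening TCP ports), as an added example that is not part of the original thread. It parses text in the usual layout of `netstat -an` and `reg query` output; the sample data and the function names are constructed for illustration.

```python
import re

# Indicators taken from the post above.
RUN_VALUE_NAME = "windows auto update"
WORM_FILE = "msblast.exe"
PORT_RUN_LENGTH = 20  # "20 sequential TCP ports"

# Constructed sample input (not captured from a real host).
SAMPLE_NETSTAT = "\n".join(
    ["  TCP    0.0.0.0:135     0.0.0.0:0     LISTENING",
     "  TCP    10.0.0.5:1042   10.0.0.9:80   ESTABLISHED"]
    + [f"  TCP    0.0.0.0:{p}    0.0.0.0:0     LISTENING" for p in range(2500, 2520)])
SAMPLE_REG = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    windows auto update    REG_SZ    msblast.exe\n"
    "    ExampleTray    REG_SZ    C:\\Program Files\\Example\\tray.exe\n")

def listening_tcp_ports(netstat_text):
    # Collect local TCP ports that are in the LISTENING state.
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].upper() == "TCP" and fields[-1].upper() == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return sorted(ports)

def sequential_runs(ports, min_len=PORT_RUN_LENGTH):
    # Return (first, last) for every run of at least min_len consecutive ports.
    runs, start, prev = [], None, None
    for p in ports:
        if start is None:
            start = p
        elif p != prev + 1:
            if prev - start + 1 >= min_len:
                runs.append((start, prev))
            start = p
        prev = p
    if start is not None and prev - start + 1 >= min_len:
        runs.append((start, prev))
    return runs

def run_key_hits(reg_query_text):
    # Return Run-key value names whose name or data matches the worm's entry.
    hits = []
    for line in reg_query_text.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_\w+\s+(.*)$", line)
        if m and (m.group(1).lower() == RUN_VALUE_NAME or WORM_FILE in m.group(2).lower()):
            hits.append(m.group(1))
    return hits
```

A non-empty result from either `sequential_runs(listening_tcp_ports(...))` or `run_key_hits(...)` is a reason to continue with the removal steps in the post.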
 

Ian

Administrator
Joined
Feb 23, 2002
Messages
18,975
Reaction score
1,011
Cheers for letting us know about it!

I've edited the title and moved it to the correct forum :)
 

Ian

Administrator
Joined
Feb 23, 2002
Messages
18,975
Reaction score
1,011
Oops, you're right Eric! :crazy:
 

Ian

Administrator
Joined
Feb 23, 2002
Messages
18,975
Reaction score
1,011
I wonder what will happen in the coming years when viruses will become more and more harmful. It is relatively easy to code a virus, and some extremely malicious things can be done :angry:
 
