XP and Blaster.Worm

Tony Brown

My daughter's computer was recently infected with the
W32.Blaster.Worm. I have scanned it with Norton Anti-virus 9
(up-to-date now) and believe that I have removed the offending files
(MSBlast.exe) according to Norton's instructions. Further repeated
scans have indicated that there is no infection. BUT ---- when the
computer goes on-line trouble begins after a short period of time
(this can vary between 5 and 20 minutes). Then a message appears
saying that Norton has detected the Blaster worm in a file. The name
of this file varies subtly each time. The latest name is
C:\windows\system32\TFTP1808. In other variants the final numbers
are usually different, e.g. TFTP740 etc. I have tried to search
for these files using the "find" facility, but they do not appear to
exist. (I am unsure if "hidden" files are being checked.)
When this message is suppressed the machine works normally for a few
minutes until the following message appears:

NT AUTHORITY SYSTEM
Message
Windows must shut down because the Remote Procedure
Call (RPC) service terminated unexpectedly

The machine then reboots after one minute, cutting off the
internet connection.
The computer is a Hewlett Packard pre-loaded with Windows XP
and uses a 56k modem to connect to the net. Any help or advice on
how to rectify these problems would be deeply appreciated. Sadly,
although I try my best I am not a technical person really, so
simplicity of response would help.
With thanks
Tony Brown
 
Psycho

For some strange reason XP won't search the Windows directory when you
right click the C: drive from My Computer and choose search. Instead
you must first navigate directly to the Windows directory and choose
search from the toolbar. Then you can find what you're looking for. As
for recurrence of the virus, here is some info from Eset, makers of
Nod32:

The infected files are still restoring themselves. What to do?
You are most probably using one of the latter operating systems -
Windows ME or Windows XP - on your machine. These systems by default
use the option for restoring system files, which the system
automatically backs up to the directory "_restore" on the system
disk (normally to the directory "C:\_restore"). This way it is possible
that the infected files join the backed-up files and become
"undeletable".

Solution

The process depends on the operating system:

Windows ME

Right click on the "My Computer" icon on the Windows desktop and click
"Properties"
Click on "Performance">"File system"
Click "Troubleshooting"
Check "Disable system restore"
Click on OK, Close and restart the system
Note: It is recommended to return to the standard behaviour of the
system after the removal of the infected files - by unchecking the
"Disable system restore"

Windows XP

Right click on the "My Computer" icon on the Windows desktop and click
"Properties"
Click on the "System Restore"
Check "Turn off System Restore on all Drives"
Click OK, Close and restart the system

Note: It is recommended to return to the standard behaviour of the
system after removal of the infected files - by unchecking the
"Disable system restore"
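
An added example, not part of either post or of Eset's text: a Python script that walks a directory tree and reports the artefacts named in this thread (MSBlast.exe, the TFTP<number> files Norton flagged, and copies held under a "_restore" directory). The sample directory layout and the function names are constructed for illustration.

```python
import os
import re
import tempfile

# Names taken from the thread; the directory layout below is constructed.
WORM_BINARY = "msblast.exe"
TFTP_FILE = re.compile(r"^tftp\d+$", re.IGNORECASE)  # e.g. TFTP1808, TFTP740
RESTORE_PREFIX = "_restore"  # System Restore backup directory per the Eset text


def classify(rel_path):
    """Label a path if it matches an artefact from the thread, else None."""
    parts = rel_path.replace("\\", "/").lower().split("/")
    name, parents = parts[-1], parts[:-1]
    in_restore = any(p.startswith(RESTORE_PREFIX) for p in parents)
    if name == WORM_BINARY:
        return "worm binary in System Restore backup" if in_restore else "worm binary"
    if TFTP_FILE.match(name):
        return "TFTP<number> file"
    return None


def scan(root):
    """Walk root and return sorted (relative_path, label) findings.

    os.walk returns every directory entry it can read, whatever its hidden
    or system attribute, so the result does not depend on Explorer settings.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            label = classify(rel)
            if label:
                findings.append((rel.replace(os.sep, "/"), label))
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed sample layout (empty files) under root."""
    for rel in ("windows/system32/TFTP1808", "windows/system32/tftp.exe",
                "windows/system32/notepad.exe", "_restore/archive/MSBlast.exe"):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "wb").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, label in scan(tmp):
            print(f"{label}: {rel}")
```

The legitimate tftp.exe client is deliberately not matched; only names of the form TFTP followed by digits are reported.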
 
FromTheRafters

[snip]

Your AV seems to be stopping the infection, but until your
system is patched against the exploit you won't be able to
prevent the download.

Worse things than a lame worm could be downloaded
and executed via this vulnerability and your AV would
be powerless to interfere.

Get the patch. See MS03-026
 
