
RPC DCOM Worm, discuss here


gt24

Member
Joined
Aug 10, 2003
Location
Ohio
I don't have the worm because I have a Linux Router firewall protecting me and I am patched up. However, I got around 40 hits on the firewall today on port 135 and I am wondering how many people out there actually have this worm...

Some info for folks...

FSecure's info
Slashdot Story
Security Advisory

From the Slashdot story...

Affected Software:

* Microsoft Windows NT(R) 4.0
* Microsoft Windows NT 4.0 Terminal Services Edition
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server(TM) 2003

Not Affected Software:

* Microsoft Windows Millennium Edition

So how do you fix an infected machine?

1) Delete msblast.exe (usually found at: winnt\system32\msblast.exe)
2) Delete the Registry key: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update". That key should contain the "msblast.exe" process, and is what starts it up again on reboot.
3) Patch DCOM, or you'll just get this again.

Also, at Slashdot, there are reports of this virus being buggy on XP and 2000, causing restarts on XP and crashing a lot of services on 2000. Also, there was a report of XP denying access to taskman, saying that you need to be Administrator (even if you are logged in as Administrator). Anywho, all this info is just FYI. Tell me your experiences with this virus...
 
A friend I have IMed me, they got the virus and were trying to clean it up... So I guess it is going around...

She says that I can mention her name as "dark_underworld" even though she isn't registered here...
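
The first post counts port 135 hits on a Linux router firewall. As an added example (not part of the original thread), this Python script tallies new inbound connection attempts to TCP 135 per source from netfilter `LOG` lines. The log lines are constructed samples using documentation addresses, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the usual netfilter LOG layout (documentation IPs only).
SAMPLE_LOG = """\
Aug 11 14:02:11 router kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=48 TTL=112 PROTO=TCP SPT=3456 DPT=135 WINDOW=64240 SYN URGP=0
Aug 11 14:02:14 router kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=48 TTL=112 PROTO=TCP SPT=3457 DPT=135 WINDOW=64240 SYN URGP=0
Aug 11 14:05:40 router kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 LEN=48 TTL=109 PROTO=TCP SPT=1190 DPT=135 WINDOW=16384 SYN URGP=0
Aug 11 14:06:02 router kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=48 TTL=115 PROTO=TCP SPT=2201 DPT=445 WINDOW=16384 SYN URGP=0
Aug 11 14:07:19 router kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=78 TTL=110 PROTO=UDP SPT=1027 DPT=135 LEN=58
Aug 11 14:09:55 router kernel: IN=eth0 OUT= SRC=203.0.113.80 DST=198.51.100.2 LEN=44 TTL=52 PROTO=TCP SPT=80 DPT=135 WINDOW=5840 ACK SYN URGP=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}


def parse_line(line):
    """Return the KEY=value fields of one LOG line plus the bare TCP flag tokens."""
    fields = dict(FIELD.findall(line))
    fields["flags"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields


def rpc_probes(log_text, port=135):
    """Count pure-SYN TCP packets to `port`, keyed by source address."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("PROTO") != "TCP" or f.get("DPT") != str(port):
            continue  # other protocol or other port
        if f["flags"] != {"SYN"}:
            continue  # SYN-ACK, RST etc. are not new connection attempts
        hits[f.get("SRC", "unknown")] += 1
    return hits


def summarize(hits):
    """Total hits versus distinct sources: many sources suggests many infected hosts."""
    return {"total_hits": sum(hits.values()),
            "distinct_sources": len(hits),
            "top": hits.most_common(3)}


if __name__ == "__main__":
    print(summarize(rpc_probes(SAMPLE_LOG)))
```
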
 