
'The' Worm ~Fix


KiwiRack

Go to Administrative Tools, then Computer Management, then under Administrative Tools click Local Users and Groups on the left-hand side. On the right-hand side it will show a list of different logins to your computer; delete any you did not make. The 2 that it will not allow you to delete (one's Administrator, the other a Guest account), password protect them. Then go to c:\winnt\system32, look for msblast.exe and delete it. Then go to the registry and delete the reg key for it there. Then go back to the system32 directory and look for any folders with out-of-place names like (inetserv comserv saved uploads dloads). You should also check for files and folders in the c:\winnt\system32\drivers\etc folder.

OR/And

Worm will exploit the DCOM RPC vulnerability. The purpose of the virus is to spread to as many machines as possible. By exploiting an unplugged hole in Windows, the virus is able to execute without requiring any action on the part of the user.

At times like these, when millions can't access the NET; even some companies grinding to a complete halt, it's good to have a TOP Router, with onboard NAT & Anti-Viral. I like paying more for my ISP, because this problem is simply a 'Ghost' for me...

Resolution if you have Norton and the subscription is current.
1. Disable system Restore.
a. Click Start, settings control panel
b. Windows XP classic control panel double click system or in Windows XP category view click Performance and Maintenance, then click system.
c. Click the System Restore tab in the system properties box.
d. Select “Turn off system restore” or “Turn off system restore on all drives”
e. Click Apply
f. A system restore box will come up, “Do you want to turn off system restore?” Click YES
g. Click OK
2. Update virus definitions. Run LiveUpdate. NOTE: If you are unable to download the update follow step 2 in the resolution below “Resolution if you don’t have a current Norton subscription.” then attempt it again.
3. Scanning for and deleting the infected files.
a. Run a full system scan.
b. If any files are detected as infected with W32.Blaster.Worm, click Delete.
4. Deleting the registry value.
a. Delete the registry value.
b. Click Start, and then click Run
c. Type regedit
d. Click OK
e. Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
f. Delete the value “windows auto update” “msblast.exe” in the right panel.
g. Exit the registry editor.
5. Enable system Restore
a. Click Start, settings control panel
b. Windows XP classic control panel double click system or in Windows XP category view click Performance and Maintenance, then click system.
c. Click the System Restore tab in the system properties box.
d. Clear the “Turn off System Restore” or “Turn off system restore on all drives” check box.
e. Click Apply and then OK.
6. Do a Windows update and download all critical updates.

No Norton?
1. Disable system Restore.
a. Click Start, settings control panel
b. Windows XP classic control panel double click system or in Windows XP category view click Performance and Maintenance, then click system.
c. Click the System Restore tab in the system properties box.
d. Select “Turn off system restore” or “Turn off system restore on all drives”
e. Click Apply
f. A system restore box will come up, “Do you want to turn off system restore?” Click YES
g. Click OK
2. Enable the Microsoft Firewall. (This should allow you to download without losing the connection.)
a. Click Start, settings control panel
b. Windows XP classic control panel double click network connections or in Windows XP category view click Network and Internet connections, then click Network connections.
c. Right click on the local area connection and select properties.
d. Click on the advanced Tab.
e. Click Protect my computer.
f. Click OK
g. Close the control panel.
3. Download update.
Download and install the MS03-026 patch
MICROSOFT PATCH: www.microsoft.com – go to [resources] in left-frame and downloads. Under [Most Popular Downloads]: Windows XP Security Patch: Buffer Overrun In RPC Interface Could Allow Code Execution
4. Deleting the registry value, and files.
Delete the registry value.
a. Click Start, and then click Run
b. Type regedit
c. Click OK
d. Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
e. Delete the value “windows auto update” “msblast.exe” in the right panel.
f. Exit the registry editor.

End task on msblast.exe
g. Hit
h. Select Task Manager
i. Choose the Processes tab.
j. Select msblast.exe then click the end process button.

Delete msblast.exe.
k. Click start then Search
l. Select all files and folders.
m. In all or part of the file name type msblast
n. Verify, look in your local hard drives.
o. Click search.
p. After it searches delete the files msblast.exe
q. Empty the recycle bin.
5. Enable system Restore
a. Click Start, settings control panel
b. Windows XP classic control panel double click system or in Windows XP category view click Performance and Maintenance, then click system.
c. Click the System Restore tab in the system properties box.
d. Clear the “Turn off System Restore” or “Turn off system restore on all drives” check box.
e. Click Apply and then OK.
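
The registry check from step 4 above (the Run-key value “windows auto update” pointing at msblast.exe), as an added example that is not part of the original post: a small Python parser for a text export of the registry that flags matching entries under the HKLM Run key. It assumes the export is in the `Windows Registry Editor Version 5.00` format and already decoded to a string; the sample export and the `ExampleTray` entry are constructed.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Indicators taken from the post above: the Run value name and the worm's file name.
BAD_VALUE_NAME = "windows auto update"
BAD_FILE_NAME = "msblast.exe"

_STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_run_values(reg_text):
    """Return {value name: data} for string values under the HKLM Run key."""
    values, in_run_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Key names are case-insensitive; only the exact Run key counts.
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = _STRING_VALUE.match(line) if in_run_key else None
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values

def find_blaster_entries(reg_text):
    """List (name, data) Run entries matching either indicator, ignoring case."""
    hits = []
    for name, data in parse_run_values(reg_text).items():
        if name.lower() == BAD_VALUE_NAME or BAD_FILE_NAME in data.lower():
            hits.append((name, data))
    return hits

# Constructed sample export (not captured from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="\"C:\\Program Files\\Example\\tray.exe\" /min"
"windows auto update"="msblast.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Other"="msblast.exe"
'''

if __name__ == "__main__":
    for name, data in find_blaster_entries(SAMPLE_EXPORT):
        print(f"suspicious Run value: {name!r} -> {data!r}")
```

A hit only means the value is still present; the file deletion and the MS03-026 patch steps in the post still apply.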
 
Nasty stuff that.
I got it last night and I figured that that must be the virus everyone had warned about for weeks.
I was so tired so I just shut my machines down and went to sleep.
Reason I didn't have the patch was because I had been reinstalling stuff.
The best way to solve the problem for everyone would be to build an identical worm that downloads the patch and installs it to all unpatched computers and then removes itself.
 
Yea man, I got it too. I set myself up though, I put ZoneAlarm in "learning mode" and sure enough, it let msblast blast its way to restarting the main computer a lot.
 
See my post HERE and trust me when I tell you this...

No firewall you download, nor hardware firewall right out is going to protect you from this. Not at least without a major firmware upgrade.

Like I said there. If a $400,000 switch/DHCP server can be gone through in nanoseconds, a $50 Linksys is going to do nothing, no matter how much, or what you block. The way the worm moves, simply by-passes everything in existing routers, switches and hubs...

While at work we could actually get +8 to +15 min updates on how far it was spreading on backbones.

Wildfire... Simply wildfire... Your only two forms of protection are:

1) Luck
2) Patch

Get the patch, because by tomorrow evening, there will be some massive problems.

I read on the Inquire "tens of millions" might be affected.

At the time I read that, it was probably above 5 million then.

*********

Being tech support, I really feel for the Microsoft people today. Their queues must be at least two to six hours long. God only knows how long those poor people will be locked in cubicle land.

Hell... business is money, I wouldn't let them leave either!
 
I work in a computer shop part time, tomorrow should be fun :)

Can someone tell me what kind of damage this virus does ? Should I care? LOL
 
Some people were caught out!

On the reboot~reboot scenario, yer, I feel for those people redoing a system & getting caught in the middle. The key & solution was having the critical updates installed; the guy was making a point on how easy it is to mess with MS.

This animal was a little different comprising of a Trojan, worm & virus activity, very nasty bug. Networked systems were 'Ghosted' over and patched, for those responsible for managing Networks; I would assume they are in for a tail whipping for not keeping critical updates current & Anti-Viral up-to-date. Home users, well that's a whole other story~

If you got into the reboot scenario and didn't get the patch (Norton provides the Tool), the cheapest way I can think of is to slave the drive onto a patched Primary & delete those files ~assuming the continuous reboot takes hold. You can't boot to a bootable floppy or a CD AND if anyone knows what the heck I'm talking about ~Does require a degree of understanding, but if you have access to a printer on an unaffected system, guess you could print off how-to-do-it-yourself from here :)

It searches for IP ranges from 1-255 (Everyone) and propagates its load via a vulnerable PC; the long & short is it then multiplx IP ranges & heads off for more targets.

Locally, from what I have heard on the grapevine at least 6,000 systems were affected (& that's just the knowns, local). Interesting that Norton reports approx 1000 affected....get a grip! There are billions of MS systems out there and on the cheeky side, I would say only around 70% people who use win2k+, ME & XP even know what a critical update even is, that would leave 40% of HUmmmm.....Lol

Anti-Viral~Norton & KAV are the two most up-to-date & I have no time for McAfee, that's another story, with a history (Company). Remember though, this was more a Trojan than anything, so with critical updates, there was no need for Anti-Viral.

Adaware is cool (Update, prior to running it) backed up with Spybot & I use Norton & KAV ~At least while this is still going on, in spite of a cool router -BlackICE as well. Overkill? I'll take ICE off when things cool down; but be aware this MSblast is good through the end of the year!

Think of the spin-offs from this beastie, stay tuned for effect on the 'new' strains coming our way soon. I agree with Toysnomore and probably in excess of 30 million would be my guess, if pinned for a #.
{Edit}: Now, I see your post ~Mine was moved & that's ok, I was sorta busy and should have paid more attention.

Cheers
 
Whenever I try to run the patch from microsoft.com, I get the error: "Setup could not verify the integrity of the file Update.inf. Make sure the Cryptographic service is running on this computer."

What in the heck is Cryptographic service, and how do I make sure it's running?

In case I downloaded the wrong file, the name of the file I downloaded was WindowsXP-KB823980-x86-ENU. Is this the right patch for my windows xp home?
 