Blaster worm virus warning

[daisylawn]

Just to warn you all if you don't already know, you probably now have the blaster worm virus or are about to get it...
You will need to download a patch from microsoft - check out the news on the web for more details. This has been wreaking havoc where I work (a very large organisation)
What a nightmare!

I would strongly advise installing the patch and cleaning your pc even if you have no symptoms yet!

We got it last night.........DAMM annoying, sort it out quick if you get it ladies, it seriously interupts mumsnet surfing

Does this virus keep shutting down your system?

What are the symptoms. My PC has suddenly started playing up. Its set to update the anti-virus software everyday but found it hasn't updated since the 4th and when I tried it wouldn't download. Also outlook keeps crashing. Haven't been able to find out much about what the virus actually does. Also does anyone know the best way to fix it - I presume I won't be able to download the patch and if already infected probably won't work anyway. Any advice on the danger signs?

I just downloaded a patch from here

hope this helps

I got this from m ISP this morning.

If you use Windows NT4, Windows 2000, Windows XP or Windows 2003 you may be at risk from a new virus known as MSBlaster. This virus exploits a known security issue with Windows operating systems. It can cause your computer to reboot and can also result in slow speeds whilst browsing the Internet.

If you are running one of these operating systems please visit the Symantec website [http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.html] where you can find further information, including instructions on how to remove this virus.

You can also visit the Microsoft site [http://www.microsoft.com/security/security_bulletins/ms03-026.asp] to get the latest security updates.

Thanks will have a look although PC will not not open new window either. Grrrr. Just what I need when I'm about to go into labour (hopefully!)

Just a bit paranoid as last time there was a big virus scare I was sure I'd got it as I kept getting bounced messages back saying I was sending it to people. We ended up reinstalling my entire platform and I lost loads of stuff only to discover that the virus used Email aliases anyway so it wasn't me sending the virus out. Just a bit reluctant to embark on a big cleanup unless I'm sure. Also haven't backedup for ages. Tut Tut!

My virus software suddenly decided it would update today so I ran a check and guess what - it found the blaster/lovesan virus straight away. But when I tried to move it to the virus vault it said it couldn't. So now off to try and find alternative ways of fixing it. Don't know how I ended up getting infected. All this blooming stormy weather has meant I've been unplugging the phone line to stop my modem blowing as I've had so much damage in the past. Now it seems that has stopped my software updating each day so now I have a Bl worm! Can't win!

So if like me, you have Windows 98, does that mean that you are immune from this worm? I've had no symptoms, my pc is slow anyway so nothing new in that!

We've just had it but luckily my husband had the patch at work so the computer is fine now - a complete pain as the computer kept terminating itself!

Teletubby - does that mean if I just install the patch it will fix itself. Just run my AVG software again and it picked up the virus and said it was healed but when I've rebooted the machine again I'm still having problems. Not sure if this means I've still got the virus or if its just damage left by the virus.

Tried to download the patch and seemed to work but when it asked about running it then said that I needed service pack 2 or something. Can I just get DH to bring the patch home for me then?

I just had a look on Symantec, apparently I won't be affected. So if you have an old Windows version you're clean!

I was delighted to see that the cr*ppy Windows ME isn't affected either. It must be the only thing it does right!

Katharine, I've found the Symantic instructions for removing viruses pretty good in the past. I printed them off and just followed them. Read them through first to see if there are any other instructions you need (essential for any PC novices out there!)

The service pack you mention should be available from the MS website too.

For your information:

Web worm spreading fast
Tue 12 August, 2003 03:49 BST

By Elinor Mills Abreu

SAN FRANCISCO (Reuters) - An Internet worm that takes advantage of a recently discovered, widespread security hole in Microsoft's Windows software has emerged around the U.S., crashing systems and spreading to vulnerable computers.

The worm contains code that includes a phrase: "Billy Gates why do you make this possible? Stop making money and fix your software!!," according to the SANS Institute.

The worm, dubbed LoveSan, Blaster, or MSBlaster, exploits a vulnerability in the Distributed Component Object service that is hosted by a Remote Procedure Call feature in Windows 2000 and Windows XP that lets computers share files, among other activities.

Once it gets onto a vulnerable computer, the program downloads code from a previously infected machine that enables it to propagate itself. Then, it scans the Internet for other vulnerable machines and attacks them, said Johannes Ullrich, chief technology officer at the Internet Storm Centre at the SANS Institute.

In some cases, the worm crashes the victim machine, but does not infect it, he said.

It is spreading rapidly and has infected several thousand machines, Ullrich said.

The worm also appears to instruct the computer to launch a distributed denial of service (DDOS) attack on August 16 against a Microsoft Web site, he added. In a DDOS attack, a Web site is temporarily paralysed after receiving requests from numerous multiple computers.

"It's dangerous from the perspective that it can consume a lot of bandwidth," said Russ Cooper of TruSecure Corp. "Every compromised machine is constantly attacking."

Anti-virus provider Network Associates rated it a medium risk for consumers and corporate computer users, while rival Symantec Corp. rated it a high risk for distribution and a low risk for damage.

Last month, Microsoft warned of the vulnerability, which experts said was one of the worst to hit a software program in a few years because of the number of Windows systems affected.

The U.S. government issued a warning about the security flaw, and then released another advisory warning after thousands of machines began scanning the Internet looking for vulnerable computers. After that, experts said it was only a matter of time before a worm would appear.

In January, a worm dubbed "Slammer" that exploited a hole in Microsoft SQL database software brought automatic teller machines in the United States to a standstill, paralysed corporate networks worldwide and nearly shut down Web access to South Korea.

More info from ZDnet.com site:
Quote:
MSBlast does not spread via e-mail. Instead, it scans the Internet on port 135 looking for vulnerable computers. When it finds one, it attempts to exploit the DCOM RPC buffer overflow, create a remote root shell on TCP port 4444, then use FTP to download a file called msblast.exe onto the infected computer.

At this time, antivirus vendors are still analyzing what msblast.exe does.

MSBlast updates the system Registry with the following line so that it will run each time the computer is rebooted.

Hkeylocalmachine\software\Microsoft\Windows\CurrentVersion\ Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! Bill

And from Symantec.com
Quote:

When W32.Blaster.Worm is executed, it does the following:

Creates a Mutex named "BILLY." If the mutex exists, the worm will exit.

Adds the value:

"windows auto update"="msblast.exe"

to the registry key:

HKEYLOCALMACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

Calculates the IP address, based on the following algorithm, 40% of the time:

Host IP: A.B.C.D

sets D equal to 0.

if C > 20, will subtract a random value less than 20.

Once calculated, the worm will start attempting to exploit the computer based on A.B.C.0, and then count up.

NOTE: This means the Local Subnet will become saturated with port 135 requests prior to exiting the local subnet.

Calculates the IP address, based on many random numbers, 60% of the time:

A.B.C.D

set D equal to 0.

sets A, B, and C to random values between 0 and 255.

Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability to allow the following actions to occur on the vulnerable computer:

Create a hidden Cmd.exe remote shell that will listen on TCP port 4444.

NOTE: Due to the random nature of how the worm constructs the exploit data, it may cause computers to crash if it sends incorrect data.

Listens on UDP port 69. When the worm receives a request, it will return the Msblast.exe binary.

Sends the commands to the remote computer to reconnect to the infected host and to download and run Msblast.exe.

If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on "windowsupdate.com."

With the current logic, the worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.

The worm contains the following text, which is never displayed:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

And from Trend.com
Quote:
TrendLabs has received several infection reports of this new worm, which exploits the RPC DCOM BUFFER OVERFLOW. This vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

This worm has been observed to continuously scan random IP addresses and send data to vulnerable systems on the network using port 135. On the following system dates, it performs a Distributed Denial Of Service attack against windowsupdate.com:

On the 16th to the 31st day of the following months:

January
February
March
April
May
June
July
August

Any day in the months of September to December.
This worm runs on and is able to propagate into Windows NT, 2000, and XP systems.

For more information on the RPC DCOM Buffer Overflow, please visit the following Microsoft page:

Microsoft Security Bulletin MS03-026

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use the Trend Micro System Cleaner.

MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

This procedure terminates the running malware process from memory.

Open Windows Task Manager press
CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs*, locate the process:
MSBLAST.EXE

Select the malware process, then press either the the End Process button.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEYLOCALMACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
?windows auto update" = MSBLAST.EXE
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_MSBLAST.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro?s free online virus scanner.

Applying Patches

TrendLabs advises all affected users to apply the patch issued by Microsoft at the following page:

Microsoft Security Bulletin MS03-026

TrendLabs also asks users to filter access to port 135 and allow trusted and internal sites only.
For product specific solutions, refer to Solution 15888 of Trend Micro's Knowledge Base.

Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network or home PC.

I ws too chicken to try and sort this virus out myself. I have a dell computer and phoned up this morning. It took an hour to get through to the tech team and another 30 minutes to be talked through the reboot instructions and the instructions in the symantic website. I hate to think what my mobile phone bill will be. But at least my computer is now clean again. Commiserations to other sufferers.

Oh this is driving me nuts. My virus software finds the virus and supposedly heals it but then things stop working and it finds the virus again. Have followed the brill instructions provided my oakmaiden below but can't find either of the processes described. Its as if I'm getting reinfected all the time and I don't know where from. Really worried now as its meant to do something tomorrow isn't it. And I'm worried about spreading infection to my customers (I'm web-based business). Can't beleive I'm sitting here 3 days overdue doing battle with some stupid virus which doesn't appear where its meant to and yet still keeps causing havoc with my machine. Spent 1.5 hrs this afternoon downloading new service pack from microsoft but machine still doesn't seem to want to download critical patch updates which appears to be the key.

Just felt the need to let off steam. Aghhhhhhh

Have you set up a firewall? Go to Zonelabs and download their free copy, it will stop the virus getting back in. I have done this and it has blocked nearly 12000 Intrustions since I installed it 4 days ago.