#1 · 12-Aug-2003, 09:31 · jrobbio

LoveSan, Blaster & MSBlaster VIRUS warning - If using Windows please read


This one has already got me and I had a virus scanner running at the time. I've had to reformat my C: drive as it's caused me all kinds of trouble. Make sure you get the windowsupdate for this. This may be a problem as a DoS is being made on windowsupdate.microsoft.com making it impossible to connect to. If you do encounter this, do not connect to the internet as it causes all sorts of problems and see this page for more information: http://www.annoyances.org/exec/forum/winxp/r1060701365

This is a little bit more about the virus:

A rapidly duplicating worm known alternatively as LoveSan, Blaster, and MSBlaster is spreading to Windows systems across the Internet, exploiting a vulnerability Microsoft fixed over a month ago. This is also the same remote procedure call (RPC) ... See:
#2 · 12-Aug-2003, 09:39 · jrobbio
I got this from mess.be

Quote:
Updated: D'z warned me about this earlier on and now Symantec released a security report regarding the W32.Blaster.Worm.

This worm will exploit the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. It will attempt to download and run the file Msblast.exe.

You should block access to TCP port 4444 at the firewall level, and block the following ports, if they do not use the applications listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

The worm also attempts to perform a Denial of Service on windowsupdate.com. This is an attempt to disable your ability to patch your computer against the DCOM RPC vulnerability.

To find out whether you're infected, press Ctrl+Alt+Del and verify if the process MsBlast.exe is running. If it is, kill the process MsBlast.exe from the task manager. Next, execute regedit.exe and search for the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Delete "windows auto update"="msblast.exe" from the right pane.

Final step: delete msblast.exe from either the Windows System and/or System32 folders.

Update #2: Do these instructions stupefy you? D'z was one of the very first to create an auto-cleaner for this worm, and now Symantec released a removal tool.

[Detailed removal instructions: Symantec.com]
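
The manual check described in the post above (running process, Run-key value, dropped file) can be scripted as a read-only audit. This is an added example, not part of the original post or of any vendor tool; the function name `Get-BlasterIndicator` is hypothetical, and the script only reports what it finds and deletes nothing.

```powershell
# Added example: read-only check for the Blaster indicators listed in the post above.
function Get-BlasterIndicator {
    $findings = @()

    # 1. Process check (Get-Process expects the name without ".exe").
    foreach ($p in @(Get-Process -Name 'msblast' -ErrorAction SilentlyContinue)) {
        $findings += "Process running: msblast.exe (PID $($p.Id))"
    }

    # 2. Autostart entry under the Run key named in the post.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        # Properties added by the registry provider, not real registry values.
        $builtIn = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
        foreach ($prop in $run.PSObject.Properties) {
            if ($builtIn -contains $prop.Name) { continue }
            # -eq and -match are case-insensitive in PowerShell.
            if ($prop.Name -eq 'windows auto update' -or "$($prop.Value)" -match 'msblast\.exe') {
                $findings += "Run value: `"$($prop.Name)`" = `"$($prop.Value)`""
            }
        }
    }

    # 3. Dropped file in the Windows System or System32 folder.
    foreach ($dir in 'System', 'System32') {
        $path = Join-Path (Join-Path $env:windir $dir) 'msblast.exe'
        if (Test-Path -LiteralPath $path) {
            $findings += "File present: $path"
        }
    }

    return $findings
}

$result = @(Get-BlasterIndicator)
if ($result.Count -eq 0) {
    Write-Output 'No Blaster indicators from the post were found.'
} else {
    $result | ForEach-Object { Write-Output "FOUND  $_" }
}
```

Matching on the value data as well as the value name catches an autostart entry that points at msblast.exe under a different name.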
#3 · 12-Aug-2003, 09:48 · JdS
Thank you for warning... In fact I was just reading up on it on one other forum I go to occasionally.

This explains all those blocked attempts to my PC's port 135 all of a sudden. Thank you Zone Alarm

Don't you have a firewall or something going on inside your PC, Rob?
#4 · 12-Aug-2003, 09:53 · jrobbio
Yes I do, but I've been hasty lately and disabled it because it was causing problems with some other software. Egg on my face or what!

I don't believe this, just reinstalled XP after formatting and the first thing I get is this blighter after connecting to the internet. F$£$

Rob
#5 · 12-Aug-2003, 09:57 · JdS
I just happened to read this, maybe you have too; sounds like a good idea before getting online after a fresh re-install:
Quote:
Prevention
If you are using Windows NT 4.0, Windows 2000, Windows XP, or Windows Server 2003, you should follow these steps to help protect your system:

Make sure you have a firewall.
If you have Windows XP or Windows Server 2003, enable the Internet Connection Firewall (ICF).
#6 · 12-Aug-2003, 10:11 · Div
Is it spread by email (Outlook)?
#7 · 12-Aug-2003, 10:24 · JdS
According to this article: http://zdnet.com.com/2100-1105_2-5062524.html , it's
Quote:
... The worm attacks Windows computers via a hole in the operating system, which Microsoft warned of 16 July....

I know this is bad timing Rob, but if you look at the page above notice the ad for Windows 2003 (top-right); it says:
Quote:
Microsoft
Windows Server 2003: Get trial software demos, benchmarks, checklists and more.
Now we know what the more is all about
#8 · 12-Aug-2003, 12:47 · Garth Farley
Yup, it's a biggie. Got an internal email about this a few days ago, but never bothered to run the update (you need at least SP2 installed for Windows 2000, and I've work to do). I got a telling off anyway, the company firewall has been hit by many's a 135 request.

Good job the vulnerability was notified to Microsoft before it got public. Not that they rushed to admit there existed such a flaw.

GF
#9 · 15-Aug-2003, 11:02 · jrobbio
Just an update to say to expect a majorly slow internet tomorrow (16th August)

See this article for more information.
Quote:
With more than 300,000 systems potentially flooding windowsupdate.com, the Internet could witness the most powerful distributed denial-of-service attack to date, experts say.

Rob
 
 
