W32.Blaster.Worm Removal Tool *updated*

Go and grab the patch and cleaner tool for this nasty virus that allows a user too access any of the following OS and take control of yer pc.

YOU HAVE BEEN WARNED!

Security Patch Information

For more information about how to resolve this vulnerability, click the appropriate link in the following list:

Windows Server 2003 (All Versions)
Windows XP (All Versions)
Windows 2000 (All Versions)
Windows NT 4.0 (All Versions)

go and grab the patch from here

http://support.microsoft.com/?kbid=823980#WinXP

get the cleaning tool here

http://securityresponse.symantec.com...oval.tool.html

Run the patch 1st and then run the cleaner in that order only ok.

Glad too be of service too yah all

The Diplomat

My girlfriend got it on her PC yesterday. Called me in panic telling me that her PC broke down, as it was shutting down all the time. Had to "diagnose" the darn think over the phone and try to explain to her how to apply the removal tool and MS patch to fix it, after i mailed it to her. God it took me the whole day !
Girls and PCs dont mix

Me poor uncle foned me saying as soon as he connected too the net it would shut his pc down everytime, I went and looked and checked the error log with xp admin tools and sure enough there was a few rpc calls. I said will sort in the morning for him. I got home and there was a global msg on me msn account using Trillian giving me info and urls to go and get the patch and cleaner. I didnt know about it as I have zonealarm 4 up and running and configured with max settings without compromising opening webpages. Installed the patch ran the cleaner and my PC is clean as a whistle

Greetz from the HapPy Diplomat

Oh goodness, two days ago my sister called me saying that she kept being forced to restart her computer every two minutes, that there was some kind of Remote Procedure Call error. I really should have suspected a virus sooner, but I was at work at the time so I just told her to go into services and change the Remote Procedure Call Service to not shut down her computer on errors. I figured that it was just time for a format and reinstall. After that she told me of many more errors and problems that I had no idea what would cause. I'd heard of a really bad new virus, and it looks like she got it.

Thanks for the links!

---

Last edited by dhc014; 13-08-2003 at 06:16.

Well, here is how to remove it manually if you don't like to patch ( wierd but hey such people exist )

1) open your configuration screen and find RPC service, click properties and search for reboot. Turn it to restart service.

2) reboot

3) open your registry ( with regedit ) and search the registry for msblast.exe ( or search the exact keys on the microsoft site )

4) now open cmd ( ms-dos ) and go to your %windir%\system32 and write del msblast.exe. DO NOT PRESS ENTER

5) press crtl+alt+del and kill msblast.exe, after you did so try to press enter in cmd as fast as possible.

6) You are clean, now install a firewall!

http://club.cdfreaks.com/showthread....n+AND+virus%2A

How exactly does it spread around?
2 of my friends had it yesterday, but others don't (yet).

edit: oops I just found the answer in the general software-topic, sorry!

Computer keeps restarting

I know I am in the middle of moving home whenever(all packed), will keep posting important topics like this one.

Greetz The Diplomat

i had it today... thank god i had installed nav 2003 just a couple of hours before...
i still have a question: how does it spread? i didn't check the email... i didn't even set any of my accounts... i wasn't browsing... i really can't believe that this damn thing just... "floats around" the www infecting at wil...

A typical IP address might look like this 10.45.345.4

I think the author of this worm virus has coded a small program and lets him enter the following and do a search 10.*.(thats an example) All ip addresses which start with 10 will be sent back to him he then does a mass attack on those ip addresses that start with 10, and hey presto you are infected without even knowing it. He then as full access at dos level mode only and allows him too delete files, or even issue a command too format yer drive(s) he also executes a script file so evertime you are on the net he will know, and then he can either issue an rpc which will shut your pc down within 30 seconds, or start zapping yer OS.


Hope that little explanation helps

Greetz From The Diplomat

Read the technical details here: http://securityresponse.symantec.com...ster.worm.html

Basically, the current state of the worm simply spreads itself. Once you're infected, the worm generates a random IP address and targets that computer trying to infect it.

Chances are very slim that the author actually ever controls your computer. It restarts because the worm causes an error in the RPC service, and the service (by default) is set to restart your computer if it encounters an error.

yeah, the worm spreads by itself and doesn't require any user interaction to infect computers. if ur computer is vulnerable, it'll automatically install and run itself. ironically, the windows patch (which was also available through windows update) came out on july 16, which was nearly a month ago.

Good Work Intercept.

Im sure you saved a lot of people from getting this worm.
and helped a lot of others remove it

Cheers

from what i've read - its pretty poorly programmed as well. not nearly as efficient as the one that crippled korea.

Imagine if it were well programmed then ...

Heh, I went over to a friends house just now to help him with his computer (new mobo), and so we reinstalled XP and everything was dandy. Then we installed the Ethernet drivers and logged on to the internet. Guess what happened

I must say it's very clever way to use this exploit, and like Hemi says, imgine what would have happened if it were "good" programming, like those viruses that change size and name by themselves.

I just got a msg off a friend I know in the USA on ICQ that this worm is suppose to strike big time tomorrow and cause chaos. I asked my friend where it came from and this is what she said.

[20:31] Maria: a friend emailed it to me

[20:35] Maria: should I pass this around to have people
search for it?

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. If in doubt, contact your network administrator. Incorrect editing of the Windows Registry can cause system failure.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
in the righthand pane select
windows auto update = msblast.exe
and delete it if it exists.

_______________________________________________
So if your are unsure about this then take your pc's off-line till Monday, and export a copy of your registry now as a backup. You can then restore in safe mode if needs be.

I keep getting warnings from MSN (using Trillian as my client for all chat servers) that the worm is out of control and causing chaos

Take it how you will, this is an important development and major risk to newbies and pros.

Just doing my job for the community

Greets The Diplomat

It's going to attack windows-update only.
MS tut on how to get rid of Msblast here

Just in case... > W32.Blaster.Worm Removal Tool

when downloading the patch, there was the xp 32 and 64 bit option.
I chose 32 bit - whats the difference?

There are 2 versions of Windows XP, 32bit and 64bit. The 64bit is essential for compatability with 64bit processors i think. Some of the benefits summarized here