MSBLAST RPC worm fix
From: Antnee (anthony_at_visualante.org)
Date: 08/13/03
- In reply to: Papercut: "MSBLAST RPC worm fix"
Date: Tue, 12 Aug 2003 19:52:58 -0700
See http://www.visualante.org/msblast for more
information on the issue, including how to fix any
infected systems
The site is being updated as and when necessary to keep
you all up to date with developments
>-----Original Message-----
>::3rd Post::
>
>Okay guys, here it is, hope this helps.
>
>First of all, I would like to say that I DO NOT WORK FOR
>MICROSOFT.
>
>I am an ex-computer technician who only wants to help the
>world out, any worm creator is merely someone who wishes
>to cause havoc.
>
>Any information I give on this post is from personal
>experience, I removed this worm from my computer yesterday
>without reformatting my hard drive.
>
>Use this information AT YOUR OWN RISK.
>
>
>Okay, having said that, here's how I removed MSBLAST from
>my computer.
>
>Step 1. Turning off RPC
>It's difficult to do anything while you only have 60
>seconds, so this is a way around the RPC being terminated.
>
>Make sure that you have your IE icon on your desktop
>before you do this.
>
>If you have your Windows XP cd, there is what is called a
>recovery console. To get to the recovery console, start
>your computer with the XP CD in your cd drive, if your
>CDROM is a boot option, it will say "Press any key to boot
>from CD..." press a key, and the windows setup will begin.
>
>You should eventually see options saying "To install XP,
>press ENTER", there's an option on
>that screen which reads "To repair a previous installation
>of Windows using the recovery console, press R"
>(If I remember right, the key is R, it may be different.)
>
>If you get to the recovery console, it looks like a dos
>prompt, it will say "Which installation of windows would
>you like to repair" with a list above it.
>
>Your installation should be 1 (if it's different, it
>should have a number beside it), so put 1 in there, and
>press enter. It will then ask for the
>administrator password, so put that in and press enter.
>
>You should now be in the recovery console.
>
>Type this command into the recovery console:
>DISABLE RpcSs
>
>And press enter. You should get a message that
>says "RpcSs has gone from SERVICE_AUTO_START to
>SERVICE_DISABLED, you must restart your computer for these
>changes to take effect."
>
>Type EXIT in the recovery console and your computer should
>reboot, do not boot from CD this time.
>
>THIS IS IMPERATIVE: WHEN YOU ARE FINISHED REMOVING THE
>WORM, TURN THIS BACK ON. (I'll explain how to turn it
>back on near the end of this post.)
>
>Step 2. The removal
>Okay, with RpcSs turned off, MSBLAST cannot turn off your
>computer (at least that's how it worked for me.)
>HOWEVER, your computer will run screwy. For instance, you
>won't have a start menu (that's why you need the IE icon on
>your desktop.)
>
>You should be able to get on the internet and do what
>needs to be done now.
>
>Go to housecall.antivirus.com and follow the instructions
>for an online scan of your hard drive. After it's
>finished, there should be a virus that comes up along the
>lines of W32.MSBLAST.WORM, when the scan is complete, tell
>housecall to delete the worm.
>
>We're done with housecall now.
>
>Step 3. The fix
>
>Now that we've removed the worm, we need the fix so it
>won't bother us again.
>
>Go to this microsoft site:
>http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp
>
>Download the patch that corresponds with your version of
>windows to your desktop, then install it. This part
>should be pretty automatic.
>
>If everything goes as I hope it will, you should be immune
>to MSBLAST now.
>
>Step 4. Turning RPC back on
>
>Now that you have the virus removed (hopefully) you need
>to turn RpcSs back on.
>
>Get back to the recovery console from the instructions in
>step 1, only this time we're going to do the reverse.
>
>Type this command into the recovery console:
>
>ENABLE RpcSs SERVICE_AUTO_START
>
>You should receive a message saying "RpcSs has gone from
>SERVICE_DISABLED to SERVICE_AUTO_START, you must reboot
>your computer for these changes to take effect."
>
>Type EXIT into the recovery console and let your computer
>reboot.
>
>
>If all went well, you are home free.
>
>
>I hope this fix helps with the MSBLAST worm, I hate seeing
>this kind of thing happen to everyone.
>...
>
>
>..
>
>
>.
>
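The quoted post insists that RpcSs be re-enabled once the worm is removed. As an added example (not part of the original posts), this Python sketch parses `sc qc RpcSs` output collected from several machines and lists those where the service is not back at AUTO_START; the host names and the trimmed sample output are constructed.

```python
import re

# Field layout follows the text printed by `sc qc <service>`.
NAME_RE = re.compile(r"^\s*SERVICE_NAME:\s*(\S+)", re.MULTILINE)
START_RE = re.compile(r"^\s*START_TYPE\s*:\s*(\d+)\s+(\S+)", re.MULTILINE)


def rpcss_start_type(sc_output):
    """Return (code, name) for RpcSs from one `sc qc RpcSs` capture, or None."""
    name = NAME_RE.search(sc_output)
    start = START_RE.search(sc_output)
    if not name or name.group(1).lower() != "rpcss" or not start:
        return None
    return int(start.group(1)), start.group(2)


def hosts_needing_attention(captures):
    """Map host -> reason for every host where RpcSs is not auto-start."""
    findings = {}
    for host, text in captures.items():
        parsed = rpcss_start_type(text)
        if parsed is None:
            findings[host] = "no RpcSs config in capture"
        elif parsed[1] != "AUTO_START":
            findings[host] = "RpcSs start type is %s (%d)" % (parsed[1], parsed[0])
    return findings


# Constructed, trimmed captures; host names are hypothetical.
SAMPLE = {
    "pc-cleaned": """[SC] GetServiceConfig SUCCESS

SERVICE_NAME: RpcSs
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
""",
    "pc-forgotten": """[SC] GetServiceConfig SUCCESS

SERVICE_NAME: RpcSs
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
        ERROR_CONTROL      : 1   NORMAL
""",
    "pc-error": "[SC] OpenService FAILED 5:\n\nAccess is denied.\n",
}

if __name__ == "__main__":
    for host, reason in sorted(hosts_needing_attention(SAMPLE).items()):
        print("%s: %s" % (host, reason))
```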