Re: My desktop computer is infected with a virus

From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 01/02/04

    Date: Thu, 1 Jan 2004 18:51:00 -0500
    
    

    See http://www.microsoft.com/security/incident/blast.asp

    You need a firewall - turn yours on ASAP. Also go to start | run and type

    shutdown /a

    to keep it from rebooting.

    Also -

    From a notice posted by Jerry Bryant in microsoft.public.security -

    SEVERITY: CRITICAL
    DATE: August 11, 2003
    PRODUCTS AFFECTED: Windows XP, Windows 2000, Windows Server 2003, Windows NT
    4.0, NT 4.0 Terminal Services Edition

    WHAT IS IT?
    The Microsoft Product Support Services Security Team is issuing this alert
    to inform customers about a new worm named W32.Blaster.Worm which is
    spreading in the wild. This virus is also known as: W32/Lovsan.worm
    (McAfee), WORM_MSBLAST.A (Trendmicro), Win32.Posa.Worm (Computer
    Associates). Best practices, such as applying security patch MS03-026 should
    prevent infection from this worm.

    Customers that have previously applied the security patch MS03-026 before
    today are protected and no further action is required.

    IMPACT OF ATTACK: Spread through open RPC ports. Customer's machine gets
    re-booted or msblast.exe exists on customer's system.

    TECHNICAL DETAILS: This worm scans a random IP range to look for vulnerable
    systems on TCP port 135. The worm attempts to exploit the DCOM RPC
    vulnerability patched by MS03-026.

    Once the Exploit code is sent to a system, it downloads and executes the
    file MSBLAST.EXE from a remote system via TFTP. Once run, the worm creates
    the registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    windows auto update = msblast.exe I just want to say LOVE YOU SAN!! bill

    Symptoms of the virus: Some customers may not notice any symptoms at all. A
    typical symptom is the system is rebooting every few minutes without user
    input. Customers may also see:
    - Presence of unusual TFTP* files
    - Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory

    To detect this virus, search for msblast.exe in the WINDOWS SYSTEM32
    directory or download the latest anti-virus software signature from your
    anti-virus vendor and scan your machine.

    For additional details on this worm from anti-virus software vendors
    participating in the Microsoft Virus Information Alliance (VIA) please visit
    the following links:

    Network Associates:
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547

    Trend Micro:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A

    Symantec:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

    Computer Associates: http://www3.ca.com/virusinfo/virus.aspx?ID=36265

    For more information on Microsoft's Virus Information Alliance please visit
    this link: http://www.microsoft.com/technet/security/virus/via.asp

    Please contact your Antivirus Vendor for additional details on this virus.

    PREVENTION: Turn on Internet Connection Firewall (Windows XP or Windows
    Server 2003) or use a third party firewall to block TCP ports 135, 139, 445
    and 593; also UDP 69 (TFTP) for zombie bits download and TCP 4444 for remote
    command shell. To enable the Internet Connection Firewall in Windows:
    http://support.microsoft.com/?id=283673

    1. In Control Panel, double-click Networking and Internet Connections, and
    then click Network Connections.
    2. Right-click the connection on which you would like to enable ICF, and
    then click Properties.
    3. On the Advanced tab, click the box to select the option to Protect my
    computer or network.

    This worm utilizes a previously-announced vulnerability as part of its
    infection method. Because of this, customers must ensure that their
    computers are patched for the vulnerability that is identified in Microsoft
    Security Bulletin MS03-026.
    http://www.microsoft.com/technet/security/bulletin/MS03-026.asp. Install the
    patch MS03-026 from Windows Update http://windowsupdate.microsoft.com

    As always, please make sure to use the latest Anti-Virus detection from your
    Anti-Virus vendor to detect new viruses and their variants.

    RECOVERY: Security best practices suggest that a previously compromised
    machine be wiped and rebuilt to eliminate any undiscovered exploits that can
    lead to a future compromise. See CERT Advisory:
    Steps for Recovering from a UNIX or NT System Compromise.
    http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

    For additional information on recovering from this attack please contact
    your preferred anti-virus vendor.

    RELATED MICROSOFT SECURITY BULLETINS:
    http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

    RELATED KB ARTICLES: http://support.microsoft.com/?kbid=826955
    This article will be available within 24 hours.

    RELATED LINKS: http://www.microsoft.com/security/incident/blast.asp
    As always please make sure to use the latest Anti-Virus detection from your
    Anti-Virus vendor to detect new viruses and their variants.

    If you have any questions regarding this alert please contact your Microsoft
    representative or 1-866-727-2338 (1-866-PCSafety) within the US, outside of
    the US please contact your local Microsoft Subsidiary. Support for virus
    related issues can also be obtained from the Microsoft Virus Support
    Newsgroup which can be located by clicking on the following link
    news://msnews.microsoft.com/microsoft.public.security.virus.

    Xpozed wrote:
    > hi does any1 kno the patch i need for the virus which reboots ur
    > computer i have xp pro -
    > its the virus that came out a while ago but my computer wasn't
    > affected until yesterday. I remember hearing about Microsoft which
    > released a patch which fixes the virus, and also there is some things
    > u need to do to get rid of the virus. Does anyone know the web
    > address or can assist me in any way. Thanks
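
Added example, not part of the original post or the Microsoft notice: a Python check that looks for the indicators the notice lists (the `windows auto update` / `msblast.exe` Run-key entry and traffic on the named ports) in exported evidence. The function names, the `.reg` export input, the W3C-style firewall log with an abbreviated `#Fields:` header, and the sample addresses are assumptions constructed for illustration.

```python
import re

# Indicators and ports as listed in the notice above.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WORM_VALUE_NAME = "windows auto update"
WORM_FILE_RE = re.compile(r"(^|\\)msblast\.exe\b", re.I)
WATCH_PORTS = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 593),
               ("TCP", 4444), ("UDP", 69)}

def scan_reg_export(text):
    """Return (name, data) for Run-key values that match the worm's entry."""
    hits, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()          # entering a new registry key
        elif key == RUN_KEY:
            m = re.match(r'"(.*?)"="(.*)"$', line)
            if m:
                name, data = m.group(1), m.group(2).replace("\\\\", "\\")
                if name.lower() == WORM_VALUE_NAME or WORM_FILE_RE.search(data):
                    hits.append((name, data))
    return hits

def scan_fw_log(text):
    """Return (action, proto, src, dst, dst_port) for rows on watched ports."""
    fields, hits = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]         # column names follow the tag
        elif fields and line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            proto, port = row.get("protocol"), row.get("dst-port", "")
            if port.isdigit() and (proto, int(port)) in WATCH_PORTS:
                hits.append((row["action"], proto, row["src-ip"],
                             row["dst-ip"], int(port)))
    return hits

# Constructed sample inputs (not from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"="msblast.exe"
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
'''
SAMPLE_FW = '''#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2003-08-12 09:14:02 DROP TCP 192.0.2.57 198.51.100.10 3312 135 48 S
2003-08-12 09:14:09 DROP TCP 192.0.2.80 198.51.100.10 4021 80 48 S
2003-08-12 09:15:40 OPEN UDP 198.51.100.10 192.0.2.57 1045 69 - -
'''

if __name__ == "__main__":
    print(scan_reg_export(SAMPLE_REG), scan_fw_log(SAMPLE_FW))
```

A dropped inbound row on TCP 135 only shows that the host was probed; the Run-key match or an allowed UDP 69 / TCP 4444 row is what points to an infected machine.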

