worm virus !!!

Gamer · 12th August 2003, 10:07

http://www.tweakers.net/nieuws/28292

dutch only.

english :

Quote:

WORM_MSBLAST.A

Aliases: W32/Lovsan.worm, Lovsan, W32.Blaster.Worm

Description:

TrendLabs has received several infection reports of this new worm, which exploits the RPC DCOM BUFFER OVERFLOW. This vulnerability in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

This worm has been observed to continuously scan random ip addresses (x.x.x.0) and send data to vulnerable systems on the network using port 135. On the following system dates, it performs a Distributed Denial Of Service attack against windowsupdate.com:

On the 16th to the 31st day of the following months:

January
February
March
April
May
June
July
August

Any day in the months of September to December.
This worm runs on and is able to propagate into Windows NT, 2000, and XP systems.

For more information on the RPC DCOM Buffer Overflow, please visit the following Microsoft page:

Microsoft Security Bulletin MS03-026

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use the Trend Micro System Cleaner.

MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

This procedure terminates the running malware process from memory.

Open Windows Task Manager press
CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs*, locate the process:
MSBLAST.EXE

Select the malware process, then press either the the End Process button.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
”windows auto update" = MSBLAST.EXE
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_MSBLAST.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.

Applying Patches

TrendLabs advises all affected users to apply the patch issued by Microsoft at the following page:

Microsoft Security Bulletin MS03-026

TrendLabs also asks users to filter access to port 135 and allow trusted and internal sites only.

got the same problem this morning, problem solved in 10 minutes

Bosw8er · 12th August 2003, 10:12

http://www.arstechnica.com/archive/news/1059332882.html

Gamer · 12th August 2003, 10:17

I know, windows update isn't one of my favourite sites

12th August 2003, 11:15

Soooooo many "connection reset by peer" on irc

ModdiN MansoN · 12th August 2003, 18:12

@ work today, about 7 people brought in their pc with that virus on it :wtf:

12th August 2003, 18:17

Quote:

Originally posted by ModdiN MansoN
@ work today, about 7 people brought in their pc with that virus on it :wtf:

no wonder. normally a virus spreads by mail, but this virus just starts infecting machines by picking random IP's :wtf:

not one virusscanner stops it, and prolly most firewalls either!

FreeStyler · 12th August 2003, 18:41

had 2peeps with the problem.
Next to all the coputer @ work.

DUR0N · 12th August 2003, 21:53

kewl virus :s

12th August 2003, 22:15

had it last night, quite irritating

13th August 2003, 14:24

BlackIce on paranoid mode will do it

12th August 2003, 10:12	#2
Bosw8er [M] Reviewer Join Date: May 2002 Posts: 3,717	http://www.arstechnica.com/archive/news/1059332882.html __________________ "Think of how stupid the average person is, and realize half of them are stupider than that."

12th August 2003, 10:17	#3
Gamer [M] Reviewer Join Date: May 2002 Posts: 4,513	I know, windows update isn't one of my favourite sites __________________

12th August 2003, 18:12	#5
ModdiN MansoN Member Join Date: May 2002 Posts: 470	@ work today, about 7 people brought in their pc with that virus on it :wtf: __________________

12th August 2003, 18:41	#7
FreeStyler Member Join Date: Oct 2002 Location: Antwerp Posts: 1,187	had 2peeps with the problem. Next to all the coputer @ work. __________________ Put brain in gear BEFORE engaging mouth.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
MIT builds battery from bacterial virus, humans to power machines by 2012	jmke	WebNews	0	3rd April 2009 10:05
Malicious Worm Causes CPU Fan To Stop Working	jmke	WebNews	1	27th February 2009 11:39
Microsoft Offers $250,000 Reward to Catch Worm Authors	jmke	WebNews	0	15th February 2009 00:07
Conficker worm spikes, infects 1.1 million PCs in less than 24 hours	jmke	WebNews	0	16th January 2009 22:15
Buy an Asus Eee Box and get a free virus	jmke	WebNews	0	10th October 2008 17:18
Virus Infects Space Station Laptops (Again)	jmke	WebNews	0	28th August 2008 13:11
January 2006 Virus and Spam Statistics	jmke	WebNews	0	19th February 2006 17:43
First potential virus risk for Windows Vista found	Sidney	WebNews	0	5th August 2005 18:52
Intel Releases Pentium 4 with Dedicated Virus Coprocessor	jmke	WebNews	1	29th May 2005 09:49
Sober worm makes a comeback	Sidney	WebNews	0	7th May 2005 17:04

12th August 2003, 11:15	#4
Blade Posts: n/a	Soooooo many "connection reset by peer" on irc

12th August 2003, 21:53	#8
DUR0N [M] Reviewer Join Date: May 2002 Posts: 1,543	kewl virus :s

12th August 2003, 22:15	#9
jakkerd Posts: n/a	had it last night, quite irritating

13th August 2003, 14:24	#10
LowBasic Posts: n/a	BlackIce on paranoid mode will do it