Madshrimps Forum Madness


Gamer 12th August 2003 10:07

worm virus !!!
 
http://www.tweakers.net/nieuws/28292

Dutch only.

English:
Quote:

WORM_MSBLAST.A

Aliases: W32/Lovsan.worm, Lovsan, W32.Blaster.Worm


Description:



TrendLabs has received several infection reports of this new worm, which exploits the RPC DCOM BUFFER OVERFLOW. This vulnerability in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

This worm has been observed to continuously scan random IP addresses (x.x.x.0) and send data to vulnerable systems on the network using port 135. On the following system dates, it performs a Distributed Denial Of Service attack against windowsupdate.com:

On the 16th to the 31st day of the following months:

January
February
March
April
May
June
July
August

Any day in the months of September to December.
This worm runs on and is able to propagate into Windows NT, 2000, and XP systems.


For more information on the RPC DCOM Buffer Overflow, please visit the following Microsoft page:

Microsoft Security Bulletin MS03-026


Solution:



AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use the Trend Micro System Cleaner.

MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

This procedure terminates the running malware process from memory.

Open Windows Task Manager: press CTRL+SHIFT+ESC, and click the Processes tab.
In the list of running programs, locate the process:
MSBLAST.EXE

Select the malware process, then press the End Process button.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
"windows auto update" = MSBLAST.EXE
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_MSBLAST.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro’s free online virus scanner.

Applying Patches

TrendLabs advises all affected users to apply the patch issued by Microsoft at the following page:

Microsoft Security Bulletin MS03-026

TrendLabs also asks users to filter access to port 135 and allow trusted and internal sites only.

got the same problem this morning, problem solved in 10 minutes :p
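
A triage check built from the indicators in the advisory quoted above (the MSBLAST.EXE process, the "windows auto update" Run value and the payload dates). This is an added example, not part of the original post or of Trend Micro's tooling; the `tasklist /fo csv /nh` and `reg query` output is constructed, and the function names are hypothetical.

```python
import csv
import io
import re
from datetime import date

WORM_PROCESS = "msblast.exe"            # process name from the advisory
WORM_RUN_VALUE = "windows auto update"  # Run value name from the advisory
# Constructed sample of `tasklist /fo csv /nh` output.
SAMPLE_TASKS = '''"explorer.exe","1480","Console","0","18,204 K"
"msblast.exe","1912","Console","0","4,676 K"
'''
# Constructed sample of `reg query` output for the HKLM ...\CurrentVersion\Run key.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    windows auto update    REG_SZ    msblast.exe
    SoundMan    REG_SZ    SOUNDMAN.EXE
"""

def in_ddos_window(day):
    """Payload dates per the advisory: 16th-31st of Jan-Aug, any day Sep-Dec."""
    return day.month >= 9 or day.day >= 16

def running_images(tasklist_csv):
    """Lower-cased image names from tasklist CSV output."""
    return {row[0].lower() for row in csv.reader(io.StringIO(tasklist_csv)) if row}

def parse_reg_query(text):
    """Map value name (lower-cased) to its data; value names may contain spaces."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$", line)
        if m:
            values[m.group(1).lower()] = m.group(3).strip()
    return values

def triage(tasklist_csv, reg_output, today):
    """Return a list of findings; empty means neither indicator was seen."""
    findings = []
    if WORM_PROCESS in running_images(tasklist_csv):
        findings.append("MSBLAST.EXE is running")
    data = parse_reg_query(reg_output).get(WORM_RUN_VALUE)
    if data is not None and WORM_PROCESS in data.lower():
        findings.append("Run value 'windows auto update' starts MSBLAST.EXE")
    if findings and in_ddos_window(today):
        findings.append("system date is inside the DDoS window")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_TASKS, SAMPLE_REG, date(2003, 8, 12)))
```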


Bosw8er 12th August 2003 10:12

http://www.arstechnica.com/archive/news/1059332882.html

Gamer 12th August 2003 10:17

I know, windows update isn't one of my favourite sites :p

Blade 12th August 2003 11:15

Soooooo many "connection reset by peer" on irc :)

ModdiN MansoN 12th August 2003 18:12

@ work today, about 7 people brought in their pc with that virus on it :wtf:

TeuS 12th August 2003 18:17

Quote:

Originally posted by ModdiN MansoN
@ work today, about 7 people brought in their pc with that virus on it :wtf:

no wonder. normally a virus spreads by mail, but this virus just starts infecting machines by picking random IPs :wtf:

not one virus scanner stops it, and prolly most firewalls either!

FreeStyler 12th August 2003 18:41

had 2 peeps with the problem.
Next to all the computers @ work.

DUR0N 12th August 2003 21:53

kewl virus :s

jakkerd 12th August 2003 22:15

had it last night, quite irritating

LowBasic 13th August 2003 14:24

BlackIce on paranoid mode will do it :D


All times are GMT +1.