W32.Blaster.Worm

VIRUS: W32.Blaster.Worm info

If your computer becomes infected with the Blaster worm, please follow the steps below:
  1. Start the PC and log on to the Internet.
  2. When you get the message "Windows Will be Shutdown in 60 seconds":
  3. Click START, then click RUN, type "shutdown -a" (without the quotes) in the RUN box and click OK.

This should stop the countdown.

Next you need to remove the virus (see the link below).

The important thing is to get the patch from Microsoft, or you will keep on getting the virus (see the link below).

Click here for the virus removal tool.

Click here for the Microsoft patch (Win XP).

Click here for the Microsoft patch (Win 2000).

SECURITY: Buffer Overrun In RPCSS Service Could Allow Code Execution - Windows XP

Important Note: This patch closes the security vulnerability exploited by the Blaster worm.  eMachines STRONGLY RECOMMENDS that you apply this patch as soon as possible to avoid becoming infected by this worm.  More information on this worm is available below.

Microsoft has released a patch eliminating a "buffer overrun" vulnerability in Windows Remote Procedure Call (RPC). RPC is a protocol that a program can use to request a service from a program located on another computer in a network. An attacker who successfully exploited this vulnerability could gain complete control over a remote computer. After applying this patch, affected computers will no longer be susceptible to this vulnerability.

Note: After this Fixlet has run the patch closing this vulnerability, it will run a tool that will remove the Blaster worm from your computer if you have already been infected.  After this tool has been run, it will ask you if you want information about the RPC patch from Microsoft.  You don't need to install this patch again, as it will already be installed, but it will not hurt you if you do reinstall it. 

Note: In order to ensure that the Blaster worm is not accidentally reintroduced to your system, you need to disable System Restore to remove any previous restore points. You may do so by following these steps:

  1. Click on the START button.
  2. Click on ALL PROGRAMS.
  3. Click on ACCESSORIES.
  4. Click on SYSTEM TOOLS.
  5. Click on SYSTEM RESTORE.
  6. Click on SYSTEM RESTORE SETTINGS (on the left side of the Window).
  7. Check the box next to "Turn off System Restore".
  8. Click on the APPLY button.
  9. A message will appear asking if you are sure. Please click on the YES button.
  10. Now uncheck the box next to "Turn off System Restore" to turn it back on. Turning it off removed the previous restore points, which might have been infected with the virus.
  11. Click on the OK button.
Note: After you run this Fixlet message, you must restart your computer for the vulnerability to be closed.

Note: If after you restart your computer, the Fixlet message is still relevant, it may mean you have been reinfected right after you removed the worm.  If this happens, run the Fixlet message again and restart your computer again.  This time, you should be protected from reinfection.


Click here to download and install this patch and to run Symantec's removal tool.
Click here for more information from Microsoft about the RPC vulnerability.
Click here for more information from Microsoft about the Blaster worm.

Have you taken the necessary steps to help ensure that your computer is clean and protected from the second phase of the MSBlast.exe virus or LovSan Web Worm? If not, we recommend that you immediately follow our suggested steps below.

The MSBlast.exe virus or LovSan Web Worm may enter your computer through a vulnerability in your computer's Microsoft Windows®-based operating system. According to current reports, this virus or worm is designed to cause computers to launch an electronic attack against Microsoft's Windows® help web site on August 16, 2003.

If you are using one of the following Microsoft Operating Systems, we recommend that you follow the instructions below to remove or safeguard your computer from the MSBlast.exe virus or LovSan Web Worm. Even if your computer isn't affected now, it could be in the future.

Microsoft Windows® NT 4.0
Microsoft Windows® NT 4.0 Terminal Services Edition
Microsoft Windows® 2000
Microsoft Windows® XP
Microsoft Windows® Server 2003

Please take the time to print out and follow the steps outlined below to help ensure that your computer is safe and clear of the MSBlast.exe virus or LovSan Web Worm. (This and other related information can also be found on our web site at http://www.comcast.net.)
  1. Close all open programs and press and hold down the following keys simultaneously: Ctrl (Control), Alt and Delete.
  2. Click the Task Manager button.
  3. Select the Processes tab.
  4. Click the Image Name column to sort the list in alphabetical order.
  5. Select the msblast.exe file by clicking on it once. Then, click the End Process button. If you do not see msblast.exe in the list of running tasks, please proceed to Step 6, as you should still check your system for the worm and apply the Microsoft patch. (Some operating systems require that you log in as Owner/Administrator in order to install this patch.)
  6. Now you can close the Windows® Task Manager screen by clicking the X in the upper right hand corner.
  7. Next, determine which operating system you are using. Since Microsoft has different patches to protect each operating system, you will need to know which operating system you have on your computer.
  8. Click on the Start button, go up to Run. Type winver and press the Enter key. The window displayed will indicate which operating system is being used (Windows® 2000, Windows® XP, etc.).
  9. Once you have determined your operating system, go to http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp and click on the link for your operating system.
  10. Click Download on the right side of the page.
  11. Choose Run or Open from this location.
  12. Confirm the security warning pop-up by clicking Yes.
  13. Follow the pop-up instructions.
  14. Once your computer has finished, go to http://securityresponse.symantec.com/avcenter/FixBlast.exe; when prompted, click Open.
  15. When it has finished, you will have successfully checked your system for the MSBlast Worm and installed the patch.
Please note: If done incorrectly, some of the steps in this FAQ can cause problems with your Operating System. You should carefully review all terms, policies, and instructions on any of the websites that you visit while following these steps. Please note that while Comcast is providing this information to help you remove the MSBlast.exe virus and LovSan Web Worm, Comcast is not responsible for any damage done to your computer from any source to remove this worm.

We thank you for taking the time to ensure that your computer is protected.

Based on the number of submissions received from customers and based on information from the Symantec's DeepSight Threat Management System, Symantec Security Response has upgraded this threat to a Category 4 from a Category 3 threat.

W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and execute it.

Block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the applications listed:

  • TCP Port 135, "DCOM RPC"
  • UDP Port 69, "TFTP"

The worm also attempts to perform a Denial of Service (DoS) on Windows Update. This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.

Click here for more information on the vulnerability that this worm exploits, and to find out which Symantec products can help mitigate risks from this vulnerability.

NOTE: This threat will be detected by virus definitions having:
  • Defs Version: 50811s
  • Sequence Number: 24254
  • Extended Version: 8/11/2003, rev. 19

Symantec Security Response has developed a removal tool to clean infections of W32.Blaster.Worm.

Also Known As: W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure], WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]
Type: Worm
Infection Length: 6,176 bytes
Systems Affected: Windows 2000, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 95, Windows 98, Windows Me
CVE References: CAN-2003-0352

protection
  • Virus Definitions (Intelligent Updater) *: August 11, 2003
  • Virus Definitions (LiveUpdate) **: August 11, 2003

* Intelligent Updater definitions are released daily, but require manual download and installation. Click here to download manually.

** LiveUpdate virus definitions are usually released every Wednesday. Click here for instructions on using LiveUpdate.

threat assessment

Threat Metrics
  • Wild: High
  • Damage: Medium
  • Distribution: High

technical details

When W32.Blaster.Worm is executed, it does the following:

1. Creates a Mutex named "BILLY". If the mutex exists, the worm will exit.

2. Adds the value:

  "windows auto update"="msblast.exe"

  to the registry key:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  so that the worm runs when you start Windows.

3. Calculates a random IP address, A.B.C.0, where A, B, and C are random values between 0 and 255.

  NOTE: 40% of the time, if C > 20, a random value less than 20 will be subtracted from C.

4. Once the IP address is calculated, the worm will attempt to find and exploit a computer on the local subnet, based on A.B.C.0. The worm will then count up from 0, attempting to find and exploit other computers, based on the new IP.

5. Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability.

  NOTES:
  • This means the local subnet will become saturated with port 135 requests.
  • Due to the random nature of how the worm constructs the exploit data, this may cause computers to crash if it sends incorrect data.
  • While W32.Blaster.Worm cannot spread to Windows NT or Windows 2003 Server, unpatched computers running these operating systems may crash as the result of attempts by the worm to exploit them. However, if the worm is manually placed and executed on a computer that is running these operating systems, it can run and spread.

6. Creates a hidden Cmd.exe remote shell that will listen on TCP port 4444, allowing an attacker to issue remote commands on the infected system.

7. Listens on UDP port 69. When the worm receives a request from a computer it was able to connect to using the DCOM RPC exploit, it will send that computer msblast.exe and tell it to execute the worm.

8. If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on Windows Update. The worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.
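Steps 3 to 7 above, together with the port-blocking advice earlier on this page (TCP 135, TCP 4444, UDP 69), describe a sequence that a firewall or flow log makes visible: one host walks up through consecutive addresses of a /24 on TCP port 135, then connects to TCP port 4444 on a host it reached, and that host comes back over UDP port 69 to fetch msblast.exe. The Python script below is an added example and is not part of the Symantec write-up; the key=value log format, the field names, the five-address sweep threshold and the log lines themselves are constructed for the example.

```python
"""Flag Blaster-style propagation in constructed firewall log lines.

Added example (not part of the original write-up). It looks for the three
stages the write-up describes: a sequential sweep of TCP/135 inside one /24,
a follow-up connection to TCP/4444 on a host that was swept, and a UDP/69
(TFTP) request coming back from that host. The log format, the field names
and the sweep threshold are assumptions made for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed log lines in a made-up "key=value" format. 10.0.5.7 plays the
# infected host; 10.0.9.3 is ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
2003-08-11T10:00:01 proto=TCP src=10.0.5.7 dst=10.0.5.0 dport=135 action=DROP
2003-08-11T10:00:01 proto=TCP src=10.0.5.7 dst=10.0.5.1 dport=135 action=DROP
2003-08-11T10:00:02 proto=TCP src=10.0.5.7 dst=10.0.5.2 dport=135 action=ALLOW
2003-08-11T10:00:02 proto=TCP src=10.0.5.7 dst=10.0.5.3 dport=135 action=DROP
2003-08-11T10:00:03 proto=TCP src=10.0.5.7 dst=10.0.5.4 dport=135 action=DROP
2003-08-11T10:00:03 proto=TCP src=10.0.5.7 dst=10.0.5.5 dport=135 action=ALLOW
2003-08-11T10:00:04 proto=TCP src=10.0.5.7 dst=10.0.5.6 dport=135 action=DROP
2003-08-11T10:00:05 proto=TCP src=10.0.5.7 dst=10.0.5.2 dport=4444 action=ALLOW
2003-08-11T10:00:06 proto=UDP src=10.0.5.2 dst=10.0.5.7 dport=69 action=ALLOW
2003-08-11T10:01:00 proto=TCP src=10.0.9.3 dst=10.0.9.20 dport=135 action=ALLOW
2003-08-11T10:05:00 proto=TCP src=10.0.9.3 dst=10.0.9.21 dport=445 action=ALLOW
"""

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)
SWEEP_MIN_RUN = 5  # assumption: five consecutive addresses on TCP/135 counts as a sweep


def parse(log_text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"proto": m["proto"], "src": m["src"],
                           "dst": m["dst"], "dport": int(m["dport"])})
    return events


def longest_consecutive_run(addresses):
    """Length of the longest run of numerically consecutive IPv4 addresses."""
    ints = sorted({int(ipaddress.IPv4Address(a)) for a in addresses})
    best = run = 1 if ints else 0
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def analyze(events):
    """Return {source: {"sweep": bool, "shell_targets": [...], "tftp_from": [...]}}.

    A source is reported only if at least one of the three stages is seen.
    """
    rpc_targets = defaultdict(set)
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == 135:
            rpc_targets[e["src"]].add(e["dst"])

    findings = {}
    for src, targets in rpc_targets.items():
        sweep = longest_consecutive_run(targets) >= SWEEP_MIN_RUN
        # TCP/4444 to a host that was first probed on 135: the hidden remote shell.
        shell = sorted(e["dst"] for e in events
                       if e["src"] == src and e["proto"] == "TCP"
                       and e["dport"] == 4444 and e["dst"] in targets)
        # UDP/69 back from a probed host: the victim fetching msblast.exe by TFTP.
        tftp = sorted(e["src"] for e in events
                      if e["dst"] == src and e["proto"] == "UDP"
                      and e["dport"] == 69 and e["src"] in targets)
        if sweep or shell or tftp:
            findings[src] = {"sweep": sweep, "shell_targets": shell, "tftp_from": tftp}
    return findings


if __name__ == "__main__":
    for src, detail in analyze(parse(SAMPLE_LOG)).items():
        print(src, detail)
```

Dropped connections count as evidence too: the sweep is the worm counting upward through the subnet, so a firewall that blocks port 135 still records the pattern even though nothing gets through. The threshold of five consecutive addresses is deliberately low to keep the sample short; on a real network it should be tuned against the scanners and management tools that legitimately touch port 135.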

The worm contains the following text, which is never displayed:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!



Symantec ManHunt
Symantec ManHunt Protocol Anomaly Detection technology detects the activity associated with this exploit as "Portscan." Although ManHunt can detect activity associated with this exploit with the Protocol Anomaly Detection technology, you can use the "Microsoft DCOM RPC Buffer Overflow" custom signature, released in Security Update 4, to precisely identify the exploit being sent.

recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

removal instructions

Removal using the W32.Blaster.Worm Removal Tool
Symantec Security Response has developed a removal tool to clean infections of W32.Blaster.Worm. This is the easiest way to remove this threat and should be tried first.

Manual Removal
As an alternative to using the removal tool, you can manually remove this threat.

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.



Important Notes:
• W32.Blaster.Worm exploits the DCOM RPC vulnerability. This is described in Microsoft Security Bulletin MS03-026, and a patch is available there. You must download and install the patch. In many cases, you will need to do this before you can continue with the removal instructions. If you are not able to remove the infection or prevent re-infection using the following instructions, first download and install the patch.
• Because of the way the worm works, it may be difficult to connect to the Internet to obtain the patch, definitions, or removal tool before the worm shuts down the computer. There are at least two known ways to work around this, although neither solution works 100% of the time.
  • If you run Windows XP, activating the Windows XP firewall may allow you to download and install the patch, obtain virus definitions, and run the removal tool. This may also work with other firewalls, although this has not been confirmed.
  • In many cases, on both Windows 2000 and XP, changing the recovery settings for the Remote Procedure Call (RPC) service may allow you to connect to the Internet without the computer shutting down. Follow these steps:
    1. Do one of the following:
      • Windows 2000: Right-click the My Computer icon on the Windows desktop and then click Manage. The Computer Management window opens.
      • Windows XP: Click the Start button, right-click the My Computer icon, and click Manage. The Computer Management window opens.
    2. In the left pane, double-click Services and Applications and then select Services. A list of services appears.
    3. In the right pane, locate the Remote Procedure Call (RPC) service.

      CAUTION: There is also a service named Remote Procedure Call (RPC) Locator. Do not confuse the two.
    4. Right-click the Remote Procedure Call (RPC) service and click Properties.
    5. Click the Recovery tab.
    6. Using the drop-down lists, change First failure, Second failure, and Subsequent failures to "Restart the Service."
    7. Click Apply and then OK.

      CAUTION: Make sure that you change these settings back when you have removed the worm.


1. Disable System Restore (Windows XP).
2. Update the virus definitions.
3. End the worm process.
4. Run a full system scan and delete all the files detected as W32.Blaster.Worm.
5. Reverse the changes that the worm made to the registry.
For details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

• Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
• Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

  The Intelligent Updater virus definitions are available. Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Ending the worm process
To end the worm process:
  1. Press Ctrl+Alt+Delete once.
  2. Click Task Manager.
  3. Click the Processes tab.
  4. Double-click the Image Name column header to alphabetically sort the processes.
  5. Scroll through the list and look for msblast.exe.
  6. If you find the file, click it, and then click End Process.
  7. Exit the Task Manager.

4. Scanning for and deleting the infected files
  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected as infected with W32.Blaster.Worm, click Delete.

5. Reversing the changes made to the registry

CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit, and then click OK. (The Registry Editor opens.)
  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the value:

    "windows auto update"="msblast.exe"

  5. Exit the Registry Editor.
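The two manual steps that depend on a specific indicator, ending the msblast.exe process (step 3) and deleting the "windows auto update" value from the Run key (step 5, mirroring step 2 of the technical details), can be checked against an exported copy of the key before anything is touched. The Python script below is an added example, not Symantec's removal tool: it parses the text of a .reg export (Registry Editor, File > Export), flags any Run-key value that launches msblast.exe or carries the "windows auto update" name, matches the image name in a process listing, and emits a .reg fragment that deletes only the flagged values. The export and the process listing are constructed for the example.

```python
"""Registry and process checks for the Blaster indicators named in the write-up.

Added example; not Symantec's removal tool. It parses the text of a .reg
export of the Run key, flags any value that launches msblast.exe or carries
the "windows auto update" name, and emits a .reg fragment that deletes only
those values. The export and the process listing below are constructed.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
INDICATOR_EXE = "msblast.exe"           # binary named in the write-up
INDICATOR_NAME = "windows auto update"  # value name named in the write-up

# Constructed .reg export: one legitimate value beside the worm's value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4.exe /tray"
"windows auto update"="msblast.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="C:\\WINDOWS\\setup.exe"
"""

# Constructed process listing, one image name per line (Task Manager's Image Name column).
SAMPLE_PROCESSES = "explorer.exe\nsvchost.exe\nMSBLAST.EXE\ntaskmgr.exe\n"

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m["key"]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m["data"]
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes inside string data.
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m["name"]] = data
    return keys


def run_values(keys):
    """Values under the Run key; registry paths compare case-insensitively."""
    for path, values in keys.items():
        if path.lower() == RUN_KEY.lower():
            return values
    return {}


def find_run_indicators(keys):
    """Return [(value_name, data)] for Run-key values matching the worm's persistence."""
    hits = []
    for name, data in run_values(keys).items():
        tokens = data.split()
        program = tokens[0].strip('"') if tokens else ""
        # Compare the program's basename so a full path to msblast.exe is also caught.
        basename = program.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename == INDICATOR_EXE or name.lower() == INDICATOR_NAME:
            hits.append((name, data))
    return hits


def removal_reg(hits):
    """Build a .reg fragment that deletes only the flagged values ("name"=- removes a value)."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{RUN_KEY}]"]
    for name, _ in hits:
        escaped = name.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'"{escaped}"=-')
    return "\n".join(lines) + "\n"


def find_process(listing):
    """Image names in a process listing that match the worm binary (case-insensitive)."""
    return [line.strip() for line in listing.splitlines()
            if line.strip().lower() == INDICATOR_EXE]


if __name__ == "__main__":
    found = find_run_indicators(parse_reg_export(SAMPLE_REG))
    print("Run-key indicators:", found)
    print("Matching processes:", find_process(SAMPLE_PROCESSES))
    print(removal_reg(found))
```

Matching on the executable's basename rather than only on the value name matters because the name is the part of the indicator most easily changed; the program that gets launched is what actually restarts the worm at logon. The generated fragment uses the standard .reg syntax for deleting a single value, so nothing else under the Run key is touched when it is merged.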

Revision History:

August 13, 2003:
• Added download location.

August 12, 2003:
• Upgraded to Category 4 from Category 3, based on increased rate of submissions.
• Added additional aliases.
• Updated Technical Description.
• Added information to removal on changing settings for RPC.

Write-up by: Douglas Knowles