Virus alert

Thread: Virus alert

  1. #1
    Local Tyrant gibgib's Avatar
    Join Date
    Mar 2000
    Location
    Sunshine Coast, Queensland
    Posts
    3,515

    Virus alert

    One of my students had a nasty worm on their XP machine today. Mere deletion & renaming does not rid the host PC of this virus.
    It installed a program called "msblast.exe" in the system32 folder.
    Norton Corporate couldn't rid it either.
    I suggest prevention is better than cure on this one.
    If you are using Windows, perhaps get the patch NOW so it bounces off you.

    <a href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/msblaster.asp" target="_blank">http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/msblaster.asp</a>

    The symptom of the virus is a dialogue box popping up telling you your computer will reboot in 60 seconds & then counts down, ultimately restarting your PC.

    If you know of non-tech-aspired users it may pay to help them prevent their PCs from this fate. It's a bit tricky, especially on a dial-up connection.

  2. #2
    1000+ Posts
    Join Date
    May 2001
    Location
    Sydney, NSW, Australia
    Posts
    3,620
    This is a dodgy worm this one... it doesn't spread by e-mail so most people don't "get" how it spreads itself.

    A friend of mine spent her whole day at uni yesterday ridding something like 16 Windows XP machines in her biomed lab of the worm because no one had run the patch on them.

    If you do get it... the Symantec tool was the most effective at removing it, provided you are REALLY quick and get it done within the 60 seconds you have.

    Here's the removal tool: <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html" target="_blank">http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html</a>

    and here's more info on the virus: <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html" target="_blank">http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html</a>

    Derek

  3. #3
    Fellow Frogger! Paul Smith's Avatar
    Join Date
    May 2000
    Location
    Camperdown, NSW, Australia
    Posts
    624
    It is an odd worm - apparently it has been described as a 'lazy' bit of hacking.

    It does not affect Win95 and Win98 machines - only NT4, 2000, XP and 2003 Server.

    It is, though, apparently the way viruses/worms will go in the future - MS was foolhardy enough to boast about these OSes being the most secure they had ever made - that was a red rag to the hackers.

    Paul
    Paul Smith

    1974 DS23 EFI BW Auto
    1974 G Special 1220


    http://www.simplicitas.com.au

  4. #4
    Member
    Join Date
    Nov 2002
    Location
    Melbourne
    Posts
    41
    Spent last night trying to find why my computer wanted to keep turning off and rebooting.
    Kept getting "Windows must now restart because remote procedure call server has terminated unexpectedly".
    Enabling the firewall got the system up and running last night, but after reading the first post I went and updated with the latest Microsoft fix and my anti-virus software.

    All OK, touch wood.

  5. #5
    1000+ Posts purrr-geot's Avatar
    Join Date
    May 2003
    Location
    melb
    Posts
    4,377
    For those of you who have internet access with IPRIMUS and are getting disconnected, it's due to a worm that's been spread.
    <a href="http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html" target="_blank">http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html</a>
    Also see the note on the main page of <a href="http://www.iprimus.com.au" target="_blank">www.iprimus.com.au</a> about it.

    There were user/password issues over the weekend which have resulted in a lot of people needing new dialup numbers cos of a server change. ALL PEOPLE on the Primus Pack plan will need an INFINITY dial-in number - if they don't, they'll get a user/pass msg.

    Any probs, private msg me and I'll fix it for you!! (iprimus customers only)

    Regards Asanka

  6. #6
    Moderator Alan S's Avatar
    Join Date
    Mar 2001
    Location
    Queensland, Australia
    Posts
    8,923
    Speaking of this @$%^&$%^ virus, guess what we've been doing since 2pm today?

    Best bit was, we were doing a preventative patch when we were spat off & the next thing we knew, the bloody computer had a gutful of it.
    My son's in the business and reckons the phone ran red hot all day. It seems if you're running Windows '98 all is well but XP and the like are very vulnerable.

    It took until 8.40pm to eventually get rid of it, sort the mess & have it all back up & running.

    Be nice to meet the types who do these things up a dark alley hey!!

    Alan S
    If it ain't broke, use a 12" shifter.....that usually does the trick!!

  7. #7
    1000+ Posts Rod Hagen's Avatar
    Join Date
    Nov 2001
    Location
    Melbourne
    Posts
    1,630
    Ah! I'm reminded yet again of one of the many joys of using a Mac!

    Good luck guys and gals.

    Cheers

    Rod
    Rod's Home Page

    Rod's car page

    Peugeot 407 SV HDi estate 2008, Peugeot 407 SV Hdi Sedan 2006, Peugeot 406 ST (deadish), Peugeot 307 XSE, - Previously 403s, 404, 504, 505 sLI Wagons, 306 XSi, Renault 12, Citroen DSpecial

  8. #8
    1000+ Posts n b j's Avatar
    Join Date
    Jun 2003
    Location
    Sydney
    Posts
    1,239
    Yeah my sister's computer got the virus, so did my dad's.

    I still haven't cleaned it off their system; as long as there is no internet connection present, or if on a network you pull the network cord out, then your computer will not restart. This then allows you to clean the virus.

    Problem is the patches aren't as simple as installing them if you are already infected, they simply prevent you from getting the virus... You have to spend ages removing XY and Z from here and there and installing this and that.

    I didn't have the time, I simply put a firewall on both the infected PCs and all is well. I will clean the virus off them on the weekend. But at least with a firewall the virus is ineffective and it won't reboot your system.

    Also, for those of you who have an issue with the virus, this is a really great resource. Follow the links at the bottom, they are very useful and make life a bit easier when it comes to getting rid of the virus:

    <a href="http://isc.sans.org/diary.html?date=2003-08-11" target="_blank">http://isc.sans.org/diary.html?date=2003-08-11</a>
    "Do my eyes deceive me, or is Senna's Lotus sounding rough ?" - Murray Walker
    206XR 1.6ltr - SOLD
    BMW E36 325i Coupe
    73 Porsche 911RS

  9. #9
    Good Sport danielsydney's Avatar
    Join Date
    Jul 2001
    Location
    NSW
    Posts
    4,917
    Now now alan we must not resort to violence...

  10. #10
    1000+ Posts
    Join Date
    May 2001
    Location
    Sydney, NSW, Australia
    Posts
    3,620
    Rod Hagen:
    Ah! I'm reminded yet again of one of the many joys of using a Mac!
    Yeah!
    <a href="http://www.macsrock.com/modules.php?name=News&file=article&sid=196" target="_blank">Mac's Rock - Here we come, to save the day!</a>

    Derek

  11. #11
    Fellow Frogger! bennymarsh's Avatar
    Join Date
    Feb 2003
    Location
    Sydney
    Posts
    272
    I haven't had email for the last 2 days because Sydney Uni pulled the cord on all the servers! And I appear to be the only person in my institute with internet access because they forgot to add the proxy settings to this computer.

    No Email is a pain though!

    But my grandmother's computer got the virus because she kept ignoring the updates that were coming through! Luckily I updated my computers about 2 weeks ago.

    Benny
    206 1.6 XT Auto China Blue in the house.

    Hopefully soon to be C3...or C2.....owner.....maybe.....one day....I hope!!!!!

  12. #12
    1000+ Posts Rod Hagen's Avatar
    Join Date
    Nov 2001
    Location
    Melbourne
    Posts
    1,630
    Just out of interest, how well does the symantec removal tool at <a href="http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html" target="_blank">http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html</a> work on this one?

    I gather PC people have problems staying connected long enough to download in some cases. Maybe people could find a local Mac owner to download a copy for them?

    Cheers

    Rod
    Rod's Home Page

    Rod's car page

    Peugeot 407 SV HDi estate 2008, Peugeot 407 SV Hdi Sedan 2006, Peugeot 406 ST (deadish), Peugeot 307 XSE, - Previously 403s, 404, 504, 505 sLI Wagons, 306 XSi, Renault 12, Citroen DSpecial

  13. #13
    1000+ Posts n b j's Avatar
    Join Date
    Jun 2003
    Location
    Sydney
    Posts
    1,239
    Rod, the best way to download it on your PC is don't connect to the internet, or if you have broadband, just unplug your network card.

    Then once your PC starts up press "CTRL+ALT+DELETE" and end the process that says "msblast".

    Then you can connect to the net and download the necessary patches.

    Alternatively you can turn your PC on with the network cord unplugged and install some firewall software and get the firewall to block ports 135 and 4444. These are the ports the virus uses. Once these are blocked, it can't shut down your PC and you can connect to the internet and get the patches, etc...
    "Do my eyes deceive me, or is Senna's Lotus sounding rough ?" - Murray Walker
    206XR 1.6ltr - SOLD
    BMW E36 325i Coupe
    73 Porsche 911RS

  14. #14
    1000+ Posts Rod Hagen's Avatar
    Join Date
    Nov 2001
    Location
    Melbourne
    Posts
    1,630
    n b j:
    Rod, the best way to download it on your PC is don't connect to the internet, or if you have broadband, just unplug your network card.
    Ah. Glad to know there is a way you can deal with it without too much trouble. I was going to offer to send CDs with the various patches and removal tool to those who needed it, but it sounds like this won't be necessary.

    Cheers

    Rod and his Mac.
    Rod's Home Page

    Rod's car page

    Peugeot 407 SV HDi estate 2008, Peugeot 407 SV Hdi Sedan 2006, Peugeot 406 ST (deadish), Peugeot 307 XSE, - Previously 403s, 404, 504, 505 sLI Wagons, 306 XSi, Renault 12, Citroen DSpecial

  15. #15
    UFO
    Citroën Tragic UFO's Avatar
    Join Date
    Aug 2001
    Location
    Gerringong, NSW, Australia
    Posts
    9,666
    Hi guys

    My crew here at work have just completed the roll out of a scripted install of the patch and the scan update to over 2500 machines. Took us some time to solve it, but we're OK.

    Lotsa fun. We were due for a hit. We had Melissa, then I Love You over the last coupla years, so I had a "feeling in my water" that something was due.
    Craig K
    2009 C5 HDi Exclusive

  16. #16
    Fellow Frogger! two-oh-philic's Avatar
    Join Date
    Feb 2003
    Location
    Glen Waverley, Melbourne
    Posts
    419
    You guys keep saying it takes ages, but on a single computer McAfee says do this (by-hand version):

    Apply the MS03-026 patch
    Terminate the process msblast.exe
    Delete the msblast.exe file from your WINDOWS SYSTEM32 directory (typically c:\windows\system32 or c:\winnt\system32)
    Edit the registry
    Delete the "windows auto update" value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    205 GTi (S2 ) rolled

    '96 306XR "Sex" Black
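    The posts by n b j (#13) and two-oh-philic (#16) between them name three things a technician checks on a suspect machine: the msblast.exe process, the "windows auto update" value under the Run key, and TCP ports 135 and 4444. The script below is an added example, not code from this thread or from McAfee or Symantec; it runs those three checks offline over constructed sample output from `reg export`, `tasklist` and `netstat -an` (the samples are made up for the example) so the indicators can be reviewed without touching a live system. One caveat the thread does not spell out: TCP 135 listening is normal on any NT-family Windows box (it is the RPC endpoint mapper), so it is not an infection indicator on its own; it is the port the firewall advice in #13 blocks from the outside. Only a listener on 4444 is treated as a hit here.

```python
"""Offline indicator check for the W32.Blaster worm (added example, not from the thread)."""
import re

# Indicators taken from posts #13 and #16 in the thread.
WORM_PROCESS = "msblast.exe"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "windows auto update"
FIREWALL_BLOCK_PORTS = {135, 4444}   # ports the thread says to block at the firewall
LISTEN_INDICATOR_PORTS = {4444}      # 135 listens normally (RPC endpoint mapper), so only 4444 counts

# Constructed sample of a Run key export, in the format regedit / `reg export` writes.
SAMPLE_RUN_KEY = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"windows auto update"="msblast.exe"
'''

# Constructed sample of `tasklist` output.
SAMPLE_TASKLIST = '''
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
svchost.exe                  940 Console                 0     21,572 K
msblast.exe                 1324 Console                 0      1,836 K
explorer.exe                1412 Console                 0     18,004 K
'''

# Constructed sample of `netstat -an` output.
SAMPLE_NETSTAT = '''
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1032      192.168.1.1:80         ESTABLISHED
'''


def run_key_hits(export_text):
    """Return (name, data) pairs under the Run key whose name is the worm's
    value name or whose data references the worm's executable."""
    hits = []
    for m in re.finditer(r'^"([^"]+)"="([^"]*)"', export_text, re.M):
        name, data = m.group(1), m.group(2)
        if name.lower() == RUN_VALUE_NAME or WORM_PROCESS in data.lower():
            hits.append((name, data))
    return hits


def process_hits(tasklist_text):
    """Return the PIDs of running processes whose image name is the worm's."""
    pids = []
    for line in tasklist_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == WORM_PROCESS and parts[1].isdigit():
            pids.append(int(parts[1]))
    return pids


def listening_worm_ports(netstat_text):
    """Return the indicator TCP ports (4444 only) found in LISTENING state."""
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            if port in LISTEN_INDICATOR_PORTS:
                found.add(port)
    return sorted(found)


def assess(export_text, tasklist_text, netstat_text):
    """Combine the three checks into one verdict plus the evidence behind it."""
    evidence = {
        "run_key": run_key_hits(export_text),
        "pids": process_hits(tasklist_text),
        "listening": listening_worm_ports(netstat_text),
    }
    evidence["infected"] = any(evidence[k] for k in ("run_key", "pids", "listening"))
    return evidence


if __name__ == "__main__":
    verdict = assess(SAMPLE_RUN_KEY, SAMPLE_TASKLIST, SAMPLE_NETSTAT)
    print("Run key  :", verdict["run_key"])
    print("PIDs     :", verdict["pids"])
    print("Listening:", verdict["listening"])
    print("Infected :", verdict["infected"])
```

On a real machine the three inputs would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`, `tasklist > tasks.txt` and `netstat -an > net.txt`, taken with the network cable unplugged as #13 recommends, and fed to `assess()`; the script deliberately only reports, leaving the kill, delete and registry edit to the manual steps in #16 so a false positive costs nothing.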

  17. #17
    Fellow Frogger!
    Join Date
    May 2002
    Location
    Adelaide
    Posts
    642
    Yup I got it too, downloaded and ran the worm from Microsoft and for the last two days everything has been fine, touch wood!!
    05' Megane 225 Cup
