W32.Blaster.Worm

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

BryenWorscht

Thread Starter
Joined
Jun 6, 2002
Messages
32
I just got a new PC that came with Windows XP; this is the first time I have ever used Windows XP. About 2 1/2 minutes into my first connection with my new PC, I got the Blaster worm virus. Norton first tells me that I have the virus, then it tells me I can't get rid of it, then it tells me to download a Norton tool to remove the virus, THEN, when that tool scans my system, it tells me I DON'T have the virus. Then I look in my virus log reports and see about 1000 attempts to delete and/or access the virus within about 1 hour. I realize that there are probably 1000 solutions and threads for this problem, but I always just start my own new thread when I have a problem, even the most common ones. I try searching for threads containing the words "blaster worm" but I get a lot of stuff that has nothing to do with what I am trying to do. I just don't want my new PC to be infected anymore and was hoping someone here knows EXACTLY which simple steps I need to take to rid myself of this. Thank you.

Norton says that

We recommend that you block access to TCP port 4444 at the firewall level, and then block the following ports, if you do not use the following applications:


TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"


I probably should find out how to do this also, or what it even means anyhow... Does this mean I should download ZoneAlarm? Also, how much better is ZoneAlarm Pro than just the freeware version of it?
 
Joined
May 28, 2003
Messages
2,366
Here are some steps that have worked before. They come from Sophos Security.

msblast.exe Fix from Sophos....."how to list"

To clean computers infected with MS Blast, users must delete the
registry key and the executable.

1. Using regedit.exe, locate the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

2. Delete the value listed below:

"windows auto update"="msblast.exe"


3. Delete the file:

%Windir%\system32\msblast.exe

4. Open Task Manager, and stop the msblast.exe process.

Clean-up utilities:
X-Force recommends the following clean-up tool, offered by Sophos:
http://www.sophos.com/support/disinfection/blastera.html#2

Additional Information:

ISS X-Force Alert
http://xforce.iss.net/xforce/alerts/id/147

Microsoft Security Bulletin MS03-026
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

BTW, how did you manage to get it in less than 3 minutes? If you do not have a firewall, I'd get one now. You can get a great free one at Zone Alarm

The Pro version of ZoneAlarm adds several features. Comparison chart. But the free version is a great basic firewall.


Hope this helps.
 
Joined
Dec 28, 2002
Messages
1,983
Do this:

Here is how to find out if you have the worm, and how to delete this worm.

Subject: Checking for W32.blaster worm infecting the network and How to fix computers if the computers are infected

How can you tell if your computer is infected with the virus:

Please check your computer for possible infection! If your computer is
infected with the worm then you should be able to locate a file called
msblast.exe in the following location:

C:\winnt\system32\msblast.exe
C:\windows\system32\msblast.exe

You will also find the following registry entry in your computer
registry:


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update="msblast.exe"

* If you didn't find the worm, you shall make sure to update your
Windows computers to fix the RPC vulnerabilities. See the following for
the installation instructions:
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp Also, please make sure Symantec Antivirus is installed and updated.

* If you find a computer with the worm, disconnect it from the
network by removing the network cable. Please inform or e-mail Help
Desk about the infection and make sure to have them install or update
the antivirus software.

To remove the worm, download the following tool from the Symantec web site
and save it onto a CD or diskette, then follow the instructions below or
contact Help Desk or the systems duty administrator to get the Microsoft RPC
patch and worm fix:

1. Download the FixBlast.exe file from: http://securityresponse.symantec.com/avcenter/FixBlast.exe

2. Save the file to a convenient location, such as your downloads
folder or the Windows Desktop (or removable media that is known to be
uninfected, if possible). Store it on a diskette or CD.

3. Close all the running programs before running the tool. If you are running Windows XP, then disable System Restore.
Refer to the section, "System Restore option in Windows Me/XP," for
additional details.

CAUTION: If you are running Windows XP, we strongly recommend
that you do not skip this step. The removal procedure may be
unsuccessful if Windows XP System Restore is not disabled, because
Windows prevents outside programs from modifying System Restore.

4. Double-click the FixBlast.exe file to start the removal tool.
5. Click Start to begin the process, and then allow the tool to
run.

NOTE: If, when running the tool, you see a message that the tool was not
able to remove one or more files, run the tool in Safe mode. Shut down
the computer, turn off the power, and wait 30 seconds. Restart the
computer in Safe mode and run the tool again. All the Windows 32-bit
operating systems, except Windows NT, can be restarted in Safe mode. For
instructions, read the document "How to start the computer in Safe Mode":
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

6. Restart the computer and reconnect the network cable.
7. Run the removal tool again to ensure that the system is clean.
8. If you are running Windows XP, then re-enable System Restore.
9. You must update your Windows computers to fix the RPC
vulnerabilities. Follow the installation instructions:
http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp Also, contact Help Desk to install Symantec Anti-Virus Software and run Update to make sure that you are using the most current virus definitions.
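
The two indicators both replies above give (the `windows auto update` Run value and `msblast.exe` under `system32`), checked programmatically; this is an added example, not part of the original posts or of any vendor tool. It assumes the output of `reg query` on the Run key and a `dir /b /s` file listing have been saved as text; the sample inputs and function names are constructed for illustration.

```python
import ntpath
import re

# Indicators named in the replies above.
WORM_VALUE_NAME = "windows auto update"
WORM_FILE = "msblast.exe"

# Constructed sample: `reg query` output for the HKLM ...\CurrentVersion\Run key.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    "C:\Program Files\Example\tray.exe" /start
    windows auto update    REG_SZ    msblast.exe
"""

# Constructed sample: `dir /b /s` file listing.
SAMPLE_FILES = r"""
C:\WINDOWS\system32\msblast.exe
C:\WINDOWS\system32\notepad.exe
C:\Downloads\msblast.exe.txt
"""

VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

def parse_run_values(reg_output):
    """Return {value name: data} for each value line in `reg query` output."""
    values = {}
    for line in reg_output.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group("name")] = match.group("data").strip()
    return values

def blaster_findings(reg_output, file_listing):
    """List (kind, item, detail) tuples for each Blaster indicator present."""
    findings = []
    for name, data in parse_run_values(reg_output).items():
        # Compare executable names only, so quoted or full paths still match.
        images = [ntpath.basename(tok.strip('"')).lower() for tok in data.split()]
        if name.lower() == WORM_VALUE_NAME or WORM_FILE in images:
            findings.append(("run-value", name, data))
    for path in (p.strip() for p in file_listing.splitlines()):
        parent = ntpath.basename(ntpath.dirname(path)).lower()
        if ntpath.basename(path).lower() == WORM_FILE and parent == "system32":
            findings.append(("file", path, ""))
    return findings

if __name__ == "__main__":
    for finding in blaster_findings(SAMPLE_REG_QUERY, SAMPLE_FILES):
        print(finding)
```

An empty result only means these two indicators are absent; the MS03-026 patch is still required, as the replies say.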
 

BryenWorscht

Thread Starter
Joined
Jun 6, 2002
Messages
32
The only way I know how is if you have Norton AntiVirus and you go to the Symantec site and there will be a link to a tool that you can download called FixBlast. I deleted it a while back, but it should still be there. I actually don't know for sure if you need to have a Norton subscription to download it...
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Also get the M$ critical updates for your OS and IE to keep from getting reinfected.
 