***VIRUS ALERT!!!!! RPC EXPLOIT ATTACKS!! YOU NEED TO INSTALL THE HOTFIX NOW!!!!
- FlyingPenguin
- Flightless Bird
- Posts: 33162
- Joined: Wed Nov 22, 2000 11:13 am
- Location: Central Florida
- Contact:
My bad, I keep calling it MSBLASTER it's MSBLAST.
If you have MSBLAST.EXE in your startup then you're infected.
I see no harm in doing what I did for now until some official fix is released (there may be other registry hacks that need to be repaired).
What I did was find the file MSBLAST.EXE (I think it's located in either \Windows\System or \Windows\System32) and RENAME it (do NOT delete it). I just renamed it _MSBLAST.OLD
Then run MSCONFIG.EXE and uncheck MSBLASTER from the list.
Reboot and run MSCONFIG again to make sure it's still unchecked.
That worked for me, but it seemed too easy.
I would expect that the security organizations will be releasing more details tomorrow, and AV companies should have a fix or repair tool posted in the next day or two.
------
EDIT
------
Okay Symantec has a removal procedure: http://securityresponse.symantec.com/av ... .worm.html
Seems to be an easy removal unless they discover something else later. I've heard stories that it does a lot more damage on servers.
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez

Well... I've had my shit connected since noon and everything is running fine... I did a full Windows update about 2 weeks ago when it was mentioned here... and so far everything is normal... no unnecessary network activity... wait, my modem keeps TX every 5 seconds... that doesn't seem normal... hmm.... dunno, but everything is normal except that... could that be "IT" trying to beat my systems up? And it's not going through the network to my other PCs... it's just going in and out of mine... so I'm guessing it is IT trying to get in.... we'll see.
A self-aware artificial intelligence would suffer from a divide by zero error if it were programmed to be Amish
My firewall is currently logging an average of 10-20 hits on TCP 135 per hour.
Quite a nasty bugger already, don't wanna know what those open listening ports are for.
- The worm randomly opens 20 sequential TCP ports for listening. This is a constantly revolving range (ie. 2500-2520, 2501-2521, 2502-2522). The purpose of this action is unknown.
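The two indicators in the post above (a steady rate of inbound TCP/135 hits and a block of 20 consecutive listening ports) can both be checked mechanically. The script below is an added example written for this thread; it is not code from the original post, from Symantec, or from Trend Micro. The firewall log layout ("date time action proto src dst sport dport"), the sample log lines, and the listener list are all constructed for the example, as are the function names.

```python
"""Defender-side checks for the two MSBlast indicators quoted in the thread:
1. how many inbound TCP/135 hits a firewall log shows per hour, and
2. whether a host is listening on a run of 20 consecutive TCP ports.
Log format, sample lines and listener list are constructed for this example."""
import re
from collections import Counter

# Constructed firewall log, loosely modelled on a
# "date time action proto src dst sport dport" layout (an assumption, not a real product's format).
SAMPLE_FIREWALL_LOG = """\
2003-08-12 14:03:11 DROP TCP 203.0.113.7 192.0.2.10 3412 135
2003-08-12 14:07:40 DROP TCP 198.51.100.22 192.0.2.10 1044 135
2003-08-12 14:12:05 DROP UDP 198.51.100.9 192.0.2.10 1026 137
2003-08-12 14:31:59 DROP TCP 203.0.113.88 192.0.2.10 2221 135
2003-08-12 15:02:17 DROP TCP 203.0.113.7 192.0.2.10 3418 135
2003-08-12 15:45:00 DROP TCP 198.51.100.5 192.0.2.10 4444 80
2003-08-12 16:10:33 DROP TCP 203.0.113.15 192.0.2.10 1101 135
"""

LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<action>\S+) "
    r"(?P<proto>TCP|UDP) (?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+)$"
)


def port_hits_per_hour(log_text, port=135, proto="TCP"):
    """Return {"YYYY-MM-DD HH": count} of entries whose destination port matches."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed layout
        if m["proto"] != proto or int(m["dport"]) != port:
            continue
        counts[f"{m['date']} {m['time'][:2]}"] += 1
    return dict(counts)


def noisy_hours(hits_per_hour, threshold=10):
    """Hours whose hit count reaches the threshold (the post quotes 10-20 hits/hour)."""
    return sorted(hour for hour, n in hits_per_hour.items() if n >= threshold)


def scanning_sources(log_text, port=135, proto="TCP"):
    """Distinct source addresses that probed the port; a worm scanning random
    IPs shows up as many different sources rather than one repeat offender."""
    sources = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and m["proto"] == proto and int(m["dport"]) == port:
            sources.add(m["src"])
    return sorted(sources)


def sequential_listen_runs(listening_ports, run_length=20):
    """Find runs of at least run_length consecutive port numbers among the
    ports a host is listening on. Returns a list of (first, last) tuples."""
    ports = sorted(set(listening_ports))
    runs, start, prev = [], None, None
    for p in ports:
        if prev is not None and p == prev + 1:
            prev = p  # run continues
            continue
        if start is not None and prev - start + 1 >= run_length:
            runs.append((start, prev))
        start = prev = p  # begin a new run
    if start is not None and prev - start + 1 >= run_length:
        runs.append((start, prev))
    return runs


# Constructed listener list: a few normal Windows ports plus a 20-port block
# of the kind the quoted advisory describes.
SAMPLE_LISTENERS = [135, 139, 445, 1025] + list(range(2500, 2520)) + [3389]

if __name__ == "__main__":
    hits = port_hits_per_hour(SAMPLE_FIREWALL_LOG)
    print("TCP/135 hits per hour:", hits)
    print("Hours at or above 3 hits:", noisy_hours(hits, threshold=3))
    print("Distinct scanning sources:", scanning_sources(SAMPLE_FIREWALL_LOG))
    print("Sequential listener runs:", sequential_listen_runs(SAMPLE_LISTENERS))
```

The listener list would in practice come from the LISTENING lines of netstat output; the run detector only cares about the port numbers, so any parser that yields them can feed it. The hourly counter deliberately skips lines that do not match the assumed layout rather than failing, which is the usual choice when a log mixes several record types.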
- FlyingPenguin
- Flightless Bird
- Posts: 33162
- Joined: Wed Nov 22, 2000 11:13 am
- Location: Central Florida
- Contact:
Symantec has a Removal Tool available now (apparently there's some other nasty registry damage the worm does): http://securityresponse.symantec.com/av ... .tool.html
----
EDIT
----
Just saw that Blade also posted the tools and new info in the original post.
That Trend Micro cleaning tool is a nice utility Blade - that's going in the tool kit
----
EDIT
----
- FlyingPenguin
- Flightless Bird
- Posts: 33162
- Joined: Wed Nov 22, 2000 11:13 am
- Location: Central Florida
- Contact:
The reboot is caused by the worm trying to remotely shut down the RPC service so it can replace the file. It apparently takes several tries because it's trying to guess your OS.
It's apparently possible that you won't get infected the first few tries.
As long as you don't have the MSBLAST.EXE file listed in your startup you should be good.
My personal laptop rebooted only once, but it was infected.
- renovation
- Posts: 13859
- Joined: Wed Nov 22, 2000 8:24 am
- Location: on a lake in michigan
- Contact:
canton_kid
- Golden Member
- Posts: 1400
- Joined: Tue Mar 26, 2002 5:01 pm
- Contact:
Here's an off the wall thought...
Not this one, but the e-mail sending viruses could be useful. Everyone delete all addresses from your Outlook book, then go to your favorite spamming product site, like the "enlarge your penis to the size of a horse" type sites, and get their real e-mail address! Then add those addresses to your Outlook.
Next time you get hit with a virus that sends out e-mails to everyone in your book, you freely spam the spam sites.
Nice thing about that is if they happen to have the affiliates' addresses accessible, maybe they will get hammered too. Probably not, but it would be nice if those sites got hammered!
Otherwise I guess we just have to track them down manually and shoot them.
Good luck fighting this thing, first time I have actually been glad the wife wanted to stay with win 98se on her system.
Only one here currently online. I'll be checking the rest anyway and patching anything not already done.
Canton_kid
spam bot food!
Anti-Spam: http://www.auditmypc.com/freescan/antispam.html
- FlyingPenguin
- Flightless Bird
- Posts: 33162
- Joined: Wed Nov 22, 2000 11:13 am
- Location: Central Florida
- Contact:
They're not saying anything specific about 98. They are only officially saying ME is immune, but since they're both DOS based OSes and as far as I know neither has a port 135 vulnerability, I can't see how 98 could be infected - it doesn't have the vulnerable service running.
There is no security patch for 98.
I have plenty of clients running 98 and none of them have been affected.
If you have any concerns, install a good software firewall (also a router will block port 135 attacks).
The virus is not particularly malicious. If it wasn't so badly written you'd never even know you were infected. All it does is seize control of your computer via the port 135 vulnerability and then attempts to infect other computers by random IP scanning for systems with the port 135 vulnerability.
Next week the virus will start a denial of service attack against the Windows Update server.
Other than that, it does nothing to your computer (unless it's a server), and it's absurdly simple to remove - I don't even bother with the removal tool - takes me 10 minutes to apply the patch and remove the virus.
We're actually lucky the guy was such a poor programmer - the rebooting makes it easy to tell if a system is infected so this virus should get laid to rest very quickly and not lay around inside thousands of machines sucking up bandwidth for years to come.
By contrast there are still thousands of home systems out there infected with Code Red and people have no clue.
One thought I had is that computer vendors will probably need to pre-install the patch on new computers, and soon, otherwise every single system sold will have problems as soon as the owner gets online without a firewall or router.
That's the only thing that really makes this worm so unique, and why this security bug is such a blunder on Microsoft's part. This is the first time a virus has been able to propagate so easily - essentially any un-patched system with Internet access and not using a router or firewall will be infected as soon as it gets online as long as there are systems out there trying to attack.
- FlyingPenguin
- Flightless Bird
- Posts: 33162
- Joined: Wed Nov 22, 2000 11:13 am
- Location: Central Florida
- Contact:
and yet ANOTHER version of the Blaster worm called TEEKIDS.EXE (or Blaster.C)