W32.Blaster.Worm - RPC vulnerability causes reboots in Windows NT, 2K, and XP.


ProviaFan

Lifer
Mar 17, 2001
14,993
1
0
Originally posted by: owensdj
One question I have about this worm is if a computer is being rebooted by it because it's connected to the Internet, does that mean the computer itself is infected by the worm or does it mean the operating system just needs the security patch?
A computer can be rebooted even if the patch has been installed, as long as the RPC port is not blocked by a firewall. If a computer without the patch is rebooted while on the internet, it will become infected (if I understand this correctly). I hope this is clear enough for you to understand without too much difficulty. :)
 

Kwad Guy

Diamond Member
Dec 1, 1999
3,478
0
0
I have to say that people who are on broadband really have no excuse for letting this bite them. Windows updates are trivially easy to apply (and fast if you have broadband). And everyone should really be running some sort of firewall.

That said, this bites for those who got bit...

Kwad
 

gplracer

Golden Member
Jun 4, 2000
1,768
37
91
I have a friend that is on Comcast. He said his computer gets to the blue screen that says windows xp pro is now starting and just stays at that screen. What should we do? We cannot get into windows at all.
 

StraightPipe

Golden Member
Feb 5, 2003
1,676
0
71
Originally posted by: Kwad Guy
I have to say that people who are on broadband really have no excuse for letting this bite them. Windows updates are trivially easy to apply (and fast if you have broadband). And everyone should really be running some sort of firewall.

That said, this bites for those who got bit...

Kwad


I agree, it doesn't touch me, all those updates automatically installed on my machines.
 

Cadaver

Senior member
Feb 19, 2002
344
0
0
My Linksys router has a NAT-style firewall (no port forwarding; all ports closed & stealthed). Apparently this was enough to prevent any infection or reboot attempts. I've since patched my system, but thankfully wasn't affected. I've run Norton AV and the Symantec FixBlast utility just to be sure.
 

seismik

Senior member
May 9, 2003
232
0
0
One question I have about this worm is if a computer is being rebooted by it because it's connected to the Internet, does that mean the computer itself is infected by the worm or does it mean the operating system just needs the security patch?
If it's rebooting itself, you're infected.

Has issue been addressed in a WinXP windowsupdate security fix already? I haven't been online since August 7th, but as of then I was totally up to date. Am I still at risk? Also, I have never had remote assistant activated on my computer. I think I may actually have never installed that particular client (that is, removed it from the list of things that were installed when I put XP on my system).
Yes, it's been addressed. If you haven't been online you haven't got the update, which means you're at risk unless you're behind a firewall.

our server at work got the worm and now logging into and out of my computer takes FOREVER. some programs don't function properly either, like network neighborhood, the search function on the start menu, Excel documents open then close right away.
It's a pretty easy fix, you just boot the server up in safe mode, scan for the virus with an updated scanner (or download the tool on Symantec) and find all infected files, stop the process, reboot and patch. We had a few people infected at my office who were not at all computer savvy who managed to repair the damage themselves with similar instructions, so you should be ok. For future outbreaks I would not run a M$ system exposed though, especially in a business environment. It's one thing to plug your PC into a cable modem unguarded but an entire office?
 

jagr10

Golden Member
Jan 21, 2001
1,995
0
0
WTF am I supposed to do on my other computer which is slow as hell! p3 500. By the time it finishes loading all the startup programs the 60 secs are up for a reboot. I don't even have a chance to download or even run a program in that time. Should I just go in safe mode and copy the exe file and run it there?
 

owensdj

Golden Member
Jul 14, 2000
1,711
6
81
jliechty, I don't get that. I thought the security patch would prevent the reboots even if port 135 wasn't blocked? What's the point of the patch if it doesn't fix this?
 

tboneuls

Banned
Nov 17, 2001
384
0
0
Originally posted by: jagr10
WTF am I supposed to do on my other computer which is slow as hell! p3 500. By the time it finishes loading all the startup programs the 60 secs are up for a reboot. I don't even have a chance to download or even run a program in that time. Should I just go in safe mode and copy the exe file and run it there?

Did you try going to a CMD and typing shutdown -a? (or run shutdown -a) That SHOULD abort any shutdown.

Safe Mode should work as well.

BTW, I got a shutdown with something about RPC before I heard about all this. I quickly ran shutdown -a and stopped it. Thought nothing of it (the comp was dying anyway). Should I be worried about being infected? I am running ZoneAlarm and Norton AV.
 

MikeMike

Lifer
Feb 6, 2000
45,885
66
91
well try getting the updates while on 28.8k dialup!!! it sucks!! i didn't know that shutdown -a would abort though, but i removed the msblast.exe and some other thing it setup, then went into the registry killed those, and i no longer have the shutdown, but i do keep getting a "program error don't send thingy that is still from the blaster virus." yes i somehow, or my brother, i KNOW it wasn't me cuz i wasn't home, received this while on DIALUP!!! 1/2 speed dial up at that. and before i thought there was no reason for a firewall when on this stuff. o well luckily my computer was off, cuz it leaks water. now i am running the removal tools, and everything to make sure its gone.

MIKE
 

cow123

Senior member
Apr 6, 2003
259
0
0
LOL, last night i was running memtest86 on friends computer to check ram. anyway, afterwards i booted into windows.. just beforehand i was discussing this virus that had been going around (because he never had his xp firewall on). get into windows, log on, and what do ya know! a window comes up saying the computer will reboot in 60 seconds ROFL, have to say i found it highly amusing! and my friend suspected i maybe put the virus on the computer with the memtest86 cd i brought over - as it seemed highly coincidental after i had just been talking about it

anyway, i removed it the same way i had removed one such pesky worm from my computer a while back - stopped it in task manager and removed it from startup in msconfig (although unknown to me, it runs 2 at once of odd uppercase filenames, made of random letters about 8-9 characters in length so after i stopped the first one, another appeared etc etc until i realised there was another in memory at the same time creating newer ones). the file names to look out for are hidden executables in the windows folder with upper case random lettered filenames at 92.0kb in size
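The traits given in the post above (hidden executables in the Windows folder, names of 8-9 random upper-case letters, 92.0 KB in size) can be turned into a small triage check. This is an added example, not part of the original post; the function names, the rounding window used for "92.0 KB" and the demo files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Traits from the post: .exe in the Windows folder, name of 8-9 random
# upper-case letters, shown as 92.0 KB, hidden attribute set.
STEM_RE = re.compile(r"[A-Z]{8,9}")
SIZE_MIN, SIZE_MAX = 91.95 * 1024, 92.05 * 1024  # assumed rounding window for "92.0 KB"
FILE_ATTRIBUTE_HIDDEN = 0x2                      # Windows file attribute bit


def check_file(path):
    """Return a finding dict if the file fits the described traits, else None."""
    stem, ext = os.path.splitext(os.path.basename(path))
    if ext.lower() != ".exe" or not STEM_RE.fullmatch(stem):
        return None
    st = os.stat(path)
    if not SIZE_MIN <= st.st_size < SIZE_MAX:
        return None
    # st_file_attributes exists only on Windows; elsewhere hidden is unknown (None).
    attrs = getattr(st, "st_file_attributes", None)
    hidden = None if attrs is None else bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    return {"path": path, "size": st.st_size, "hidden": hidden}


def scan(directory):
    """Check every regular file directly inside `directory` (no recursion)."""
    with os.scandir(directory) as entries:
        hits = [check_file(e.path) for e in entries if e.is_file(follow_symlinks=False)]
    return sorted((h for h in hits if h), key=lambda h: h["path"])


def make_demo_dir():
    """Constructed sample files standing in for a Windows folder."""
    root = tempfile.mkdtemp(prefix="winfolder_demo_")
    samples = {
        "XJQHBVNC.EXE": 94208,     # 8 upper-case letters, 92.0 KB: match
        "QWKZPLMTR.exe": 94208,    # 9 upper-case letters, 92.0 KB: match
        "EXPLORER.EXE": 1000000,   # name fits the pattern, size does not
        "notepad.exe": 94208,      # size fits, name is lower-case
        "ABCDEFGHIJ.exe": 94208,   # 10 letters, too long
    }
    for name, size in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    # On a real machine, pass os.environ["SystemRoot"] instead of the demo folder.
    for hit in scan(make_demo_dir()):
        print(hit)
```

A hit is a lead for closer inspection rather than proof of infection: the name pattern alone also matches legitimate files such as EXPLORER.EXE, which is why the size is checked as well.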
 

carpenter

Platinum Member
May 31, 2003
2,880
0
0
brettjrob has it right, do as he has listed and you'll get rid of this. If your machine is infected and you apply the patch, you will still infect other machines. This patch has been out for weeks now, can't believe people didn't put it on right away. Was in the local comp. store yesterday and today and people were dropping off their computers left and right. Those guys are going to make a killing off of others' laziness. The net has really slowed down the last couple of days because of everyone scrambling to get the patch. So the worm got us both ways.
 

DavidTan

Senior member
Apr 15, 2003
509
0
76
I just got it today! I see the msblast.exe on my startup. Should I uninstall it and run zonealarm also..
 

ProviaFan

Lifer
Mar 17, 2001
14,993
1
0
Originally posted by: DavidTan
I just got it today! I see the msblast.exe on my startup. Should I uninstall it and run zonealarm also..
Absolutely. Follow the instructions posted in this thread for patching your system and removing the worm.
 

joshg

Golden Member
Jul 3, 2001
1,359
0
0
our server at work got the worm and now logging into and out of my computer takes FOREVER. some programs don't function properly either, like network neighborhood, the search function on the start menu, Excel documents open then close right away.

FYI this worm also affects "basic" COM events on your computer. This means that you can't Paste files in the Windows window manager, you can't drag icons, etc. Also, since Microsoft Office is embedded heavily with COM events, it will basically be unusable if you have the virus.

If you are experiencing these types of strange symptoms, as well as svchost.exe crashes, you might want to check yourself out for this worm.

Hope this helps!
 

wetcat007

Diamond Member
Nov 5, 2002
3,502
0
0
Originally posted by: NOX
Originally posted by: dexvx
Instead of wasting money putting a bounty on Saddamn, they should start putting bounties on these scum who make the worms.
Why? It's Bill Gates (Microsoft), which needs to fix this problem! It seems that every month a new exploit for Windows is coming off the production line. I never ever hear of Apple computers being attacked.

Bill Gates continues to make all his billions while his b1tches (Windows users) continue to get screwed!

No one uses apple, so people never bother finding exploits.
 

wetcat007

Diamond Member
Nov 5, 2002
3,502
0
0
Through Open Ports, generally a router will protect your network, because ur router will block the ports, and unless it uses windows, it won't go anywhere inside ur network.
 

Jayczar

Golden Member
Aug 28, 2001
1,628
1
81
Good thing I already updated as I have gotten 5 calls this week from friends and relatives wondering why their PC has been rebooting.....LOL!!!!!!!!
 

NOX

Diamond Member
Oct 11, 1999
4,077
0
0
Originally posted by: wetcat007
Originally posted by: NOX
Originally posted by: dexvx
Instead of wasting money putting a bounty on Saddamn, they should start putting bounties on these scum who make the worms.
Why? It's Bill Gates (Microsoft), which needs to fix this problem! It seems that every month a new exploit for Windows is coming off the production line. I never ever hear of Apple computers being attacked.

Bill Gates continues to make all his billions while his b1tches (Windows users) continue to get screwed!

No one uses apple, so people never bother finding exploits.
A lot of people use Apple, other forms of Unix, and Linux. People never attacked them because it is MUCH harder to do and people simply don't want to waste their time trying. Windows is simply way too EASY to pass up for these guys. That is all I'm saying.
 

StraightPipe

Golden Member
Feb 5, 2003
1,676
0
71
Originally posted by: jagr10
WTF am I supposed to do on my other computer which is slow as hell! p3 500. By the time it finishes loading all the startup programs the 60 secs are up for a reboot. I don't even have a chance to download or even run a program in that time. Should I just go in safe mode and copy the exe file and run it there?

I guess you boot safe mode so you don't get the restart. but I run auto microsoft.update and never dealt with the worm, I've had to help several friends fix this mess. many of them with highspeed, no excuse.
 

MadRat

Lifer
Oct 14, 1999
11,973
291
126
Originally posted by: wetcat007
Through Open Ports, generally a router will protect your network, because ur router will block the ports, and unless it uses windows, it won't go anywhere inside ur network.

Actually a lot of Cisco mini-routers use NT, at least a form of NT, and are susceptible to the worm, too.