W32.Blaster.Worm

ViperMagic

Ok, my friend calls me up today and says he believes he has this virus, because his task manager, msconfig, regedit, etc. all refuse to stay open for more than a few seconds. My computer's been doing the same thing for the past few days, but he doesn't remember where he heard that this is a symptom of the virus. Symantec is no help as for the actual symptoms, think anyone can help?

Edit: I'd look for the regkeys it puts in and everything, but regedit won't stay open.
 

ViperMagic

Yeah, I found that. But I don't see any way to tell if I have the worm or not without examining the registry, which I seem to be incapable of.
 

yukichigai

Look in your Windows/System or Windows/System32 folder for hidden .exe files with names similar to actual windows programs. The easiest way to tell is under the program description; if it is a real Windows process it will have an actual description, whereas the virus will usually just list the filename again. Also, go to download.com and download "Process Viewer". It's a better version of Task Manager. You can use this to turn off the offending virus process (delightfully called "kill"ing the process) and then delete the file. Keep in mind there will be multiple virus files, but only one will be an active, running process at any given time. Make sure you search the registry for the offending filenames too.

EDIT: Unfortunately I don't know of any links to fix this easily, i.e. Symantec patches or something similar.
 

yukichigai

Originally posted by: neutralizer
How would you go about getting something like this?

Kazaa, or one of the many buffer overflow exploits that have been mentioned here before. If someone can cause your computer to reboot remotely they can also cause you to download software remotely.
 

neutralizer

Okay, I don't use Kazaa and I'm nicely firewalled, so yeah, I think I'm fine, besides, I've Windows Updated recently... damn winxp...
 

spidey07

Originally posted by: neutralizer
How would you go about getting something like this?

Plugging into a network. From the companies I've talked to (from 4 billion to 30 billion) they've shut everything down.
 

lowtech1


It could be a virus that exploits the tftpd daemon for a buffer overflow to trigger the NTauthority reboot.com/shutdown.exe in RPC.

Do what Norton suggested for the virus removal in safe mode with the network cable unplugged. Then surf to the MS site and download the patch, or run update.

You can then proceed to disable & audit the following files: ftp.exe, tftp.exe, command.com, cmd.exe, telnet.exe, wscript.exe, and cscript.exe (if you are not running a web/ftp server).
 

yukichigai

Some Symantec articles that may be your virus, or a relative.

Trojan.Stealther.B

W32.Kergez.A@mm

Avkiller.Trojan

W32.HLLW.Huntocx (Doesn't say what processes it stops specifically)

All W32.Yaha.J@mm variants: W32.Yaha.S@mm, W32.Yaha.T@mm, W32.Yaha.U@mm, etc. (The most likely candidate, an oldie but goodie)

You can do more searching yourself by going to Symantec's search page and doing a search for terminate or terminates. There are several backdoors which have this behavior as well, so hope that isn't what it is.
 

AzNKiD

1) patch the rpc
2) if the files webdav.exe and ftfp??? are in your startmenu/programs/startup/, delete them
3) boot into safe boot and delete file windows/system32/msconfig32.exe
4) boot back to normal and do a full virus scan/ spyware
5) run msconfig and see any weird programs on start.

Just a suggestion, don't hate me if this messes up your OS :eek:
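A defender-side check for two pieces of advice in this thread: yukichigai's tip about hidden .exe files in System32 whose version description is blank or merely repeats the file name, and AzNKiD's step about stray executables in the Startup folder. This is an added PowerShell example, not code from the thread; the folder paths are Windows defaults and the flagged file names are simply the ones the thread mentions.

```powershell
# Added example, not from the thread. Lists .exe files in System32 (hidden ones only,
# as yukichigai suggests) and in the current user's Startup folder, reads each file's
# version-resource FileDescription, and flags entries a human should look at:
# no description, a description that just repeats the file name, or one of the file
# names this thread mentions. A flag is a review aid, not a verdict.

$System32    = Join-Path $env:windir 'System32'                 # default Windows path (assumption)
$StartupDir  = [Environment]::GetFolderPath('Startup')          # per-user Startup folder
$ThreadNames = @('msconfig32.exe', 'msconfig35.exe', 'webdav.exe')  # names quoted in the thread

function Get-ExeReport {
    param(
        [string]$Folder,
        [switch]$HiddenOnly
    )
    # -Force makes Get-ChildItem return hidden and system files as well
    Get-ChildItem -Path $Folder -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $isHidden = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            if ($HiddenOnly -and -not $isHidden) { return }   # skip non-hidden files when asked

            $desc = $_.VersionInfo.FileDescription
            $base = [IO.Path]::GetFileNameWithoutExtension($_.Name)

            # Reasons to flag, in the order the thread gives them
            $reason = $null
            if ([string]::IsNullOrWhiteSpace($desc)) {
                $reason = 'no version description'
            } elseif ($desc.Trim() -ieq $base -or $desc.Trim() -ieq $_.Name) {
                $reason = 'description just repeats the file name'
            } elseif ($ThreadNames -contains $_.Name) {
                $reason = 'file name mentioned in this thread'
            }

            [PSCustomObject]@{
                Path        = $_.FullName
                Hidden      = $isHidden
                Description = $desc
                Company     = $_.VersionInfo.CompanyName
                Reason      = $reason
            }
        }
}

$report = @(Get-ExeReport -Folder $System32 -HiddenOnly) + @(Get-ExeReport -Folder $StartupDir)

# Show only the flagged entries; compare anything listed against a known-good machine before
# touching it (the thread's own point about iexplore.exe vs. explorer.exe applies here).
$report | Where-Object { $_.Reason } | Sort-Object Path |
    Format-Table Path, Hidden, Description, Company, Reason -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt; some legitimate Windows binaries ship without a description and will be listed too, so the output is the starting point for the manual comparison the thread describes, not a removal list.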
 

yukichigai

Originally posted by: AzNKiD
1) patch the rpc
2) if the files webdav.exe and ftfp??? are in your startmenu/programs/startup/, delete them
3) boot into safe boot and delete file windows/system32/msconfig32.exe
4) boot back to normal and do a full virus scan/ spyware
5) run msconfig and see any weird programs on start.

Just a suggestion, don't hate me if this messes up your OS :eek:

Also make sure to get the file msconfig35.exe, as well as anything with explorer in the name that isn't explorer.exe. Especially iexplore.exe. That thing will seriously mess up your system. :p

Seriously, remember everything but the last bit about iexplore.exe. Explorer.exe is the Windows shell, nothing else.
 

lowtech1

Originally posted by: yukichigai
Originally posted by: AzNKiD
1) patch the rpc
2) if the files webdav.exe and ftfp??? are in your startmenu/programs/startup/, delete them
3) boot into safe boot and delete file windows/system32/msconfig32.exe
4) boot back to normal and do a full virus scan/ spyware
5) run msconfig and see any weird programs on start.

Just a suggestion, don't hate me if this messes up your OS :eek:

Also make sure to get the file msconfig35.exe, as well as anything with explorer in the name that isn't explorer.exe. Especially iexplore.exe. That thing will seriously mess up your system. :p

Seriously, remember everything but the last bit about iexplore.exe. Explorer.exe is the Windows shell, nothing else.
Why stop there... might as well go for format c: