W32 Blaster Worm

http://www.cert.org/advisories/CA-2003-20.html ^ | CERT

[dfwgator]

How does one go about finding out if ones system has been infected?

Just go around showing your computer and ask "does this look infected?" (Sorry, couldn't resist)

[Iowa Granny]

thank you. I'm not very tech savay. I may just get a new computer. This one is less than a year old, but I just can't figure it out.

And Dell doesn't seem to be answering their phone, so tech support is nonexistant. I started calling yesterday around noon,,,, still no answer,,, the line is busy.

[BlackbirdSST]

Unfortunately that would require blasting our entire sales force.

In my case that would mean the CEO, HR Head, CFO and numerous VP's. No real love lost but, figure the odd's! Blackbird.

[Mannaggia l'America]

We use a Sonic Wall firewall at my office and it still infected one of the PC's here.

So just a firewall may not help. Run Windows Update frequently!

[Bikers4Bush]

Lol!

[TheBigB]

Update your virus software and run a full systems scan.

[Bikers4Bush]

See post #12.

[Joe Hadenuf]

Thanks.....

[dfrussell]

How does one go about finding out if ones system has been infected?

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

[ClearCase_guy]

This worm is not spread through e-mail, but is a flaw in the Microsoft RPC code.

Interesting that your ISP would define a worm as "a flaw in the Microsoft RPC code". Makes me think that someone with a BA in English is writing announcements for your ISP.

[stlnative]

go to your START menu, use SEARCH for File or Folders and enter MSBlast.exe it will show up if you have it.

If you have it, update your virus software and then run it. If you do not have a virus software, go to http://www.grisoft.com and download the free virus scanner (AVG), after you download it it will start to install it and will ask to check for updates on the free AVG software, make sure you let the software get the current updates after you install it, as the inital software does not have the fix in it, you have to update it after you download it. After you have have done all that then run it through a full virus scan and it will pick up and remove the MSBlast.exe worm from your system.

[mitchbert]

If you know how to open your Task manager you can view currently running processes. If you find one called "msblast.exe" you have it. Kill the process. Then perform the update.

You can also kill it through the registry but unless you are very comfortable running around in there I don't recommend it. You can cause more damage than you can imagine. Still, if you're brave...

1. From the Start menu choose RUN
2. Type REGEDIT then click OK
3. Open the tree in the following sequence: HKEY_LOCAL_MACHINE
SOFTWARE
MICROSOFT
WINDOWS
CURRENT VERSION
RUN - click on this folder to open it. You will see a number of keys and values in the right hand pane.
If you see an entry under "Name" that says "windows auto update" with a value "msblast.exe" delete this key. Note - there is a folder down the tree called "Windows Auto Update" that is supposed to be there. Don't touch it. It's not the virus location.
-You will have to restart your PC for the registry change to take effect.

NOTE AGAIN - IT IS BEYOND FOOLISH TO RUN AROUND IN THE REGISTRY UNLESS YOU ARE VERY CONFIDENT OF WHAT YOU"RE DOING> PLEASE BE CAREFUL!

If you don't already have a firewall, get one and keep it up to date. Firewalls are your friend. Since I installed one on my home PC I can't believe how many times something's tried to hit me. Good luck.

[dfrussell]

I may just get a new computer

This assumes that the new ones will not be vulnerable, which is probably not a good assumption :)

You might want to just install a personal firewall and shut off most services you don't need/want (almost everything for most people).

ZoneAlarm, Sygate and BlackIce work reasonably well. Just don't get excited and start complaining to ISPs when you discover your system is being probed a lot... waste of time usually.

If you have a firewall, things like this are pretty much moot. You also might want to consider using a filtered ID from spamcop.net or hushmail.com rather than using your ISP... they run $30 a year and provide virus and spam filtering.

[OXENinFLA]

thanks, I opened my task manager and didn't see it.

I've update my Anti-Virus software (Panda) and am running a scan now, just to be sure.

[HAL9000]

Kill the process. Then perform the update.

Also, remember to stand on one foot, wave a dead chicken over the keyboard and chant praises to Microsoft while performing the update.

[You Dirty Rats]

My company has been hit by a virus today. All MS office products are messed up. The network boys are working on it. Those of us in userland are out of luck.

[New Horizon]

Affects NT 4, 2000, XP.

[dfrussell]

It depends upon what you permit through your firewall :)

[dfrussell]

Full list:

* Microsoft Windows NT 4.0
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003

[mitchbert]

That was dirty. Now my boss is staring at me wondering what I'm laughing about! :-)