Internet Worm Plaguing Computers Worldwide

Washington Post ^ | Brian Krebs

[WaterDragon]

A fast-spreading Internet worm infecting more than a million computers worldwide forced the Maryland Motor Vehicle Administration to shut its offices for the day and is causing problems for other computer networks in the Washington region. The worm, dubbed "Blaster" by security experts, is having a "sporadic" effect on federal agency networks, said a spokesman for the U.S. Department of Homeland Security......(snip) [Article is long but good]

[rwfromkansas]

I can't find it in the registry, but surely I have been infected due to getting the NT Authority System message the past few days until it not appearing now that I have the patch installed and XP firewall up.

Does the patch delete the registry entry? I wouldn't think so.....it seems to just fix the problem, not deal with any existing worm getting through, so I am not sure why I can't find it in the registry.

[rwfromkansas]

I can't find it on my machine in the task manager processes tab either......weird. Any ideas why?

[rwfromkansas]

I got the messages a couple days ago. I just ran regedit and there is no such thing on there as "msblast," so either the patch deleted it, or it was not caused by the virus.

[rwfromkansas]

This has to be one of the most common viruses ever as many people as I have heard appearing to have it.

Than again, it "looks" like I have it, but that can't be.....no registry records or anything.

[tallhappy]

You should see msblast.exe in the task manager's list of processes.

Using regedit you can find the entry that causes it to run on startup and delete that entry.

If you can find neither, then you either don't have the virus or it changes its name. I don't know about the latter.

Killing the process right when you start allows you to go to download new virus definitions and the patch.

[tallhappy]

If your machine isn't giving you a "Generic Host Process" error and then restarting, you don't have it.

Is your machine restaring everytime you use it?

[rwfromkansas]

no....I haven't had the problem since I installed the patch

I got the same message as what the virus causes, however until I installed the patch.

But, it looks like that problem is dealt with now. I won't declare victory until this weekend though. But, I at least don't have the worm.

[cherry]

"Think we've learned our lesson????"

YES!!!!

for a while there I could only be online a very few minutes, but finally got the patch downloaded after selecting the proper one of course.....

thx to all freepers for their help...

[drjoe]

"Boy, am I glad I have no such Windows based system in my worm-free, virus-free and error-free computer that does nothing but work fast and beautifully all the time! In case of a question--it's an iMAC, of course, running OS X --no patches req"


Although I too use a Mac I don't use a MAC. MAC is an acronym for Media Access Control, Mac is a personal computer made by Apple Computer, Inc. Which, however, like Unix and Linux systems is pretty much immune to viruses, worms and the other denizens of the Information Technology Bestiary. Sweet.

[SeeRushToldU_So]

By the way, this worm doesn't come from an email. If you don't have ZoneAlarm you might get the worm. But I think you have it, right?

[CDHart]

Go to www.murlin.com and they have the update and the patch. They're our internet provider where I work. So far, so good.

Carolyn

[CDHart]

My ISP has said that we can't set a firewall because our dialup connections (rural area) are not fast enough. Does this make sense?

Carolyn

[WhyisaTexasgirlinPA]

Yikes.....I don't know.......... I better check.......thanks....

[Ronin]

Not to me, but I am a beginner at this stuff, too. If you are running Windows XP, the firewall is already a part of your program and you don't have to install anything, just turn it on.

[gungadin]

Terpfen said - Because neither Norton's or Zone Alarm will do much against determined people. Get a hardware firewall

Hmmmmm.... Good advice T, but I think for many people who may not have the resources and know-how to operate one successfully, a software firewall such as ZoneAlarm is an excellent choice. Stops this exploit dead anyways. I run the free version myself, and find it performs as expected (no personal connection to the company). Certainly it is well reviewed. I have been using it from when it offered only one way (outwards) filtering, a few years now.

I read something very interesting just now over at Steve Gibson's site (www.grc.com) and he comments on ZoneAlarms singular ability to adaptively stealth port 113 on a computer. This is apparently a feature not even yet found in hardware firewalls.

CDHart wrote - My ISP has said that we can't set a firewall because our dialup connections (rural area) are not fast enough. Does this make sense?

I can see no reason to not run a firewall Carolyn. The rural connection may be slow, but with a machine containing one of today's fast CPU's the firewall should not add any perceptible "overhead" or lag due to its function. A properly configured modem port helps (e.g, Windows normally is shipped with the COM ports set to 9600bps, and this needs to be changed to, say, 57,600 or even 115,200, if on a 56k dialup).

[6ppc]

Do you know why?

It's using a bug in a feature that doesn't exist in Win98 and Win95.

[TaxRelief]

I had to turn off the restart feature in Remote Procedure Call to stay on line long enough for the patch to be downloaded.

How is the shutting off problem stopped long enough to make repairs? Follow these steps:

Start>Run>Type "services.msc" in the box>OK

-Scroll down the list of services to "Remote Procedure Call"

-Right Click on Remote Procedure Call and choose properties.

From "Remote Procedure Call (RPC) Properties (Local Machine)" choose the [Recovery] tab. Use the pull-down menus to change the failure actions to "Take no action".

After downloading the patch and setting up your firewall, please put RPC Recovery actions back to Restart...

[TaxRelief]

For the record, erasing MSBlast from the registry does not prevent its reemergence a few minutes later. Better to turn off the restart feature in RPC. See my previous post for instructions.

[tutstar]

home network...I'm on the kids' pc

[pollywog]

WaterDragon, do you happen to have a link to the patch? There are probably many that could use this info right now.