Help needed - MSBLAST

Can anyone here help me, I seem to have contracted the MSBLAST virus, I have removed two viruses from my computer, but still seem to have problems, like for the last 2 days I cannot connect to the Stardock Chat Room and MSBLAST seems to be trying to do something like constantly trying to connect to the internet. I only noticed this problem on Wednesday 13th August.

First - What is MSBLAST and can I remove it from my computer, if so how?

Second - Has anyone else had this problem and have you managed to eradicate the problem, if so please tell me how?





6,272 views 14 replies
Reply #1 Top
Hi Stumpy

Stardock's IRC server is down because of the massive power outage that has affected the north east over here.

MSBlast is a worm that infects your computer when you're online. It takes advantage of an RPC buffer overrun flaw on XP. The worm installs MSBLAST.EXE in your windows system directory and adds itself to your registry's list of startup programs. It then crashes the RPC service, forcing the computer to reboot. You can kill the MSBlast.exe process running, delete it from the system directory, and search and remove it from the registry.

However, if you do so but install the patch that fixes the RPC overflow flaw, as soon as you get back on line, odds are you'll get infected with the worm again, which is the problem I had fixing a neighbor's computer. I had to download the patch from Microsoft's site on another computer because every time I tried doing it on his, it would get re-infected and reboot before I had time to download the patch.

Here's the link to Microsoft's patch for XP. You'll still have to remove MSBlast.exe from your system as the patch only corrects the RPC buffer overrun flaw.

http://www.microsoft.com/downloads/details.aspx?FamilyID=2354406c-c5b6-44ac-9532-3de40f69c074&displaylang=en

There is another thread somewhere on this board regarding the worm and a news item on the WC frontpage that probably has more information.

[Message Edited]
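
A read-only check for the three traces this reply describes (the running process, the file in the system directory, and a startup entry), as an added PowerShell example that is not part of the original post. It assumes a Windows system with PowerShell available and that the startup entry sits under the standard Run keys, which the thread does not name.

```powershell
# Added example: report traces of msblast.exe without changing anything.
# File name comes from the thread; the Run key paths are an assumption
# (the reply only says "your registry's list of startup programs").
$name     = 'msblast.exe'
$findings = @()

# 1. Running process. Get-Process expects the name without ".exe".
$base = [IO.Path]::GetFileNameWithoutExtension($name)
$proc = Get-Process -Name $base -ErrorAction SilentlyContinue
if ($proc) { $findings += "Process running, PID: $($proc.Id -join ', ')" }

# 2. File in the system directory (System32 on a default install).
$path = Join-Path ([Environment]::SystemDirectory) $name
if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }

# 3. Startup entries whose command line references the file.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
# Properties PowerShell adds to every registry item; not real values.
$skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

foreach ($key in $runKeys) {
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($skip -contains $p.Name) { continue }
        # -match is case-insensitive, so MSBLAST.EXE is caught as well.
        if ("$($p.Value)" -match [regex]::Escape($name)) {
            $findings += "Startup entry: $key -> $($p.Name) = $($p.Value)"
        }
    }
}

if ($findings) { $findings }
else { "No $name traces found in the checked locations." }
```

A clean result only covers these three locations; the patch linked in the reply is still needed to close the RPC flaw.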
Reply #2 Top
Thanks Chris, that seems to have done the trick. As I have not been online for a few days, I didn't realise that there was another thread regarding this problem. Thanks again for the quick response.





Reply #3 Top
Chris, I had to fix 2 computers already with that virus. It's nasty. It's even harder downloading the patch on a slow computer with a dialup connection. I should make a copy while I think about it for my tools.
Reply #4 Top
if the computer tries to reboot due to the msblast worm before you can get the thing fixed, in the 'run' box, type 'shutdown -a'. that will kill the shutdown process. also, if you don't turn off the system restore process before attempting to rid the system of the msblast worm, the system restore feature of XP will restore the system to use the msblast worm via the registry.
Reply #5 Top
I got hit last night, while testing firewalls at GRC. (ironic, ain't it?) Trend Micro's PC-Cillin caught it instantly!
/me loves PC-Cillin.



Reply #6 Top
Yea, a lot of the virus scanners have the definition now. So hopefully the worm dies soon. Unless those people that don't know what a firewall and anti-virus is keep spreading it. But there are plenty of free ones out there.
Reply #7 Top
Here's a good tool for removing the worm. You'll need to still run the patch but this is a good way to make sure all traces of the worm are gone.

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Reply #8 Top
good thing I am running ME. no worms today thank you!
Reply #9 Top
This http://www.microsoft.com/security/incident/blast.asp for the patch might be easier for those with dial-ups........



Reply #10 Top
I'm going to download that fix from Symantec and put the update on a small CD-R I have. I like the micro CDs, they are good for things like this.
Reply #11 Top
#10 by Skinner Weaksid - 8/15/2003 9:41:33 AM I'm going to download that fix from Symantec and put the update on a small CD-R I have. I like the micro CDs, they are good for things like this.


That's what I did, Weaksid. Already used it and will probably continue to use it for a while, yet. Lots of people with no firewall and/or antivirus software out there.
Reply #12 Top
or you can always go into msconfig and disable the worm from running there. after doing that, reboot the system and the worm won't shutdown the system on you while you're doing the removal. it works. i just did it on 3 machines this morning. just be sure to turn off system restore before removing the worm.
Reply #13 Top
I understand exactly what Weaksid means. I couldn't believe how many people were dropping off at IRC chat with Virii and simple boot attacks. People just don't seem to understand how dangerous the internet is. Hopefully, they are just starters and don't use their computers for really important work.

Luckily, these Viruses don't mutate on their own like real life viruses. Oops, I shouldn't have said that. Some shmuck will probably create one that does just that.

I've tried many firewalls and anti-virus programs. I think Norton Internet Security Professional is the best. Better than Zone Alarm Pro, which comes a not so close second. Because, NIS Pro comes with Anti Virus built in (NAV) and loads of other stuff too.
Reply #14 Top
http://www.msn.com/Blaster/msblaster.htm