Three Drives, posted August 11, 2003:

I believe that a new virus is out (trojan) for which McAfee and SARC have no data (and cannot yet detect). It's called msblast.exe and resides in sys32. I renamed it to .txt, opened it and found this inside:

I just waníÿÿÿto say LOVE YOU SAN!! billý·mûgates&

Search & Destroy all lines with "msblast" in your PC and registry.

PS: My computer gave a message "RPC Service has failed, pc will reboot in 45 seconds" and when I found the file and was trying to submit to the SARC, the hacker tried to stop me again... check screenshot:

I did eventually submit though.

Heads up

rjohnstone, posted August 12, 2003:

Here is what it does...

It puts a reg entry on your system:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSBLAST.EXE

It then makes an illegal call to the RPC service which causes your PC to reboot over and over again.

Just remove the reg entry and delete the file from your system32 directory.
Then apply the MS03-026 patch to your PC.
All done.

Fortunately it's just an annoying worm and not a destructive one.

Edit: McAfee and Norton now have updates to detect and clean the file.

dav, posted August 12, 2003:

Where can we download msblast?

Grusic, posted August 12, 2003:

Hi,

I got hit with the little sucker at 9:54am local time this morning. At first I thought it was some hacker kiddies I had pissed off, but after reading this I realized it was a worm: http://www.europe.f-secure.com/v-descs/msblast.shtml

As others have said, simply deleting MSBlast.exe and its associated Reg entry takes care of the problem. I would suggest that anyone running a firewall also block ports 135, 139 and 445.

Here's some good and free for home use firewall software: http://www.kerio.com/kpf_home.html

@dav: Don't worry, it will find you.

Bling,
Grusic

BamBam, posted August 12, 2003:

Click Here

Old exploit and patched about a month ago, go to winupdate and fix.

deadzombie, posted August 12, 2003:

Ok, you guys are going to be in for some fun - removing msblast.exe isn't going to always solve all of your problems - it creates a shell in port 4444 and starts downloading secondary .exe's to help replicate and spread itself. I deleted msblast.exe Friday night, edited the registry and woke up to over 300 copies of it throughout my system this morning!

Update Windows and get your viruscan updates. Scan EVERYTHING you have. Then, if it's gone, you should be ok. What a nasty little bugger.

juno, posted August 12, 2003:

here's some other hacker/virus news.

recently, a hacker installed a worm on my computer (still don't know how he did it) that installed pc anywhere and allowed him to use it for my computer. i have 2 partitions on my drive: SuSE linux 8.2 and Windows XP.

naturally, windows started getting all f***ed up, this guy was using my internet connection to host the movie Men In Black II. i rebooted, switched over to my suse OS and reformatted the part of the drive he was using (he actually made a whole new partition!). then i used the pc anywhere he so recently installed and promptly nuked his hard drive (completely destroyed it, rendering it unusable, even if they reformat, which isn't possible) so it turns out he was the one who lost.

RoyalPain, posted August 12, 2003:

holy sh##, made me switch to win 2k3 from win xp. bloody virus.

thanx guys.

contrasutra, posted August 12, 2003:

I believe it affects 2k3 as well.

According to the MS website, the only OS it doesn't affect is WindowsME.

Confirmed:
http://www.microsoft.com/technet/treeview/...in/MS03-026.asp

godpunk, posted August 12, 2003:

Originally posted by contrasutra @ Aug 11 2003, 10:49 PM:
"According to the MS website, the only OS it doesn't affect is WindowsME."

Well of course it doesn't affect Windows ME....that OS is practically a virus in and of itself. <_<

-godpunk

Ludge, posted August 12, 2003:

I've just been and fixed this one. It really is a nasty piece of work... Because it's relatively new it was a bugger to find any info on it (was before this thread started). There is good info on the Microsoft TechNet forums. Symantec have released updates to deal with it now, get a firewall and it shouldn't affect you apparently.. Bloody viruses. :rant:

EDIT:
My symptoms were Generic host processes crashing as in Three Drives' screenshot. Then a window like the one attached except that the timer starts at 59 seconds. Hope this pic helps someone.

Rain, posted August 12, 2003:

I encountered this worm this morning at about 0500 hrs (GMT +8 hrs). I had a few reboots and what I did to stop it is:

1. Turn off my cable modem.
2. Remove windows update from running through registry and system.

After that, my PC was fine and stopped rebooting. I was tempted to reformat and thought Windows was having problems. Little did I know it was a worm until after reading this.

Did a search and found 2 results:

1. Msblast.exe
2. MSBLAST.EXE-09FF84F2.pf

To anyone having this problem, switch off your modem and start doing some 'search N Destroy'.

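
Added example (not part of any post in this thread): a read-only PowerShell check for the indicators the posters report, namely the Run-key entry, msblast.exe in system32, the prefetch trace, and a listener on port 4444. It assumes a current Windows with PowerShell run from an elevated prompt; Get-NetTCPConnection needs Windows 8 / Server 2012 or later, and the variable names are illustrative.

```powershell
# Added example: read-only triage for the MSBlast indicators named in this thread.
# It reports findings only; nothing is deleted or modified.
$findings = @()

# 1. Autostart entry: any value under the Run key whose name or data mentions msblast.
$runKey = Get-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($runKey) {
    foreach ($name in $runKey.GetValueNames()) {
        $data = $runKey.GetValue($name)
        if ("$name $data" -match 'msblast') {      # -match is case-insensitive
            $findings += "Run key value '$name' = '$data'"
        }
    }
}

# 2. The worm binary in the system32 directory.
$exe = Join-Path $env:SystemRoot 'System32\msblast.exe'
if (Test-Path -LiteralPath $exe) {
    $findings += "File present: $exe"
}

# 3. Prefetch traces (e.g. MSBLAST.EXE-09FF84F2.pf) show the binary has executed,
#    even if the .exe itself was deleted afterwards.
$prefetchDir = Join-Path $env:SystemRoot 'Prefetch'
Get-ChildItem -Path $prefetchDir -Filter 'MSBLAST.EXE-*.pf' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Prefetch trace: $($_.FullName)" }

# 4. A process listening on TCP 4444, the port one poster reports the worm opening.
Get-NetTCPConnection -State Listen -LocalPort 4444 -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Listener on TCP 4444, owning PID $($_.OwningProcess)" }

if ($findings.Count -gt 0) {
    Write-Output 'MSBlast indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'None of the MSBlast indicators from this thread were found.'
}
```

A clean result from these four checks only covers the indicators named in the thread; the posts above still call for the MS03-026 patch and an updated antivirus scan.
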
Bioxoxide, posted August 12, 2003:

Yea, this little mofo scared me yesterday in the morning. I was fixing my aunt's computer (reformatting hard drive for win xp). It rebooted on me a few times, then I did what Rain said (it only happened when there was an active internet connection). Took it out of the registry and used my handy dandy Norton and went worm huntin :who's your daddy:

Now I am back to playin my CS :joystick:

b0se, posted August 12, 2003:

I got hit by this also, I removed the msblast.exe startup using msconfig.msc. Need to delete the other file though, and search the registry...

alilm, posted August 12, 2003:

I got hit by this, but it doesn't seem to affect me anymore, how did I get it?

Frankenchrist, posted August 12, 2003:

Hey guys.

Just HOW do you get a virus? I've never managed to get one on my PC. Ever.

As any serious/smart user should know, you NEED a firewall if you're going online.
NOT having a firewall is (imo) equal to walking around in Central Park and leaving a trail of money behind you. You're gonna get robbed.

So do yourself a favor - and install a firewall. ZoneAlarm does the trick just fine. It doesn't allow the Blaster.exe or any other virus to connect to ANY site, unless you allow it to. So you're pretty safe.

You can DL the free version from here:
Zonealarm

Well, just my 2 cents.

PS. No, I don't work @ Zonelabs. I just think it's an easy-to-use-yet-powerful firewall.

rjohnstone, posted August 12, 2003:

I never got hit with it, but a lot of the guys I work with did.

All I can say is.... FIREWALL... get one.
My firewall and router logs were full of blocked attempts.

But then again, I installed the patch when it came out.
Here at work we installed the patch on over 850 servers in one night just to make sure we didn't get hit. Plus our firewall will block the inbound packets anyway, but better safe than sorry.

hal4000, posted August 12, 2003:

A firewall won't stop this worm. I just got to do some side jobs fixin the church's PCs; they're all firewalled and behind a router and still they all got it right away, since a lot of people don't like to apply patches or are intimidated by them. All were just rebooting nonstop. :nuts: So anyone reading the post, please apply the patch or have someone you trust do it for you.

On a side question, why doesn't it affect Win 98 machines? I would like to get enlightened on that.

Voodoo411, posted August 12, 2003:

I got hit one week ago. At first I thought there was something wrong with .NET Framework, which I had just installed, but later I knew what it was. Windows firewall works fine to block it. MS patch was out.

rjohnstone, posted August 12, 2003:

A properly configured firewall will stop the virus from getting in.

Deny all unsolicited inbound requests on your firewall and, for the sake of this virus, add a block on ports 135 and 4444.

My firewall at home blocks everything except ports 80, 110 and 443. And traffic is only allowed to come in over those ports if the initial request for the traffic came as an outbound request. I'm running a combination of a Cisco router with ACLs and ZoneAlarm Pro. Basically, to the world, my server does not exist. My ISP only knows my server/router by MAC address as they let me set up my system that way.

Yes... you should patch regardless.
All it takes is one person's PC on the inside to get hit and your network is done.

EDIT:
As for the Win98 question, not sure exactly as I don't use it.
Since the hack is related to Distributed Com Components (DCom), which 95, 98 and ME don't come with, they wouldn't be vulnerable.

Enhanced, posted August 13, 2003:

For PCs infected by this worm, download this patch from Symantec: Click Here

Removal instructions here

OSXP

trueno92, posted August 13, 2003:

thanks for postin (Y) it was exactly what i was lookin for.

got hit with it at work "www.bradycorp.com" and our sap servers are down for the count.. wanted to get this goin at home now.