[warning] New Virus That No Anti Virus Apps Detect


I believe that a new virus is out (trojan) for which McAfee and SARC have no data (and which they cannot yet detect).

It's called msblast.exe and resides in sys32. I renamed to .txt, opened it and found this inside:

I just

waníÿÿÿto say LOVE YOU SAN!! billý·mûgates&

Search & Destroy all lines with "msblast" in your pc and registry.

PS: My computer gave a message "RPC Service has failed, pc will reboot in 45 seconds" and when I found the file and was trying to submit it to the SARC, the hacker tried to stop me again... check screenshot:

I did eventually submit though

Heads up

thumb-5252.jpg

Link to comment

Here is what it does...

It puts a reg entry on your system

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

MSBLAST.EXE

It then makes an illegal call to the RPC service which causes your PC to reboot over and over again.

Just remove the reg entry and delete the file from your system32 directory.

Then apply the MS03-026 patch to your PC.

All done.

Fortunately it's just an annoying worm and not a destructive one.

Edit: McAfee and Norton now have updates to detect and clean the file.

Link to comment

Hi,

I got hit with the little sucker at 9:54am local time this morning.

At first I thought it was some hacker kiddies I had pissed off, but after reading this I realized it was a Worm: http://www.europe.f-secure.com/v-descs/msblast.shtml

As others have said, simply deleting MSBlast.exe and its associated Reg entry takes care of the problem.

I would suggest that anyone running a firewall also block ports 135, 139 and 445.

Here's some good and free for home use firewall software: http://www.kerio.com/kpf_home.html

@dav: Don't worry, it will find you. ;)

Bling,

Grusic

Link to comment

Ok, you guys are going to be in for some fun - removing msblast.exe isn't going to always solve all of your problems - it creates a shell in port 4444 and starts downloading secondary .exe's to help replicate and spread itself. I deleted msblast.exe Friday night, edited the registry and woke up to over 300 copies of it throughout my system this morning!

Update Windows and get your viruscan updates. Scan EVERYTHING you have. Then, if it's gone, you should be ok. What a nasty little bugger.

Link to comment

here's some other hacker/virus news.

recently, a hacker installed a worm on my computer (still don't know how he did it) that installed pc anywhere and allowed him to use it for my computer. i have 2 partitions on my drive: SuSE linux 8.2 and Windows XP

naturally, windows started getting all f***ed up, this guy was using my internet connection to host the movie Men In Black II. i rebooted, switched over to my suse OS and reformatted the part of the drive he was using (he actually made a whole new partition!). then i used the pc anywhere he so recently installed and promptly nuked his hard drive (completely destroyed it, rendering it unusable, even if they reformat, which isn't possible) so it turns out he was the one who lost.

Link to comment

I've just been and fixed this one. It really is a nasty piece of work... Because it's relatively new it was a bugger to find any info on it (was before this thread started). There is good info on the Microsoft TechNet forums. Symantec have released updates to deal with it now, get a firewall and it shouldn't affect you apparently.. Bloody viruses. :rant:

EDIT:

My symptoms were Generic host processes crashing as in three drives' screenshot. Then a window like the one attached except that the timer starts at 59 seconds. Hope this pic helps someone.

Link to comment

I encountered this worm this morning at about 0500 hrs (GMT +8 hrs). I had a few reboots and what I did to stop it is:

1. turn off my cable modem.

2. Remove windows update from running through registry and system.

After that, my pc was fine and stopped rebooting. I was tempted to reformat and thought windows was having problems. Little did I know it was a worm until after reading this.

Did a search and found 2 results.

1. Msblast.exe

2. MSBLAST.EXE-09FF84F2.pf

To anyone having this problem, switch off your modem and start doing some 'search N Destroy'. :)

Link to comment

Yea this little mofo scared me yesterday in the morning. I was fixing my aunt's computer (reformatting hard drive for win xp). It rebooted on me a few times then I did what Rain said (it only happened when there was an active internet connection). Took it out of the registry and used my handy dandy Norton and went worm huntin :who's your daddy: Now I'm back to playin my CS :joystick:

Link to comment

Hey guys.

Just HOW do you get a virus? I've never managed to get one on my PC. Ever.

As any serious/smart user should know, you NEED a firewall if you're going online.

NOT having a firewall is (imo) equal to walking around in Central Park and leaving a trail of money behind you. You're gonna get robbed. So do yourself a favor - and install a firewall. ZoneAlarm does the trick just fine. It doesn't allow the Blaster.exe or any other virus to connect to ANY site, unless you allow it to. So you're pretty safe.

You can DL the free version from here:

Zonealarm

Well, just my 2 cents.

PS. No, I don't work @ Zonelabs. I just think it's an easy-to-use-yet-powerful firewall.

Link to comment

I never got hit with it, but a lot of the guys I work with did.

All I can say is.... FIREWALL... get one.

My firewall and router logs were full of blocked attempts.

But then again, I installed the patch when it came out.

Here at work we installed the patch on over 850 servers in one night just to make sure we didn't get hit. Plus our firewall will block the inbound packets anyway, but better safe than sorry.

Link to comment

A firewall won't stop this worm. I just got to do some side jobs fixing the church's PCs. They're all firewalled and behind a router, and still they all got it right away, since a lot of people don't like to apply patches or are intimidated by them. :rolleyes:

All were just rebooting nonstop. :nuts:

So anyone reading the post, please apply the patch or have someone you trust do it for you.

On a side question, why doesn't it affect Win 98 machines? I would like to get enlightened on that. :D

Link to comment

A properly configured firewall will stop the virus from getting in.

Deny all unsolicited inbound requests on your firewall and for the sake of this virus, add a block on ports 135 and 4444.

My firewall at home blocks everything except ports 80, 110 and 443. And traffic is only allowed to come in over those ports if the initial request for the traffic came as an outbound request. I'm running a combination of a Cisco router with ACLs and ZoneAlarm Pro. Basically, to the world, my server does not exist. My ISP only knows my server/router by MAC address as they let me set up my system that way.

Yes... you should patch regardless.

All it takes is one person's PC on the inside to get hit and your network is done.

EDIT: As for the Win98 question, not sure exactly as I don't use it.

Since the hack is related to Distributed Com Components (DCom), which 95, 98 and ME don't come with, they wouldn't be vulnerable.

Link to comment
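The firewall advice in the replies above (deny unsolicited inbound traffic, watch ports 135 and 4444, and assume one infected inside PC will hit the rest) can be checked against firewall logs. The following is an added example, not code from any poster in this thread; the log format, the LAN range, the sample lines and the fan-out threshold are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Ports taken from the thread: 135/139/445 (RPC and the suggested blocks), 4444 (the worm's shell).
RPC_PORTS = {135, 139, 445}
SHELL_PORT = 4444

# Assumed log format, invented for this example:
#   <time> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>
LINE_RE = re.compile(r"^\S+ (ALLOW|DENY) TCP ([\d.]+):\d+ -> ([\d.]+):(\d+)$")

# Constructed sample; external addresses are from documentation ranges.
SAMPLE_LOG = """\
09:54:01 DENY TCP 203.0.113.7:3122 -> 192.168.1.10:135
09:54:02 ALLOW TCP 203.0.113.7:3123 -> 192.168.1.20:135
09:54:05 ALLOW TCP 203.0.113.7:3124 -> 192.168.1.20:4444
09:55:10 ALLOW TCP 192.168.1.20:1045 -> 192.168.1.21:135
09:55:11 ALLOW TCP 192.168.1.20:1046 -> 192.168.1.22:135
09:55:12 DENY TCP 192.168.1.20:1047 -> 198.51.100.9:135
09:56:00 ALLOW TCP 192.168.1.10:1050 -> 198.51.100.80:80
this line is malformed and is skipped
"""


def triage(log_text, lan="192.168.1.0/24", fanout=3):
    """Return LAN hosts that look exposed to, or are spreading, the worm."""
    net = ipaddress.ip_network(lan)
    exposed = defaultdict(set)      # LAN host -> worm ports reachable from outside
    rpc_targets = defaultdict(set)  # LAN host -> distinct hosts it contacted on RPC ports
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        action, src, dst, dport = m[1], m[2], m[3], int(m[4])
        try:
            src_in = ipaddress.ip_address(src) in net
            dst_in = ipaddress.ip_address(dst) in net
        except ValueError:
            continue  # looks like an address but is not a valid one
        if dport not in RPC_PORTS and dport != SHELL_PORT:
            continue
        # Unsolicited inbound traffic that the firewall let through.
        if dst_in and not src_in and action == "ALLOW":
            exposed[dst].add(dport)
        # Attempts count even when denied: the host is trying to spread.
        if src_in and dport in RPC_PORTS:
            rpc_targets[src].add(dst)
    spreading = sorted(h for h, t in rpc_targets.items() if len(t) >= fanout)
    return {"exposed": {h: sorted(p) for h, p in exposed.items()},
            "spreading": spreading}
```

A host listed under `exposed` shows the firewall rule is missing; a host listed under `spreading` should be unplugged, cleaned and patched with MS03-026 before it goes back on the network.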
