Topic: WINDOWS WORM WARNING!!!!
njclary
unregistered
posted
OOOOhhhhh - I got it. My puter's all wormy. I will try what you are advising, but I will probably need other help. This thing is all messed up, and I am having trouble staying on. I'll need to close for now. Talk at you sweet people later [I hope]
Joel
helpforhomeschoolers
Advanced Member
Member # 15
posted
This is a more concise note on the above post. Point is get the patch before you get the worm.
We wanted to make you aware of a new virus currently making its way around the Internet. MSBlast is an Internet worm that exploits a known vulnerability in Windows 2000, NT, and XP. This worm is NOT spread via email; instead, it scans the Internet looking for vulnerable computers. When it finds one, it will install a program called msblast.exe onto the computer. Once infected, the computer will begin replicating the worm and passing it on to others. If the worm fails to replicate, it may cause the computer to crash.
If your computer is running Windows 2000, NT or XP, please visit the Windows Update Web Site at http://windowsupdate.microsoft.com/ to protect your computer against this worm. Users of Windows 95, 98, or 3.11 are not at risk.
To read more about the MSBlast worm please visit the following news articles:
http://news.zdnet.co.uk/internet/0,39020369,39115645,00.htm
http://www.informationweek.com/story/showArticle.jhtml?articleID=13100032
To obtain a fix for the worm to install on an infected computer, please visit: www.symantec.com and download the W32.Blaster.Worm removal tool.
Posts: 4684 | From: Southern Black Hills of South Dakota | Registered: Jun 2002
helpforhomeschoolers
Advanced Member
Member # 15
posted
This is a warning for all Windows XP, Windows Me, and Windows NT users.
I have been all day battling a worm that infected my computer. This worm does not enter through email as most infections do. It enters through a port during internet connection.
It causes your computer to shut down... crash every time you open Windows; 60 seconds later, boom, you are down.
The worm enters through a Windows security breach. You can download a patch to prevent this at: download security patch from Microsoft
If you run Windows, MAKE SURE YOU HAVE INSTALLED THIS PATCH!!! DO IT BEFORE YOU GET THE WORM.
The patch will stop the worm from working, but it will not remove the worm from your system; you will have to use your virus software for the latest tool to remove it.
The worm is called:
W32.Blaster.Worm.
Also Known As: W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure], WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]
You can also remove it manually; here is how:
Important Notes:
W32.Blaster.Worm exploits the DCOM RPC vulnerability. This is described in Microsoft Security Bulletin MS03-026, and a patch is available there. You must download and install the patch. In many cases, you will need to do this before you can continue with the removal instructions. If you are not able to remove the infection or prevent re-infection using the following instructions, first download and install the patch.
Because of the way the worm works, it may be difficult to connect to the Internet to obtain the patch, definitions, or removal tool before the worm shuts down the computer. There are at least two known ways to work around this, although neither solution works 100% of the time.
If you run Windows XP, activating the Windows XP firewall may allow you to download and install the patch, obtain virus definitions, and run the removal tool. This may also work with other firewalls, although this has not been confirmed.
In many cases, on both Windows 2000 and XP, changing settings for the Remote Procedure Call (RPC) Service may allow you to connect to the Internet without the computer shutting down. Follow these steps:
Do one of the following:
Windows 2000: Right-click the My Computer icon on the Windows desktop and then click Manage. The Computer Management window opens.
Windows XP: Click the Start button, right-click the My Computer icon, click Manage. The Computer Management window opens.
In the left pane, double-click Services and Applications and then select Services. A list of services appears.
In the right pane, locate the Remote Procedure Call (RPC) service.
CAUTION: There is also a service named Remote Procedure Call (RPC) Locator. Do not confuse the two.
Right-click the Remote Procedure Call (RPC) service and click Properties.
Click the Recovery tab.
Using the drop-down lists, change First failure, Second failure, and Subsequent failures to "Restart the Service."
Click Apply and then OK.
--------------------------------------------------------------------------------
1. Disable System Restore (Windows XP).
2. Update the virus definitions.
3. End the Trojan process.
4. Run a full system scan and delete all the files detected as W32.Blaster.Worm.
5. Reverse the changes that the Trojan made to the registry.
For details on each of these steps, read the following instructions.
1. Disabling System Restore (Windows XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
For instructions on how to turn off System Restore, read your Windows documentation.
3. Ending the Worm process
To end the Trojan process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for msblast.exe.
If you find the file, click it, and then click End Process.
Exit the Task Manager.
4. Scanning for and deleting the infected files
Start your antivirus program and make sure that it is configured to scan all the files.
Run a full system scan.
If any files are detected as infected with W32.Blaster.Worm, click Delete.
5. Reversing the changes made to the registry
CAUTION: I recommend that you back up the registry before making any changes to it.
Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
Click Start, and then click Run. (The Run dialog box appears.) Type regedit
Then click OK. (The Registry Editor opens.)
Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
"windows auto update"="msblast.exe"
Exit the Registry Editor.
Posts: 4684 | From: Southern Black Hills of South Dakota | Registered: Jun 2002
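Added example, not part of the original posts: a Python check for the two indicators the manual removal steps above name, the msblast.exe process and the "windows auto update" value under the Run key, applied to a Registry Editor export and a list of process image names. The sample export and process list are constructed, and the function names are hypothetical.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WORM_VALUE = "windows auto update"   # Run value name given in the post
WORM_IMAGE = "msblast.exe"           # file/process name given in the post

# "name"="data" string values as written by a Registry Editor export
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg files escape backslashes and quotes with a leading backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg_export(text):
    """Return {lowercased key path: {value name: data}} for string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                current[_unescape(m.group(1))] = _unescape(m.group(2))
    return keys

def find_blaster_run_entries(reg_text):
    """Run-key values matching the worm's value name or image name."""
    run = parse_reg_export(reg_text).get(RUN_KEY.lower(), {})
    hits = []
    for name, data in run.items():
        # Compare only the file name, so a full path still matches
        image = data.rsplit("\\", 1)[-1].strip().lower()
        if name.lower() == WORM_VALUE or image == WORM_IMAGE:
            hits.append((name, data))
    return hits

def find_blaster_processes(image_names):
    """Process image names equal to msblast.exe, ignoring case."""
    return [n for n in image_names if n.strip().lower() == WORM_IMAGE]

# Constructed sample data, not taken from a real machine
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTPEnh.exe"
"windows auto update"="msblast.exe"
'''
SAMPLE_PROCS = ["System", "svchost.exe", "MSBLAST.EXE", "explorer.exe"]

if __name__ == "__main__":
    print("Run values to delete:", find_blaster_run_entries(SAMPLE_REG))
    print("Processes to end:", find_blaster_processes(SAMPLE_PROCS))
```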