VIRUS NAME: W32.Blaster.Worm (Symantec), W32.Lovesan.Worm (McAfee)
Threat level: CRITICAL

SpRoNKeY's Portal advises ALL users to take IMMEDIATE ACTION.

Warning to all Windows NT/2000/XP users of SpRoNKeY's Portal - a serious virus is spreading EXTREMELY quickly, exploiting a hole in Microsoft's NT-based operating systems (that's all Windows XP, Windows 2000, Windows NT 4) in the RPC (remote procedure call) protocol used for remote control communications.

The W32.Blaster.Worm spreads by sniffing IP addresses for holes in the RPC protocol, then executing the code on the remote computer, installing the program there as well, which starts sniffing for IP addresses itself. The payload of the virus is designed to fire on Saturday 16th, launching a DoS (Denial of Service) attack at Microsoft's servers.

Threat level is considered CRITICAL

Prevention:
SpRoNKeY's Portal has discovered that running a stealth firewall will most likely halt, or in our case stop, infection. We recommend downloading ZONE ALARM personal firewall IMMEDIATELY from www.zonelabs.com.

Symptoms of infection:
- Random system restarts while surfing / connected to the internet
- Error message about RPC service failing (causes system to restart)
- Presence of TFTP* files
- msblast.exe in System32\ directory
- Worm opens sequence of 20 random ports for listening. This is a constant revolving range.

SpRoNKeY's Portal System Prevention Steps:
1) Search your C:\Windows\System32\ (or C:\WINNT\System32\) directory for the file msblast.exe and, if found, proceed directly to the removal instructions.
2) If you have XP or .net Server 2003, turn on Internet Connection Firewall in the properties for your internet connection (found in "View Network Connections"), or alternatively, if you don't have XP or 2003, download, install and run Zone Alarm (or a similar firewall product) immediately.
3) Head over to Microsoft's Windows Update website to download the fix (Security Bulletin MS03-026) for the problem for your specific OS to secure your computer.
4) I personally recommend that you continue to use some sort of stealth firewall - Zone Alarm is probably the best, and it's highly configurable and allows you to host servers. Windows XP's ICF isn't quite as good, and I would recommend downloading ZA and using that instead.
5) If you have a recent virus scanner, update it to the latest Virus Definition files (www.symantec.com, www.mcafee.com, www.trend-micro.com might help).
6) Restart your computer.
7) Once restarted, search your hard drives again for msblast.exe. Hopefully you won't find anything, in which case you're fine; otherwise go to the removal instructions.
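
The file checks from the symptom list and from the search steps above can be scripted. The following is an added example, not part of the original advisory: it walks a directory tree (a System32 folder or a whole drive) for the two file-name symptoms, matching case-insensitively. The function names, the exclusion of the stock tftp.exe client and the sample file names are assumptions made for this illustration.

```python
import fnmatch
import os
import tempfile

# File-name indicators from the symptom list above, compared in lower case
# because Windows file names are case-insensitive.
INDICATORS = ("msblast.exe", "tftp*")
# tftp.exe is the TFTP client that ships with Windows in System32; matching
# it under "TFTP*" would be a false positive, so it is excluded (assumption).
KNOWN_GOOD = {"tftp.exe"}


def find_indicators(root):
    """Return sorted (pattern, path) pairs for files under root that match."""
    hits = []
    # os.walk skips directories it cannot read instead of raising.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lowered = name.lower()
            if lowered in KNOWN_GOOD:
                continue
            for pattern in INDICATORS:
                if fnmatch.fnmatchcase(lowered, pattern):
                    hits.append((pattern, os.path.join(dirpath, name)))
                    break
    return sorted(hits)


def demo():
    """Run the check over a constructed System32 tree with two planted hits."""
    names = ("MSBLAST.EXE", "TFTP1234", "tftp.exe", "notepad.exe",
             "msblast.exe.txt")
    with tempfile.TemporaryDirectory() as base:
        sys32 = os.path.join(base, "WINNT", "System32")
        os.makedirs(sys32)
        for name in names:
            with open(os.path.join(sys32, name), "wb") as fh:
                fh.write(b"constructed sample file")
        return [(pat, os.path.basename(p)) for pat, p in find_indicators(base)]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. a System32 directory or a mounted drive
        for pattern, path in find_indicators(sys.argv[1]):
            print(f"FOUND ({pattern}): {path}")
    else:
        print(demo())
```

This matches on file names only, so a hit is a reason to follow the removal instructions, and an empty result does not replace the patch and firewall steps.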

Removal Instructions:

NOTICE!! Tests on this virus have concluded that some users will not be able to download a firewall before their computer is forced to restart. You can ABORT the shutdown procedure by clicking Start | Run, then opening "cmd", and running the command: shutdown -a

1) Before doing anything, run Task Manager (Ctrl + Shift + Esc), go to the Processes tab and look for msblast.exe. If you find it, end it.
2) Download, install and run Zone Alarm personal firewall as fast as you can from the following link: http://download.zonelabs.com/bin/free/1001_cnet_zdnet/zaSetup_37_202.exe
3) Head over to one of the two following pages to download (but not run yet!!) the standalone fix for the virus:
- Symantec (Norton) Virus Info & Removal
- McAfee Virus Info & Removal
- Trend-Micro (PC-Cillin) Removal Tool (from Xtra help page)
4) If System Restore is on, temporarily disable it on all drives.
5) Run the fix program you have downloaded, wait for it to finish and tell you it was successful.
6) Reboot your system, then proceed to the System Prevention Steps section.

- Good luck to all, hope you remain safe from this nasty virus.