Re: bw 1356
Shilo, do you have the tool for removal? If not, maybe this will help. Sorry, but I don't think IBM will let me share software. Anyway, here is some general info, and about halfway down are some instructions for manual removal if you don't have the Symantec or McAfee removal software (Disclaimer: use at your own risk. The instructions, if not followed carefully, could result in lost files/data or corrupted files). GOOD LUCK! I hate this Virus Hacker BS.
Web page last updated: 8/14/03 4PM (EST)
This threat exploits the MS03-026 vulnerability. The purpose of the virus is to spread to as many machines as possible. By exploiting an unpatched hole in Windows, the virus is able to execute without requiring any action on the part of the user.
You must IMMEDIATELY take the following actions to protect your workstation (if you have already done so, thank you):
1. Remove the W32.Blaster.Worm, if detected, using the Symantec removal tool or use the McAfee removal tool
2. Upgrade your Windows service pack, if necessary, and download the MS03-026 patch from ISSI
NOTE: Do not update to SP4 at this time, SP3 is preferred.
3. Open Norton AntiVirus and run LiveUpdate
For instructions, go to the IT Security Portal
Having problems? See our FAQs
Name of the Virus: W32/Lovsan.worm, msblast.exe, tftp, W32.Blaster.Worm (Symantec), Win32.Poza (CA), WORM_MSBLAST.A (Trend)
A Removal tool is available from Symantec.
A Removal tool is available from McAfee.
Take the following steps when running the fix tool:
1.) Remove the computer from the network by disconnecting the LAN cable.
2.) Run the fix tool.
3.) Boot up in Safe mode.
4.) Run the fix tool again.
NOTE: When it completes, the removal tool will ask you if you want to open a URL with patch information. Select "No" and instead obtain the patch through the ISSI as instructed below.
If the day of the month is 16 or later, or the month is between September and December, the worm creates a working thread to send random data to windowsupdate.com almost continuously. 40-byte packets are sent at 20-millisecond intervals to port 80. This might cause a Distributed Denial-of-Service attack on that website.
Are Definitions Available: YES
Detection is available through: LiveUpdate
Detected using virus definitions dated: 8-11-03 (LiveUpdate)
If you have been in contact with this worm contact the Virus CERT right away: XXXXXXXXXX.
Operating Systems Affected:
When run, it scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability on the found systems to create a remote shell on TCP port 4444, and then pass a TFTP command to download the worm to the %WinDir%\system32 directory and execute it.
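The propagation chain just described (TCP/135 exploit, remote shell on TCP/4444, then a TFTP pull back from the victim to the attacker) leaves a recognizable pattern in flow or firewall logs. The following is an added example, not part of the advisory or of any vendor tool: the flow records, IP addresses and the scan threshold are constructed for illustration, and a real deployment would read flows from a NetFlow or firewall export instead.

```python
"""Flag hosts showing the Blaster propagation chain in flow records.

Added example, not part of the original advisory. Flow records are
constructed here as (timestamp, src, dst, proto, dport) tuples.
"""
from collections import defaultdict

# Constructed sample flows: 10.0.0.5 sweeps TCP/135, gets a shell on
# 10.0.0.9:4444, and 10.0.0.9 then pulls the worm back over TFTP (UDP/69).
# The last two rows are a lone TFTP transfer with no 135/4444 prelude.
SAMPLE_FLOWS = [
    (1, "10.0.0.5", "10.0.0.7", "tcp", 135),
    (1, "10.0.0.5", "10.0.0.8", "tcp", 135),
    (1, "10.0.0.5", "10.0.0.9", "tcp", 135),
    (1, "10.0.0.5", "10.0.0.10", "tcp", 135),
    (2, "10.0.0.5", "10.0.0.9", "tcp", 4444),
    (3, "10.0.0.9", "10.0.0.5", "udp", 69),
    (4, "10.0.0.20", "10.0.0.21", "tcp", 80),
    (5, "10.0.0.21", "10.0.0.20", "udp", 69),
]

# Assumed threshold: distinct TCP/135 targets before a source counts as a scanner.
SCAN_THRESHOLD = 3


def find_rpc_scanners(flows, threshold=SCAN_THRESHOLD):
    """Sources that touched TCP/135 on at least `threshold` distinct hosts."""
    targets = defaultdict(set)
    for _ts, src, dst, proto, dport in flows:
        if proto == "tcp" and dport == 135:
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= threshold}


def find_infection_chains(flows):
    """Return (attacker, victim) pairs where the full chain appears in order:
    attacker->victim:135/tcp, attacker->victim:4444/tcp, victim->attacker:69/udp."""
    first_seen = {}  # earliest timestamp per (src, dst, proto, dport)
    for ts, src, dst, proto, dport in flows:
        key = (src, dst, proto, dport)
        if key not in first_seen or ts < first_seen[key]:
            first_seen[key] = ts

    chains = set()
    for (src, dst, proto, dport), t_shell in first_seen.items():
        if proto != "tcp" or dport != 4444:
            continue
        t_rpc = first_seen.get((src, dst, "tcp", 135))
        t_tftp = first_seen.get((dst, src, "udp", 69))
        if t_rpc is not None and t_tftp is not None and t_rpc <= t_shell <= t_tftp:
            chains.add((src, dst))
    return chains


if __name__ == "__main__":
    print("scanners:", find_rpc_scanners(SAMPLE_FLOWS))
    print("infection chains:", find_infection_chains(SAMPLE_FLOWS))
```

The scanner check alone produces noise from legitimate RPC clients and vulnerability scanners; the ordered 135/4444/69 chain is the high-confidence signal, and the attacker in such a pair is itself an infected host that should be pulled off the LAN.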
Indications of Infection
- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
- Error messages about the RPC service failing (causes system to reboot)
- The worm randomly opens 20 sequential TCP ports for listening. This is a constantly revolving range (i.e., 2500-2520, 2501-2521, 2502-2522). The purpose of this action is unknown
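The host-side indicators above (msblast.exe in system32, TFTP temp files, a TCP/4444 listener, a block of 20 consecutive listening ports, and the Run-key value) can be checked mechanically from a netstat dump, a directory listing and the Run key's values. The following is an added example, not from the advisory or any Symantec/McAfee tool: all inputs are constructed snapshots so the check runs offline, and `ddos_window` encodes the trigger condition for the windowsupdate.com flood (day 16 or later, or September through December) so you can tell whether an infected machine is already flooding.

```python
"""Check a workstation snapshot for the W32.Blaster indicators.

Added example, not part of the original advisory. The netstat output,
directory listing and Run-key values below are constructed; on a live
host you would feed in the output of `netstat -an`, `dir %WinDir%\\system32`
and the values under the Run key instead.
"""
import re
from datetime import date

# Constructed `netstat -an` snapshot: RPC, the worm's shell listener,
# a revolving block of 20 ports, an outbound scan attempt and a UDP line.
NETSTAT_SAMPLE = "\n".join(
    ["  Proto  Local Address          Foreign Address        State",
     "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
     "  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING"]
    + [f"  TCP    0.0.0.0:{p}           0.0.0.0:0              LISTENING"
       for p in range(2500, 2520)]
    + ["  TCP    192.168.1.10:1056      10.1.2.3:135           SYN_SENT",
       "  UDP    0.0.0.0:69             *:*"]
)
# Constructed system32 listing and Run-key values.
DIR_SAMPLE = ["kernel32.dll", "msblast.exe", "TFTP2924", "notepad.exe"]
RUN_KEY_SAMPLE = {"windows auto update": "msblast.exe",
                  "SomeAgent": r"C:\Program Files\agent\agent.exe"}


def listening_ports(netstat_text):
    """TCP ports in LISTENING state from a `netstat -an` dump."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def sequential_block(ports, width=20):
    """Start of the first run of `width` consecutive listening ports, else None."""
    for p in sorted(ports):
        if all(p + i in ports for i in range(width)):
            return p
    return None


def check_host(netstat_text, dir_listing, run_values):
    """Return a list of human-readable findings; empty means no indicator hit."""
    findings = []
    names = {f.lower() for f in dir_listing}
    if "msblast.exe" in names:
        findings.append("msblast.exe present in system32")
    tftp_files = [f for f in dir_listing if f.upper().startswith("TFTP")]
    if tftp_files:
        findings.append(f"TFTP temp files: {tftp_files}")
    ports = listening_ports(netstat_text)
    if 4444 in ports:
        findings.append("remote shell listener on TCP 4444")
    start = sequential_block(ports)
    if start is not None:
        findings.append(f"20 sequential listening ports starting at {start}")
    for name, value in run_values.items():
        if "msblast" in value.lower():
            findings.append(f'Run value "{name}"="{value}"')
    return findings


def ddos_window(d):
    """True when Blaster's windowsupdate.com flood is active on date `d`."""
    return d.day >= 16 or d.month >= 9


if __name__ == "__main__":
    for f in check_host(NETSTAT_SAMPLE, DIR_SAMPLE, RUN_KEY_SAMPLE):
        print("FOUND:", f)
    print("flooding today:", ddos_window(date.today()))
```

A clean machine returns an empty list; any single finding is enough to disconnect the LAN cable before anything else, since the worm keeps scanning while it runs.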
Removal Instructions: A Removal tool is available from Symantec.
As an alternative to using the removal tool, you can manually remove this threat.
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
Important Note: W32.Blaster.Worm exploits the DCOM RPC vulnerability. This is described in Microsoft Security Bulletin MS03-026, and a patch is available there. You must download and install the patch. In many cases, you will need to do this before you can continue with the removal instructions. If you are not able to remove the infection or prevent re-infection using the following instructions, first download and install the patch.
Disable System Restore (Windows Me/XP).
Update the virus definitions.
Do one of the following:
Windows 95/98/Me: Restart the computer in Safe mode.
Windows NT/2000/XP: End the worm process.
Run a full system scan and delete all the files detected as W32.Blaster.Worm.
Reverse the changes that the worm made to the registry.
For details on each of these steps, read the following instructions.
1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.
2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).
The Intelligent Updater virus definitions are available. Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.
3. Restarting the computer in Safe mode or ending the worm process
Restart the computer in Safe mode. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions on starting in Safe mode, read your Windows documentation.
To end the worm process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for msblast.exe.
If you find the file, click it, and then click End Process.
Exit the Task Manager.
4. Scanning for and deleting the infected files
Start your Symantec antivirus program and make sure that it is configured to scan all the files.
Run a full system scan.
If any files are detected as infected with W32.Blaster.Worm, click Delete.
5. Reversing the changes made to the registry
CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only.
Click Start, and then click Run. (The Run dialog box appears.)
Type regedit, and then click OK. (The Registry Editor opens.)
Navigate to the key:
In the right pane, delete the value:
"windows auto update"="msblast.exe"
Exit the Registry Editor.