bw 1356 - Off-Road Forums & Discussion Groups
Ford 67-96 F-Series, 78-96 Bronco All discussions of 67-96 F-Series Trucks and 78-96 Broncos

LinkBack Thread Tools Display Modes
post #1 of (permalink) Old 08-15-2003, 11:10 AM
Posts: n/a
bw 1356

Has anyone rebuilt a bw 1356 transfer case? 88 bronco 302, push button 4wd,Warn manual hubs. I have never been inside a transfer case. I believe I can do the rebuid myself for $200.00 or so. I can get a reman for $650.00 from a local place. Big concerns are special tools, machine shop work, since this drives the cost up. Usually projects like this cost me more and take more time than anticipated. Any info would be appreciated.
Sponsored Links
post #2 of (permalink) Old 08-15-2003, 12:41 PM
Posts: n/a
Re: bw 1356

I've only managed to repost some of my pics since Superford wiped them all. Here's a few that will get you started. I have more, *maybe* I'll get them posted this weekend if I can clean the Blast worm off my home computer
post #3 of (permalink) Old 08-15-2003, 01:16 PM
Join Date: Oct 2001
Posts: 2,508
Thanks: 0
Thanked 0 Times in 0 Posts
Re: bw 1356

Shilo, do you have the tool for removal? If not, maybe this will help. Sorry, but I don't think IBM will let me share software. Anyway here is some general info., and about half way down are some instructions for manual removal if you don't have the Symantec or McCafee removal software (Disclaimer, use at your own risk. The instructions, if not followed carefully, could result in lost files/data, or currupted files): GOOD LUCK! I hate this Virus Hacker BS [img]images/graemlins/cussing.gif[/img]


Web page last updated: 8/14/03 4PM (EST)

Important Notes:

This threat exploits the MS03-026 vulnerability. The purpose of the virus is to spread to as many machines as possible. By exploiting an unplugged hole in Windows, the virus is able to execute without requiring any action on the part of the user.

You must IMMEDIATELY take the following actions to protect your workstation (if you have already done so, thank you):

1. Remove the W32.Blaster.Worm, if detected, using the Symantec removal tool or use the McAfee removal tool

2. Upgrade your Windows service pack, if necessary, and download the MS 03-026 patch from ISSI

NOTE: Do not update to SP4 at this time, SP3 is preferred.

3. Open Norton AntiVirus and run LiveUpdate

For instructions, go to the IT Security Portal

Having problems? See our FAQs

Name of the Virus: W32/Lovsan.worm, msblast.exe, tftp, W32.Blaster.Worm (Symantec), Win32.Poza (CA), WORM_MSBLAST.A (Trend)
Removal Instructions:
A Removal tool is available from Symantec.

A Removal tool is available from McAfee.

Take the following steps before running the fix tool

Physical Networks
1.) Remove the computer from the network by disconnecting the LAN cable.
2.) Run the fix tool.

Wireless Networks
3.) Boot up in safe mode.
4.) Run the fix tool.

NOTE: When it completes, the removal tool will ask you if you want to open a URL with patch information. Select "No" and instead obtain the patch through the ISSI as instructed below.

If the date of the month is 16 and larger, or the month is between January and August, the worm creates a working thread to send random data to almost continuously. 40 byte packets are sent in 20 millisecond intervals to port 80. This might cause a Distributed Denial-of-Service attack on that website.

Are Definitions Available: YES
Detection is available through: Live Update
Detected using Virus Definitions dated:
LiveUpdate definitions dated: 8-11-03

If you have been in contact with this worm contact the Virus CERT right away: XXXXXXXXXX.

Operating Systems Affected:
Windows 2000
Windows XP
Windows ME
Windows NT

When run, it scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability on the found systems to create a remote shell on TCP port 4444, and then pass a TFTP command to download the worm to the %WinDir%\system32 directory and execute it.

Indications of Infection

- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
- Error messages about the RPC service failing (causes system to reboot)
- The worm randomly opens 20 sequential TCP ports for listening. This is a constantly revolving range (ie. 2500-2520, 2501-2521, 2502-2522). The purpose of this action is unknown

Removal Instructions: A Removal tool is available from Symantec.
Manual Removal
As an alternative to using the removal tool, you can manually remove this threat.

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

Important Note: W32.Blaster.Worm exploits the DCOM RPC vulnerability. This is described in Microsoft Security Bulletin MS03-026, and a patch is available there. You must download and install the patch. In many cases, you will need to do this before you can continue with the removal instructions. If you are not able to remove the infection or prevent re-infection using the following instructions, first download and install the patch.

Disable System Restore (Windows Me/XP).
Update the virus definitions.
Do one of the following:
Windows 95/98/Me: Restart the computer in Safe mode.
Windows NT/2000/XP: End the Trojan process.
Run a full system scan and delete all the files detected as W32.Blaster.Worm.
Reverse the changes that the Trojan made to the registry.

For details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.
2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Restarting the computer in Safe mode or ending the Worm process
Windows 95/98/Me
Restart the computer in Safe mode. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode.
Starting in safe mode.

Windows NT/2000/XP
To end the Trojan process:

Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for msblast.exe.
If you find the file, click it, and then click End Process.
Exit the Task Manager.

4. Scanning for and deleting the infected files
Start your Symantec antivirus program and make sure that it is configured to scan all the files.
Run a full system scan.
If any files are detected as infected with W32.Blaster.Worm, click Delete.

5. Reversing the changes made to the registry

CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only.

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run

In the right pane, delete the value:

"windows auto update"="msblast.exe"

Exit the Registry Editor.

TheJuice is offline  
Sponsored Links
post #4 of (permalink) Old 08-15-2003, 01:29 PM
Posts: n/a
Re: bw 1356

Thanks. nice visual reference. It is nice to see the thing only weighs 72.5 lbs. I pulled the NP 205 out of my 79, the thing must have weighed 200 lbs. It took three men and a stout boy to get it back in. Good luck getting rid of the worm.
post #5 of (permalink) Old 08-16-2003, 05:14 AM
Join Date: Dec 2001
Posts: 4,011
Thanks: 0
Thanked 0 Times in 0 Posts
Re: bw 1356

I'd throw a NP208 in there if I were to get a remanufactured/ used one. Of course that would mean getting the linkage too. The 208 has got the 205 beat for a lower ratio but the 205 as you described is a BEAST. [img]images/graemlins/smile.gif[/img] I dream of the 205/203 marriage myself.
BigNorm is offline  
post #6 of (permalink) Old 08-19-2003, 12:03 PM
Posts: n/a
Re: bw 1356

Got most of the pics back up:
Sponsored Links

Quick Reply

Register Now

In order to be able to post messages on the Off-Road Forums & Discussion Groups forums, you must first register.
Please enter your desired user name, your email address and other required details in the form below.

User Name:
Please enter a password for your user account. Note that passwords are case-sensitive.


Confirm Password:
Email Address
Please enter a valid email address for yourself.

Email Address:


Thread Tools
Show Printable Version Show Printable Version
Email this Page Email this Page
Display Modes
Linear Mode Linear Mode

Posting Rules  
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On

For the best viewing experience please update your browser to Google Chrome