Solved

Worm Blast Virus removal from XP variant strain

Posted on 2003-11-18
Last Modified: 2013-12-04
I cannot get rid of a worm which is causing the PC to shut down without notice or is giving an RPC shutdown message. I have tried to cleanse using Worm Blast and Lovsan software with no luck. I have been advised that it may be a variant.
I notice that the virus is trying to read out of my floppy as the light keeps flashing intermittently. I have tried scanning with Norton and I cannot get to the end of my scan. Therefore I can't get a note of what is causing it. It does state that files have been infected though. I have Windows XP.

Any suggestions?
Question by:sstirrat
9 Comments
 

Accepted Solution

by:
sunray_2003 earned 32 total points
Dear sstirrat,

Have you used the MS Blaster worm removal tool?

If not, use it and check if that would solve the issue.

Thanks,
Sunray

Assisted Solution

by:Popeyediceclay
Popeyediceclay earned 31 total points
When it tries to shut your computer down automatically, send this command to the Run prompt:
shutdown /a (it should be in the system path)
That should stop it from shutting down (you might need to be at the command prompt).
That should help by giving you time to install the patch.
Also, check for a folder in C:\WINNT\System32 called "wins"; if it's there, it's probably the Welchia

Assisted Solution

by:nader alkahtani
nader alkahtani earned 31 total points

Assisted Solution

by:Pete Long
Pete Long earned 31 total points
"svchost.exe" errors with RPC messages and reboots

OR

"NT Authority...shut down in 1 min"

Sounds like you've got the "Blaster Worm"
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html


This is the hole it exploits
Your computer is being accessed. Download the MS03-026 patch from Microsoft.
http://www.microsoft.com/security/security_bulletins/ms03-026.asp

Fixes Available here
http://support.microsoft.com/?kbid=823980

More Links
http://www.cert.org/advisories/CA-2003-19.html

Automatically Remove the Virus with

http://www.sophos.com/misc/blastsfx.exe

Download and run it, it will create a directory called SOPHTEMP

From Command line type

C:\SOPHTEMP\RESOLVE.COM -DF=BLASTERA.DAT -NOC

How do I remove W32/Blaster-A manually?
To remove W32/Blaster-A manually on Windows 95/98/Me and Windows NT/2000/XP:

ensure you have installed Microsoft patch MS03-026 and implemented as many of the steps mentioned above as is feasible.
press Ctrl+Alt+Del
in Windows NT/2000/XP click Task Manager and select the Processes tab
look for a process named msblast.exe in the list
click the process to highlight it
click the 'End Process' (in Windows 95/98/Me 'End Task') button
close Task Manager.
Search for the file msblast.exe in the Windows system folder (usually a subfolder of Windows or WINNT) and delete it.

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. If in doubt, contact your network administrator. Incorrect editing of the Windows Registry can cause system failure.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

in the righthand pane select

windows auto update = msblast.exe

and delete it if it exists.
Close the registry editor.
You should reboot your computer and repeat the above process to ensure all traces of the worm have been removed from your system.


Which systems are affected?
Windows 95/98/Me and Windows NT/2000/XP are potentially affected
Apple-based workstations, Unix and other platforms (including PDAs and games consoles) cannot be infected with W32/Blaster-A
If a W32/Blaster-A file is found on a computer, it has been dropped there by an infected computer, or it has been executed locally.



How did my computer become infected?
W32/Blaster-A scans the internet and local networks looking for computers vulnerable to Microsoft's DCOM RPC security exploit. When it finds one it causes the remote computer to use TFTP to download a copy of the worm. This is saved as msblast.exe in the Windows system folder and the registry on that computer is changed so that the worm will be run when the computer restarts.

My computer is continuously rebooting, how can I download RESOLVE?
Often when a computer is infected with W32/Blaster-A it restarts every few minutes, usually with a message similar to "Windows must now restart because the Remote Procedure Call (RPC) Terminated Unexpectedly". This prevents the required patches and files from being downloaded.

On Windows XP you may be able to prevent the computer from rebooting by turning on the inbuilt firewall.

To do this:

go to Network Connections
click on your internet connection (LAN or dial-up)
on the lefthand window click 'Change settings of this connection'
click Advanced
click 'Protect my computer.....'
you will probably then be able to download the files you need.
Where possible, download the RESOLVE W32/Blaster-A self-extractor on another computer. Save it to floppy disk and run the self-extractor on the affected computer.

If you cannot download on another computer, disable Distributed COM to prevent this rebooting.

Windows XP

Select Start|Run and type
dcomcnfg.exe.
Select Console Root|Component services.
Open the Computers subfolder.
Right-click on My Computer|Properties.
Click the Default Properties tab.
Deselect 'Enable distributed COM', click Apply then click OK.
Restart the computer.
Set the options back to normal after applying relevant patches

Windows NT/2000

Select Start|Run and type
dcomcnfg.exe.
Select the Default Properties tab.
Deselect 'Enable distributed COM on this computer', click Apply then click OK.
Restart the computer.
Set the options back to normal after applying relevant patches

From http://www.sophos.com/support/disinfection/blastera.html

Expert Comment

by:Pete Long
Virus Checking

If you can't get the PC to boot you will need to scan from DOS
http://www.europe.f-secure.com/download-purchase/tools.shtml



Online (Free) Virus Checking can be done at

SYMANTEC (You must have ActiveX enabled on your browser for it to work!)
http://security.symantec.com/ssc/vc_scan.asp?j=1&langid=ie&venid=sym&plfid=23&pkj=ROSUPWFYJOKMFIDPMSV

Trend Micro (Housecall)
http://housecall.trendmicro.com/

But You really Need some good quality Anti Virus Installed!

FreeWare

AntiDote Lite http://www.vintage-solutions.com/English/Antivirus/Super/index.html
Avast http://www.avast.com/
F-Prot http://www.f-prot.com/products/
V-Catch http://www.vcatch.com/download.html

The BIG Boys in AV

McAfee
http://www.mcafee.com/default.asp

Symantec (or the firm formerly known as Norton)
http://www.symantec.com

Sophos (This Protects My Corporate Network)
http://www.sophos.com/

Command
http://www.commandsoftware.com/

Expert Comment

by:Popeyediceclay
If it's a Welchia variant, look for 2 processes in the Task Manager:
DLLHOST.EXE
SVCHOST.EXE (both in caps)
use kill.exe (from command line) to stop them and delete the exe's in the wins folder I mentioned earlier

kill.exe comes with the win2k resource kit, free download
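
The indicators named in this thread (the msblast.exe process and file, the "windows auto update" Run value, and DLLHOST.EXE / SVCHOST.EXE inside the System32 "wins" folder) gathered into one read-only check. This is an added example, not part of any poster's reply; it assumes PowerShell is available on the machine, and the function name Get-WormIndicator is hypothetical.

```powershell
# Added example (not from the thread): read-only check for the Blaster and
# Welchia indicators named in the posts above. Nothing is killed or deleted.
function Get-WormIndicator {   # hypothetical helper name
    $sysDir  = Join-Path $env:SystemRoot 'System32'
    $winsDir = Join-Path $sysDir 'wins'
    $runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $hits    = @()

    # Blaster: msblast.exe running, or dropped in the Windows system folder
    if (Get-Process -Name 'msblast' -ErrorAction SilentlyContinue) {
        $hits += 'Blaster: process msblast.exe is running'
    }
    $dropped = Join-Path $sysDir 'msblast.exe'
    if (Test-Path -LiteralPath $dropped) { $hits += "Blaster: file $dropped exists" }

    # Blaster: Run value "windows auto update" = msblast.exe
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -eq 'windows auto update' -or "$($p.Value)" -match 'msblast\.exe') {
                $hits += "Blaster: Run value '$($p.Name)' = '$($p.Value)'"
            }
        }
    }

    # Welchia: DLLHOST.EXE / SVCHOST.EXE inside System32\wins. Legitimate copies
    # of both live directly in System32, so match on the path, not the name.
    foreach ($name in 'dllhost.exe', 'svchost.exe') {
        $f = Join-Path $winsDir $name
        if (Test-Path -LiteralPath $f) { $hits += "Welchia: file $f exists" }
    }
    $prefix = $winsDir + '\'
    $procs  = Get-Process -Name 'dllhost', 'svchost' -ErrorAction SilentlyContinue
    foreach ($proc in $procs) {
        # Path can be empty for processes the current user cannot inspect
        if ($proc.Path -and $proc.Path.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            $hits += "Welchia: process $($proc.Id) runs from $($proc.Path)"
        }
    }
    return $hits
}

$found = Get-WormIndicator
if ($found) { $found | ForEach-Object { Write-Output "[!] $_" } }
else        { Write-Output 'No Blaster/Welchia indicators from this thread found.' }
```

Run it from an administrator prompt so the process paths are readable; a clean result covers only the indicators listed in this thread, not other variants.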

Expert Comment

by:Pete Long
Hello, this question has been open a while; please take the time to come back and clean it up.

Closing Questions
http://www.experts-exchange.com/help.jsp#hs5


Best Wishes

Pete
www.petenetlive.com