
Worm Blast Virus removal from XP variant strain

Posted on 2003-11-18
Last Modified: 2013-12-04
I cannot get rid of a worm which is causing the PC to shut down without notice or is giving an RPC shutdown message. I have tried to cleanse using Worm Blast and Lovsan software with no luck. I have been advised that it may be a variant.
I notice that the virus is trying to read from my floppy, as the light keeps flashing intermittently. I have tried scanning with Norton and I cannot get to the end of my scan. Therefore I can't get a note of what is causing it. It does state that files have been infected, though. I have Windows XP.

Any suggestions?
Question by:sstirrat
Accepted Solution

by: sunray_2003 earned 32 total points
ID: 9772156
Dear sstirrat,

Have you used the MS Blaster worm removal tool?

If not, use it and check whether that solves the issue.

Thanks,
Sunray
Assisted Solution

by: Popeyediceclay earned 31 total points
ID: 9772389
When it tries to shut your computer down automatically, send this command to the Run prompt:
shutdown /a (it should be in the system path)
That should stop it from shutting down (you might need to be at the command prompt).
That should help by giving you time to install the patch.
Also, check for a folder in C:\WINNT\System32 called "wins"; if it's there, it's probably the Welchia.
Assisted Solution

by: nader alkahtani earned 31 total points
ID: 9772678
Assisted Solution

by: Pete Long earned 31 total points
ID: 9773015
"svchost.exe" errors with RPC messages and reboots

OR

"NT Authority... shut down in 1 min"

Sounds like you've got the "Blaster Worm"
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html


This is the hole it exploits
Your computer is being accessed. Download the MS03-026 patch from Microsoft.
http://www.microsoft.com/security/security_bulletins/ms03-026.asp

Fixes Available here
http://support.microsoft.com/?kbid=823980

More Links
http://www.cert.org/advisories/CA-2003-19.html

Automatically remove the virus with

http://www.sophos.com/misc/blastsfx.exe

Download and run it, it will create a directory called SOPHTEMP

From the command line type

C:\SOPHTEMP\RESOLVE.COM -DF=BLASTERA.DAT -NOC

How do I remove W32/Blaster-A manually?
To remove W32/Blaster-A manually on Windows 95/98/Me and Windows NT/2000/XP:

ensure you have installed Microsoft patch MS03-026 and implemented as many of the steps mentioned above as is feasible.
press Ctrl+Alt+Del
in Windows NT/2000/XP click Task Manager and select the Processes tab
look for a process named msblast.exe in the list
click the process to highlight it
click the 'End Process' (in Windows 95/98/Me 'End Task') button
close Task Manager.
Search for the file msblast.exe in the Windows system folder (usually a subfolder of Windows or WINNT) and delete it.

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. If in doubt, contact your network administrator. Incorrect editing of the Windows Registry can cause system failure.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

in the righthand pane select

windows auto update = msblast.exe

and delete it if it exists.
Close the registry editor.
You should reboot your computer and repeat the above process to ensure all traces of the worm have been removed from your system.


Which systems are affected?
Windows 95/98/Me and Windows NT/2000/XP are potentially affected
Apple-based workstations, Unix and other platforms (including PDAs and games consoles) cannot be infected with W32/Blaster-A
If a W32/Blaster-A file is found on a computer, it has been dropped there by an infected computer, or it has been executed locally.



How did my computer become infected?
W32/Blaster-A scans the internet and local networks looking for computers vulnerable to Microsoft's DCOM RPC security exploit. When it finds one it causes the remote computer to use TFTP to download a copy of the worm. This is saved as msblast.exe in the Windows system folder and the registry on that computer is changed so that the worm will be run when the computer restarts.

My computer is continuously rebooting, how can I download RESOLVE?
Often when a computer is infected with W32/Blaster-A it restarts every few minutes, usually with a message similar to "Windows must now restart because the Remote Procedure Call (RPC) Terminated Unexpectedly". This prevents the required patches and files from being downloaded.

On Windows XP you may be able to prevent the computer from rebooting by turning on the inbuilt firewall.

To do this:

go to Network Connections
click on your internet connection (LAN or dial-up)
on the lefthand window click 'Change settings of this connection'
click Advanced
click 'Protect my computer.....'
you will probably then be able to download the files you need.
Where possible, download the RESOLVE W32/Blaster-A self-extractor on another computer. Save it to floppy disk and run the self-extractor on the affected computer.

If you cannot download on another computer, disable Distributed COM to prevent this rebooting.

Windows XP

Select Start|Run and type
dcomcnfg.exe.
Select Console Root|Component services.
Open the Computers subfolder.
Right-click on My Computer|Properties.
Click the Default Properties tab.
Deselect 'Enable distributed COM', click Apply then click OK.
Restart the computer.
Set the options back to normal after applying relevant patches

Windows NT/2000

Select Start|Run and type
dcomcnfg.exe.
Select the Default Properties tab.
Deselect 'Enable distributed COM on this computer', click Apply then click OK.
Restart the computer.
Set the options back to normal after applying relevant patches

From http://www.sophos.com/support/disinfection/blastera.html
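The Sophos text quoted above describes how the worm spreads: one infected host sweeps the network for machines exposing the DCOM RPC service, and each newly exploited victim pulls msblast.exe back from the attacker over TFTP. That pattern is visible on the wire even when the infected PC keeps rebooting. The script below is an added example (not from the thread, Sophos or Microsoft) that runs that detection logic over constructed connection-log lines. It assumes the standard port assignments, RPC endpoint mapper on 135/tcp and TFTP on 69/udp, and a simplified "timestamp src dst proto dport" log format; all addresses are made up.

```python
"""Network-side check for the W32/Blaster propagation pattern: one host sweeping
many neighbours on TCP/135 (the DCOM RPC endpoint mapper that MS03-026 patches),
then a freshly exploited host pulling the worm back over TFTP.

Added example, not from the thread, Sophos or Microsoft. Port numbers are the
standard assignments (RPC endpoint mapper 135/tcp, TFTP 69/udp); the log format
and all addresses are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass

RPC_EPMAP_PORT = 135   # service the worm exploits
TFTP_PORT = 69         # victim downloads msblast.exe from the attacker


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_log(text):
    """Parse constructed 'timestamp src dst proto dport' lines, kept in time order."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(ts, src, dst, proto.lower(), int(dport)))
    return flows


def find_scanners(flows, min_targets=20):
    """Sources that touched TCP/135 on at least min_targets distinct hosts.

    A domain controller or management box also talks RPC to many hosts, so in
    practice the threshold is tuned and known infrastructure is allow-listed."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == RPC_EPMAP_PORT:
            targets[f.src].add(f.dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def find_tftp_pulls(flows, scanners):
    """(victim, attacker) pairs: a host probed on 135 by a scanner that later
    opened UDP/69 back to that same scanner, i.e. the TFTP download of the worm."""
    probed_by = defaultdict(set)
    pulls = set()
    for f in flows:                     # single pass keeps probe-before-pull ordering
        if f.proto == "tcp" and f.dport == RPC_EPMAP_PORT and f.src in scanners:
            probed_by[f.dst].add(f.src)
        elif f.proto == "udp" and f.dport == TFTP_PORT and f.dst in probed_by[f.src]:
            pulls.add((f.src, f.dst))
    return pulls


def analyze(log_text, min_targets=20):
    flows = parse_log(log_text)
    scanners = find_scanners(flows, min_targets)
    return {"scanners": scanners, "tftp_pulls": find_tftp_pulls(flows, scanners)}


def build_sample_log():
    """Constructed traffic: 10.0.0.5 sweeps 50 hosts on 135/tcp, 10.0.0.21 then
    fetches the payload over TFTP; 10.0.0.9 is a benign host making one RPC call."""
    lines = ["12:00:00 10.0.0.9 10.0.0.1 tcp 135",
             "12:00:00 10.0.0.9 10.0.0.2 tcp 80"]
    for n, host in enumerate(range(20, 70)):
        lines.append(f"12:00:{n:02d} 10.0.0.5 10.0.0.{host} tcp 135")
    lines.append("12:01:15 10.0.0.21 10.0.0.5 udp 69")
    lines.append("12:01:20 10.0.0.30 10.0.0.9 udp 69")   # TFTP to a non-scanner: not flagged
    return "\n".join(lines)


if __name__ == "__main__":
    result = analyze(build_sample_log())
    for src, count in result["scanners"].items():
        print(f"{src}: probed {count} hosts on tcp/{RPC_EPMAP_PORT} (Blaster-style sweep)")
    for victim, attacker in result["tftp_pulls"]:
        print(f"{victim}: pulled a file over tftp from {attacker} after being probed")
```

The sweep and the TFTP pull are checked in one pass so that a download is only attributed to a scanner that probed the downloading host earlier in the log; a TFTP transfer to some other host is left alone, as is the single legitimate RPC connection from 10.0.0.9.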
Expert Comment

by: Pete Long
ID: 9773019
Virus Checking

If you can't get the PC to boot you will need to scan from DOS
http://www.europe.f-secure.com/download-purchase/tools.shtml



Online (Free) Virus Checking can be done at

SYMANTEC (You must have ActiveX enabled on your browser for it to work!)
http://security.symantec.com/ssc/vc_scan.asp?j=1&langid=ie&venid=sym&plfid=23&pkj=ROSUPWFYJOKMFIDPMSV 

Trend Micro (Housecall)
http://housecall.trendmicro.com/

But you really need some good quality anti-virus installed!

FreeWare

AntiDote Lite http://www.vintage-solutions.com/English/Antivirus/Super/index.html
Avast http://www.avast.com/
F-Prot http://www.f-prot.com/products/
V-Catch http://www.vcatch.com/download.html

The BIG Boys in AV

McAfee
http://www.mcafee.com/default.asp

Symantec (or the firm formerly known as Norton)
http://www.symantec.com

Sophos (This Protects My Corporate Network)
http://www.sophos.com/

Command
http://www.commandsoftware.com/
Expert Comment

by: Popeyediceclay
ID: 9773285
If it's a Welchia variant, look for 2 processes in the Task Manager:
DLLHOST.EXE
SVCHOST.EXE (both in caps)
Use kill.exe (from the command line) to stop them and delete the .exe files in the wins folder I mentioned earlier.

kill.exe comes with the Win2k Resource Kit, a free download.
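Between them, the Sophos removal steps Pete Long quoted (msblast.exe in the system folder, the "windows auto update" Run value) and Popeyediceclay's Welchia pointers (a "wins" subfolder of System32 holding copies of DLLHOST.EXE and SVCHOST.EXE) give a small set of host indicators. The script below is an added example, not from the thread, Sophos or Microsoft, that checks all of them at once over a registry export, a file listing and a process list. One caveat worth building in: svchost.exe and dllhost.exe are genuine Windows binaries that live directly in the system folder, so a process is flagged on its image path, not its name; killing by name alone would take down Windows' own services. The .reg text, file names and process table are constructed sample data.

```python
"""Host-side indicator check for the two worms named in this thread: Blaster
(Run value "windows auto update" = msblast.exe, msblast.exe in the system
folder) and Welchia (DLLHOST.EXE / SVCHOST.EXE copies in a "wins" subfolder).
Added example, not from the thread, Sophos or Microsoft. The registry export,
file list and process list are constructed stand-ins for `reg export`,
`dir /s /b` and a process listing that includes image paths."""
import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
BLASTER_RUN_VALUE = "windows auto update"
BLASTER_FILE = "msblast.exe"
WELCHIA_DIR = "wins"
WELCHIA_FILES = {"dllhost.exe", "svchost.exe"}

_REG_LINE = re.compile(r'^"?(?P<name>[^"=]*|@)"?=(?P<data>.*)$')


def parse_reg_export(text):
    """Parse a Regedit .reg export into {key: {value_name: data}}.
    Quoted REG_SZ data is unescaped; other value types are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _REG_LINE.match(line) if current else None
        if not m:
            continue
        data = m.group("data")
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", data[1:-1])   # undo \" and \\ escapes
        keys[current][m.group("name")] = data
    return keys


def image_name(command):
    """Executable file name from a Run-value command line (quoted paths allowed)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split(" ", 1)[0]
    return PureWindowsPath(exe).name.lower()


def check_run_key(reg_keys):
    run = next((v for k, v in reg_keys.items() if k.lower() == RUN_KEY.lower()), {})
    return [f"Run value {n!r} = {d!r} (Blaster persistence)" for n, d in run.items()
            if n.lower() == BLASTER_RUN_VALUE or image_name(d) == BLASTER_FILE]


def check_files(relative_paths):
    """relative_paths: files below the Windows system folder."""
    findings = []
    for p in relative_paths:
        parts = [s.lower() for s in PureWindowsPath(p).parts]
        if parts[-1] == BLASTER_FILE:
            findings.append(f"{p} (Blaster binary)")
        elif len(parts) >= 2 and parts[-2] == WELCHIA_DIR and parts[-1] in WELCHIA_FILES:
            findings.append(f"{p} (Welchia copy in '{WELCHIA_DIR}' subfolder)")
    return findings


def check_processes(processes, system_dir):
    """processes: (name, full image path). Flag on the *path*, not the name: the
    genuine svchost.exe / dllhost.exe sit directly in the system folder."""
    welchia_dir = str(PureWindowsPath(system_dir, WELCHIA_DIR)).lower()
    findings = []
    for name, path in processes:
        wp = PureWindowsPath(path)
        if wp.name.lower() == BLASTER_FILE:
            findings.append(f"{name} [{path}] (Blaster process)")
        elif wp.name.lower() in WELCHIA_FILES and str(wp.parent).lower() == welchia_dir:
            findings.append(f"{name} [{path}] (Welchia process)")
    return findings


def scan(reg_text, relative_files, processes, system_dir=r"C:\WINDOWS\system32"):
    return {"registry": check_run_key(parse_reg_export(reg_text)),
            "files": check_files(relative_files),
            "processes": check_processes(processes, system_dir)}


# Constructed sample data: one infected XP box with both worms present.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"="msblast.exe"
"ExampleTray"="\"C:\\Program Files\\Example\\tray.exe\" /tray"
'''
SAMPLE_FILES = ["msblast.exe", r"wins\DLLHOST.EXE", r"wins\SVCHOST.EXE",
                "svchost.exe", r"drivers\etc\hosts"]
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),        # legitimate
    ("SVCHOST.EXE", r"C:\WINDOWS\system32\wins\SVCHOST.EXE"),   # Welchia
    ("DLLHOST.EXE", r"C:\WINDOWS\system32\wins\DLLHOST.EXE"),   # Welchia
    ("msblast.exe", r"C:\WINDOWS\system32\msblast.exe"),        # Blaster
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
]

if __name__ == "__main__":
    for area, hits in scan(SAMPLE_REG, SAMPLE_FILES, SAMPLE_PROCESSES).items():
        print(f"{area}: {hits or 'clean'}")
```

Run against the sample data it reports the Blaster Run value, msblast.exe plus the two Welchia copies under wins, and three processes; the legitimate svchost.exe in System32 is left alone even though its name matches.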
Expert Comment

by: Pete Long
ID: 11145162
Hello, this question has been open a while; please take the time to come back and clean it up.

Closing Questions
http://www.experts-exchange.com/help.jsp#hs5


Best Wishes

Pete
www.petenetlive.com