?
Solved

Worm Blast Virus removal from XP variant strain

Posted on 2003-11-18
9
Medium Priority
?
683 Views
Last Modified: 2013-12-04
I cannot get rid of a Worm which is causing the PC to shutdown without notice or is giving a RPC shutdown message. I have tried to cleanse using Worm Blast and Lovsan software with no luck.I have been advised that it may be a variant.
I notice that the virus is trying to read out of my floppy as the light keeps flashing intermittently. I have tried scanning with Norton and I cannot get to the end of my scan. Therefore I cant get a note of what is causing it. It does state that files have been infected though. I have windows XP.

any suggestions ?
0
Comment
Question by:sstirrat
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 49

Accepted Solution

by:
sunray_2003 earned 128 total points
ID: 9772156
Dear sstirrat,

Have you used MS blaster worm removal tool ?

If not , use it and check if that would solve the issue

Thanks,
Sunray
0
 
LVL 3

Assisted Solution

by:Popeyediceclay
Popeyediceclay earned 124 total points
ID: 9772389
when it tries to shut your computer down automatically, send this command to the Run prompt:
shutdown /a (it should be in the system path)
That should stop it from shutting down (you might need to be at the command prompt)
That should help by giving you time to install the patch
Also, Check for a folder in C:\WINNT\System32 called "wins", if it's there, it's probably the Welchia
0
 
LVL 8

Assisted Solution

by:nader alkahtani
nader alkahtani earned 124 total points
ID: 9772678
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 124 total points
ID: 9773015
"svchost.exe" errors with RPC messeges and reboots

OR

"NT Authority...shut down in 1 min"

Soundslike youve got the "Blaster Worm"
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html


This is the hole it exploits
Your computer is being accessed. Download the MS03-026 patch from Microsoft.
http://www.microsoft.com/security/security_bulletins/ms03-026.asp

Fixes Available here
http://support.microsoft.com/?kbid=823980

More Links
http://www.cert.org/advisories/CA-2003-19.html

Automatically Remoce the Virus with

http://www.sophos.com/misc/blastsfx.exe

Download and run it, it will create a directory called SOPHTEMP

From Command line type

C:\SOPHTEMP\RESOLVE.COM -DF=BLASTERA.DAT -NOC

How do I remove W32/Blaster-A manually?
To remove W32/Blaster-A manually on Windows 95/98/Me and Windows NT/2000/XP:

ensure you have installed Microsoft patch MS03-026 and implemented as many of the steps mentioned above as is feasible.
press Ctrl+Alt+Del
in Windows NT/2000/XP click Task Manager and select the Processes tab
look for a process named msblast.exe in the list
click the process to highlight it
click the 'End Process' (in Windows 95/98/Me 'End Task') button
close Task Manager.
Search for the file msblast.exe in the Windows system folder (usually a subfolder of Windows or WINNT) and delete it.

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. If in doubt, contact your network administrator. Incorrect editing of the Windows Registry can cause system failure.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

in the righthand pane select

windows auto update = msblast.exe

and delete it if it exists.
Close the registry editor.
You should reboot your computer and repeat the above process to ensure all traces of the worm have been removed from your system.


Which systems are affected?
Windows 95/98/Me and Windows NT/2000/XP are potentially affected
Apple-based workstations, Unix and other platforms (including PDAs and games consoles) cannot be infected with W32/Blaster-A
If a W32/Blaster-A file is found on a computer, it has been dropped there by an infected computer, or it has been executed locally.



How did my computer become infected?
W32/Blaster-A scans the internet and local networks looking for computers vulnerable to Microsoft's DCOM RPC security exploit. When it finds one it causes the remote computer to use TFTP to download a copy of the worm. This is saved as msblast.exe in the Windows system folder and the registry on that computer is changed so that the worm will be run when the computer restarts.

My computer is continuously rebooting, how can I download RESOLVE?
Often when a computer is infected with W32/Blaster-A it restarts every few minutes, usually with a message similar to "Windows must now restart because the Remote Procedure Call (RPC) Terminated Unexpectedly". This prevents the required patches and files from being downloaded.

On Windows XP you may be able to prevent the computer from rebooting by turning on the inbuilt firewall.

To do this:

go to Network Connections
click on your internet connection (LAN or dial-up)
on the lefthand window click 'Change settings of this connection'
click Advanced
click 'Protect my computer.....'
you will probably then be able to download the files you need.
Where possible, download the RESOLVE W32/Blaster-A self-extractor on another computer. Save it to floppy disk and run the self-extractor on the affected computer.

If you cannot download on another computer, disable Distributed COM to prevent this rebooting.

Windows XP

Select Start|Run and type
dcomcnfg.exe.
Select Console Root|Component services.
Open the Computers subfolder.
Right-click on My Computer|Properties.
Click the Default Properties tab.
Deselect 'Enable distributed COM', click Apply then click OK.
Restart the computer.
Set the options back to normal after applying relevant patches

Windows NT/2000

Select Start|Run and type
dcomcnfg.exe.
Select the Default Properties tab.
Deselect 'Enable distributed COM on this computer', click Apply then click OK.
Restart the computer.i
Set the options back to normal after applying relevant patches

From http://www.sophos.com/support/disinfection/blastera.html
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 9773019
Virus Checking

If you cant get the PC to boot you will need to scan from Dos
http://www.europe.f-secure.com/download-purchase/tools.shtml



Online (Free) Virus Checking can be done at

SYMANTEC (You must have ActiveX enabled on your browser for it to work!)
http://security.symantec.com/ssc/vc_scan.asp?j=1&langid=ie&venid=sym&plfid=23&pkj=ROSUPWFYJOKMFIDPMSV 

Trend Micro (Housecall)
http://housecall.trendmicro.com/

But You really Need some good quality Anti Virus Installed!

FreeWare

AntiDote Lite http://www.vintage-solutions.com/English/Antivirus/Super/index.html
Avast http://www.avast.com/
F-Prot http://www.f-prot.com/products/
V-Catch http://www.vcatch.com/download.html

The BIG Boys in AV

McAfee
http://www.mcafee.com/default.asp

Symantec (or the firm formally known as Norton)
http://www.symantec.com

Sophos (This Protects My Corporate Network)
http://www.sophos.com/

Command
http://www.commandsoftware.com/
0
 
LVL 3

Expert Comment

by:Popeyediceclay
ID: 9773285
If it's a Welchia variant, look for 2 processes in the Task Manager:
DLLHOST.EXE
SVCHOST.EXE (both in caps)
use kill.exe (from command line) to stop them and delete the exe's in the wins folder I mentioned earlier

kill.exe comes with the win2k resource kit, free download
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 11145162
Hello this question has been open a while please take the time to come back and clean it up.

Closing Questions
http://www.experts-exchange.com/help.jsp#hs5


Best Wishes

Pete
www.petenetlive.com
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
Suggested Courses
Course of the Month11 days, 20 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question