-
August 12th, 2003, 12:36 AM
#1
The Remote Procedure Call shutdown and msblast.exe
This has been going pretty strong today and may get worse before it gets better.
http://www.trendmicro.com/vinfo/viru...WORM_MSBLAST.A
Here is the manual removal information from the link:
Terminating the Malware Program
This procedure terminates the running malware process from memory.
1. Open Windows Task Manager: press CTRL+SHIFT+ESC, and click the Processes tab.
2. In the list of running programs, locate the process:
MSBLAST.EXE
3. Select the malware process (usually msblast.exe), then press the End Process button.
4. To check if the malware process has been terminated, close Task Manager, and then open it again.
5. Close Task Manager.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.
1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
"windows auto update" = MSBLAST.EXE
4. Close Registry Editor.
You need to apply the patch from Microsoft to prevent the buffer overflow that allows the virus into your system through DCOM. For XP users like me, the download is at this link:
http://download.microsoft.com/downlo...80-x86-ENU.exe
and the page with the details for XP users that link is located on:
http://microsoft.com/downloads/detai...displaylang=en
Here is Microsoft's general information page about this DCOM buffer overflow issue and the patches:
http://support.microsoft.com/default...b;en-us;823980
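
The two manual procedures quoted in the post above (end the process, then delete the Run value), scripted as an added example that is not part of the original post or of the vendor's instructions. It assumes a machine with PowerShell 3.0 or later and an elevated prompt; the process and value names are the ones quoted in the post, and the parameter names are made up for this example.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# Names come from the post: MSBLAST.EXE and the "windows auto update" Run value.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ImageName = 'msblast',               # process name without .exe
    [string]$RunValue  = 'windows auto update',   # autostart value name
    [string]$RunKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# "Terminating the Malware Program", steps 1-3: find and end the process.
$procs = @(Get-Process -Name $ImageName -ErrorAction SilentlyContinue)
foreach ($p in $procs) {
    if ($PSCmdlet.ShouldProcess("$($p.ProcessName).exe (PID $($p.Id))", 'End process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# Step 4: look again, the same check as closing and reopening Task Manager.
Start-Sleep -Seconds 2
$stillRunning = @(Get-Process -Name $ImageName -ErrorAction SilentlyContinue).Count -gt 0

# "Removing Autostart Entries": read the value first and delete it only when
# its data really points at the worm's executable, so an unrelated entry
# that happens to share the name is left alone.
$data = (Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue).$RunValue
$isWorm = $data -match [regex]::Escape("$ImageName.exe")
if ($isWorm -and $PSCmdlet.ShouldProcess("$RunKey\$RunValue = $data", 'Delete value')) {
    Remove-ItemProperty -Path $RunKey -Name $RunValue
}

# Summary of what was found and what is still present afterwards.
$valueLeft = $null -ne (Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue)
[pscustomobject]@{
    ProcessesFound  = $procs.Count
    ProcessRunning  = $stillRunning
    RunValueData    = $data
    RunValueWasWorm = $isWorm
    RunValuePresent = $valueLeft
}
```

Saved as a .ps1 file and run with `-WhatIf`, it only reports what it would end or delete. As the post says, the Microsoft patch is still needed afterwards, because removing the files does not close the DCOM hole.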
-
August 12th, 2003, 12:45 AM
#2
Ok, that was the worm fix, here is the solution to the computer-shutting-down problem:
Go to your Services panel (Control Panel -> Administrative Tools -> Services or Start->Run->type services.msc, click OK), find Remote Procedure Call, right-click and select Properties, click Recovery tab, change "Shut down" to "Take no action" and Apply, OK.
I'm amazed how fast these things spread and are then recognized as threats. This morning when it happened to me twice scans came up clean. Don't know what time today msblast.exe was added to virus definitions.
-
August 12th, 2003, 09:15 AM
#3
Norton has just released a "W32.Blaster.Worm Removal Tool" available at the link below.
http://securityresponse.symantec.com...oval.tool.html
Tufenuf
-
August 12th, 2003, 11:02 AM
#4
I've already had calls this morning and last night about this problem. This thread is the first I've seen that explains how to fix computer shutting down in easy to understand terms. 
Thanks Verlux.
Tufenuf, seen the Symantec removal, but unless client can get computer to stay running, that isn't much help.
-
August 12th, 2003, 08:22 PM
#5
Thanks VerLux and Tufenuf, you both saved the day for me and probably many others as well! This is one of the first places I came for help, knew there would be something here if I could just stay online long enough to grab it. What a nightmare! Seems everyone I know got slammed with this one today. Followed VerLux's instructions first, to keep up and running long enough to get Symantec download from Tufenuf's link. Had to turn off Outpost Firewall (for whatever reason I could not and still can't access any web pages with firewall on). Machine still not acting quite right, so will probably run tool again per Symantec's advice to run it twice. Anyway, thanks for posting the pertinents! -Kat
-
August 13th, 2003, 01:56 AM
#6
Katmac, if you read Symantec's info on the removal tool you'll see that they also tell you to run your virus protection tool after the removal tool. Mine caught and removed two versions of blaster virus and cleaned them out. Thought this might help.
Forewarned is Forearmed...Chief
-
August 13th, 2003, 08:06 AM
#7
Just thought I'd post the link below which has easy to follow instructions regarding the W32/Blaster that is running rampant and how to deal with it.
http://www.cert.org/tech_tips/w32_blaster.html
Tufenuf
-
August 13th, 2003, 08:46 AM
#8
Hi Chief,
Yes, thanks, updated Norton and scanned, nothing found. Have the Removal Tool and Patch on floppies, they will probably be worn thin before the day is out 
BTW, for XP users: M$ Patch offers 32 bit and 64 bit. I'm presuming average home user is 32 bit?
-
August 13th, 2003, 09:23 AM
#9
An Ounce of Prevention
What I don't understand is why people are running to update their virus signatures and download fixes, when you have been able to get the patch from M$ for almost a month now.
Wouldn't installing the patch prevent the need for all of this other stuff or am I missing something?
Doc
-
August 13th, 2003, 09:53 AM
#10
Doc: Ideally, yes. But there is a wide variety of users out there who aren't online or even booted up regularly: The casual home user who doesn't go online much in summer, it's more a wintertime distraction. Or others, like me, are so insanely busy with non-cyber life lately that they simply don't have time to get online on a regular basis. Then there's the extreme: My mother's PC is only booted up and/or online maybe a few times a year, usually when the grandkids come by (can't get Mom past the intimidation phase). So every couple months I blow the cobwebs off her PC and update Windows and Norton on her machine. Takes longer that way, but updating her PC weekly doesn't take priority over other things she needs my help with. (With her minimal use, she got the worm, too BTW.) So there's lots of things to consider. Also, the patch M$ released in July was revised 4 times since its initial release, perhaps a good idea to redownload again?
-
August 13th, 2003, 10:22 AM
#11
Yes, both XP Home and Pro home users need the 32-bit download, not the 64-bit.
-
August 13th, 2003, 11:35 AM
#12
Just tried to get into the windows update site, and was unable to. Thought the DoS was set for the 16th. Perhaps too many people looking for the patch?
We use our powers for good, not evil
Logic is a systematic method of coming to the wrong conclusion with confidence.
-
August 13th, 2003, 12:47 PM
#13
Symantec's sites are tough to get into also. I'm sure there are a lot of busy people and servers today.
-
August 13th, 2003, 01:47 PM
#14
Subject: Virus Alert: 'MSBlast' worm spreading a
VIRUS ALERT: 'MSBlast' worm spreads around world
August 12, 2003
McAfee Security's Anti-Virus Emergency Response Team (AVERT) has issued a medium risk virus alert for the 'MSBlast' virus.
The MSBlast worm has infected as many as 100,000 computers in the past 24 hours. The worm, which security experts believe started spreading early Monday, scans for vulnerable computers so widely that an unpatched Windows XP computer on the Internet could be infected in as little as 25 minutes.
Read more about the virus:
http://g.msn.com/0NL33936/24
Virus profile:
http://g.msn.com/0NL33936/22
Microsoft virus patch:
http://g.msn.com/0NL33936/23
"Dreams are born in your heart and in your mind, only there can they ever die." - Art Berg
-
August 13th, 2003, 02:36 PM
#15