Blaster Worm Digs Into Windows


rraehal
08-13-2003, 11:40 AM
I have had 4 people request assistance about this. It has not been bad to fix, only annoying. My 2000 and XP machines were not affected at work. :) None of my home machines were affected.

I heard on the news this morning that M$ said users should install firewalls and update their virus definitions. Is M$ saying that the XP firewall does not work? :D

It is still beyond me why people write viruses. I have a few theories, but I still think it is stupid. :mad:

Baddog
08-13-2003, 11:43 AM
I had a few people with 98 and Me that called me all excited last night.:)

chubtub
08-13-2003, 12:12 PM
The sad thing is that it could have been avoided easily. Wonder what it is going to take to make people learn.

I had two people call me, both of whom were home users and did not know much about computers. However, the companies that got hit should really look into their IT department.

fizur2002
08-13-2003, 02:52 PM
What is really odd for me is that yesterday, I got hit with 4! different trojans on our business machine. That scared the heck out of me; luckily I managed to get rid of them before they started to infect the system.

X-Con 7977
08-13-2003, 02:58 PM
Microsoft®'s and Symantec®'s patches are effective except that some users failed to notice the worm's alterations on specific Services (found on Administrative Tools\Services) (WXPPro). Log On preferences of some services have been changed to specific accounts and the worm even installed passwords (Thanks?!). Microsoft® might only have missed out on this issue given the urgency of the situation. How much is a Linux again? :p I had my share of the pie but system optimizers always have it their way.

TonyMan
08-13-2003, 05:11 PM
Quick question on this. Been helping a friend out of town clean an infected machine. She ran the Microsoft patch and all seems well now. I also had her download the Symantec file to get rid of it, but does she need to do this? Sounds like the Microsoft patch took care of it all, right?

fizur2002
08-13-2003, 05:21 PM
It's best to take all the precautions and be safe rather than sorry, because you want to be 100% sure that it is gone; otherwise it might show up again and that is a pain.

fizur2002
08-13-2003, 05:31 PM
Here (http://securityresponse.symantec.com/avcenter/FixBlast.exe) is the fix for the virus if you believe you have it.

X-Con 7977
08-13-2003, 08:50 PM
Updating virus definitions will increase your chance from getting the infection again as the worm itself is not entirely eradicated. I've worked on several systems with the worm and all have XP and noticed the same weird Service preference. After applying the patch AND virus definitions, I chose the Local System option on the Log On preferences for every instance where I get the weird account "NT Authority\..." + 14?-character password and made some of my friends and clients very happy. What's very weird is that after I deleted the msblast.exe from my Windows\System32 directory before applying the patch and virus update, it came back with the same registry entry and file, making me believe that this is not only a polymorphic virus but a stealth one as well. Hope this helps.

ukulele
08-13-2003, 11:03 PM
Originally posted by X-Con 7977
Updating virus definitions will increase your chance from getting the infection again as the worm itself is not entirely eradicated. I've worked on several systems with the worm and all have XP and noticed the same weird Service preference. After applying the patch AND virus definitions, I chose the Local System option on the Log On preferences for every instance where I get the weird account "NT Authority\..." + 14?-character password and made some of my friends and clients very happy. What's very weird is that after I deleted the msblast.exe from my Windows\System32 directory before applying the patch and virus update, it came back with the same registry entry and file, making me believe that this is not only a polymorphic virus but a stealth one as well. Hope this helps.

Curious that it resided on the MS Activation site. I got it with a new clean install by activating XP Home SP1. Right from the horse's mouth. No ISP was set up yet. :rolleyes:

ukulele
08-13-2003, 11:15 PM
OK, I got the XP OS up and running good yesterday (8/12/03) and today managed to download and install all the security updates this morning for my version of Windows. Now it is evening and I was again alerted by XP that security updates were available. I went to the Windows Update site and scanned for needed security updates. I was notified that all the updates that were downloaded and installed yesterday were still needed. As Scotty said to Capt. Kirk, "I'm giving her all I can, sir. If I give her any more she'll blow for sure". :eek:

Greg Harper
08-13-2003, 11:35 PM
According to Symantec there are three variants out on this little bugger, so it may take a while to totally get rid of it, especially if it got in to start with.
The variants are probably the reason for additional update notices. Whoever started this one apparently decided not to make it extremely easy to wipe out in one swoop; however, at least it wasn't as bad as the Code Red worm :t

ukulele
08-13-2003, 11:42 PM
however at least it wasn't as bad as the Code Red worm

Not yet anyway. :rolleyes:

Those updates were the same ones I already updated. Now who's messed up here?

kevrob1
08-14-2003, 12:03 AM
The Windows Update site has been under siege for the last 2 days as near as I can tell. Part of the Blaster payload is a denial of service attack against the update site. I too haven't gotten accurate readings when I've been able to log on to the site. :eek:

ukulele
08-14-2003, 12:09 AM
Originally posted by kevrob1
The Windows Update site has been under siege for the last 2 days as near as I can tell. Part of the Blaster payload is a denial of service attack against the update site. I too haven't gotten accurate readings when I've been able to log on to the site. :eek:

Here is a disturbing thought. My default ISP password was modified and works!!! :(

To make matters worse, my phone has been on and off for several hours. Hmmmmmmmm!

X-Con 7977
08-14-2003, 01:03 AM
Probably right. Made my own "NT Authority\.." account and 6-character password and things are quite normal. It might be the system getting rid of the worm. In any case, I didn't regret doing it anyway. :) Things are quite back to normal, whether it helped or not. Definitely a good thing!

Paco103
08-14-2003, 02:54 AM
Sadly, I got hit with it. First one ever to get me, but it was my own stupid fault. I hadn't put on the new virus scan (on laptop while painting tower), and I took down my firewall to test for a conflict, and that's when I got it. For me though, I guess someone used the execute code function of it. It wiped out my kernel; I only got the shutdown message once. I reinstalled and all is happy with the world now.

I just fixed another computer tonight, helped a friend online, and have another job scheduled. Now with the NT Authority account, I noticed that was where the RPC commands were coming from, and saw the profile, but are you saying that if I create that account before hand with a password, it can't create an account and can't shut down? Just a question - not sure I understood that point of this thread, but then again it's late.

Yoshi
08-14-2003, 04:22 AM
This sounds serious. What's the best anti-virus software out? I need one for my new system.

fizur2002
08-14-2003, 01:10 PM
Norton has to be probably one of the best ones available, that and McAfee.

Paco103
08-14-2003, 01:15 PM
I use AVG from Grisoft, it's free for personal use (www.grisoft.com). It's been as good as Norton in my experience with it, and I've used it to clean a lot of computers. I would say Norton is probably the best, but I really can't say it's any better than AVG. Either is better than McAfee. That program is a JOKE. It sounds false alarms on zipped jpeg/txt files with password protection, and it lets REAL viruses right through. That's *WITH* the updates. It comes pre-installed on most commercial PCs, but I wouldn't trust it.

fizur2002
08-14-2003, 01:20 PM
I trust Norton AV more than I do anything else.

ConfusedAlien
08-14-2003, 01:59 PM
lol I prolly have it... arg. So all it does is a remote person can install/uninstall apps on my computer?

well, go right ahead! see how much stuff you can cram in my 56k bandwidth lol
i'll probably notice it slowin down lol

Paco103
08-14-2003, 02:08 PM
I'm on about 26K, and it was able to wipe out my system. The virus itself is tiny, and the code that they can execute on it can do just about anything. If you've got it, you'll know; you probably wouldn't be able to keep your computer up long enough to post. It'll pop up notices telling you it's shutting down in 60 seconds.

Start-Run-> "cmd" then type "shutdown -a"

will abort the shut down and give you time to work and remove it
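Triage logic for the behaviour described in the posts above, as an added example that is not part of the original thread and not Microsoft's or Symantec's code: a small Python script that runs over constructed firewall log lines and flags hosts showing Blaster's known traffic pattern, so you know which machines to unplug before you patch and run the removal tool. The port numbers come from the public Blaster/MS03-026 write-ups, not from this thread: the exploit arrives on TCP 135 (the RPC endpoint mapper), the exploit opens a command shell on TCP 4444, the victim pulls msblast.exe over TFTP (UDP 69), and the victim then fans out to TCP 135 on other hosts. The log line format, every address, and the use of 192.0.2.0/24 as the "inside" network are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not a real capture). Assumed line format:
#   <timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
# 192.0.2.0/24 plays the internal network, 203.0.113.7 an Internet host.
SAMPLE_LOG = """\
2003-08-13T10:01:02 ALLOW TCP 203.0.113.7:1234 -> 192.0.2.10:135
2003-08-13T10:01:03 ALLOW TCP 203.0.113.7:1235 -> 192.0.2.10:4444
2003-08-13T10:01:04 ALLOW UDP 192.0.2.10:1036 -> 203.0.113.7:69
2003-08-13T10:01:05 ALLOW TCP 192.0.2.10:1037 -> 198.51.100.1:80
2003-08-13T10:02:00 ALLOW TCP 192.0.2.10:1038 -> 192.0.2.55:135
2003-08-13T10:02:01 ALLOW TCP 192.0.2.10:1039 -> 192.0.2.56:135
2003-08-13T10:02:02 ALLOW TCP 192.0.2.10:1040 -> 192.0.2.57:135
2003-08-13T10:03:00 ALLOW TCP 192.0.2.20:1041 -> 198.51.100.9:443
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["sport"] = int(ev["sport"])
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def find_blaster_indicators(log_text, local_prefix="192.0.2.", scan_threshold=3):
    """Map host -> sorted list of indicator tags.

    Tags (Blaster's published behaviour, not something the thread states):
      rpc_135_inbound  an outside host hit TCP 135 on an inside host (exploit vector)
      shell_4444       a connection to TCP 4444 (the shell the exploit opens)
      tftp_69          the host pulled something over TFTP (how msblast.exe arrives)
      scan_135         the host touched TCP 135 on >= scan_threshold distinct targets
    """
    indicators = defaultdict(set)
    targets_135 = defaultdict(set)
    for ev in parse(log_text):
        src, dst, proto, dport = ev["src"], ev["dst"], ev["proto"], ev["dport"]
        if proto == "TCP" and dport == 135:
            targets_135[src].add(dst)
            if dst.startswith(local_prefix) and not src.startswith(local_prefix):
                indicators[dst].add("rpc_135_inbound")
        elif proto == "TCP" and dport == 4444:
            indicators[dst].add("shell_4444")
        elif proto == "UDP" and dport == 69:
            indicators[src].add("tftp_69")
    for src, targets in targets_135.items():
        if len(targets) >= scan_threshold:
            indicators[src].add("scan_135")
    return {host: sorted(tags) for host, tags in indicators.items()}


def hosts_to_isolate(log_text, **kw):
    """Hosts showing more than one indicator: pull the cable, then patch and clean."""
    return sorted(h for h, tags in find_blaster_indicators(log_text, **kw).items()
                  if len(tags) >= 2)


if __name__ == "__main__":
    for host, tags in find_blaster_indicators(SAMPLE_LOG).items():
        print(host, ", ".join(tags))
    print("isolate:", hosts_to_isolate(SAMPLE_LOG))
```

Two caveats when using something like this on real logs: TCP 135 traffic between Windows machines is normal inside a domain, so the signal is in the direction (outside to inside) and the fan-out (one host hitting 135 on many others), not in port 135 alone; and this only tells you who is infected, it removes nothing, so the patch plus the removal tool the thread links still have to be run on every flagged host.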

Kandar
08-15-2003, 06:51 AM
Originally posted by fizur2002
Norton has to be probably one of the best ones available, that and McAfee.

I tend to avoid products that take issue with their own core system files.
I have witnessed Norton products inadvertently shaft themselves on more than one occasion.
Norton Utilities decided its own system files were problematic and promptly deleted them. This prevented the uninstall utility from functioning and led to lots of registry editing to remove the references scattered all over the place.
Norton Antivirus found a virused file on a fresh install of Windows.
The file was one of its own core files, which it claimed it was going to quarantine but actually deleted.
Norton AV never recovered from this little blunder and the installation disk now sits on my desk doing a pretty mean impression of a coffee mat. :D

My work uses McAfee for reasons of cost only, because the powers that be won't pay for Sophos.
Whilst I have no issues with McAfee's ability to protect our network,
I do not like the way it drags down the performance of the machines it's installed on.

Personally I use Sophos Sweep and given the choice I'd use it at work too.

zybch
08-15-2003, 08:23 AM
I used to be a big fan of Norton products until I actually started looking at them a little better.
Norton Anti-Virus install files take up a whopping 40+ MB of space and that's BEFORE you install it.
All those fancy and irrelevant bells and whistles really annoy me. I don't care what it looks like or sounds like or how flashy and round its interface is, I just want something that doesn't gobble up my system resources, is fast, and protects my PC from unwanted incursions by viruses, worms and trojan horses.

I now use VET anti-virus. Install files are 4 MB (7 MB installed). Its updates are just over 1 MB (compared to the 3-4 MB monsters of Norton) and it only uses up a smidgeon of my RAM.
It's also ugly, but very fast and has caught EVERY infection including this Poza one and stopped it dead in its tracks.

Perhaps someone should modify Norton Anti-Virus like Kazaa was modified, stripping out all the crud and leaving behind a sleek, streamlined program that does what it needs to and nothing else.

TiGgErDbC
08-16-2003, 09:47 AM
Scary... haven't used a virus scanner for 3 years now, and no firewall... I just don't open anything I don't know, and about 1-2 times a month I'll use 3 different online scans to check my computer.... The only virus I have problems with is when I reinstall Windows XP and forget to get the patches; I ALWAYS end up with some silly bugger in my Shared Pictures and Shared Documents folders and all the sub-folders in those folders... I'm assuming a security hole, but it's always easy to get rid of...

Dunno, just don't like the system resources used by virus scanners... call me crazy, but 3 years and no big hits... I'm doing something right :o

kevrob1
08-16-2003, 11:00 AM
I remember a certain fella around here who said pretty much the same thing as you, TiGgErDbC; as a matter of fact he even responded to this very thread. Anyway, I'm not wishing you any bad luck, but AVG is free for virus scanning and it's light on system resources. www.grisoft.com :t

Timmac4
08-17-2003, 07:22 PM
My dad got this virus too. He never stops Norton AV and has the Microsoft XP firewall running at all times. I use PC-cillin (Trend Micro) and its firewall and never had any problem. He even updates his definitions daily and still got it. PC-cillin came with my MSI mobo as well as his, but he didn't want to skip out on the month left he paid for with Norton; now look what he got. Oh, and Microsoft's firewall sucks big time, I don't believe it is really even there. Do any of you have the URL for a firewall checking site? I had one a while ago and lost it.

zybch
08-17-2003, 11:14 PM
I've often wondered myself if the firewall built into XP is really there or not.

For a good firewall checking site, try:

https://grc.com/x/ne.dll?bh0bkyd2

There are others out there but the guy who runs this place (Steve Gibson) really knows his stuff.

kevrob1
08-17-2003, 11:51 PM
I agree with zybch. Since Steve Gibson has improved his NanoProbe scan I went back and tested my Sygate firewall and found an open port that wasn't there or didn't show up before. I switched back to Kerio Personal Firewall and all is well.

Kerio stopped all scans by default, while you have to configure Sygate for ports 1001 through 1004, or thereabouts... :t

Gibson's site is good stuff Maynard...:cool:

Paco103
08-18-2003, 12:01 AM
GRC is an awesome security site, and his utilities are amazingly sweet and compact, since he writes everything in pure assembly. I like his new screen saver 'Graviton' too (found in Wizmo). It's simple graphically but rather complex mathematically. I test my computer from time to time, but I haven't seen this new one he's got. Unfortunately it's down right now due to bandwidth max :(

Kandar
08-18-2003, 08:09 AM
Originally posted by Paco103
If you've got it, you'll know; you probably wouldn't be able to keep your computer up long enough to post. It'll pop up notices telling you it's shutting down in 60 seconds.

Start-Run-> "cmd" then type "shutdown -a"

will abort the shut down and give you time to work and remove it

Thanks Paco103.
That little piece of information proved very useful over the weekend when my girlfriend's laptop acquired MSBLAST.EXE.

I have since heard rumours that this countdown to shutdown doesn't actually do anything once it reaches zero, but I tend to think that is just rubbish.

Can anybody validate this statement, as I'm curious?

Personally I use ZoneAlarm Pro. It's user friendly and easily configurable without going into the a*se of it.
Outpost Pro is good too if you need greater configurability for Apache servers or stuff like that.
Big respect to Steve Gibson @ GRC.com, he is the man, he knows his stuff.

rusty4x4
08-19-2003, 08:38 PM
Originally posted by BipolarBill
A router seems to be plenty effective. :cool:

I agree. I've been trying to convince my friends that for less than $60 (router/switch/firewall device) and some minor configuration (port forwarding), they can surf, game, chat, or whatever with reasonable assurance that their boxes won't get infected the moment they hook up to the net. Unfortunately, two of the three remain unconvinced, and laugh off the threat(s).

The one who is concerned is stationed in Europe, where he has this strange ISDN/USB modem combination. From his description, it goes something like this:

Phone jack -> Unlabeled Box (probably ISDN) -> "Teledat" USB modem -> PC.

So connecting a router is not that clear-cut. There's a CAT5 cable connecting the suspected ISDN box and the USB modem. One would think that maybe this would be the place to install a router, but with ISDN, I don't know. In looking around for USB-type routers, I failed to find any that had firewall capabilities.

If y'all have a solution to the above problem, I'd appreciate it, and will pass it along to my buddy, who figures he has another 10 months before he gets shipped back to the States. So he's going to do the best he can with ZoneAlarm and keeping up with MS' Critical (and sometimes fatal :)) Updates.

:eek:

Thanks for any insights or ideas.

ukulele
08-20-2003, 01:26 AM
I just bought a Linksys 4-port router on eBay for $40.00 shipped to Hawaii. It has a built-in firewall. TCWO.com has the same router for $62.00 + shipping. That should do the trick.

AcidBurn196
08-21-2003, 02:25 AM
This whole Blaster worm virus caused many of my friends and family to freak out! Haha, I loved it! That meant that they all came to me about how to fix it, and that means more $$ in my pocket!
I did get it on my system, but after watching Tech Live on TechTV, I saw it on there, and then got the update. ;)

I'm just glad that it didn't do any damage.

Aarmenaa
08-21-2003, 09:45 PM
I've missed Blaster and Sobig thus far, and I'm fairly surprised. I have a DSL router (it has firewall capability but it's not active) and I run Norton AntiVirus. I think the router doesn't respond on incoming ports, which is probably why I don't get hit so much.

-Aarmenaa

PS: I'm switching virus protection programs after this. Norton didn't have a def for Blaster for quite some time. I'm not getting my money's worth with them.

felixoc
08-22-2003, 10:29 AM
I too got MSBLAST.exe last week via 56K with no firewall. Norton caught it and I had it removed and patched in about half an hour.
About three days before, I had a hard time shutting my external modem off;
each time I would have to shut down the whole box just to disconnect. All was well after I used the FixBlast.exe removal tool.

Sheesh! I guess even dynamic-IP dial-up folks like me need a firewall too!