Blaster worm Question


Nick
December 14th 03, 12:22 PM
I had all the symptoms of this worm. My PC would shut down claiming
NT Authority, then the RPC message and shutdown/restart in 60 seconds. Well,
I downloaded the patch from Microsoft and set my firewall, the ICF in Win XP,
to be enabled. Then I downloaded the latest scan engine AND DAT file from
McAfee and the virus checker found NOTHING!

Did the worm just try to get in, and since I had VirusScan running while it
was doing the RPC thing, Blaster DIDN'T get through?

I just wonder if the darn thing is still here waiting to give me trouble
again!

Nick
December 14th 03, 12:22 PM
Oh yeah, I looked in the Registry and the message that was mentioned was NOT
there either.

lucy
December 14th 03, 12:22 PM
I had the exact same question yesterday, and I still have
not received an answer. Had all the symptoms, turned on the
firewall, was able to stay online, ran the Symantec removal
tool and nothing was found, checked the registry, nothing,
nothing in Task Manager, full system scan with Norton,
nothing. If you find out, let me know too, will you?

Curtis Koenig [MSFT]
December 14th 03, 12:22 PM
Hi Nick,
You could still have issues. I am posting the procedure that we are
currently using for worm removal below for your convenience.

You can use these steps yourself if you are comfortable working in your
registry:

1. Remove the infected computer from the network and reboot into Safe Mode.

2. Locate the files below, plus the value "windows auto update" under the
Run registry key, and delete them all:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

MSBLAST.EXE under the "C:\Windows\system32" folder

MSBLAST.EXE-1c3a3376.PIF under the "C:\Windows\prefetch" folder

2a. If you are running Windows XP (any version) it is also recommended that
the Internet Connection Firewall be enabled to prevent re-infection when
connecting to the internet.

3. Contact your antivirus provider for assistance in using any removal tools
they are providing, or you can use the one that Symantec is providing.
Symantec's removal tool:
<http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html>.

4. If the OS continues to shut down when trying to connect to
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp, with the
dialog box stating the OS will be shutting down in 30 seconds, set the RPC
service to "Take No Action" and reboot. This should allow you to download
the patch and install it.

Disclaimer:
While this may remove the worm in the short term it is advisable to backup
any data and then format and reinstall the computer. Once infected by a
virus, worm or other malicious program it is not possible to verify that
another program that could compromise the system has not been left by the
original infection.

Third-party products mentioned in this posting are the sole responsibility
of the vendor providing them, and in no way should this be considered an
endorsement by Microsoft.

--
Curtis Koenig
Support Professional
Microsoft Clustering Technologies Support
MCSA, MCSAS, MCSE, MCSES

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit. Thanks!
--------------------
>From: "Nick" >
>Subject: Blaster worm Question
>Date: Wed, 13 Aug 2003 16:20:38 -0400
>

lucy
December 14th 03, 12:23 PM
I had the same situation yesterday and I have yet to find
any msblast.exe anywhere. The removal tool from Symantec
found nothing either. I was fine after I turned on the
firewall, and I had downloaded SP1 on Sunday and was hit
with it on Monday. I would just like to know what happened.

Nick
December 14th 03, 12:30 PM
I looked in the Registry too. I found no such entry. I can get to the
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" entry,
but at no point do I see any "blaster.exe" or the typical messages
mentioned to date in the news.

Nick
December 14th 03, 12:43 PM
Hey Lucy,

You may NOT have had msblast.exe anyway, but you are still subjected to the attacks and symptoms of the worm. Read the excerpt I found on McAfee's website at:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547

Lucy, read here:

"Computers that have up-to-date antivirus software will detect the worm executable (msblast.exe) upon download and prevent that machine from becoming a host for W32/Lovsan.

However, unless the system has been (MS03-026) patched, it is susceptible to the buffer overflow attack from an infected host machine. An infected machine (running msblast.exe) will send out malformed packets across the local subnet to the RPC service running on port 135. When these packets are received by any unpatched system, it will create a buffer overflow and crash the RPC service on that system. All this can occur without the worm actually being on the machine. This means that the remote shell will still get created on TCP port 4444, and the system may unexpectedly crash upon receiving malformed exploit code.

Other symptoms may include:

a. inability to cut/paste
b. inability to move icons
c. Add/Remove Programs list empty
d. DLL errors in most Microsoft Office programs
e. generally slow, or unresponsive system performance

By applying the MS03-026 patch to the machine, it will prevent the RPC service from failing, in turn solving these symptoms. It is very important that the machine is rebooted after the patch has been installed. The machine can then be updated to the latest DATs/engine/config and an on-demand scan run to pick up msblast.exe, IF it exists. All of these symptoms are related to the RPC vulnerability and not necessarily due to W32/Lovsan running locally. Msblast.exe may not be present at all."

So maybe we are OK, Lucy? All I know is the symptoms are gone and I am updated.
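The McAfee text quoted above draws the distinction Nick and lucy are asking about: a machine can be hit on TCP/135 and have its RPC service crash without ever running msblast.exe, while an infected machine is the one spraying 135 across the subnet and, where the exploit lands, getting a follow-up connection to the shell on TCP/4444. The following is an added example in Python, not from McAfee, Microsoft or anyone in this thread, that applies that distinction to connection logs. The one-line-per-connection log format, the 60-second window between a 135 hit and a 4444 connection from the same source, and the threshold of five distinct 135 targets are assumptions made for the example; the sample log is constructed, not a real capture.

```python
"""Triage connection logs into hosts that were only attacked on TCP/135
(RPC crash / shutdown symptoms) and hosts that look infected (scanning
135 across the subnet, or exploited and then connected to on 4444).
Added example; the log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

RPC_PORT = 135          # DCOM RPC endpoint the MS03-026 exploit targets
SHELL_PORT = 4444       # remote shell the exploit opens on the victim
SHELL_WINDOW = timedelta(seconds=60)  # assumed: max gap between 135 hit and 4444 use
SCAN_THRESHOLD = 5      # assumed: distinct 135 targets that count as worm scanning

# Constructed sample log, one connection per line: "time src dst proto dport".
SAMPLE_LOG = """\
2003-08-13T16:20:01 10.0.0.9  10.0.0.17 TCP 135
2003-08-13T16:20:03 10.0.0.9  10.0.0.17 TCP 4444
2003-08-13T16:20:10 10.0.0.9  10.0.0.18 TCP 135
2003-08-13T16:20:11 10.0.0.9  10.0.0.19 TCP 135
2003-08-13T16:20:12 10.0.0.9  10.0.0.20 TCP 135
2003-08-13T16:20:13 10.0.0.9  10.0.0.21 TCP 135
2003-08-13T16:20:14 10.0.0.9  10.0.0.22 TCP 135
2003-08-13T16:25:00 10.0.0.17 10.0.0.30 TCP 135
2003-08-13T16:25:01 10.0.0.17 10.0.0.31 TCP 135
2003-08-13T16:25:02 10.0.0.17 10.0.0.32 TCP 135
2003-08-13T16:25:03 10.0.0.17 10.0.0.33 TCP 135
2003-08-13T16:25:04 10.0.0.17 10.0.0.34 TCP 135
2003-08-13T16:30:00 10.0.0.18 10.0.0.40 TCP 80
2003-08-13T16:40:00 10.0.0.9  10.0.0.19 TCP 4444
"""


def parse_log(text):
    """Return a list of (timestamp, src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, proto, int(dport)))
    return flows


def hosts_hit_on_rpc(flows):
    """Every destination that received TCP/135: candidates for the
    RPC-crash symptoms, whether or not the worm ever landed."""
    return {dst for _, _, dst, proto, dport in flows
            if proto == "TCP" and dport == RPC_PORT}


def hosts_with_shell_follow_up(flows, window=SHELL_WINDOW):
    """Destinations that got 135 from a source and then 4444 from the same
    source within `window`: the exploit succeeded and the shell was used.
    A 4444 connection with no recent 135 from that source is ignored."""
    last_rpc = {}
    exploited = set()
    for ts, src, dst, proto, dport in sorted(flows):
        if proto != "TCP":
            continue
        if dport == RPC_PORT:
            last_rpc[(src, dst)] = ts
        elif dport == SHELL_PORT:
            t0 = last_rpc.get((src, dst))
            if t0 is not None and timedelta(0) <= ts - t0 <= window:
                exploited.add(dst)
    return exploited


def scanning_sources(flows, threshold=SCAN_THRESHOLD):
    """Sources that initiated 135 connections to at least `threshold`
    distinct hosts: the behaviour of a machine running msblast.exe."""
    targets = defaultdict(set)
    for _, src, dst, proto, dport in flows:
        if proto == "TCP" and dport == RPC_PORT:
            targets[src].add(dst)
    return {src for src, hosts in targets.items() if len(hosts) >= threshold}


def triage(text):
    """Split hosts into 'infected' (needs removal) and 'attacked_only'
    (needs the MS03-026 patch and a reboot, nothing to remove)."""
    flows = parse_log(text)
    infected = scanning_sources(flows) | hosts_with_shell_follow_up(flows)
    attacked_only = hosts_hit_on_rpc(flows) - infected
    return {"infected": infected, "attacked_only": attacked_only}


if __name__ == "__main__":
    for label, hosts in triage(SAMPLE_LOG).items():
        print(label, sorted(hosts))
```

In the constructed log, 10.0.0.9 scans the subnet and gets a shell on 10.0.0.17 two seconds after the 135 hit; 10.0.0.17 then starts scanning itself, so both land in `infected`. The five other hosts 10.0.0.9 touched only on 135, and the five 10.0.0.17 touched, are `attacked_only`, which is the situation Nick and lucy describe: crashes and shutdown prompts, no msblast.exe to find. The late 4444 connection to 10.0.0.19 falls outside the window and is not treated as a successful exploit on its own; widen `SHELL_WINDOW` if your logs show slower follow-ups.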

Curtis Koenig [MSFT]
December 14th 03, 12:46 PM
Hi Nick,
The worm creates a key under the Run key called "windows auto update", not
blaster.exe. You will see msblast.exe or blast.exe as running processes in
Task Manager, though.

--
Curtis Koenig
Support Professional
Microsoft Clustering Technologies Support

Microsoft Certified Systems Engineer
Microsoft Certified Systems Engineer - Security

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit. Thanks!
--------------------
>From: "Nick" >
>Subject: Re: Blaster worm Question
>Date: Thu, 14 Aug 2003 13:20:20 -0400
>
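The removal procedure earlier in the thread (step 2) and the note just above between them name three host-side indicators: the "windows auto update" value under the Run key, MSBLAST.EXE in system32 plus its prefetch file, and msblast.exe or blast.exe as a running process. The following is an added example in Python, not Microsoft's tooling and not anything posted in this thread, that checks all three using only the indicators named here. The matching functions take collected state so they can be run and tested anywhere; `collect_live()` is an assumed helper that reads the Run key with `winreg` and the process list with `tasklist`, so it only works on Windows. A machine that was only hit over the network, which the McAfee description says is possible, produces no findings at all, which is what Nick and lucy observed.

```python
"""Host-side check for the Blaster artifacts named in this thread.
Added example (not Microsoft's tooling); collect_live() is Windows only."""
import os
import subprocess
import sys
from typing import Callable, Dict, Iterable, List

# Indicators exactly as listed in the thread.
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "windows auto update"
WORM_IMAGES = {"msblast.exe", "blast.exe"}
FILE_INDICATORS = [
    r"C:\Windows\system32\MSBLAST.EXE",
    r"C:\Windows\prefetch\MSBLAST.EXE-1c3a3376.PIF",
]


def image_from_command(command: str) -> str:
    """Lower-cased file name of the program a Run value launches, for both
    the "C:\\path with spaces\\x.exe" /arg form and the bare path /arg form."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_run_values(run_values: Dict[str, str]) -> List[str]:
    """Flag the Run value by the name the worm uses and, separately, any
    value whose launched image is the worm binary, whatever it is called."""
    findings = []
    for name, command in run_values.items():
        image = image_from_command(command)
        if name.lower() == RUN_VALUE_NAME:
            findings.append(f"Run value '{name}' matches the worm's value name (runs {command})")
        elif image in WORM_IMAGES:
            findings.append(f"Run value '{name}' launches worm image {image}")
    return findings


def audit_files(exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Paths from the removal procedure that are present on disk."""
    return [path for path in FILE_INDICATORS if exists(path)]


def audit_processes(process_names: Iterable[str]) -> List[str]:
    """Running images matching the names said to show up in Task Manager."""
    return sorted({n.lower() for n in process_names if n.lower() in WORM_IMAGES})


def collect_live() -> tuple:
    """Windows only (assumed helper): read HKLM Run values and the process list."""
    import winreg  # only importable on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once there are no more values
                break
            values[name] = str(data)
            index += 1
    out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                         capture_output=True, text=True, check=False).stdout
    # CSV rows look like "image name","PID",...; the first field is the image.
    procs = [line.split('","')[0].strip('"') for line in out.splitlines() if line.strip()]
    return values, procs


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host being checked")
    run_values, procs = collect_live()
    for finding in audit_run_values(run_values) + audit_files() + audit_processes(procs):
        print("FOUND:", finding)
    else:
        print("no Blaster artifacts found")
```

Run it from Safe Mode with the cable unplugged, as step 1 of the procedure says, and treat any finding as a reason to follow the rest of the steps. An empty result means the worm did not land, not that the machine is safe: it still needs the MS03-026 patch and a reboot, or the next infected neighbour will crash RPC again.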
