MSBlast W32.Blaster.Worm / LovSan :: removal instructions

OK. Thanks.

What strange things are going on, Suz? Open up another thread and describe them so we can help ya.

It's not that bad, thanks for the offer. The weird stuff may have just originated from a specific website (NEA -- can't get some pages to open, am getting weird messages [no, I don't remember wording] when I try to open and/ or print.) I was mostly worried in the context of this worm, whether a few strange things (a few more in addition to the above) indicated that the worm was worming around, and if I should follow instructions here. If it's not possible that it is that worm, I would prefer not to go to the trouble. My virus definitions are all up to date, patches patched, etc.

So, I got symantec to run and it found no msblast.exe. I guess you're right , craven, it's not my issue. I went to windows (seems to be a windows or DSL problem maybe?) to see about downloading updates (it's been a while) and I can't get them to load. The whole process just dies in the water at one step (after I set it up and pick through the updates) when I hit install and nothing happens.

I'll post this here because I can't cut and paste it back over to my other thread. But, I guess my problem should stay off this thread....

soz,

Because of the number of computers and servers affected you might see strange internet behavior without having been exploited. Maybe the site you mention was on a windows box.

I am currently investigating reports of this worm causing DoS attacks on linux servers that have nothing to do with windowsupdates.

lil'k,

can you summarize your problems for me? I have been pretty distracted with this worm (the vice president of the company I work for got this over at his home in Houston and I had to help him and others get rid of it manually).

NOTE: Remember that the windows updates site id the target of a distributed denial of service attack by all of these infected servers and computers. I have not been personally following their success at filyering the malicious traffic but I have had reports of intermittent problems with windows updates.

They are probably filtering traffic at their routers like mad and might even have added extra hardware to deal with the DDoS attack but even the most powerful and secure configurations on the internet are vulnerable to temorary difficulties resulting from a strong DDoS attack. I remember Yahoo being taken down for hours from one such attack that was actually less sofisticated than this one.

So your troubles with windows updates *might* be on their end. Though if the problem was only at the install part of the update then it's possible that it is isndeed on yours.

Damn, yer good...

Of course, thems of us who get dead computers might just drop out of your personal playground...

The lesson learned is: visit the windows update site regularly and install all critical updates immediately! alternatively, use the automatic windows update feature to automatically download all critical updates, or at least subscribe to microsoft's security notification service at http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/notify.asp.

The only reason why worms like this one can propagate is due to user ignorance. properly patched systems are not affected.

LOL Seal!! Took me a while to get what you meant but twas worth the effort.

MS Blast
Lord, lordy, Craven, but you have put in a lot of work! Everyone should be mighty grateful!

If my computer shows no symptoms, and I keep my AV up to date, I imagine I'm okay. But how can I tell for sure whether my computer has been infected?

You can look for the registry key. But really, if your AV definistions are up to date. Your Windows is patched and if a virus scan finds nothing then don't worry.

I am not 100% sure but I do not think this worm has an incubation phase, so if you aren't being shut down every 60 seconds you probably don't have this.

Tom, it isn't a matter of just keeping your anti-virus program up to date. Some of these viruses and worms are generated faster then the AV companies can respond to them. It is a good idea to follow the same practice in regard to your computer's operating system by keeping it up to date.

Many bootlegged copies of the Windows operating systems are out there and are the most vulnerable because they are unable to be updated by the Windows Update website.

As for being reassured that your computer is not infected, what I do is keep my AV up to date, purchase the latest versions of it as they become available, set the AV to constantly scan everything and once a month have the AV do a manual full scan of my computer system. If I am still not reassured I can always get a second opinion by going to a competitor's website and doing an online scan.

My best offense is my defense. I practice safe computing and in 10 years of internet use, I've been hit by a virus only once and that was my own fault. Money was tight and I didn't update the virus program when the version expired and updated virus signature files were no longer being issued.

MSBlast
Several months ago I posted a question about Norton Firewall vs XP'own version. Just for curiosity, I looked up the post, and followed Craven's instructions to access it. To my horror I found that although I had enabled it, back then, it wasn't enabled any more! How or why this happened I don't know, except that perhaps a malign spirit got into my hard drive.

Seriously, I can't figure out what caused this, but I guess I've been lucky, because I haven't had any problems. I think I'll check it out every so often, in case this disablement happens again.

Le'me tell you Tomkitten, I believe every word of it.

Firewall
Tom:

I tried both on XP firewall and found it really didn't do the trick and so I went the way of Norton and was quite satified with it..

When it came up for renewal, I decided to check around for something else and found Sygate Personal Firewall.. It is free for personal use, easy to setup and gives me total stealth protection.

SyGate Firewall

Murray

MSBlast
Thanks, Murray. I'm interested to learn that you found Norton compatible with XP. Even with disabling the XP firewall I couldn't get the Norton to work, although it worked fine on Windows Me.

This is so &^$*%#*d up! It said I didn't have any viruses over and over and over again. I checked with Norton and with pcpitstop.com. But, I finally got into my log records and there it was. The blasted blaster.worm. So, I ran the worm removal tool and after quite some time it finished saying I didn't have the virus. So, it's gone? Deleted? And the problems I have now are residual?

Whooooray! Hope that does it for you.

As a tip, if you've saved any files on floppy disks be sure you run your anti-virus program on those before accessing the files there or you'll reinfect your PC.

I'm not sure if you have the same worries with CD's. I've never used them as a storage media. I'm from the world of 8" floppies and haven't taken the time yet how to use my CD write software yet.

I'm sure one of the tech freaks can answer that one for you.

Oh....and now run, do not walk to the Windows Update site and update your Windows operating system!

Ha! As soon as I realized windows and norton were working for me I did everything I could with them (I think). I did load all (but 3 that won't load) of the updates they laid out for me. I will reboot with the whole mess of them before going to bed (oy, it's late!).

Now, to see if these dloads have helped.......

Looks like that msblast can show different symptoms on different machines. I just got a report that it had been removed and have installed windows firewall. Kind of holding my breath, but that little countdown screen is way overdue compared to the last couple of days.

Will git all patches tomorrow (yeah, I know) as i'm on a shorter than ususal fuse tonight.

By the way, Symantic says XP users must disable System Restore for the removal tool to work. I was not able to do that, though I don't recall the verbage explaining why I couldn't. In any case, I got a good report, and haven't been shut down yet.

Still holding breath. Becoming bluer than blatham's old avatar.

Thanks for all the help Craven, Monger, and MurrayS.