MSBlast W32.Blaster.Worm / LovSan :: removal instructions

 
 
roger
 
  1  
Reply Wed 13 Aug, 2003 10:46 pm
Oh, good advice on checking the files saved on floppies, Butrflynet.
0 Replies
 
Butrflynet
 
  1  
Reply Wed 13 Aug, 2003 11:13 pm
littlek wrote:
Ha! As soon as I realized windows and norton were working for me I did everything I could with them (I think). I did load all (but 3 that won't load) of the updates they laid out for me. I will reboot with the whole mess of them before going to bed (oy, it's late!).

Now, to see if these dloads have helped.......


Try those 3 that wouldn't load after you reboot, Lil'K. Those are probably the most important ones and they won't download until they see the needed conditions (previously required updates) on your PC.

In other words, the updates don't let you skip ahead to the most current update, you have to download them all in order and reboot in between so the PC displays those newer files to give the signal to continue with the next download.
0 Replies
 
Craven de Kere
 
  1  
Reply Wed 13 Aug, 2003 11:29 pm
Re: MSBlast
Tomkitten wrote:
Thanks, Murray. I'm interested to learn that you found Norton compatible with XP. Even with disabling the XP firewall I couldn't get the Norton to work, although it worked fine on Windows Me. Rolling Eyes


XP requires newer versions of Norton AV and I am quite sure that their firewall must be a newer version as well.
0 Replies
 
Craven de Kere
 
  1  
Reply Wed 13 Aug, 2003 11:31 pm
lil'k,

I'd be interested in seeing a copy of the logs. If blaster is evolving and attacking AV programs I'm very interested.
0 Replies
 
Monger
 
  1  
Reply Thu 14 Aug, 2003 06:50 am
roger wrote:
By the way, Symantec says XP users must disable System Restore for the removal tool to work. I was not able to do that, though I don't recall the verbiage explaining why I couldn't.


They recommend turning off System Restore before dealing with the worm because System Restore might back it up, and as a result it has the potential of restoring infected files later on. Antivirus programs are not able to remove threats from the System Restore folder.
0 Replies
 
Craven de Kere
 
  1  
Reply Thu 14 Aug, 2003 06:54 am
I'm unsure if the worm tries to restore. That's one doubt I have.

INFECTED USERS: do not get online this weekend. You will be party to a DDoS attack if you do. The worm goes off (starts the attack) on the 16th.
0 Replies
 
Monger
 
  1  
Reply Thu 14 Aug, 2003 06:59 am
Craven de Kere wrote:
I'm unsure if the worm tries to restore. That's one doubt I have.

Well yeah if the worm was still around to run programs it would have no need for system restore. Oh wells, it's just something Symantec recommends these days.
0 Replies
 
Craven de Kere
 
  1  
Reply Thu 14 Aug, 2003 07:06 am
Yeah, but I saw one worm that actually used the system restore process. I doubt this one does because of the level of access it gets but some less powerful worms have used that feature.

None very successfully.
0 Replies
 
littlek
 
  1  
Reply Thu 14 Aug, 2003 10:57 am
Craven, should I be able to copy those files? I can't. I can C&P otherwise, but not those.
0 Replies
 
Craven de Kere
 
  1  
Reply Thu 14 Aug, 2003 10:59 am
Which files lil'k? I dinna sleep last night and am zombie-like.
0 Replies
 
littlek
 
  1  
Reply Thu 14 Aug, 2003 11:00 am
The A-V log report says:

file c:\WINNT\system32\TFTP986 is infected with the W32.Blaster.Worm Virus. Unable to repair this file.

file c:\WINNT\system32\TFTP986 is infected with the W32.Blaster.Worm Virus. Access to the file was denied.

You asked above about the antivirus log reports.
0 Replies
 
Craven de Kere
 
  1  
Reply Thu 14 Aug, 2003 11:02 am
Did you use the removal tool? Or did you do the manual steps?
0 Replies
 
littlek
 
  1  
Reply Thu 14 Aug, 2003 11:06 am
I used the removal tool but it said the virus wasn't there (and applied the patch). I ran Norton virus check about 10 times after that initial check and they came up blank. I also went to www.pcpitstop.com and ran a virus scan there that came up blank.

I managed to get to the windows update site (I ran windows 2000 setup many times and it did disk checks, maybe I fine-tuned the machine into submission?) and download files needed for my system. But, there were 2 or 3 that didn't load. So far, my computer seems to be running perfectly.

Did that answer your Q?
0 Replies
 
Craven de Kere
 
  1  
Reply Thu 14 Aug, 2003 11:07 am
Yeah, sounds like the antivirus caught it and deleted it. I hope that's the end of that story.
0 Replies
 
littlek
 
  1  
Reply Thu 14 Aug, 2003 11:08 am
me too!
0 Replies
 
littlek
 
  1  
Reply Thu 14 Aug, 2003 11:09 am
ok, I have to go check on my bro's cat - - - see yas later!
0 Replies
 
Craven de Kere
 
  1  
Reply Sat 16 Aug, 2003 07:32 pm
Funny bit of news:

The author of the worm made a mistake and wrote it to DDoS windowsupdates.com. I had been wondering how MS would deal with this and I wondered if the author was clever enough to target the subdomain of microsoft.com that the updates are hosted under.

Turns out the worm didn't take this into consideration and was only attacking windowsupdates.com.

MS just unparked that domain and directed it at another site (a text jokes site) and the DDoS was thwarted.

I'm not sure if the latest variants of the worm corrected this. In any case there are at least two variants of this worm that were released so update your definitions again if you haven't done so since you got the definitions with the original worm.
0 Replies
 
Butrflynet
 
  1  
Reply Sat 16 Aug, 2003 07:38 pm
I've been keeping an eye on The Internet Health Report for most of the day and there has been little to no hiccup at all.

Bet the gurus at MS Land are patting themselves on the back for that long ago decision to just use a forwarding service for the change in Windows update sites.
0 Replies
 
Craven de Kere
 
  1  
Reply Sat 16 Aug, 2003 07:41 pm
Well it shouldn't have caused much in the way of problems anyway. They'd just have to have had a few guys tinkering with the routers for the weekend.

Since they had almost a week to prepare it was probably no huge threat.
0 Replies
 
littlek
 
  1  
Reply Sun 17 Aug, 2003 07:49 am
I actually stayed off the computer for over 24 hours! It was like quitting smoking. Almost.
0 Replies
 
 
