MSBlast W32.Blaster.Worm / LovSan :: removal instructions

hehehe ... BTW, I fixed your broken smilie, there, boss ... don't wanna see you embarrassed. Guess I'm not the only one who live-types into Quick Reply instead of using "Post Reply" with all its handy little quicktools. and doesn't take the time to Preview. I prolly spend almost as much time editing my own posts as most folks spend making original posts ... and I only go after the really embarrassing stuff, like broken links or faulty BB Code. I usually just live with the typos and misspellings.

Edit to add the original reason for this post (Go figure, huh ):

http://zdnet.com.com/2100-1105_2-5065096.html


The patch for this has been available almost a month now, and I'm willing to bet most folks have ignored it. If you don't keep updated, you get what you ask for.

Very true. I saw a big network infected with this one today. Noton calls it W32.Welchia.Worm, McAffe says W32/Nachi.worm. It's pretty nasty. The amount of traffic it generates basically shut off the network in a denial of service against itself. I've seen news that it's crashing some routers. Symantec released new virus definitions for it today which detect it but simply didn't work for removing it. Fortunately, McAffe just updated Stinger (it's free & gets rid of 28 big viruses including Blaster) which gets rid of this one very easily.

Thanks for the update, Monger. One of my idiot clients heard about it and went out and found it yesterday afternoon ("just to be safe" )... her panic call came about 10 pm local. I was up untill damn near dawn digging it out of her totally snarled network manually, one machine at a time, 'cause my own collection of quick fixes didna work. Good to know about Stinger ... woulda saved me some grief if I'd bothered to try it. Oh, well ... now I know. I suspect I'll have opportunity to give it a try. At least I convinced her to buy a
HotBrick.

Suspicious E-Mail
I just recieved an e-mail from someone I know that contained fotos. I realized after opening it (the photos were on the e-mail not an attachment) that it was a hoax. I deleted it then a moment later went to "trash" and it wasn't there. I've had my computer for one day! How can I determine whether I've been infected by a virus or worm?

The best way to determine if you have a virus has always been to run a good virus scanner. (there are some free online ones here: Free browser-based PC checks)

Thank you!
Thank you for posting this fix...I ended up with this stupid worm last night. I ran the removal tool and checked the registry afterwards. It seems to have removed everything.

mblast
hi,
i downloaded mblast removal tool and installed the needed patch today
the removal tool cannot find the virus and i still have the same rpc problem!
please help me

sarman,

Are you sure that your infection isn't the sasser virus?

See here: http://www.able2know.com/forums/viewtopic.php?t=24107

well, this is it!
thank you very much...

No problem, if you have other questions let us know.

i have the svchost.exe application thing running in my task manager. i have about 5 or 6 of them running at the same time. I have been told that this is the msblast or welchia worm (are they the same?). I have also been told that it may also be a required system process. Is there a difference between Svchost.exe and svchost.exe?
Which one is the good one and which one is the bad one?

Hi terence638l welcome to A2K,
The answer to your question is Yes, you need to run a few tools to be sure,
Please see this Post Post a HJT log in a new thread please,

How do you tell?


Generally, how can you tell when and which worm/virus/trojan/spyware that you have?

Can you tell just by finding the weird unknown apps running in the task manager?

Because we posted at the same time
Please see my earlier response

I had a really bad problem with MSblast. I found out I had it when I was trying to set up a network. It was too late when I found it though, my computer kept reseting and I had to go into safe mode to try to get it out. Unfortunatly everything I tried didn't work; I eventually had to reformat my hard drive .
I also have the svchost.exe that's running, but I dont know what it is.

svchost.exe is a normal system process under most conditions, so its presence alone shouldn't indicate anything other than a normal system process running.

I cant get anything to work in normal mode. And when in safe mode (that works fine), none of the removal programs find the virus. Please help!

I have been finding this writeup show up in diverse places. Today I was searching for something I'd remembered writing under my old username and accidentally discovered that this thread was cited as a reference in the book Secure Coding in C and C++. That put a smile on my face and it always makes my day when I accidentally find one of my old contributions of code or research being used somewhere.

Sweet.

And, I just found it again today. Robert, I think you are headed for immortality!