4
   

MSBlast W32.Blaster.Worm / LovSan :: removal instructions

 
 
timberlandko
 
  2  
Reply Mon 18 Aug, 2003 09:10 pm
hehehe ... BTW, I fixed your broken smilie, there, boss ... don't wanna see you embarrassed. Guess I'm not the only one who live-types into Quick Reply instead of using "Post Reply" with all its handy little quicktools. and doesn't take the time to Preview. I prolly spend almost as much time editing my own posts as most folks spend making original posts ... and I only go after the really embarrassing stuff, like broken links or faulty BB Code. I usually just live with the typos and misspellings.

Edit to add the original reason for this post (Go figure, huh Shocked ):

http://zdnet.com.com/2100-1105_2-5065096.html

Quote:
In MSBlast's wake, a DirectX threat[/size]
By Munir Kotadia
Special to ZDNet
August 18, 2003, 11:07 AM PT
URL: http://zdnet.com.com/2100-1105-5065096.html
Microsoft seems to have survived the MSBlast worm attack, but now the company is urging Windows users to patch their systems against a different, and potentially more dangerous, vulnerability in its software.

The patch for this has been available almost a month now, and I'm willing to bet most folks have ignored it. If you don't keep updated, you get what you ask for.
0 Replies
 
Monger
 
  2  
Reply Tue 19 Aug, 2003 06:43 am
timberlandko wrote:
Quote:
New MSBlast variant plugs hole
A new worm comes with an odd twist: It applies a patch for the vulnerability that it and other MSBlast worms use to infect Windows systems.


Even if its well intentioned, its still an exploit, and likely to create more problems than it solves.


Very true. I saw a big network infected with this one today. Noton calls it W32.Welchia.Worm, McAffe says W32/Nachi.worm. It's pretty nasty. The amount of traffic it generates basically shut off the network in a denial of service against itself. I've seen news that it's crashing some routers. Symantec released new virus definitions for it today which detect it but simply didn't work for removing it. Fortunately, McAffe just updated Stinger (it's free & gets rid of 28 big viruses including Blaster) which gets rid of this one very easily.
0 Replies
 
timberlandko
 
  2  
Reply Tue 19 Aug, 2003 08:11 am
Thanks for the update, Monger. One of my idiot clients heard about it and went out and found it yesterday afternoon ("just to be safe" Rolling Eyes Shocked Rolling Eyes )... her panic call came about 10 pm local. I was up untill damn near dawn digging it out of her totally snarled network manually, one machine at a time, 'cause my own collection of quick fixes didna work. Good to know about Stinger ... woulda saved me some grief if I'd bothered to try it. Oh, well ... now I know. I suspect I'll have opportunity to give it a try. At least I convinced her to buy a
HotBrick.
0 Replies
 
Pitter
 
  1  
Reply Sun 2 Nov, 2003 08:28 am
Suspicious E-Mail
I just recieved an e-mail from someone I know that contained fotos. I realized after opening it (the photos were on the e-mail not an attachment) that it was a hoax. I deleted it then a moment later went to "trash" and it wasn't there. I've had my computer for one day! How can I determine whether I've been infected by a virus or worm?
0 Replies
 
Monger
 
  2  
Reply Sun 2 Nov, 2003 10:09 am
The best way to determine if you have a virus has always been to run a good virus scanner. (there are some free online ones here: Free browser-based PC checks)
0 Replies
 
Mari
 
  1  
Reply Thu 15 Jan, 2004 04:00 pm
Thank you!
Thank you for posting this fix...I ended up with this stupid worm last night. I ran the removal tool and checked the registry afterwards. It seems to have removed everything. Smile
0 Replies
 
sarman
 
  1  
Reply Sat 15 May, 2004 12:53 pm
mblast
hi,
i downloaded mblast removal tool and installed the needed patch today
the removal tool cannot find the virus and i still have the same rpc problem!
please help me
0 Replies
 
Craven de Kere
 
  1  
Reply Sat 15 May, 2004 05:16 pm
sarman,

Are you sure that your infection isn't the sasser virus?

See here: http://www.able2know.com/forums/viewtopic.php?t=24107
0 Replies
 
sarman
 
  1  
Reply Sun 16 May, 2004 11:18 am
well, this is it!
thank you very much...
0 Replies
 
Craven de Kere
 
  1  
Reply Mon 17 May, 2004 11:48 am
No problem, if you have other questions let us know.
0 Replies
 
terence638l
 
  1  
Reply Sun 12 Dec, 2004 09:04 am
i have the svchost.exe application thing running in my task manager. i have about 5 or 6 of them running at the same time. I have been told that this is the msblast or welchia worm (are they the same?). I have also been told that it may also be a required system process. Is there a difference between Svchost.exe and svchost.exe?
Which one is the good one and which one is the bad one?
0 Replies
 
Don77
 
  2  
Reply Sun 12 Dec, 2004 09:11 am
Hi terence638l welcome to A2K,
The answer to your question is Yes, you need to run a few tools to be sure,
Please see this Post Post a HJT log in a new thread please,
0 Replies
 
terence638l
 
  1  
Reply Sun 12 Dec, 2004 09:11 am
How do you tell?
Craven de Kere wrote:
sarman,

Are you sure that your infection isn't the sasser virus?

See here: http://www.able2know.com/forums/viewtopic.php?t=24107


Generally, how can you tell when and which worm/virus/trojan/spyware that you have?

Can you tell just by finding the weird unknown apps running in the task manager?
0 Replies
 
Don77
 
  1  
Reply Sun 12 Dec, 2004 09:13 am
Because we posted at the same time Laughing
Please see my earlier response
0 Replies
 
MiTHoS
 
  1  
Reply Fri 15 Apr, 2005 08:28 am
I had a really bad problem with MSblast. I found out I had it when I was trying to set up a network. It was too late when I found it though, my computer kept reseting and I had to go into safe mode to try to get it out. Unfortunatly everything I tried didn't work; I eventually had to reformat my hard drive Sad .
I also have the svchost.exe that's running, but I dont know what it is.
0 Replies
 
Craven de Kere
 
  1  
Reply Wed 25 Apr, 2007 04:07 pm
svchost.exe is a normal system process under most conditions, so its presence alone shouldn't indicate anything other than a normal system process running.
0 Replies
 
kidreal
 
  1  
Reply Thu 26 May, 2011 07:11 pm
@Craven de Kere,
I cant get anything to work in normal mode. And when in safe mode (that works fine), none of the removal programs find the virus. Please help!
0 Replies
 
Robert Gentel
 
  4  
Reply Sun 23 Oct, 2011 12:13 pm
@Craven de Kere,
I have been finding this writeup show up in diverse places. Today I was searching for something I'd remembered writing under my old username and accidentally discovered that this thread was cited as a reference in the book Secure Coding in C and C++. That put a smile on my face and it always makes my day when I accidentally find one of my old contributions of code or research being used somewhere.

Quote:
[de Kere 03] de Kere, Craven. 'MSBlast' / LovSan Write up. http://www.able2know.com/forums/about10489.html (2003).
dlowan
 
  1  
Reply Sun 23 Oct, 2011 02:43 pm
@Robert Gentel,
Sweet.
0 Replies
 
BillW
 
  1  
Reply Sun 13 Jun, 2021 10:35 pm
@Robert Gentel,
And, I just found it again today. Robert, I think you are headed for immortality!
0 Replies
 
 

Related Topics

 
Copyright © 2024 MadLab, LLC :: Terms of Service :: Privacy Policy :: Page generated in 0.07 seconds on 12/22/2024 at 03:30:54