: Someone make this sticky and change the title to something appropriate


nakona
08-12-2003, 06:29 AM
IF YOU GET A MESSAGE ON YOUR COMPUTER THAT LOOKS LIKE THIS YOU ARE HOSED:

http://www.thefearless.net/zatrix/temp.gif

THIS IS AN EXPLOIT THAT USES THE WINDOWS REMOTE CALL PROCESS. YOU GET IT BY HAVING A COMPUTER DIRECTLY ON THE INTERNET WITHOUT A FIREWALL OR ROUTER.

THE TROJAN GIVES AN ATTACKER FULL ROOT ACCESS TO YOUR MACHINE IN THE FORM OF A C:> PROMPT AND HE WILL ACTUALLY HAVE MORE POWER OVER YOUR MACHINE THAN YOU DO.

TO FIX:

Disconnect your machine from the internet.
Back up anything you want to save, such as Word files, Pictures, whatever...
Reformat your hard drive and do a fresh install.
And yes, I'm serious.

When you are done, do the following:

1) From Start menu click RUN.

2) Type in regedit

3) Double click HKEY_LOCAL_MACHINE

4) Double click Software

5) Double click Microsoft

6) Click on OLE in the left section of the window and on the right section you will see something that says DCOM.

7) Double click the icon for DCOM and a popup window will appear. The letter "Y" will be there. Change it to an "N" and click OK.

8) Close the window. Reconnect to the internet and immediately click the Start menu and choose Windows Update. Follow the instructions and keep running update until the scanner comes up with no more critical updates.

Now, either disconnect from the internet again or shut your computer off. Go to whatever computer store you have locally and buy a Netgear WGR614. I am specifically recommending that router for reasons I won't bore you with.
Personally, I use Cisco equipment, but I'm a geek.

In the future, either run Windows Update once a day or set it up for automatic reminders. Just run a search on your machine for "automatic update" and it'll guide you through it.

Also, if you do ANY file sharing at all, which you should NOT because it's not safe, get yourself a virus program and check for updated virus files EVERY time you want to download music, BEFORE you start downloading.

Entropy
08-12-2003, 06:34 AM
Thanks Nakona... I was going to do the same thing in about five minutes.

I would like to add two things.

If you ever have a problem that seems strange and unexplainable, you should check for viruses and spyware as part of your troubleshooting.

Goto http://housecall.antivirus.com for viruses

(Click on the button that says continue without registering)

Goto http://www.safer-networking.org for spyware (Spybot)

and/or

http://www.lavasoftusa.com (Ad-Aware)

nakona
08-12-2003, 07:15 AM
By the way...

Do not think you are safe if you don't get one of those shutdown messages.

That's from the first generation exploit.

The code was changed a few days ago so that the RPC service does NOT shut down.

Both versions of this exploit are in the wild and it was ported to run on windows machines last week, so any AOL script kiddy can run it now.

DRM
08-12-2003, 07:20 AM
Is a full re-install the only way? Nothing infected here at work yet, and I am in the process of checking them all right now...

Scoutillac
08-12-2003, 07:21 AM
FUCK ME!!!!!! That is exactly what I got..FUCK FUCK FUCK!!!!!

Scoutillac
08-12-2003, 07:28 AM
Originally posted by nakona


TO FIX:

Disconnect your machine from the internet.
Back up anything you want to save, such as Word files, Pictures, whatever...
Reformat your hard drive and do a fresh install.
And yes, I'm serious.

OK, I have never reformatted a machine. Could you tell me how? I'm not a serious puter guy, I just know enough to be dangerous:D

nakona
08-12-2003, 07:34 AM
Stick your W2K or XP disk in your CD drive and restart.

During the startup process, before windows itself begins to load, there will be a message at the bottom of the screen regarding hitting any key to boot from CD.

Do that.

Then follow the instructions for a new/fresh install.

Scoutillac
08-12-2003, 07:37 AM
That simple huh? cool thanks. Anything else I need to know? My wife works from home so I have to get this fixed as soon as possible.

SanDiegoCJ
08-12-2003, 07:40 AM
Originally posted by nakona
Stick your W2K or XP disk in your CD drive and restart.

During the startup process, before windows itself begins to load, there will be a message at the bottom of the screen regarding hitting any key to boot from CD.

Do that.

Then follow the instructions for a new/fresh install.


You mention W2K and XP. The pic shows....... NT Authority/System.
Does this just apply to those OS's ????? What about W98SE ????

liquidkool
08-12-2003, 07:41 AM
what about this. I think it came from another thread. Is a reformat really necessary with this removal tool?

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

ShawnM
08-12-2003, 07:43 AM
Try this before a re-format!! I accept no responsibility for this suggestion.

I think these are the final steps

We are looking into whether disabling dcom will have any negative effects on other programs





Step 1:

If you are not behind a router please enable the Windows XP Firewall.

a. Start, Control Panel, Network Connections

b. Click the Properties button.

c. Select the Advanced tab.

d. Check the Internet Connection Firewall box.



Step 2:

End task on msblast.exe

a. Hold down Ctrl+Alt+Delete (if Task manager does not appear click on the Task Manager button)

b. Under the processes tab right click msblast.exe and End Process Tree.

c. Repeat step b for all instances of msblast.exe



Step 3:

Disable DCOM

a. Run Dcomcnfg.exe.

b. Click on the Component Services node under Console Root.

c. Open the Computers sub-folder.

d. For the local computer, right click on My Computer and choose Properties.

e. For a remote computer, right click on the Computers folder and choose New then Computer. Enter the computer name. Right click on that computer name and choose Properties.

f. Choose the Default Properties tab.

g. Clear the Enable Distributed COM on this Computer check box.

h. If you will be setting more properties for the machine, click the Apply button to enable (or disable) DCOM. Otherwise, click OK to apply the changes and exit Dcomcnfg.exe.



Step 4:

Delete the related registry key.

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.



For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).



a. Click Start, and then click Run. (The Run dialog box appears.)

b. Type (without quotes) "regedit", Then click OK. (The Registry Editor opens.)

c. Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

d. In the right pane, right click and delete the value:

"windows auto update"="msblast.exe"

e. Exit the Registry Editor.



Step 5:

Apply the Security Patch

A. Go to: http://support.microsoft.com/?kbid=823980

B. Download and apply the patch.



Step 6:

Search and delete files called msblast.exe

1. Go to Start, search and Choose for files and folders.

2. Search for files called (without the quotations) "msblast.exe"

3. Look in the Hard Drive. (Usually it's "c:") Make sure that you have selected Search Hidden files and folders under the More Advanced Options.

4. Click on Search.

5. When the Find results are displayed, right click on the file name of the file that it has found.

6. Choose Delete. Do so with every file called specifically msblast.exe

7. Empty your recycle bin.



Step 7:

Update your virus scanning software and run a scan of your system.



Step 8:

Reboot the computer.



The best way to prevent such virus attacks in the future is to first always have your Anti-Virus software updated and second to regularly visit the Windows Update site and download any patches as they become available. For your convenience here is the link to the Windows Update site. www.windowsupdate.com
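The manual steps in the posts above (nakona's regedit change under HKLM\Software\Microsoft\OLE, and ShawnM's steps 1, 2, 3, 4 and 6) collected into one added PowerShell script. This is an example added to the thread, not code from either poster or from Microsoft. It assumes a current Windows host with PowerShell run as Administrator; PowerShell did not exist on the Windows 2000/XP machines this thread is about, where the same checks were tasklist/taskkill, reg.exe and a file search. The script only reports unless you pass -Remediate, and it does not apply the MS03-026 patch (KB823980), which is still ShawnM's step 5.

```powershell
# Added example: report (and optionally remove) the msblast.exe indicators
# described in this thread. Not from any post; assumes an elevated PowerShell
# session on a current Windows host. Indicators taken from the thread:
#   * a running process named msblast.exe
#   * HKLM\Software\Microsoft\Windows\CurrentVersion\Run,
#     value "windows auto update" = "msblast.exe"
#   * a file named msblast.exe anywhere on the system drive
#   * DCOM enabled: HKLM\Software\Microsoft\OLE, EnableDCOM = "Y"
param(
    [switch]$Remediate   # without this switch nothing is changed
)

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'windows auto update'
$oleKey   = 'HKLM:\SOFTWARE\Microsoft\OLE'
$findings = @()

# Step 1 (ShawnM): host firewall. XP's Internet Connection Firewall has no
# cmdlet; on a current host the equivalent is the built-in firewall profiles.
if ($Remediate) {
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
}

# Step 2 (ShawnM): kill every running msblast.exe.
$procs = Get-Process -Name 'msblast' -ErrorAction SilentlyContinue
if ($procs) {
    $findings += "running msblast.exe (PID $($procs.Id -join ','))"
    if ($Remediate) { $procs | Stop-Process -Force }
}

# Step 4 (ShawnM): the Run-key persistence value.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$runValue]) {
    $findings += "Run value '$runValue' = '$($run.$runValue)'"
    if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $runValue }
}

# Step 6 (ShawnM): search the whole system drive, hidden files included,
# exactly as the post's Search dialog instructions do. This can take a while.
$driveRoot = [System.IO.Path]::GetPathRoot($env:SystemRoot)   # e.g. C:\
$files = Get-ChildItem -Path $driveRoot -Filter 'msblast.exe' -Recurse -Force `
             -File -ErrorAction SilentlyContinue
foreach ($f in $files) {
    $findings += "file $($f.FullName)"
    if ($Remediate) { Remove-Item -LiteralPath $f.FullName -Force }
}

# nakona's regedit step / ShawnM step 3: disable DCOM. ShawnM's caveat applies:
# some software depends on DCOM, so report first and decide before changing it.
$ole = Get-ItemProperty -Path $oleKey -ErrorAction SilentlyContinue
if ($ole -and $ole.EnableDCOM -eq 'Y') {
    $findings += 'DCOM enabled (EnableDCOM = Y)'
    if ($Remediate) { Set-ItemProperty -Path $oleKey -Name 'EnableDCOM' -Value 'N' }
}

if ($findings.Count -eq 0) {
    Write-Output 'No msblast indicators found.'
} else {
    $mode = if ($Remediate) { 'remediated' } else { 'found (re-run with -Remediate to clean)' }
    Write-Output "Indicators ${mode}:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it once without -Remediate and read the report before cleaning, and reboot afterwards (ShawnM's step 8) so nothing keeps running from memory. Note that a clean report only means these specific indicators are absent; as nakona points out further down, it says nothing about what else may have been installed on a machine that was already exposed, and the RPC hole itself stays open until the patch is applied.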

nakona
08-12-2003, 07:45 AM
Originally posted by SanDiegoCJ



You mention W2K and XP. The pic shows....... NT Authority/System.
Does this just apply to those OS's ????? What about W98SE ????

The worm will RUN on win98, but it has to get there by different methods.

nakona
08-12-2003, 07:49 AM
Originally posted by liquidkool
what about this. I think it came from another thread. Is a reformat really necessary with this removal tool?

Let me put it to you this way...

If MY machine got rooted, I would re-format and re-install.

Why?

Because if your machine was rooted by a trojan looking to install a simple payload and move on, that "fix" that's been published will work.

But if it was rooted by a human, or a trojan with a different payload, you have no idea what the hacker may have installed and neither does anyone else.


This is very simple...

Are you absolutely certain that you would want to trust your computer, which you most likely do credit card and banking transactions over, once a criminal has had ROOT ACCESS and could have installed any program he wanted to?

4RnrRick
08-12-2003, 09:18 AM
I've also been hit by this "virus". Damn thing Sucks until I figured out what it was!!!!!!!

ShawnM
08-12-2003, 12:04 PM
btt :flipoff2:

TPIJeep
08-12-2003, 12:16 PM
What picture? I see only a red X. Somebody please repost it, I want to know what to look for!!!!!!!!! :confused:

JAG
08-12-2003, 01:38 PM
I haven't had that exact problem, but I have had 2 odd blue screens since this all started. I don't remember exactly what it said, but I think I remember something about RPC and at the bottom was something like "physical memory dump" and a timer or something.

Happened twice, but I havent had any problems since then.

Does this sound like it might be part of the same thing?

I shut down the DCOM thing when you first posted this.

animator
08-12-2003, 01:40 PM
Originally posted by TPIJeep
What picture? I see only a red X. Somebody please repost it, I want to know what to look for!!!!!!!!! :confused:

This error:

Screwzer
08-12-2003, 01:45 PM
IT is reworking every machine in the building (except my Mac of course:flipoff2: ). Must suck to be them... 5 guys, 250 computers.

My PC was getting an svchost.exe error. Don't know what it means, don't care... I got a Mac as backup!

Pavement Pounder83
08-12-2003, 02:29 PM
DAMNIT, is that what that damn thing is? I was on my bro's computer and it kept doing it. I was like whatever at first, then just gave up and was not going to deal with it. Oh well, looks like I got some work ahead of me.

Drew

WindRider
08-12-2003, 04:05 PM
BTT For all of those with computer troubles.

mtadams
08-12-2003, 05:55 PM
There is a fix available out there now, so y'all won't need to be reformatting (hopefully)... if I come across the actual fix file, I will post a link..

-Matt

dblue351
08-12-2003, 06:04 PM
FIX without rebooting (http://download.com.com/3000-2092-10219754.html?tag=lst-0-1)

Worked for me!

ShawnM
08-12-2003, 07:31 PM
Originally posted by mtadams
There is a fix available out there now, so y'all won't need to be reformatting (hopefully)... if I come across the actual fix file, I will post a link..

-Matt

Actually if you look up a few posts you'll see my post with a fix. We successfully did this on 11 machines today.

fj40john
08-12-2003, 07:59 PM
I'm running the removal tool even though I have no evidence of the worm. Thought it might be a good idea. :D

Travis Waldher
08-13-2003, 07:55 AM
Originally posted by mtadams
There is a fix available out there now, so y'all won't need to be reformatting (hopefully)... if I come across the actual fix file, I will post a link..

-Matt

*sigh* read nakona's post above.

Just because you got rid of THIS hack

DOES NOT mean someone DIDN'T leave another hole in to your computer.


Only 100% cure, reformat, reload.

nakona
08-13-2003, 09:45 AM
I was at a friend's machine last night.

He did NOT have the blaster worm, but he still got rooted and was having the crash problems.

So a Blaster removal tool wasn't going to help him.

Mr McGee
08-14-2003, 10:37 PM
TOP!!!