W32 Blaster (luvsan) Worm Virus


Bosco

A new big bad worm is out! The worm, dubbed LoveSan, Blaster, or MSBlaster, exploits a vulnerability in the Distributed Component Object service that is hosted by a Remote Procedure Call feature in Windows 2000 and Windows XP. Once it gets onto a vulnerable computer, the program downloads code from a previously infected machine that enables it to propagate itself. Then, it scans the Internet for other vulnerable machines and attacks them. In some cases, the worm crashes the victim machine, but does not infect it. The worm also appears to instruct the computer to launch a distributed denial of service (DDOS) attack on August 16 against a Microsoft Web site.

About the worm:

An infected computer has the key "windows auto update" in ..\CurrentVersion\Run in the registry, which points to the MSBLAST.EXE file (6176 bytes).

The worm contains some text:

I just want to say LOVE YOU SAN!!

billy gates why do you make this possible? Stop making money and fix your software

How do you fix this?

First, patch your system so you don't get the virus again!

Patches:

Windows XP

Windows 2000

Windows NT 4.0

More information on this patch, at: http://www.microsoft.com/technet/treeview/...in/MS03-026.asp

Removing the virus:

Download and run "FIXBLAST".exe to remove the MSBLAST.exe file, terminate the process and remove the registry keys added by the worm.

Reboot your PC.

If you DO have the virus, and the virus tries to shut down your computer, you may get a dialog that says your system is going to shut down in 60 sec. If that happens, type "shutdown /a" (without the quotes) at the Run command and that will abort the shutdown.

Firewall Protection

Here are some ports you can block on your router or firewall to quickly protect your machines:

TCP Port 135 "DCOM RPC Port" -- Used to access the RPC exploit

UDP Port 69 "TFTP" -- Used to Spread msblast.exe

TCP Port 4444 -- The worm uses this port to perform Denial of Service attacks against other computers.

Go to: \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

On the right side of the page, look for the "windows auto update" entry. If it's there, you should see it.

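The Run-key check described in the two posts above, as an added example that is not part of the original thread: Python that scans `reg query` output for the two indicators the first post gives (the "windows auto update" value name and the MSBLAST.EXE file name). The sample output, the other entry names and the function names are constructed for illustration.

```python
import re

# Indicators taken from the first post in this thread.
RUN_VALUE_NAME = "windows auto update"
WORM_FILE_RE = re.compile(r"(?<![\w.-])msblast\.exe(?![\w.-])", re.IGNORECASE)

# A value line is indented and looks like: <name> <REG_TYPE> <data>.
# Names may contain spaces, so split on the REG_* type token, not on whitespace.
VALUE_LINE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")

def parse_run_values(reg_output):
    """Return (name, type, data) for every value line in `reg query` output."""
    values = []
    for line in reg_output.splitlines():
        m = VALUE_LINE_RE.match(line)
        if m:
            values.append((m["name"].strip(), m["type"], m["data"].strip()))
    return values

def find_blaster_entries(reg_output):
    """Return (name, data, reasons) for Run entries matching either indicator."""
    findings = []
    for name, _type, data in parse_run_values(reg_output):
        reasons = []
        if name.lower() == RUN_VALUE_NAME:
            reasons.append("value name")
        if WORM_FILE_RE.search(data):
            reasons.append("file name")
        if reasons:
            findings.append((name, data, reasons))
    return findings

# Constructed sample of `reg query` output for the Run key (not from a real host).
SAMPLE = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    SoundMan\tREG_SZ\tSOUNDMAN.EXE\n"
    "    windows auto update\tREG_SZ\tmsblast.exe\n"
    "    Updater\tREG_SZ\t\"C:\\WINDOWS\\system32\\MSBLAST.EXE\" /s\n"
    "    Tool\tREG_SZ\tC:\\tools\\notmsblast.exe\n"
)

if __name__ == "__main__":
    for name, data, reasons in find_blaster_entries(SAMPLE):
        print(f"SUSPICIOUS Run entry {name!r} -> {data} (matched: {', '.join(reasons)})")
```

Matching on the file name as well as the value name catches an entry that was registered under a different name but still launches the same file.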

I have it on my computer, dang. Thanks, linux, for the link to this thread. I am running it all right now trying to fix it, getting off the net until I fix it so I don't help spread it. Got to fix 3 of my computers on my network now.....

About every 10 minutes we have had people bring in their computers with this virus to get fixed. I ended up getting pulled off the sales floor to help with the overflowing amount of computers in the tech room. Definitely one of the worst worms lately for sure.

Especially if they don't pay you, that sucks. Feels like you are just giving information and services away. I have done it way too many times and I think people started to take advantage that I would just do it for free every time they had a computer problem. You end up having no free time and no money to boot either.