PCHelper: Virus Alerts and Solutions

Welcome to the PCHelper Virus Alert site, which provides information about the latest virus threats affecting Windows-based desktop and server computer systems. The rapid rate at which new viruses are now infecting computers worldwide requires users and IT administrators to redouble their security efforts. The PCHelper VA provides news, tips, and solutions to combat the worst viruses.

Latest Virus Alert: W32.Blaster Worm

Warning Level: Medium-High (on watch)
Discovered: August 11, 2003
Other Aliases: Lovesan, msblast.exe, tftp, W32.Blaster.Worm (Symantec), W32/Lovsan.worm, Win32.Poza (CA), WORM_MSBLAST.A (Trend)
Vulnerable Systems: Windows XP Home, XP Professional, 2000 Professional, 2000 Server, NT
File Size: 6,176 bytes
Type: Virus-Worm
Targets: This threat exploits the MS03-026 vulnerability. The purpose of the virus is to spread to as many machines as possible. By exploiting an unpatched hole in Windows, the virus is able to execute without requiring any user action. The worm also creates a remote access point, allowing an attacker to run system commands at will.

When run, it scans a random Class-C subnet IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability on the systems it finds to create a remote shell on TCP port 4444. It then instructs the system to download the worm to the %WinDir%\system32 directory and execute it. (The target system is issued a TFTP command to download the worm from the infected host system [TFTP UDP port 69].)
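The propagation sequence above leaves a recognisable trail in network flow logs. The following is an added detection example, not part of the original alert: the record format, the sample addresses and the `SCAN_THRESHOLD` value are assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

SCAN_THRESHOLD = 10  # assumed: distinct TCP/135 targets in one /24 that count as a sweep

def sample_flows():
    # Constructed records, "epoch src dst proto dport" (hypothetical export format).
    rows = [f"{1000 + i} 10.0.5.9 192.168.7.{i} tcp 135" for i in range(1, 13)]
    rows += ["1020 10.0.5.9 192.168.7.4 tcp 4444",   # shell port on a probed host
             "1021 192.168.7.4 10.0.5.9 udp 69",     # that host fetches via TFTP
             "1030 10.0.5.20 192.168.7.8 tcp 135",   # single RPC connection
             "1031 10.0.5.21 10.0.5.20 udp 69"]      # unrelated TFTP transfer
    return "\n".join(rows)

def parse(text):
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, proto, dport = line.split()
            yield int(ts), src, dst, proto.lower(), int(dport)

def analyze(text):
    """Return (sweeping sources, hosts that completed the 135 -> 4444 -> TFTP chain)."""
    sweep = defaultdict(set)  # (src, /24) -> hosts probed on TCP/135
    stage = {}                # (infected host, target) -> furthest step observed
    for ts, src, dst, proto, dport in sorted(parse(text)):
        if proto == "tcp" and dport == 135:
            net = ip_network(f"{dst}/24", strict=False)
            sweep[(src, str(net))].add(dst)
            stage.setdefault((src, dst), 1)
        elif proto == "tcp" and dport == 4444 and stage.get((src, dst)) == 1:
            stage[(src, dst)] = 2
        elif proto == "udp" and dport == 69 and stage.get((dst, src)) == 2:
            stage[(dst, src)] = 3  # target pulls the worm back from the infected host
    scanners = sorted({s for (s, _), hosts in sweep.items() if len(hosts) >= SCAN_THRESHOLD})
    infected = sorted(t for (_, t), step in stage.items() if step == 3)
    return scanners, infected

if __name__ == "__main__":
    print(analyze(sample_flows()))
```

A host in the first list is sweeping a subnet on TCP port 135 and should be isolated; a host in the second list completed all three steps and should be treated as newly infected.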

Symptoms:
  • Presence of unusual TFTP* files
  • Presence of the file msblast.exe in the %WinDir%\system32 directory
  • Error messages about the RPC service failing
  • Unattended system rebooting
  • The worm randomly opens 20 sequential TCP ports for listening. This is a constantly revolving range (e.g. 2500-2520, 2501-2521, 2502-2522)
  • Inability to cut/paste
  • Inability to move icons
  • Add/Remove Programs list empty
  • DLL errors in most Microsoft Office programs
  • Generally slow or unresponsive system performance
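The block of sequential listening ports is the one symptom above that can be checked mechanically from `netstat -an` output. The following is an added example, not part of the original alert: the netstat text is constructed sample data, and the 20-port minimum is taken from the symptom description.

```python
import re

# Matches TCP rows in LISTENING state and captures the local port.
LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)

def sample_netstat(first):
    # Constructed output: ordinary listeners plus 20 sequential ports from `first`.
    rows = ["  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING",
            "  TCP    0.0.0.0:445     0.0.0.0:0    LISTENING",
            "  TCP    10.0.5.9:1033   10.0.5.1:80  ESTABLISHED"]
    rows += [f"  TCP    0.0.0.0:{p}    0.0.0.0:0    LISTENING"
             for p in range(first, first + 20)]
    return "\n".join(rows)

def listening_ports(netstat_text):
    return sorted({int(m.group(1)) for line in netstat_text.splitlines()
                   if (m := LISTEN.match(line))})

def sequential_blocks(ports, min_len=20):
    """Return (first, last) for each run of at least min_len consecutive ports."""
    blocks, start, prev = [], None, None
    for p in ports:
        if prev is None or p != prev + 1:
            if start is not None and prev - start + 1 >= min_len:
                blocks.append((start, prev))
            start = p
        prev = p
    if start is not None and prev - start + 1 >= min_len:
        blocks.append((start, prev))
    return blocks

def revolving_blocks(earlier, later, min_len=20):
    """Pair blocks from two snapshots that overlap but have moved."""
    a = sequential_blocks(listening_ports(earlier), min_len)
    b = sequential_blocks(listening_ports(later), min_len)
    return [(x, y) for x in a for y in b
            if x != y and x[0] <= y[1] and y[0] <= x[1]]

if __name__ == "__main__":
    print(revolving_blocks(sample_netstat(2500), sample_netstat(2501)))
```

Run it against two snapshots taken some time apart: a block that appears in both but has shifted matches the revolving range described in the symptom list.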
Solution: There are six steps to remove this worm:
  1. Disconnect from the Internet: If your computer is rebooting repeatedly, disconnect from the Internet. To disconnect your computer from the Internet, either unplug the phone cable that connects your PC to the phone line, or the network cable that connects the infected computer to a network appliance such as a hub, router or modem.

  2. Terminate the virus execution: This virus starts when Windows boots and runs hidden from the user. To end its activity:
    • Windows NT/XP/2000 users: Right-click on the clock at the bottom-right corner of the screen. Select "Task Manager...". Switch to the "Processes" tab. Locate the MSBlast.exe file name under "Image Name" and select it. Click "End Process".
    • Windows 9x/ME users: Hold down CTRL and ALT, and press DELETE to bring up the Task Manager screen. Locate the MSBlast.exe file name and select it. Click "End Task".

  3. Prevent it from reloading: NOTE: THIS STEP INVOLVES MODIFYING THE REGISTRY AND MAY CAUSE DAMAGE TO YOUR SYSTEM! A BACKUP OF THE REGISTRY IS RECOMMENDED.

    • Click the "Start" button, select "Run" and enter REGEDIT in the text box. Press "OK"
    • Navigate to the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" key.
    • Delete the "windows auto update" value.

  4. Install or start a firewall: Windows XP and 2003 Server users can enable Internet Connection Firewall which is included with Windows. All other system users must install a third-party firewall/security system available from such publishers as McAfee, Symantec/Norton, Tiny Software, Agnitum, ISS, and Kerio Technologies. OMIT also sells Norton and McAfee internet security software at low prices.

  5. Install the Microsoft Patch Update: If you have disconnected from the Internet, reboot and reconnect to the Internet before continuing. Download and install the security update addressed in Security Bulletin MS03-026 for the version of Windows that you are using from Windows Update.

  6. Use and update your anti-virus software: If you already have an anti-virus program installed, visit the application publisher to obtain the latest signature updates and/or specific virus removal tools such as Stinger or FixBlast.

    If you do not have an anti-virus program, downloading or purchasing one is imperative for safe Internet use.

Other Alerts & Fixes

W32.Welchia worm: Infects Windows XP/2000/2003/NT computers similar to the LovSan/W32.Blaster worm. View details.

W32.SobigF@mm virus: Meaner and faster than the W32.Blaster worm. View details.

Anti-Virus Tips

Preventing most virus infections begins with vigilance and common sense. Here is a list of some things to consider when surfing or emailing:

  1. Purchase and install a firewall program. A firewall provides first-line security to a computer or network. It does this by filtering specific IP addresses, subnet masks, or access ports. The W32.Blaster worm makes use of a vulnerability in a Windows port. This hole could be secured with a firewall.

  2. Purchase and install a recognised anti-virus program. Coupled with a good firewall program, an anti-virus utility stands watch for viruses, worms, Trojan Horses or other malicious files that might cause damage to your computer system.

  3. Keep both your firewall and anti-virus program updated. Owning and running them is not effective if they become outdated. Most security programs have built-in update tools.

  4. Do not open emails with suspicious subject lines or body text (the textual content of an email, not to be confused with attachments). Many viruses and worms are installed in .scr, .vbs, .doc, .pif or other attachments that are transmitted via emails with obscure subjects such as "Your application", "Virus patch available" or "Re: Re: New software". Better yet, if the email does not have any body text or comes from an unknown sender, delete it!

  5. Big note! No anti-virus program maker will email signature file updates. And Microsoft does not send out copies of the Windows Patch. If an email professes to have the solution and requires that you install an attachment or download a file, disregard it immediately.

  6. Empty your Recycle Bin, Temporary Internet Files folder and any temp folders frequently. Viruses love to sit in these locations. It's like having garbage lying around your living room. This tip is made even simpler if you employ the Scheduled Task tool or select "Empty Temporary Internet Files folder when browser is closed" option under "Advanced" in the Internet Options menu in Internet Explorer.

  7. Purchase a network router which acts like a hardware firewall for a local area network.



PCHelper is a trademark of OMIT, Inc.

Copyright © 1998. Office Mate International Technologies, Inc.
All rights reserved.
