
General Woundwort August 12th, 2003 12:47 PM

OT - Ding Dong, the Wicked Worm is dead...
 
Last night my computer started acting very strange. I'd log-on to my dial-up ISP, but within 2-5 minutes I'd get an error message saying "Windows XP will shut down in 1 minute due to a Remote Procedure Call failure". The computer then shuts down and restarts after 1 minute.

I have not downloaded any viruses to my knowledge. I do not use Microsoft Office for any e-mail or other things. I tried looking this error up in Google and got nowhere.

Any suggestions?

[ August 14, 2003, 02:52: Message edited by: General Woundwort ]

Arkcon August 12th, 2003 12:59 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
General, the symptom you describe has been reported elsewhere as a worm that's infecting Microsoft systems lately. Let me find some specific links for you however, meanwhile:

1). McAfee and Norton have updates to detect the worm, others may have it soon. Update and scan your system.

2). Microsoft had an update against the exploit available in July, download it to prevent further attacks.

[EDIT]
Ah yes, here's a slashdot story, full of techie info -- /. {link} someone mentions in the comments that the worm has problems infecting XP

[ August 12, 2003, 12:03: Message edited by: Arkcon ]

Richard August 12th, 2003 02:26 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
To be honest I would rebuild your system at this point, there is no telling how many secondary packages it has dropped off.

At my full time job we have been lucky so far, but some of our other business units screwed up big time. Our exchange team is still having email problems this morning.

General Woundwort August 12th, 2003 02:51 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
Re... build... system...

Uh, how do I do that?

What happens to all my SE stuff in my hard drive?

Would it be more cost effective to get a new PC?

Suicide Junkie August 12th, 2003 04:06 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
Burn all your important files to CD.
Savegames, mods, etc.
Documents, bookmarks, desktop stuff.

Anything you don't have on CD.

Then, format your harddrive and reinstall windows, copy all your stuff back down, and reinstall your programs.

A new, good system (that I would buy) will run you only $500 Canadian if you put it together yourself.
Rebuilding your system as above will cost you $0, and no more than about 4 hours unless you've got tons of files you need to backup.

Ragnarok August 12th, 2003 04:23 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
Quote:

Originally posted by Suicide Junkie:
Burn all your important files to CD.
Savegames, mods, etc.
Documents, bookmarks, desktop stuff.

Anything you don't have on CD.

Then, format your harddrive and reinstall windows, copy all your stuff back down, and reinstall your programs.

A new, good system (that I would buy) will run you only $500 Canadian if you put it together yourself.
Rebuilding your system as above will cost you $0, and no more than about 4 hours unless you've got tons of files you need to backup.

So with this virus you can burn what needed files you want without getting infected files copied as well? The more I look into this virus the more it seems to be that way being the type of virus it is as it isn't really affecting any actual files such as .gam, .jpg, .bmp, .mp3, etc. Correct? A co-worker of mine has this virus at home and he is wondering if it is safe to burn his files to CD then reformat without getting the virus once again once he copies his files from CD back to his PC.

Suicide Junkie August 12th, 2003 04:34 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
Pictures don't get run, so there would be little point in a virus infecting one of them.
Mostly system files or newly created files that look like system files. Or programs like iexplore.exe so the virus is activated when you browse the internet.

All you really need to do is install your antivirus software first, and make sure it's updated. It will then scan the files you copy back. You can scan your CD first if you feel like it.

General Woundwort August 12th, 2003 04:42 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
I'm probably going to be getting a new system anyways...

if only because the current system (the infected one) does NOT have a CD-RW - just a stinking 100MB zipdrive.

At least I can salvage the text and image files for SEIV, and my school work...

Gryphin August 12th, 2003 04:56 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
Is this the same virus that would be affecting
Copy / Paste and Linking on our Win2k systems?

Richard August 12th, 2003 04:59 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
You can run anti-virus and try to pick up known things, and of course go to windowsupdate and download all security packages.

It's just been my observation that almost every time a worm like this hits it has secondary and tertiary payloads that are worse than the first one, and well hidden. Code Red, Code Red II, and Nimda showed that.

Arkcon August 12th, 2003 05:06 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
Heads up ...

Cert {link}

Long story short, get the patch before August 15th, the worm will launch a Denial Of Service attack against the Windows update webpage after that date.

Nice.

Gryphin August 12th, 2003 05:14 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
Is this the same virus that would be affecting
Copy / Paste and Linking on our Win2k systems?

tesco samoa August 12th, 2003 05:49 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
I suggest that you read the info on the virus and apply the patches and update your virus/os patches etc...

If you're lucky that is all you will have to do.

But you must follow the instructions exactly.

Then you should look at automatically updating your virus software daily and automatically updating your windows software.

I know it is not very proactive. But at least you will be doing something.

Rebuild is a last resort.

I am recommending you to follow this approach. This is the current approach I use at work.

Suicide Junkie August 12th, 2003 07:08 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
Quote:

Originally posted by General Woundwort:
I'm probably going to be getting a new system anyways...

if only because the current system (the infected one) does NOT have a CD-RW - just a stinking 100MB zipdrive.

At least I can salvage the text and image files for SEIV, and my school work...

CD-RW drives are actually quite cheap these days. $40-$60 is all you should spend on one.

BTW, unless your computer is very old, it's probably not worth getting a new one.
500 MHz is overkill for any everyday task, and meets the requirements for Starfury.

Microsoft doesn't need your money for a new tweak of windows.

Harddrives are dirt cheap ($1 per gigabyte) and easy to add. Memory and CD drives too.

[ August 12, 2003, 18:09: Message edited by: Suicide Junkie ]

Captain Kwok August 13th, 2003 01:21 AM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
We had this at my work yesterday - it only infected computers with XP as the OS!

General Woundwort August 13th, 2003 01:25 AM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
So if I download this patch, will it reverse the damage? I want to be able to play PBW when it comes back online!!!

tesco samoa August 13th, 2003 01:27 AM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
you should ... as it will clean the system.

moral.

do not open attachments unless you know exactly what they are

tesco samoa August 13th, 2003 01:29 AM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
at least i know what all the 'tech managers' will be going on about at work today.

Can we say firedrill.

We automatically update all the windows software every day.

But they will still want us to go out and verify.

Why? Because they do not understand computers and the computer industry. But for some strange reason they manage it.

General Woundwort August 13th, 2003 12:36 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
Well, I think it's quite obvious by now what happened. I got the Blaster worm.

I've downloaded the patches and such onto a zipdisc at work, and I'm going to begin treating the patient this evening. WAL, I'll be back up and running by tonight.

Thanks to all who replied.

I may get a new computer anyways, but if I can lick this thing I'll probably settle for an external CD-RW (I desperately need some real backup power - this much has become obvious).

Richard August 13th, 2003 06:17 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
Yes that will fix this known issue, but I always advise my clients to rebuild. Why? Because almost every worm has other payloads attached to it that people don't find out for quite a bit later. Plus there are usually other exploits that sneak in the exploited system that are also not picked up until later.

It's up to you, but in my experience once a box is infected it's best to start over to be sure.

Just my 2 cents worth, from doing security consulting for some time now.

narf poit chez BOOM August 13th, 2003 09:03 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
Quote:

Click this link and save the file to your desktop.
maybe you should make that more clear.

minipol August 14th, 2003 01:12 AM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
for this virus, you just need to install the microsoft patch, and preferably update your virus definitions. that's all, case closed. no need to rebuild the system.
you might want to install a firewall system as well, for instance i use zonealarm. the basic version is free.
next check once for spyware. 2 great free products: adaware and spybot.
next, relax and drink a beer

Thermodyne August 14th, 2003 01:45 AM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
Don't reload your system, the worm is easy to kill. First you kill it then you lock it out.

Here is how to kill it:



--------------------------------------------------------------------------------


If your system is continually rebooting (randomly powering off) please follow the steps outlined below

Please execute the following steps to start your system in safe mode:

Shut down your computer. Turn it back on again, and hold down the F8 key while your system starts.

When prompted, select Safe Mode and press enter (do not select Safe Mode With Networking)

If prompted, select the Operating System displayed (default Operating System should be highlighted).

Next, determine which operating system you are using. Since Microsoft has different patches to protect each operating system, you will need to know which one you have.

Click on the Start button, go up to Settings and select Control Panel. From there, double-click the System icon.

The window displayed will indicate which system is being used (Windows 2000, Windows XP, etc.)

Please execute the following steps to disable the worm from starting:

Click on the Start button and select Run

In the Run prompt, type regedit and press enter

Click on the plus sign (+) next to HKEY_LOCAL_MACHINE. Then, click on the plus sign next to Software. Click on the plus sign next to Microsoft. Again, click on the plus sign next to Windows. Click on the plus sign next to CurrentVersion. In the CurrentVersion list, click on the word Run.

Look for msblast.exe, so that it is highlighted, and hit the delete key on your keyboard.

Select Yes to confirm deletion choice.

Exit the Registry editor (click the X in the upper right hand corner).

Restart your computer (but this time in "normal" mode - not Safe Mode).

Click this link and save the file to your desktop.

After the file has saved to your desktop, select Open on the Download Complete window. This will launch the Symantec W32.Blaster.Worm.Fix Tool

Click the Start button displayed on the Symantec W32.Blaster.Worm.Fix Tool. The tool will begin analyzing your files and folders for the worm and may take several minutes to complete.

When it has finished, you will be prompted with a window to install a patch that will protect your system from this and similar vulnerabilities. Click Yes to go to the Microsoft site directly.

Download the Microsoft patch

If not automatically redirected, please navigate to http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

Click on the link for your installed Operating System

Click download on the right side of the page

Choose Run from this location

Confirm security warning pop-up by clicking Yes

Follow pop-up instructions and reboot by clicking Finish

--------------------------------------------------------------------------------


If your system is not currently rebooting, however you believe you have the worm, please follow these steps:

First you need to determine which operating system you are using. Since Microsoft has different patches to protect each operating system, you will need to know which one you have.

Click on the Start button, go up to Settings and select Control Panel. From there, double-click the System icon.

The window displayed will indicate which system is being used (Windows 2000, Windows XP, etc.)

Next, you need to identify and terminate the worm running on your system. To do this,

Press and hold down the following keys: Control, Alt and Delete

Click the Task Manager button

Select the Processes tab

Click the Image Name column to sort the list in alphabetical order

Look for msblast.exe under the Image Name column

Select the msblast.exe file by clicking on it once. Then, click the End Process button.

Now you can close the Windows Task Manager screen by clicking the X in the upper right hand corner.

Click this link and save the file to your desktop.

After the file has saved to your desktop, select Open on the Download Complete window. This will launch the Symantec W32.Blaster.Worm.Fix Tool

Click the Start button displayed on the Symantec W32.Blaster.Worm.Fix Tool. The tool will begin analyzing your files and folders for the worm and may take several minutes to complete.

When it has finished, you will be prompted with a window to install a patch that will protect your system from this and similar vulnerabilities. Click Yes to go to the Microsoft site directly.

Download the Microsoft patch

If not automatically redirected, please navigate to http://www.microsoft.com/technet/tre...n/MS03-026.asp

Click on the link for your installed Operating System

Click download on the right side of the page

Choose Run from this location

Confirm security warning pop-up by clicking Yes

Follow pop-up instructions and reboot by clicking Finish

Please note: Editing your system registry can cause problems with your Operating System if done incorrectly. While Comcast is providing this information to help repair the MSBlast Worm, Comcast is not responsible for any damage that the contents of this document may cause to your computer.

Thermodyne August 14th, 2003 01:47 AM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
Hm..Symantec link didn't work. Here it is in plain text.

http://securityresponse.symantec.com...r/FixBLast.exe

General Woundwort August 14th, 2003 03:52 AM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
The evil worm is slain (or so it appears so far).

I had to run the remover twice (I forgot to set the machine to safe mode the first time), but I got the sucker.

I also downloaded all the available security patches from Windows Update... while there was still time...

Tomorrow, I will get Norton AntiVirus, and an external CD-RW, so that I will have some beefier protection against this sort of nonsense, and some real back-up capacity.

I also downloaded DirectX9, in anticipation of Starfury...

Baron Munchausen August 14th, 2003 04:08 AM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
You won't need DX9. It works fine with 8.0a and 8.1 in our experience. (Good thing too... DX 9 is so HUGE!)

Taz-in-Space August 14th, 2003 04:59 AM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
Taz had worms!!!

Yep! Taz HAD the Blaster Worm but after going to Doc. Microsoft he is OK now!!!

Seriously, this worm is aggravating - it shuts down your computer every 5 - 10 minutes. At least if you are online.

To tell if you have it, check for a process running that is named msblast.exe

The easiest way to do that on a Windows XP machine is to press: Control-Alt-Delete
This will bring up a screen showing the running applications.
Press the processes Tab.
Look for the msblast process; if it is there highlight and press end process button.
Then either run the Symantec program mentioned before to remove the worm or do a complete search on all drives for msblast.exe (I found mine in C:\windows\system32 folder)
Delete all occurrences.

One thing I should mention is the System Restore function on Windows XP machines - this MIGHT bring the worm back in certain cases.

To prevent this...
Again on Windows XP machines:
Right click on My Computer
Click on properties
click on system restore tab
Select (check) the Turn Off System Restore box
click apply

This will erase all system restore points on the computer.

Then go back again and uncheck the Turn Off System Restore box
and Click apply

Now there is no way system restore can 'resurrect' the Blaster worm.

You have now killed the worm... now goto the microsoft update site and make sure no other ones crawl in!!!

P.S. I hope you have more than the 56K Modem that Taz has - It took me 2 (TWO) HOURS to download all patches (30 Meg download).
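
The two checks walked through in the posts above (the Run key entry and the msblast.exe process) can be scripted for triage across many machines. This is an added example, not part of any post in the thread: it assumes you have captured the text output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and `tasklist /fo csv /nh` from each host, and the sample output, value names and PIDs below are constructed.

```python
import csv
import re

# File name the thread says to look for (Windows file names are case-insensitive).
TARGET = "msblast.exe"

# The name must stand as a whole path component, so "notmsblast.exe" is not a hit.
_TARGET_RE = re.compile(
    r'(?:^|[\\/"\s])' + re.escape(TARGET) + r'(?:$|["\s])', re.IGNORECASE
)

# One value line of `reg query` output: indent, value name, type, data.
# Value names may contain spaces, so the name is matched non-greedily up to the type.
_REG_VALUE_RE = re.compile(
    r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$"
)


def run_key_hits(reg_output):
    """Return (value name, data) for Run entries whose command references TARGET."""
    hits = []
    for line in reg_output.splitlines():
        m = _REG_VALUE_RE.match(line)
        if m and _TARGET_RE.search(m.group("data")):
            hits.append((m.group("name"), m.group("data").strip()))
    return hits


def process_hits(tasklist_csv):
    """Return PIDs of processes whose image name is TARGET."""
    pids = []
    for row in csv.reader(tasklist_csv.splitlines()):
        if len(row) >= 2 and row[0].lower() == TARGET:
            pids.append(int(row[1]))
    return pids


def triage(reg_output, tasklist_csv):
    """Combine both indicators into one per-host result."""
    run_hits = run_key_hits(reg_output)
    pids = process_hits(tasklist_csv)
    return {"run_key": run_hits, "pids": pids, "suspect": bool(run_hits or pids)}


# Constructed sample captures (not taken from a real machine).
SAMPLE_REG = (
    "\r\n"
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n"
    "    constructed entry    REG_SZ    msblast.exe\r\n"
    '    ExampleTray    REG_SZ    "C:\\Program Files\\Example\\tray.exe" /min\r\n'
    "    Lookalike    REG_SZ    C:\\Tools\\notmsblast.exe\r\n"
)
SAMPLE_TASKLIST = (
    '"System Idle Process","0","Console","0","16 K"\r\n'
    '"explorer.exe","1480","Console","0","18,204 K"\r\n'
    '"MSBLAST.EXE","1732","Console","0","6,176 K"\r\n'
)

if __name__ == "__main__":
    result = triage(SAMPLE_REG, SAMPLE_TASKLIST)
    for name, data in result["run_key"]:
        print(f"Run key entry {name!r} starts {data!r}")
    for pid in result["pids"]:
        print(f"{TARGET} running as PID {pid}")
    print("suspect host" if result["suspect"] else "no indicators found")
```

A clean result only means these two indicators are absent; it does not show that the patch from MS03-026 is installed.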

Kamog August 14th, 2003 06:51 AM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
Are you immune to this worm if you're using Windows 98?

TerranC August 14th, 2003 07:16 AM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
Quote:

Originally posted by Kamog:
Are you immune to this worm if you're using Windows 98?
Not immune, rather unaffected.

narf poit chez BOOM August 14th, 2003 08:35 AM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
how about M.E.?

dogscoff August 14th, 2003 12:13 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
I had the worm too. It was preventing me from accessing the MS update site, so I copied all important files to my 2nd partition, then re-ghosted windoze from my laptop's install CDs.

Set my ISP back up and guess what..? As soon as I went online it started all over again. Either it had infected something on my D: drive or the worm was being pushed onto my PC from the internet as soon as I logged on.

Anyway, used the shutdown -a command to keep my pc awake long enough to download zonealarm, then cut the sucker off. Then I ran the symantec gizmo and am now in the painful process of re-installing all the XP security patches over 56k

The moral of the story? Never play poker with a man whose first name is a city.

General Woundwort August 14th, 2003 12:25 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
Dogscoff -

This worm buries itself into your system restore files, so that if you remove it without being in "safe" mode, it just reloads itself. I ran the remover program, removed the worm, then restarted in safe mode and ran the remove program again - and got the "buried" copy of the worm. FYI.

[ August 14, 2003, 11:30: Message edited by: General Woundwort ]

rdouglass August 14th, 2003 04:38 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
Quote:

Originally posted by Gryphin:
The good? news?

I don't know if I just got lucky or if the Blasted Blaster could not find our xp system since our ME system sits between it and the web. It is now patched.

Link below is to an article that puts one sorta bright note on this worm.
http://www.pcworld.com/news/article/...081303X,00.asp
Caution: There are popups at the above link.

quote:
In the end, however, Blaster could do users a favor. A serious--but not devastating--worm of its type might help inoculate the Internet community against future variants that are more virulent, the experts say.

Unfortunately, that kind of comment is made every time this kinda' thing happens. Remember the Slammer worm? People were saying the same thing after that happened.

A month after this "event" dies down, most will become complacent again and many won't bother patching for the next 'big threat'.

IMO Thermodyne has it right (EDIT: See the other post regarding Blaster) - it's all about money and resources. Most companies have thinned their budgets down so much that most IT departments run in purely "reactive mode" and don't have time to be proactive.

Another aspect is that MS's patches / hotfixes / service packs frequently cause more problems than they fix. (Nothing against MS here, just a fact.) People are scared to apply them!

It's sad but true .....

[ August 14, 2003, 15:41: Message edited by: rdouglass ]

dogscoff August 14th, 2003 04:56 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
Thanks GW- I remembered to switch off system restore before applying the fix. My system is now clean=-)

Gryphin August 14th, 2003 05:22 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
We received a notice today saying basically "that it is a major operation to distribute a patch across 15,000 systems and requires thorough testing before it is done. We were working on it but the worm struck first".
I guess I can believe that.

Thermodyne August 14th, 2003 05:42 PM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
Quote:

Originally posted by rdouglass:
quote:
Originally posted by Gryphin:
The good? news?

I don't know if I just got lucky or if the Blasted Blaster could not find our xp system since our ME system sits between it and the web. It is now patched.

Link below is to an article that puts one sorta bright note on this worm.
http://www.pcworld.com/news/article/...081303X,00.asp
Caution: There are popups at the above link.

quote:
In the end, however, Blaster could do users a favor. A serious--but not devastating--worm of its type might help inoculate the Internet community against future variants that are more virulent, the experts say.

Unfortunately, that kind of comment is made every time this kinda' thing happens. Remember the Slammer worm? People were saying the same thing after that happened.

A month after this "event" dies down, most will become complacent again and many won't bother patching for the next 'big threat'.

IMO Thermodyne has it right (EDIT: See the other post regarding Blaster) - it's all about money and resources. Most companies have thinned their budgets down so much that most IT departments run in purely "reactive mode" and don't have time to be proactive.

Another aspect is that MS's patches / hotfixes / service packs frequently cause more problems than they fix. (Nothing against MS here, just a fact.) People are scared to apply them!

It's sad but true .....

As did this one. RRAS is refusing connections yesterday morning. At least MS got right on it and put up a new patch.

minipol August 15th, 2003 01:03 AM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
Quote:

Originally posted by narf poit chez BOOM:
how about M.E.?
Symantec has the answer

Systems Affected: Windows 2000, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 95, Windows 98, Windows Me, Windows NT

Gryphin August 15th, 2003 01:08 AM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
The good? news?

I don't know if I just got lucky or if the Blasted Blaster could not find our xp system since our ME system sits between it and the web. It is now patched.

Link below is to an article that puts one sorta bright note on this worm.
http://www.pcworld.com/news/article/...081303X,00.asp
Caution: There are popups at the above link.

Quote:

In the end, however, Blaster could do users a favor. A serious--but not devastating--worm of its type might help inoculate the Internet community against future variants that are more virulent, the experts say.

[ August 14, 2003, 12:11: Message edited by: Gryphin ]

mottlee August 15th, 2003 01:42 AM

Re: OT - Ding Dong, the Wicked Worm is dead...
 
MY XP System was CLEAN!!!!!!
(I guess I got lucky!)


All times are GMT -4.