.com.unity Forums
#1
August 12th, 2003, 05:49 PM
tesco samoa
General
Join Date: Jul 2001
Location: Canada
Posts: 4,603
Re: OT - Ding Dong, the Wicked Worm is dead...

I suggest that you read the info on the virus and apply the patches and update your virus/os patches etc...

If you're lucky that is all you will have to do.

But you must follow the instructions exactly.

Then you should look at automatically updating your virus software daily and automatically updating your Windows software.

I know it is not very proactive. But at least you will be doing something.

Rebuild is a last resort.

I am recommending you to follow this approach. This is the current approach I use at work.
__________________
RRRRRRRRRRAAAAAGGGGGGGGGHHHHH
old avatar = http://www.shrapnelgames.com/cgi-bin...1051567998.jpg

Hey GUTB where did you go...???

He is still driving his mighty armada at 3 miles per month along the interstellar highway bypass and will be arriving shortly

#2
August 12th, 2003, 07:08 PM
Suicide Junkie
Shrapnel Fanatic
Join Date: Feb 2001
Location: Waterloo, Ontario, Canada
Posts: 11,451
Re: OT - Ding Dong, the Wicked Worm is dead...

Quote:
Originally posted by General Woundwort:
I'm probably going to be getting a new system anyways...

if only because the current system (the infected one) does NOT have a CD-RW - just a stinking 100MB zipdrive.

At least I can salvage the text and image files for SEIV, and my school work...
CD-RW drives are actually quite cheap these days. $40-$60 is all you should spend on one.

BTW, unless your computer is very old, it's probably not worth getting a new one.
500MHz is overkill for any everyday task, and meets the requirements for Starfury.

Microsoft doesn't need your money for a new tweak of Windows.

Harddrives are dirt cheap ($1 per gigabyte) and easy to add. Memory and CD drives too.

[ August 12, 2003, 18:09: Message edited by: Suicide Junkie ]

#3
August 13th, 2003, 12:36 PM
General Woundwort
Lieutenant Colonel
Join Date: Nov 2001
Location: Virginia
Posts: 1,311
Re: OT - Ding Dong, the Wicked Worm is dead...

Well, I think it's quite obvious by now what happened. I got the Blaster worm.

I've downloaded the patches and such onto a zipdisc at work, and I'm going to begin treating the patient this evening. WAL, I'll be back up and running by tonight.

Thanks to all who replied.

I may get a new computer anyways, but if I can lick this thing I'll probably settle for an external CD-RW (I desperately need some real backup power - this much has become obvious).

#4
August 14th, 2003, 01:12 AM
minipol
Second Lieutenant
Join Date: Jul 2002
Location: Belgium
Posts: 558
Re: OT - Ding Dong, the Wicked Worm is dead...

for this virus, you just need to install the microsoft patch, and preferably update your virus definitions. that's all, case closed. no need to rebuild the system.
you might want to install a firewall system as well, for instance i use zonealarm. the basic version is free.
next check once for spyware. 2 great free products: adaware and spybot.
next, relax and drink a beer
__________________
A Se++ GdY $++ Fr+ C++++ Csc Sf++ Ai** AuO M MpT MpSk MpFd S--- Ss- RV Pw Fq Nd- Rp- G Mm++ Bb++ Tcp+ L++

#5
August 14th, 2003, 01:45 AM
Thermodyne
Lieutenant Colonel
Join Date: Dec 2000
Location: DC Burbs USA
Posts: 1,460
Re: OT - Ding Dong, the Wicked Worm is dead...

Don't reload your system, the worm is easy to kill. First you kill it then you lock it out.

Here is how to kill it:



--------------------------------------------------------------------------------


If your system is continually rebooting (randomly powering off) please follow the steps outlined below

Please execute the following steps to start your system in safe mode:

Shut down your computer. Turn it back on again, and hold down the F8 key while your system starts.

When prompted, select Safe Mode and press enter (do not select Safe Mode With Networking)

If prompted, select the Operating System displayed (default Operating System should be highlighted).

Next, determine which operating system you are using. Since Microsoft has different patches to protect each operating system, you will need to know which one you have.

Click on the Start button, go up to Settings and select Control Panel. From there, double-click the System icon.

The window displayed will indicate which system is being used (Windows 2000, Windows XP, etc.)

Please execute the following steps to disable the worm from starting:

Click on the Start button and select Run

In the Run prompt, type regedit and press enter

Click on the plus sign (+) next to HKEY_LOCAL_MACHINE. Then, click on the plus sign next to Software. Click on the plus sign next to Microsoft. Again, click on the plus sign next to Windows. Click on the plus sign next to CurrentVersion. In the CurrentVersion list, click on the word Run.

Look for msblast.exe, so that it is highlighted, and hit the delete key on your keyboard.

Select Yes to confirm deletion choice.

Exit the Registry editor (click the X in the upper right hand corner).

Restart your computer (but this time in "normal" mode - not Safe Mode).

Click this link and save the file to your desktop.

After the file has saved to your desktop, select Open on the Download Complete window. This will launch the Symantec W32.Blaster.Worm.Fix Tool.

Click the Start button displayed on the Symantec W32.Blaster.Worm.Fix Tool. The tool will begin analyzing your files and folders for the worm and may take several minutes to complete.

When it has finished, you will be prompted with a window to install a patch that will protect your system from this and similar vulnerabilities. Click Yes to go to the Microsoft site directly.

Download the Microsoft patch

If not automatically redirected, please navigate to http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

Click on the link for your installed Operating System

Click download on the right side of the page

Choose Run from this location

Confirm security warning pop-up by clicking Yes

Follow pop-up instructions and reboot by clicking Finish

--------------------------------------------------------------------------------


If your system is not currently rebooting, however you believe you have the worm, please follow these steps:

First you need to determine which operating system you are using. Since Microsoft has different patches to protect each operating system, you will need to know which one you have.

Click on the Start button, go up to Settings and select Control Panel. From there, double-click the System icon.

The window displayed will indicate which system is being used (Windows 2000, Windows XP, etc.)

Next, you need to identify and terminate the worm running on your system. To do this,

Press and hold down the following keys: Control, Alt and Delete

Click the Task Manager button

Select the Processes tab

Click the Image Name column to sort the list in alphabetical order

Look for msblast.exe under the Image Name column

Select the msblast.exe file by clicking on it once. Then, click the End Process button.

Now you can close the Windows Task Manager screen by clicking the X in the upper right hand corner.

Click this link and save the file to your desktop.

After the file has saved to your desktop, select Open on the Download Complete window. This will launch the Symantec W32.Blaster.Worm.Fix Tool.

Click the Start button displayed on the Symantec W32.Blaster.Worm.Fix Tool. The tool will begin analyzing your files and folders for the worm and may take several minutes to complete.

When it has finished, you will be prompted with a window to install a patch that will protect your system from this and similar vulnerabilities. Click Yes to go to the Microsoft site directly.

Download the Microsoft patch

If not automatically redirected, please navigate to http://www.microsoft.com/technet/tre...n/MS03-026.asp

Click on the link for your installed Operating System

Click download on the right side of the page

Choose Run from this location

Confirm security warning pop-up by clicking Yes

Follow pop-up instructions and reboot by clicking Finish

Please note: Editing your system registry can cause problems with your Operating System if done incorrectly. While Comcast is providing this information to help repair the MSBlast Worm, Comcast is not responsible for any damage that the contents of this document may cause to your computer.
__________________





Think about it
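
The Run-key and Task Manager checks in the steps above can be scripted. This is an added example, not part of the original post or the instructions it quotes; it assumes a Windows system with PowerShell and an elevated prompt, and the `-Remediate` switch and variable names are illustrative.

```powershell
# Added example (not from the thread): scripted form of the Run-key and Task Manager checks.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ImageName = 'msblast.exe',  # file name given in the post
    [switch]$Remediate                   # illustrative switch: stop the process, delete the Run value
)

$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

# Enumerate every value under the Run key as name/command pairs.
$key = Get-Item -LiteralPath $runKey -ErrorAction Stop
$entries = foreach ($name in $key.GetValueNames()) {
    [pscustomobject]@{ Name = $name; Command = [string]$key.GetValue($name) }
}

# Run values whose command line mentions the image name (-match ignores case).
$hits = @($entries | Where-Object { $_.Command -match [regex]::Escape($ImageName) })

# Running processes with that image name; Get-Process wants the name without ".exe".
$procName = [IO.Path]::GetFileNameWithoutExtension($ImageName)
$procs = @(Get-Process -Name $procName -ErrorAction SilentlyContinue)

"Run entries referencing ${ImageName}: $($hits.Count)"
$hits | Format-Table -AutoSize -Wrap
"Running processes named ${procName}: $($procs.Count)"
$procs | Select-Object Id, ProcessName, Path | Format-Table -AutoSize

if ($Remediate) {
    # Same order as the manual steps: end the process, then remove the autostart value.
    foreach ($p in $procs) {
        if ($PSCmdlet.ShouldProcess("PID $($p.Id)", 'Stop-Process')) {
            Stop-Process -Id $p.Id -Force
        }
    }
    foreach ($h in $hits) {
        if ($PSCmdlet.ShouldProcess("$runKey\$($h.Name)", 'Remove-ItemProperty')) {
            Remove-ItemProperty -LiteralPath $runKey -Name $h.Name
        }
    }
}

# Full listing so that autostart entries other than the one searched for can be reviewed by hand.
"All Run entries:"
$entries | Sort-Object Name | Format-Table -AutoSize -Wrap
```

Run without `-Remediate` it only reports; with `-Remediate -WhatIf` it shows what would be stopped or deleted without changing anything.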

#6
August 14th, 2003, 01:47 AM
Thermodyne
Lieutenant Colonel
Join Date: Dec 2000
Location: DC Burbs USA
Posts: 1,460
Re: OT - Ding Dong, the Wicked Worm is dead...

Hm..Symantec link didn't work. Here it is in plain text.

http://securityresponse.symantec.com...r/FixBLast.exe
__________________





Think about it

#7
August 13th, 2003, 06:17 PM
Richard
Brigadier General
Join Date: Dec 1999
Location: Lancaster, OH 43130
Posts: 1,997
Re: OT - Ding Dong, the Wicked Worm is dead...

Yes that will fix this known issue, but I always advise my clients to rebuild. Why? Because almost every worm has other payloads attached to it that people don't find out for quite a bit later. Plus there are usually other exploits that sneak in the exploited system that are also not picked up until later.

It's up to you, but in my experience once a box is infected it's best to start over to be sure.

Just my 2 cents worth, from doing security consulting for some time now.
__________________
Change is inevitable, how you handle change is controllable - J. Strong