
Windows virus "blaster" hits Thailand


george


Hi there,

here is some special information regarding msblast:

The worm uses a malfunction within the remote procedure call service (RPC service) listening on port 135. The worm causes a buffer overflow and starts a tftp server and attacks other Windows systems over the internet. The tftp server start is based on a shell that is opened and listens on port 4444.

If the system is perfectly infected there is an open UDP port 69 (tftp server) and some open TCP ports between 2500 and 2522.

Shutting down the RPC-service is not the best solution because other services on your computer use that service.

So download the patch from:

http://www.microsoft.com/technet....026.asp

Greetings from Berlin

exchange1973
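The port indicators listed in the post above can be checked against `netstat -an` output. The following is an added example, not part of the original thread: the sample output is constructed, the function names are hypothetical, and treating "all three signs together" as the infection pattern is an assumption made for the example.

```python
import re

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:2501      192.0.2.40:135         SYN_SENT
  TCP    192.168.1.10:2519      192.0.2.41:135         ESTABLISHED
  TCP    192.168.1.10:3044      198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:69             *:*
  UDP    0.0.0.0:123            *:*
"""

# proto, local address, local port, foreign address, optional state (UDP rows have none)
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")

def parse_netstat(text):
    """Yield (proto, local_port, state) for each socket row; headers are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(1), int(m.group(3)), m.group(5)

def blaster_indicators(text):
    """Map each indicator named in the post to the local ports that match it."""
    hits = {"rpc_135_listening": [], "shell_4444": [], "tftp_udp_69": [], "tcp_2500_2522": []}
    for proto, port, state in parse_netstat(text):
        if proto == "TCP" and port == 135 and state == "LISTENING":
            hits["rpc_135_listening"].append(port)   # exposure only, not a sign of infection
        elif proto == "TCP" and port == 4444 and state == "LISTENING":
            hits["shell_4444"].append(port)
        elif proto == "UDP" and port == 69:
            hits["tftp_udp_69"].append(port)
        elif proto == "TCP" and 2500 <= port <= 2522:
            hits["tcp_2500_2522"].append(port)       # post says "open"; any state is counted
    return hits

def looks_infected(hits):
    """Assumption of this example: all three infection signs must appear together."""
    return all(hits[k] for k in ("shell_4444", "tftp_udp_69", "tcp_2500_2522"))

if __name__ == "__main__":
    found = blaster_indicators(SAMPLE_NETSTAT)
    for name, ports in found.items():
        print(f"{name}: {ports}")
    print("matches the post's infection pattern:", looks_infected(found))
```

A match on these ports is only a lead, since legitimate software can use the same port numbers; the process behind each socket still has to be identified.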


Hi zendesigner,

yes, if you instruct the firewall to block port 135 the worm can't connect to the RPC service.

Stopping RPC isn't a good choice. Many services, not only network services, use RPCs. For example the printer queue, the Windows Installer, the task scheduler....

Best choice is to install the patch. But firewalling is always a good choice ;-)

So good night from Berlin!

exchange1973.


Hi ChiangMaiThai,

the difference is the following:

The 64-bit version of XP supports the Itanium 2 processor. With this version you can address more memory (up to 16GB of RAM).

So if there is no Itanium 2 processor in your system, just download the patch for 32bit version. Pay attention to the language of the patch!

Hope this helps a little, regards and greetings from Berlin!

exchange1973


For those of you that are non-computer users, you may want to just update your Windows OS by going to Microsoft's Update Site -- just look for all the patches under 'critical updates'

For a wealth of information about this virus, check out Symantec's (Norton Anti-virus)

Someone in my office has already been hit -- it does pay to protect yourself and at least keep updated on those critical updates


Hello, ( I have to type fast!!!!!!!!!)

I printed out your how to deal with this virus and I think I got everything but when it says remove the following registry value  hklm/ software................. auto /update

HOW? and WHERE is this? As you can tell I'm not a computer person.

Thank you for all help, put simply.

I also didn't know what patch to put on until I read your reply. So I downloaded both. Is that bad?? It's hard to do all of this when your computer keeps shutting down!!

I would like to meet this guy  that made the worm and have a little talk with him !

Jeff


Hi Jeff,

you can find the "key" you mentioned in the windows registry. The registry is a kind of "database" with thousands of settings relating to the operating system and all the other applications you have installed.

As George already said, you have to use the registry editor "regedit".

You can search the registry using the + shortcut or you can just browse the registry. The registry is structured like a file/folder system.

To delete a key, you "simply" have to browse to the key's location, left-click on the key and hit ! That's all!

Chock dee and greetings from Berlin!

exchange1973.
