if your Getting
"svchost.exe" errors with RPC messeges and reboots
OR
"NT Authority...shut down in 1 min"
Soundslike youve got the "Blaster Worm"
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
This is the hole it exploits
Your computer is being accessed. Download the MS03-026 patch from Microsoft.
http://www.microsoft.com/security/security_bulletins/ms03-026.asp
Fixes Available here
http://support.microsoft.com/?kbid=823980
More Links
http://www.cert.org/advisories/CA-2003-19.html
Automatically Remove the Virus with
http://www.sophos.com/misc/blastsfx.exe
Download and run it, it will create a directory called SOPHTEMP
From Command line type
C:\SOPHTEMP\RESOLVE.COM -DF=BLASTERA.DAT -NOC
How do I remove W32/Blaster-A manually?
To remove W32/Blaster-A manually on Windows 95/98/Me and Windows NT/2000/XP:
ensure you have installed Microsoft patch MS03-026 and implemented as many of the steps mentioned above as is feasible.
press Ctrl+Alt+Del
in Windows NT/2000/XP click Task Manager and select the Processes tab
look for a process named msblast.exe in the list
click the process to highlight it
click the 'End Process' (in Windows 95/98/Me 'End Task') button
close Task Manager.
Search for the file msblast.exe in the Windows system folder (usually a subfolder of Windows or WINNT) and delete it.
In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. If in doubt, contact your network administrator. Incorrect editing of the Windows Registry can cause system failure.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
in the righthand pane select
windows auto update = msblast.exe
and delete it if it exists.
Close the registry editor.
You should reboot your computer and repeat the above process to ensure all traces of the worm have been removed from your system.
Which systems are affected?
Windows 95/98/Me and Windows NT/2000/XP are potentially affected
Apple-based workstations, Unix and other platforms (including PDAs and games consoles) cannot be infected with W32/Blaster-A
If a W32/Blaster-A file is found on a computer, it has been dropped there by an infected computer, or it has been executed locally.
How did my computer become infected?
W32/Blaster-A scans the internet and local networks looking for computers vulnerable to Microsoft's DCOM RPC security exploit. When it finds one it causes the remote computer to use TFTP to download a copy of the worm. This is saved as msblast.exe in the Windows system folder and the registry on that computer is changed so that the worm will be run when the computer restarts.
My computer is continuously rebooting, how can I download RESOLVE?
Often when a computer is infected with W32/Blaster-A it restarts every few minutes, usually with a message similar to "Windows must now restart because the Remote Procedure Call (RPC) Terminated Unexpectedly". This prevents the required patches and files from being downloaded.
On Windows XP you may be able to prevent the computer from rebooting by turning on the inbuilt firewall.
To do this:
go to Network Connections
click on your internet connection (LAN or dial-up)
on the lefthand window click 'Change settings of this connection'
click Advanced
click 'Protect my computer.....'
you will probably then be able to download the files you need.
Where possible, download the RESOLVE W32/Blaster-A self-extractor on another computer. Save it to floppy disk and run the self-extractor on the affected computer.
If you cannot download on another computer, disable Distributed COM to prevent this rebooting.
Windows XP
Select Start|Run and type
dcomcnfg.exe.
Select Console Root|Component services.
Open the Computers subfolder.
Right-click on My Computer|Properties.
Click the Default Properties tab.
Deselect 'Enable distributed COM', click Apply then click OK.
Restart the computer.
Set the options back to normal after applying relevant patches
Windows NT/2000
Select Start|Run and type
dcomcnfg.exe.
Select the Default Properties tab.
Deselect 'Enable distributed COM on this computer', click Apply then click OK.
Restart the computer.i
Set the options back to normal after applying relevant patches
Safe Computing (-:
No comments:
Post a Comment