August 14th, 2003 17:00

Re-infected with Blaster worm???

Hi everyone,

My sister had the virus, downloaded the patch, installed McAfee, and ran a full system scan Tuesday night. Everything was all cleared up.

Today, McAfee saw that the Blaster worm was in her computer, deleted the file, and told her to do a full system scan.

Has anyone heard of the worm re-showing itself after installing the patch and killing it with antivirus software? Could this possibly be a variant of it?

Any thoughts, or suggestions would be greatly appreciated. 

Heather

22 Posts

August 14th, 2003 18:00

Hi Tedh...

Thanks for your response. I know that she downloaded the patch from Microsoft and didn't do any of the tools that are out there, but I will pass along your information to her. Hopefully this is just a fluke on her computer, and isn't part of a possible variant.

Thanks for taking the time to help me/us out.  I really appreciate it.

Heather

254 Posts

August 14th, 2003 18:00

Is it possible that she downloaded a tool that finds and removes the worm and thought she had just patched her system for the worm?

If she used a tool (such as the one Symantec offers for free, FixBlast.exe), it works real good to remove the worm, but there is still a patch that needs to be installed so you cannot get infected again.

With FixBlast.exe you run it twice to be sure that it does a thorough job of removing the W32.Blaster.Worm, and then when it has successfully removed the worm from the computer, a pop-up window asks "Would you like to read about the W32.Blaster.Worm patch", or something like that. If you select Yes or OK (can't remember which one it says) it will link her to a site where she can download the patch for her computer. Once the patch is installed she will not be infected with this particular worm again.

Note:  Yes, the possibility of a variant of this worm could already be out but I have not read anything about it, so I think she probably just didn't get it removed and patched effectively. 

I would also suggest she install a firewall, as this worm came through port 135, which by default is open and a security hole for XP and Windows 2000. Windows XP comes with a firewall component on it, but it must be enabled. Here are the instructions on how to enable the ICF (Internet Connection Firewall):

1. In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
2. Right-click the connection on which you would like to enable ICF, and then click Properties.
3. On the Advanced tab, click the box to select the option to Protect my computer or network.
4. If you want to enable (turn back on) the use of some applications and services through the firewall, you need to enable them by clicking the Settings button, and then selecting the programs, protocols, and services to be enabled for the ICF configuration.

Message Edited by tedh10000 on 08-14-2003 02:40 PM

20.1K Posts

August 14th, 2003 20:00

The patch does not remove the virus, just prevents it. You have to follow the procedures to remove it. Read: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

You should also get a firewall like the free version of Zone Alarm.

22 Posts

August 14th, 2003 21:00

Hi Mary,

She downloaded the patch, and then removed it with McAfee, and did a full system scan, which showed no viruses.   Then, 36 hours later, she received a notice from McAfee that her computer had just been infected with Blaster, and was just removed.

Other than the firewall, is there something else that she should have done?

Thanks for your assistance.

Heather

254 Posts

August 14th, 2003 21:00

Sorry for jumping in here, but you say "she removed it with McAfee", do you mean she used her regular McAfee Anti-Virus program to remove it or did she use a tool provided by McAfee to remove it?

If she used her regular McAfee Anti-Virus program it never got removed. It takes a specially written tool (utility) or, if you want to remove it manually, a special set of steps (instructions) to remove it. After it has been successfully removed in either of these ways, then the patch can be applied. Then it cannot re-infect in its original form again.

Please let me know if you need a link (URL) to the tool and further instructions.

22 Posts

August 14th, 2003 21:00

Hi Tedh...

You pose a good point.  I know she scanned her computer with McAfee, McAfee found it and claimed it removed the worm, so she did nothing else to her computer. 

If you think she should use the written tool, and could provide me the link, it would be a great help.

THANKS  :-)

254 Posts

August 14th, 2003 23:00

Here is some help to go with that link...

Print the section from Obtaining and running the tool up to the section Digital signature

Then she needs to download the FixBlast.exe file to her desktop and run it. The problem here is that this worm will only let her stay online for about 60 seconds before it reboots her computer. What I did was to download it to a floppy disk using a computer that either isn't infected or a computer running Windows 98 or Me (the worm does not infect these operating systems). Then put the floppy disk into her computer and copy the file to her desktop and run it.

BTW, you won't need to do step 3 from the link page above, but do make sure she disables System Restore before she runs the FixBlast.exe file.

Of course all this won't work if you aren't close enough to her to do it this way (location wise).

If you can't do it by copying it to a floppy like I have suggested above, she can do this:

To stop the countdown that Blaster launches, do this:

1. Go to the command line interface by clicking on the Start button and selecting Run. Type "command" (without quotes) and click OK.
2. At the command prompt, type `shutdown -a` and press Enter. This effectively orders the computer to abort shutdown.
3. Now she can go to the link I provided above and download the tool herself. BTW, the command above, `shutdown -a`, does NOT have to be reversed when she is done.

Note: do make sure she does step 9 in the instructions provided in the link above and she should run the tool once, then restart her computer and then run it again to make sure she cleaned it off real good.  Also, do not skip the step below, first thing.

When the tool has finished running, you will see a message indicating whether W32.Blaster.Worm infected the computer. In the case of a worm removal, the program displays the following results:

Total number of the scanned files (some number here)
Number of deleted files (some number here)
Number of terminated viral processes ( usually 1 here)
Number of fixed registry entries (usually 1 here)

Then a popup window will open asking "Would you like to see information on the Patch" (something like this, not sure of the exact wording). Click Yes or OK and it will take her to a URL where she can download the actual patch so she doesn't get it back. She should download the patch and run it again.

That should do it... sounds daunting but follow these instructions and those given in the link and she should be fine.

22 Posts

August 14th, 2003 23:00

Thanks for all of your input and time, Tedh..  I really appreciate it.  :-)

Heather

14 Posts

August 15th, 2003 12:00

Another important thing to remember is to disable the system restore on ME/XP before running the removal tools.

254 Posts

August 15th, 2003 13:00

The worm targets only Windows 2000 and Windows XP machines. While Windows NT and Windows 2003 Server machines are vulnerable (if not properly patched), the worm is not coded to replicate to those systems.

The Windows Me Operating Systems are NOT affected by the W32.Blaster.Worm.

22 Posts

August 15th, 2003 13:00

Boy, Everyone is so great on this board...

Thanks for your input, Jwee....

Heather

254 Posts

August 15th, 2003 20:00

How did things work out for your sister with the worm removal and patch?

525 Posts

August 15th, 2003 23:00

Heather03,

I got this email today from Adelphia about another possible attack tomorrow.

1. MSBlast.exe Virus Information:

As you may have heard, a significant virus known as MSBlast.exe (also known as the LovSan Web Worm) spread across the Internet over the past week. Unfortunately, many of you were affected. Those of you who have not taken action to protect your computer from this virus are still open to attack.

According to some reports, the MSBlast.exe virus may resume its attack on Saturday August 16th, 2003. The virus is programmed to launch a distributed denial-of-service attack on windowsupdate.com. This may severely impact access to the Microsoft website used to distribute security fixes against viruses. Each computer that begins to run the worm on or after 8/16/2003 (either from new infection or after a computer restart) will engage an attack on windowsupdate.com. Customers who have already downloaded the update from Microsoft should not be affected because this is the same worm attack from August 12th - the worm is just time released in this case.

If you have not downloaded the update from Microsoft, you will not be able to go to windowsupdate.com if the worm resumes its attack on 8/16/2003. To stop the virus from infecting your computer, we recommend that you take immediate action to update the security patch located at:

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

Customers who run firewalls are encouraged to block access to TCP port 69, 135, 4444 at the firewall level.

Finally, you can go to www.adelphiapowerpage.com for links to the removal tools and security updates. Customers using Windows 2000 or Windows XP are strongly encouraged to do so no later than 12:00PM EDT August 15th, 2003.

2. NETGEAR 4-port Home Networking Router Information:

Product Information: Model RP614 4-Port Cable/DSL Router with 10/100 Mbps Switch

An issue has been identified with NETGEAR routers and integrated cable modem/routers. The NETGEAR equipment generates IP broadcasts to other Internet users, which causes a degraded Internet experience.

The NETGEAR web site offers a solution for customers that have this product:

http://www.netgear.com/support/support_details.asp?dnldID=377#

Please Note:

Adelphia is providing this information to help you protect yourself from the MSBlast.exe virus and to prevent any NETGEAR equipment you may own from impacting other Internet users. Adelphia is not responsible for any damage to your computer from any source used to protect against this virus.
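The thread's advice combines the XP Internet Connection Firewall with blocking ports 69, 135 and 4444. As an added example (not part of any post or of the Adelphia notice), this sketch reads an ICF log and separates dropped inbound probes on those ports from port-135 connections the machine itself opened. It assumes ICF logging of dropped packets and successful connections is turned on; the function names, the local address and the sample lines are constructed for illustration.

```python
from collections import Counter

WATCH_PORTS = {"69", "135", "4444"}  # ports named in the ISP notice above

# Constructed sample in the ICF log layout; addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-14 17:02:11 DROP TCP 198.51.100.7 192.0.2.10 3021 135 48 S 1234 0 16384 - - -
2003-08-14 17:02:15 DROP TCP 198.51.100.9 192.0.2.10 3188 135 48 S 5678 0 16384 - - -
2003-08-14 17:03:40 OPEN TCP 192.0.2.10 203.0.113.5 1045 80 - - - - - - - -
2003-08-14 17:05:02 DROP TCP 198.51.100.7 192.0.2.10 3022 4444 48 S 9012 0 16384 - - -
2003-08-14 17:05:10 DROP UDP 198.51.100.7 192.0.2.10 3023 69 30 - - - - - - -
2003-08-14 17:06:30 OPEN TCP 192.0.2.10 192.0.2.11 1050 135 - - - - - - - -
2003-08-14 17:06:30 OPEN TCP 192.0.2.10 192.0.2.12 1051 135 - - - - - - - -
"""

def parse_icf_log(text):
    """Yield one dict per entry, keyed by the names on the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def summarize(text, local_ip):
    """Return (blocked inbound probes, hosts this machine contacted on 135)."""
    blocked = Counter()   # (src-ip, dst-port) -> dropped inbound attempts
    outbound_135 = set()  # distinct destinations of local port-135 connections
    for e in parse_icf_log(text):
        # Port is matched for TCP and UDP alike, since TFTP (69) runs over UDP.
        if e["dst-port"] not in WATCH_PORTS:
            continue
        if e["action"] == "DROP" and e["dst-ip"] == local_ip:
            blocked[(e["src-ip"], e["dst-port"])] += 1
        elif (e["action"] == "OPEN" and e["src-ip"] == local_ip
              and e["dst-port"] == "135"):
            outbound_135.add(e["dst-ip"])
    return blocked, outbound_135

if __name__ == "__main__":
    blocked, outbound = summarize(SAMPLE_LOG, "192.0.2.10")
    for (src, port), n in sorted(blocked.items()):
        print(f"blocked inbound: {src} -> port {port} x{n}")
    print("local host opened port 135 to:", sorted(outbound))
```

Dropped inbound entries mean the firewall is doing its job; a cleaned and patched machine that keeps opening port 135 to many other hosts is worth a closer look.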

23 Posts

August 16th, 2003 12:00

The patch does not prevent the virus from infecting your system, it only prevents it from using your system to perform other functions. The virus removal tool does not protect your computer from reinfection. After you remove the virus and patch the OS, you should update your virus software to get the latest virus definition file. Depending on the software and the virus, this may prevent the virus from reinfecting your computer, but you should still run virus scans regularly. I run mine once a day at night after I am finished using the computer.