-
August 12th, 2003, 12:21 AM
#21
A_Person,
How are you trying to remove the worm? By running a virus scan on it?
If so, that won't work as the worm is too new for the virus detection to know how to detect.
Delete the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Auto Update
Reboot. Open up My Computer, C: drive, winnt (or windows), system32, look for msblast.exe. Right click on it, uncheck read only, and then press OK. Then delete. Currently that's how you get rid of it.
Hope this helps.
-
August 12th, 2003, 12:53 AM
#22
Grinler, if I have previously disabled Microsoft Auto Update, am I still exposed to this threat? All help appreciated.
Thanks TidaL.
-
August 12th, 2003, 01:13 AM
#23
Depends how you had auto update set up and when you disabled it. By default auto update downloads the updates for you, but does not apply them for you. Though you can change that in the settings in control panel.
Just to be sure, go to www.windowsupdate.com and update your machine.
Grinler
-
August 12th, 2003, 01:52 AM
#24
Member
The thing is I can't delete it, I unchecked read only and I still can't delete it, there's like no way to get rid of it!
-
August 12th, 2003, 02:08 AM
#25
Member
Hi!
Some tips to remove & prevent the msblast worm...
* Block tcp port 135 at your firewall.
* Delete the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "windows auto update"="msblast.exe"
* Search for ANY file with this md5 checksum: 5ae700c1dffb00cef492844a4db6cd69 (6176 Bytes)
I think that stops the damage, but I recommend you reinstall the compromised PC (disconnect the network first), install a firewall, patch the PC, cross your fingers and pray...
Or better: save your data and install Linux or xxxBSD...
I posted more info about this worm at http://www.antionline.com/showthread...226#post652127
See u!!
PS excuse my english, please...
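The checksum search from the list above, as an added example that is not part of the original post: a Python sketch that walks a directory tree and reports files whose size and MD5 match the values quoted there, whatever the file is named. The function names `md5_of` and `find_by_md5` are made up for this example.

```python
import hashlib
import os
import sys

# Values quoted in the post above.
MSBLAST_MD5 = "5ae700c1dffb00cef492844a4db6cd69"
MSBLAST_SIZE = 6176  # bytes


def md5_of(path, chunk=65536):
    """Return the hex MD5 of a file, reading it in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_by_md5(root, want_md5=MSBLAST_MD5, want_size=MSBLAST_SIZE):
    """Walk root and return (matches, skipped).

    Size is compared first so only same-sized files get hashed. Files
    that cannot be read (locked, permission denied) go into `skipped`
    so they can be re-checked by hand instead of being missed silently.
    """
    want_md5 = want_md5.lower()
    matches, skipped = [], []
    for dirpath, _dirs, files in os.walk(
            root, onerror=lambda err: skipped.append(err.filename)):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) != want_size:
                    continue
                if md5_of(path) == want_md5:
                    matches.append(path)
            except OSError:
                skipped.append(path)
    return matches, skipped


if __name__ == "__main__":
    # Usage: python find_msblast.py C:\WINNT   (defaults to current dir)
    found, unreadable = find_by_md5(sys.argv[1] if len(sys.argv) > 1 else ".")
    for p in found:
        print("MATCH     ", p)
    for p in unreadable:
        print("UNREADABLE", p)
```

A hash match only identifies byte-identical copies of that one binary; a file that differs by a single byte will not be reported.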
-
August 12th, 2003, 03:39 AM
#26
It's 106 miles to Chicago, we've got a full tank of gas, half a pack of cigarettes, it's dark and we're wearing sunglasses.
Hit it!
-
August 12th, 2003, 04:02 AM
#27
Originally posted here by TidaLphasE23
Grinler, if I have previously disabled Microsoft Auto Update, am I still exposed to this threat? All help appreciated.
Thanks TidaL.
Anyone feel free to correct me if I am wrong, but Windows Update doesn't really have anything to do with this worm - however, I'd advise against disabling Windows Update - ideally you are going to want to stay fully patched with updates as Microsoft releases them, using Windows Update. Microsoft has released a patch for this vulnerability and I would advise you strongly to apply it. The patch is available here: http://support.microsoft.com/?kbid=823980
The firewall on my network at work is receiving an extremely large amount of incoming traffic destined for port 135, but all traffic is being denied. As mentioned, port 135 should be blocked at your perimeter.
EDIT: There does appear to be a relation to Windows Update (in a way, I guess) - it seems that machines that are infected by this worm may try to flood the Windows Update site on the 16th of August...
-
August 12th, 2003, 04:09 AM
#28
Member
I agree with Maverick811. Windows Update doesn't have any relation with this worm...
-
August 12th, 2003, 05:06 AM
#29
I think the best solution would be to reinstall the compromised system and make sure all the patches are applied, firewall is installed and configured correctly, anti virus is installed and updated.
If that is not an option then the following link might be helpful: http://securityresponse.symantec.com...ster.worm.html
It's best to leave the autoupdate function on if you don't have the time to monitor and install updates all the time. You can set it to run automatically and that will save you the hassle, but it might patch things that may cause other programs to not work well. So I don't recommend this if your office uses software that is not the regular ones most people use, as it would be better if you tested the patches before applying them.
-
August 12th, 2003, 05:10 AM
#30
Originally posted here by r8devil
I think the best solution would be to reinstall the compromised system and make sure all the patches are applied, firewall is installed and configured correctly, anti virus is installed and updated.
I have to agree/disagree here - I don't think that this deserves a full format and reinstall of the system - this thing can be cleaned from what I am reading - I have to say what others have already said, format and reinstall may be overkill..
I do agree that a compromised system, once clean, must be fully patched, firewall properly configured, and AV up-to-date just as you stated. But let's not get overboard with the format and reinstalls.
Of course, we should always keep up with patches and such anyway as to try to prevent worms like this, but we all know that always up-to-date, fully patched systems on the Internet is a distant dream...
Just my thoughts for the evening...