Thread: New variant of the Blaster Worm

  1. #1
    Banned
    Join Date
    Dec 2003
    Posts
    138

    New variant of the Blaster Worm

    Hi there. I've been receiving emails from people who tell me that their computer restarts after some time. They get the same error message that Blaster worm infected people get. However, when they look through the processes on their computer, they find none of the processes the already detected variants of B.Worm use. Also, some people are running Windows ME but they still get the worm. What do you think about all this? Any comments, etc?

  2. #2
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Well there is also the W32.Welchia.Worm (aka Win32.Nachi).. this family infects in a similar manner.. but wait there's more... besides the regular RPC-DCOM vul.. it uses a couple of extra.. now as for infecting WINME.. then you have a different family of virii.. ..
    How do you know it is a Blaster Variant? Just because the computer restarts isn't cause enough to name it the same. What have you done to investigate this.. what are the active files on the machines? Find some code and post it for some others to analyse it..

    .. My TV isn't working.. last time it did this it was a blown fuse.. Ok I will put in another fuse and see what happens..
    Blast.. it still isn't working.. must be a different type of blown fuse.. I'll keep blaming the fuse..
    (I hope this gets my point across)

    Cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it.. give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Let's start by having the actual processes posted here which you feel are associated with the virus/worm that your "friend" has. Next, please tell us if they have an AV solution of any kind on the box and if it has the latest definitions. After that, tell us the patch level of the machine.

    I know you have been a member of this site long enough to know the proper format when asking for help. Please don't be like the endless army of nitwits who ask questions like, "My computer is doing weird things. What is wrong with it?"

    Once you give us some meat, I'm sure we can help you out.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Senior Member OverdueSpy's Avatar
    Join Date
    Nov 2002
    Posts
    556
    Hey Und3ertak3r,

    Not poking fun or anything - Just FYI - The Nachi variants were coded to delete themselves when the system clock reached 1 Jan 2004, so that would rule out the Nachi worm as a general infection problem, if what ali1 says has merit that is.
    The mentally handicapped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmm

    I can't see how this can be a Blaster "variant"? If it hits the NT family AND Me, it must be a substantial re-write IMHO.

    And if it hits Me... what about the rest of the 9x family?

    just my £0.02 worth

  6. #6
    Banned
    Join Date
    Dec 2003
    Posts
    138
    Hi all.
    Well the 1st client scanned his PC using PC Cillin... and PC Cillin detected that his PC was infected with the Blaster Worm. However, he uses Windows ME on his computer....
    And the second client got the exact same "restarting in _ seconds" box that Blaster Worm infected people get. However, she doesn't have any of those processes.
    Please tell me what other details you want?
    Thanks.

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Was the second one also running WIN Me?

    Was the first computer actually infected, or did it just have an infected file on it? You can get an infected document on a system that won't support the particular virus, and the AV will still detect it?

    Which files did the AV say were infected?

    Have you sent a sample to the AV companies for analysis?

    It sounds like a new one with a similar payload to Blaster, rather than a variant? Because, as you rightly observe, the processes aren't there to support Blaster. That leaves me thinking that it is a substantial re-write, or maybe another virus with the Blaster payload added to it... sometimes the AV detects on payload rather than process.

    Cheers

  8. #8
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    "The Nachi variants were coded to delete themselves when the system clock reached 1 Jan 2004,"
    yep, true, forgot that.. I will do a bit of research.. have had it on boxes at work in the last week..

    Ali.. While it is possible for someone to have the virus on their machine.. What folder was it in? The question is what was the delivery method..

    While I am seriously watching for your information, I feel it is some code that spreads via email/Sneakernet, not one that is spread via the RPC/DCOM Vulnerability.. If the Admin service shutdown window comes up on a Win9x machine.. Well, the code for that came with the virus.. Because as you know, Ali.. the shutdown problem was a result of the RPC Service failing as a result of the attack through the various ports.. The message comes from the NT Kernel..
    I feel your "Clients" had two virii, one was the lovely one that shut down their machine, the other was the Blaster but it was dormant, i.e. not active..

    Now that the subject has been brought up.. I will find a Win9x box and put a copy of Blaster on it and set it running and see what it does..

    cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it.. give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
