Discovered it this morning...

I got hit by this worm this morning. My roommate was playing Project IGI 2 when I saw, for a brief second, the message informing you that the system will shut down in 60 seconds. I told him to save the game and quit. Sure enough, as soon as he exited the game it rebooted.

When my computer came back up (XP Pro SP1) I noticed that the activity lights on my router were going nuts. I enabled the firewall packaged with XP and checked the log. Sure enough, my computer was scanning class A networks in the 19.xx.xx.xx range on port 135. I checked my Task Manager and started killing things until the network traffic died. As soon as I killed MSBLAST.EXE my network traffic stopped. I did a search on my C drive and found 2 files: MSBLAST.EXE and MSBLAST.EXE-09FF84F2.pf, a prefetch file.

I moved msblast.exe to my desktop and changed the extension from .exe to .txt. Subsequent running of the program prompted more network traffic, which was confirmed by my firewall logs.

So YES, GET YOUR FIREWALLS UP!!

And do a search on your hard drive for 'msblast' to see if you have been infected, and delete it quickly.

I did a search on msblast.exe in all search engines and came up with nothing. I must have been one of the first hit by this worm. It is very small, only 8K, and the prefetch file is only 16K, so it is easily propagated even on dialup.
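The poster spotted the infection by reading the XP firewall log by eye: one local host opening connections to port 135 on host after host. The script below is an added example (not part of the original post or anyone's posted code) that does the same check programmatically: it parses the W3C-style pfirewall.log layout using its own `#Fields:` header and flags any source that opens TCP/135 connections to many distinct destinations within a short window. The sample log lines, the addresses in them, the 10-second window and the 5-host threshold are all constructed or assumed for the example.

```python
"""Flag a host sweeping TCP/135 in a Windows XP firewall log export.

Added example, not from the original forum post. The column layout follows
the '#Fields:' header the XP firewall writes; the log lines, IP addresses,
window size and threshold below are constructed/assumed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: six outbound OPENs to port 135 on distinct hosts
# within two seconds, one normal web connection, one inbound DROP.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-08-11 09:14:02 OPEN TCP 192.168.1.10 19.4.17.22 1045 135 - - - - - - - -
2003-08-11 09:14:02 OPEN TCP 192.168.1.10 19.4.17.23 1046 135 - - - - - - - -
2003-08-11 09:14:02 OPEN TCP 192.168.1.10 19.4.17.24 1047 135 - - - - - - - -
2003-08-11 09:14:03 OPEN TCP 192.168.1.10 19.4.17.25 1048 135 - - - - - - - -
2003-08-11 09:14:03 OPEN TCP 192.168.1.10 19.4.17.26 1049 135 - - - - - - - -
2003-08-11 09:14:03 OPEN TCP 192.168.1.10 19.4.17.27 1050 135 - - - - - - - -
2003-08-11 09:14:05 OPEN TCP 192.168.1.10 64.233.160.4 1051 80 - - - - - - - -
2003-08-11 09:14:07 DROP TCP 19.88.3.9 192.168.1.10 3121 135 48 S 1234567 0 65535 - - -
"""


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other header lines (#Version, #Software, ...)
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        # Pad short rows so every field name gets a value ('-' = not logged).
        values += ["-"] * (len(fields) - len(values))
        yield dict(zip(fields, values))


def find_port135_sweeps(records, window_seconds=10, min_targets=5):
    """Return {src_ip: sorted distinct dst_ips} for each source that opened
    TCP/135 connections to at least `min_targets` distinct hosts inside any
    `window_seconds` span. Only OPEN (outbound, allowed) entries count: that is
    what an infected machine looks like in its own firewall log, whereas
    inbound DROP entries on 135 are other hosts scanning us."""
    per_src = defaultdict(list)  # src-ip -> [(timestamp, dst-ip)]
    for r in records:
        if r["action"] != "OPEN" or r["protocol"] != "TCP" or r["dst-port"] != "135":
            continue
        ts = datetime.strptime(f'{r["date"]} {r["time"]}', "%Y-%m-%d %H:%M:%S")
        per_src[r["src-ip"]].append((ts, r["dst-ip"]))

    hits = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = sorted({dst for _, dst in events})
                break
    return hits


if __name__ == "__main__":
    for src, targets in find_port135_sweeps(parse_firewall_log(SAMPLE_LOG)).items():
        print(f"{src} opened TCP/135 to {len(targets)} hosts: {targets[0]} .. {targets[-1]}")
```

On a real machine, point `parse_firewall_log` at the contents of the XP firewall's pfirewall.log (with "log successful connections" enabled, or outbound OPEN entries never appear). The threshold is deliberately low because a legitimate XP host rarely initiates RPC endpoint-mapper connections to more than a handful of distinct addresses in seconds; tune it for a domain-joined workstation.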
you sound like ya smart do this be safe

You sound like you're smart. Do this to be safe; don't just patch it... This is your computer, not your driveway, people. Go to Computer Management and password the Administrator account you didn't make, then delete all accounts that you didn't make, then send a note to M$ saying how much you appreciate their leaving open doors in your OS and not telling you...
alanhdsl (Premium, joined 1999-10-09, Phoenix, AZ):

Changing the administrator password won't help in this case. This worm works by hijacking a process (the DCOM server) that's already running as administrator. Once it's running in place of the DCOM code, it can do whatever it wants, no password required.
Reply to GigahertZ420:

As I said, you must remove the file. But if you do not close the administrator password, then they will just keep re-rooting your computer. Trust me, I know how this "worm", as you call it, is passed... It is not a worm, it is a trojan designed to serve mIRC. It is designed to root new hosts, etc., but it also serves movies, games and whatever else its master wants it to serve. If you remove the reg key and you delete the files and close the admin account, it will stop the bot... I have posted other responses with very precise instructions as to how to stop these intrusions...
museheart (Premium, joined 2002-08-11, Hazel Green, AL), reply to crazylike:

Re: you sound like ya smart do this be safe

How do you disable prefetch? I mean, you don't really need it, do you?

Peace,