
Andreas Haak:
Blaster worm remover and source code ...
Hi,
because some asked, here is the Blaster remover I did and its source code. I hope it's "well documented". If not, just ask and I will answer your questions regarding the source and the remover.
It's compilable with every 32-bit Delphi version. The EXE is packed with UPX. The original file size is about 18 KB. It might be compilable with the FreePascal compiler, but in fact I am not sure.
Feel free to spread it if you want. It would be nice if you could send me a little mail if it worked correctly for you.
My mail address is haak.a@yaw.at.
Have a nice week.
EDIT: Added an updated version that takes care of running worm processes and gives the user the option to download and install the MS patch. I also added a little uninstaller so everyone can uninstall the Anti-Blaster protection easily. Also added a little readme file.
[text was edited by author 2003-08-12 23:48:23]
[text was edited by author 2003-08-12 23:49:23]
Vampirefo (Premium, MVM, join: 2000-12-11, Huntington, WV, kudos: 1):
Hi, I think it was a bad idea to publish your source code. I downloaded your program, read the source code, and was able to fool your program.
Your program only looks for the name MSBLAST.Exe. Rename the virus and your program will miss it; rename any file to MSBLAST.Exe, place it in the system directory, and your program will claim the PC is infected and delete the file.
You of course can see how this would be dangerous: all someone would have to do is name important files MSBLAST.Exe, then your program would delete them.
-- TrojanHunter Stands For Privacy!!!!!!!
bodop (Premium, join: 2001-04-25, Aylmer, QC):
reply to Andreas Haak
I have used Symantec's tool to remove the worm on two infected systems. No, not mine!
»securityresponse.symantec.com/av···ool.html
What the tool does:
Terminates the W32.Blaster.Worm viral processes.
Deletes the W32.Blaster.Worm files.
Deletes the dropped files.
Deletes the registry values that the worm added.
Taken from Neowin:
1. Patch your system with the appropriate MS03-026 patch.
2. After installation of the patch, reboot your system.
3. Download and run "FIXBLAST".exe to remove the MSBLAST.exe file, terminate the process and remove the registry keys added by the worm.
4. Reboot your PC one last time.
5. Visit WindowsUpdate.com more often and take note of our repeated warnings to keep your system updated.
UPDATE: If you're having problems installing the patch within the 60 sec, when you see the window pop up telling you 60 sec, go to Start, Run and type in shutdown -a. This will cancel the shutdown attempt.
[text was edited by author 2003-08-12 20:42:59]

Andreas Haak:
reply to Vampirefo
> publish your source code, I download your program, read the source code, and was able to fool your program.
Well ... and in fact I am able to fool every AV or AT program available simply by placing the signatures they use into a file. So it's a problem in general.
> Your program only looks for the name MSBLAST.Exe, rename the virus your program will miss it, rename any file MSBLAST.Exe place it in system directory your program, will claim the pc's infected and delete the file.
The virus in fact won't rename itself. So you try to hide it. Of course you can make every worm or virus undetectable if you know how the detection works, and of course if you want you can trigger as many false positives as you want. But it's a general problem. I can add an MD5 checksum of the file, but then it's enough to change a single byte to make the worm undetectable. And of course I can do signature scanning. But again it's only a single byte that has to be changed. It's easy to fool every program.
> You of course can see how this would be dangerous, all someone would have to do is name important files MSBLAST.Exe, then your program would delete them.
Do you know a good reason why a normal user should put a file named MSBLAST.EXE into his system directory?
-- For when you love something you can hardly get, something that seems unreachably far away, you become a bit sad. You become a dreamer. Or you become a radical. Or a radical realizer of your dreams ... .
[text was edited by author 2003-08-12 22:04:20]
Vampirefo (Premium, MVM, join: 2000-12-11, Huntington, WV, kudos: 1):
said by Andreas Haak: Do you know a good reason why a normal user should put a file named MSBLAST.EXE into his system directory?
Hi, not a normal user. A script kiddie could use a batch renamer to rename important files to MSBLAST.EXE, then place the batch on a victim's machine. The victim could use your program, and your program would unknowingly disable their PC.
If you don't think it's possible, then just disregard my post. Sorry to bother you; I was under the impression you wanted to know of bugs and such.
Best Regards, Vampirefo
Andreas Haak:
> Hi, Not a normal user, a script kiddie could use a batch renamer, to name an important files to MSBLAST.EXE, then place the batch on a victims machine, the victim could use your program, your program would unknowingly disable their pc.
Well ... if you renamed a system file it would take less than 1 second until SFP restored it. And even if you rename it using a batch file, how would you make sure the system is functional? You would have to replace it (which is in fact nearly impossible) with an EXE file that loads the old EXE, too. But in this case why use a batch?
In fact, as long as the cleaner is open source you can fool it. I can add as many "signatures" as I want. If I add the file size as a criterion, you just add a byte and the cleaner is fooled. If I use some kind of checksum (like other cleaners), just add a byte and it's fooled. If I use a real signature, you can look at what I am looking for and patch the file. So we would never come to an end.
Well, of course I can stop publishing the source. But why should I? It's nothing special. I never claimed that.
> post, sorry to bother you, I was under the impression, you wanted to know of bugs, and such.
There is a difference between a bug report and a posting like ... "Haha, I can fool your program." In fact you can fool every program. It detects Blaster in its spread variant. That's exactly what it should do and what it does.
BTW: Symantec uses the name of the file, too. Same with Panda and some others I tested.
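The two posts above (Vampirefo's false-positive concern and Andreas Haak's reply about file size, MD5 checksum and byte signatures) argue about detection strategies in the abstract. The following is an added example, not code from the thread or from the Anti-Blaster tool, that puts the four strategies side by side on constructed samples: the worm as it spread, a renamed copy, a copy with one byte appended, a copy with the signature bytes patched, and a harmless file carrying the worm's name. The file contents, the marker bytes used as a "signature" and the sample names are all constructed for the example; only the filename msblast.exe comes from the thread. It also shows the combination the thread never quite reaches: requiring name and signature to agree, so a benign file named MSBLAST.EXE is not deleted.

```python
import hashlib

# Constructed stand-ins for files found on disk: {label: (filename, bytes)}.
# Nothing here is taken from the real worm; the "signature" is an invented
# marker chosen only so the strategies discussed in the thread can be compared.
KNOWN_NAME = "msblast.exe"                       # the name the original worm used
SIGNATURE = b"CONSTRUCTED-WORM-MARKER"           # hypothetical byte pattern, not a real one
WORM_BODY = b"MZ\x90\x00" + b"\x00" * 16 + SIGNATURE + b"\x00" * 16
KNOWN_MD5 = hashlib.md5(WORM_BODY).hexdigest()  # checksum of the constructed body

SAMPLES = {
    "original": (KNOWN_NAME, WORM_BODY),                      # worm as it spread
    "renamed":  ("teekids.exe", WORM_BODY),                   # same bytes, new name
    "one_byte": (KNOWN_NAME, WORM_BODY + b"\x00"),            # a single byte appended
    "patched":  (KNOWN_NAME, WORM_BODY.replace(SIGNATURE, b"CONSTRUCTED-XXXX-MARKER")),
    "benign":   (KNOWN_NAME, b"MZ\x90\x00harmless tool renamed to the worm's name"),
}


def by_name(name, data):
    """Filename-only check, which the thread says the first cleaner relied on."""
    return name.lower() == KNOWN_NAME


def by_md5(name, data):
    """Whole-file checksum: exact match on the known body, nothing else."""
    return hashlib.md5(data).hexdigest() == KNOWN_MD5


def by_signature(name, data):
    """Byte-pattern scan: looks for the marker anywhere in the file."""
    return SIGNATURE in data


def by_name_and_signature(name, data):
    """Flag only when both agree, so a benign file that merely carries the
    worm's name is left alone (the false-positive case raised in the thread)."""
    return by_name(name, data) and by_signature(name, data)


DETECTORS = {
    "name": by_name,
    "md5": by_md5,
    "signature": by_signature,
    "name+signature": by_name_and_signature,
}


def evaluate(samples=SAMPLES, detectors=DETECTORS):
    """Return {detector: {sample_label: flagged?}} for every combination."""
    return {
        dname: {label: det(fname, data) for label, (fname, data) in samples.items()}
        for dname, det in detectors.items()
    }


def false_positives(results, benign_labels=("benign",)):
    """Detectors that would flag (and so delete) a harmless file."""
    return sorted(d for d, verdicts in results.items()
                  if any(verdicts[b] for b in benign_labels))


def misses(results, label):
    """Detectors that fail to flag the given sample."""
    return sorted(d for d, verdicts in results.items() if not verdicts[label])


if __name__ == "__main__":
    r = evaluate()
    for dname, verdicts in r.items():
        print(f"{dname:15s}", " ".join(f"{k}={'HIT' if v else 'miss'}" for k, v in verdicts.items()))
    print("false positives on benign file:", false_positives(r))
    print("missed renamed copy:", misses(r, "renamed"))
    print("missed one-byte change:", misses(r, "one_byte"))
```

Running it reproduces the thread's claims in one table: the name check misses the renamed copy and is the only one that flags the benign file; the MD5 check breaks on a single appended byte but survives the rename; the byte signature survives both the rename and the appended byte and fails only when the signature bytes themselves are patched. The combined check trades the renamed-copy miss for zero false positives, which is the right trade for a tool whose action is deleting files.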
Andreas Haak:
reply to bodop
> Terminates the W32.Blaster.Worm viral processes.
Done by Anti-Blaster, too.
> Deletes the W32.Blaster.Worm files.
Done by Anti-Blaster, too.
> Deletes the dropped files.
Done by Anti-Blaster, too.
> Deletes the registry values that the worm added
Done by Anti-Blaster, too.
The file size of the Symantec cleaner is more than 100 KB (120 as far as I remember). The file size of Anti-Blaster is less than 12 KB, and in fact the programs do nearly the same. But well ... I won't force anyone to use a certain cleaner. There is only one important thing: your system has to be clean after using the cleaner.
It's not important how some cleaner works. It's important THAT it works. Do we agree on that point?
JERMaCIDE (Death Is Eternal...?, join: 2002-09-14, Vancouver, WA):
reply to Andreas Haak
Direct download for the Symantec tool.
[text was edited by author 2003-08-12 23:08:55]
fastez1 (join: 2001-12-26, Hephzibah, GA):
Andreas, thank you very much for the tool. I am up to date with NAV and MS, but I do feel better knowing I can clean the system if necessary. Again, thanks for the concern, hard work and the tool.
Be well, Ed
dp (Premium, MVM, join: 2000-12-08, Greensburg, PA, kudos: 7):
reply to Andreas Haak
Thanks for taking the time to put out the removal tool and your offer to help answer questions regarding both the tool and the source.
-- Write your questions down on the back of a $20 dollar bill and send them to me
Name Game (Premium, join: 2002-07-07, North Myrtle Beach, SC, kudos: 6):
reply to JERMaCIDE
So there, JERM a CIDE, what is the source code on that Symantec fixer-upper you downloaded from their site and then zipped up to troll this thread, which is not even about it?
If you check the top of this DSLR forum you will see a link to download that tool. I see you have one. How do I know the one you zipped is safe and not your own concoction???
royhandy (Panem et circenses, Premium, join: 2000-05-23, Yesterday):
reply to Andreas Haak
I would like to add that the anti_blaster.exe works about 100 times faster than the solution offered by Symantec. Just in case time is an issue for any of you folks. Thanks for the program!
I do notice that, after the program has run and ended, it still appears in the process list as using 2,504K of memory and 0 CPU.
-- My punctuality is well known / When the revolution takes place / I'll be late / And I'll be shot as a traitor
[text was edited by author 2003-08-13 08:50:34]

Andreas Haak:
reply to Andreas Haak
Well ... that's in fact normal. The cleaner stays active to prevent future infections with the worm. Normally cleaning your PC works like this:
You run the cleaner and the cleaner disinfects your system. After the cleaner has finished it stays active to block further virus installations. Now you have enough time to install the DCOM patch that is offered by the tool without the danger of a reinfection.
If you don't want the infection prevention anymore you can simply uninstall it using Start, Settings, Software.
[text was edited by author 2003-08-13 08:59:28]
Andreas Haak:
reply to Andreas Haak
Well, again, because one asked via IM.
When I designed the cleaner I thought about usability and simplicity. I tried to offer a "one click solution". That's why the cleaner does things that seem to be illogical. But well ... let's explain why it does all those things.
Normally you will first clean your system and then install the patch. That means after disinfecting you are still vulnerable. So you have a high chance of getting infected again. I registered a port access to 135 about every half minute. That means it would only take 30 seconds to get infected again. Well ... I guess it's impossible to download and install the patch within 30 seconds. That's why the cleaner stays active after cleaning. It prevents the worm from installing again. Quite simple, isn't it?
The cleaner also adds itself to the auto start so it's started every time the system boots. That has 2 simple reasons:
1. If the download server of Microsoft is too busy you are still protected until you get the patch, even if you restart your computer.
2. Some of you will install the patch using Windows Update. In fact Windows Update will first install service packs etc. that need a reboot. To stay protected after the reboot the cleaner has to be loaded again. I guess many people will forget this step and while they download the updates they will get infected again. So I decided to let the cleaner start automatically until you uninstall it using the "Add/Remove software" function inside your "Control Panel".
I hope I clarified those things now.
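The reasoning above rests on one measurement: a blocked connection attempt to port 135 roughly every half minute, which is the window between disinfection and reinfection that the resident protection is meant to cover. As an added example (not from the thread or the Anti-Blaster tool), the script below derives that window from firewall log lines instead of from memory. The log format, the addresses and the timestamps are constructed for the example; a hypothetical format of "<date> <time> BLOCK <proto> <src>:<sport> -> <dst>:<dport>" stands in for whatever a real personal firewall writes.

```python
import re
from datetime import datetime
from statistics import median

# Constructed log lines in a hypothetical personal-firewall format (not taken
# from any real product). Only blocked TCP attempts to port 135 matter here;
# the UDP line and the garbage line are there to show they are filtered out.
LOG_LINES = """\
2003-08-12 21:00:03 BLOCK TCP 10.0.0.5:1027 -> 192.168.1.10:135
2003-08-12 21:00:31 BLOCK TCP 10.0.0.9:1033 -> 192.168.1.10:135
2003-08-12 21:00:40 BLOCK UDP 10.0.0.9:137 -> 192.168.1.10:137
2003-08-12 21:01:02 BLOCK TCP 10.0.0.5:1028 -> 192.168.1.10:135
2003-08-12 21:01:35 BLOCK TCP 10.0.0.12:2031 -> 192.168.1.10:135
2003-08-12 21:02:00 BLOCK TCP 10.0.0.5:1029 -> 192.168.1.10:135
this line is garbage and must be skipped
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) BLOCK (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def rpc_probes(lines, port=135):
    """Blocked TCP connection attempts to the given port, in time order."""
    events = [e for e in map(parse_line, lines)
              if e and e["proto"] == "TCP" and e["dport"] == port]
    return sorted(events, key=lambda e: e["ts"])


def inter_arrival_seconds(events):
    """Seconds between consecutive attempts."""
    return [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(events, events[1:])]


def summarize(lines, port=135):
    """Attempt count, distinct sources, and the typical gap between attempts."""
    events = rpc_probes(lines, port)
    gaps = inter_arrival_seconds(events)
    return {
        "attempts": len(events),
        "unique_sources": len({e["src"] for e in events}),
        "median_gap_s": median(gaps) if gaps else None,
        "min_gap_s": min(gaps) if gaps else None,
    }


def expected_probes_during(seconds, lines, port=135):
    """How many attempts to expect while a task (e.g. patching) takes `seconds`."""
    gap = summarize(lines, port)["median_gap_s"]
    return None if not gap else seconds / gap


if __name__ == "__main__":
    print(summarize(LOG_LINES))
    print("probes expected during a 10-minute patch download:",
          expected_probes_during(600, LOG_LINES))
```

On the constructed lines the median gap comes out just under 30 seconds from three distinct sources, which is the thread's "about every half minute". The last function turns that into the number the cleaner's design answers: the attempts a freshly cleaned, still unpatched machine would see while its owner is downloading the patch.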
Vampirefo (Premium, MVM, join: 2000-12-11, Huntington, WV, kudos: 1):
reply to Andreas Haak
Hi, here is the latest MSblast variant, and as you can see your program does nothing to stop it; TH Guard killed it though. Your claim that the program won't rename itself didn't last. We both knew it would, or many MSblast variants would be released.
Just add a signature for this exploit to your program. The file name is going to change, often, and your program will be worthless. Add signature detection, and you can detect new MSblast variants.
I am not your enemy, I am trying to help you, even though most posters want to blast me, if they take a minute to understand that detecting a worm by name only is useless.
[text was edited by author 2003-08-13 16:15:40]
Name Game (Premium, join: 2002-07-07, North Myrtle Beach, SC, kudos: 6):
reply to Andreas Haak
Heya Vamp,
Both teekids.exe and penis32.exe are only 6,176 bytes; you made up something that is 11 KB.
What is that thing??
I know you are having fun with this name thing.. and you were interested to get back to this thread.. but all the rest of the cleaners out there and many of the AVs are going to have to run real fast to keep up with the real world.
So I still can't figure out what you are trying to do.. are you ready to do your own tool and cleaner?
It appears that there are 300K or more machines infected with msblast.exe.
How many do you figure have these new namesakes?
Andreas Haak:
reply to Vampirefo
> variant and as you can see your program does nothing to stop it,
Wrong. Simply wrong. The install protection for the worm still works. That means if you cleaned the PC, in fact the worm won't infect the PC. Even in its new variants.
> Your claim the program wont rename itself didn't last, We both knew it would, or many MSblast variant's would be released.
The virus didn't rename itself. A script kiddie hex edited it. This can be done with every signature. It's a completely new variant. The Blaster.A worm is still detected. The Blaster.B worm, not.
> Just add signature for this exploit to your program, the
Even if I had added a signature it wouldn't help. In fact the B variant used a different EXE packer. So I would have to add a second signature. Same as now (and in fact the same as all the others had to do).
Vampirefo (Premium, MVM, join: 2000-12-11, Huntington, WV, kudos: 1):
reply to Name Game
quote: Heya Vamp,
Both teekids.exe and penis32.exe are only 6,176 bytes you made up something that is 11 KB
What is that thing ??
I unpacked it. So I could read the contents of the file.
[text was edited by author 2003-08-13 19:47:30]
Vampirefo (Premium, MVM, join: 2000-12-11, Huntington, WV, kudos: 1):
reply to Andreas Haak
This is A, not B. Same file, different name. Why do you think TH can catch it? Because it's the same file. Your program misses it; no hex editing was done. Oh well, I have wasted my time with you, won't be wasting any more time in this thread. This pic just shows how Stinger is able to detect it; it's the same worm. Stinger uses signatures for detection, not just the file name.
If you want the file, give me an e-mail address to send it to. Hopefully you will then add a signature; I doubt it though.
Best Regards, Vampirefo
[text was edited by author 2003-08-13 20:04:12]
Name Game (Premium, join: 2002-07-07, North Myrtle Beach, SC, kudos: 6):
reply to Vampirefo
said by Vampirefo:
quote: Heya Vamp,
Both teekids.exe and penis32.exe are only 6,176 bytes you made up something that is 11 KB
What is that thing ??
I unpacked it. So, I could read the contents of the file. --
[text was edited by author 2003-08-13 19:47:30]
LOL if you say so.. I do not think so... fishy stuff, as is your other post here now..