Thread: Remove MSBLAST.exe worm virus

  1. #1 dompes
    Join Date: Jun 2009

    Remove MSBLAST.exe worm virus

    The MSBLAST.A worm infects machines via network connections. It can attack entire networks of computers or one single computer connected to the Internet. The worm exploits a known Windows vulnerability that is easily patched; however, few systems seem to have this patch installed. It attacks Windows 2000 and Windows XP machines and exploits the DCOM RPC vulnerability. Depending on the system date it will start a Denial of Service attack against windowsupdate.com. This makes it difficult to download the needed patches and allows the worm to infect as many machines as it can before being disabled. However, as of August 15th, Microsoft decided to kill the windowsupdate.com domain to lessen the impact of this denial of service attack. MSBLAST can also cause widespread system instability, including but not limited to Windows blue screens, out of memory errors, changes to Control Panel, inability to use functions in the browser, and many more oddities.

    Download the Windows patches for this vulnerability by clicking on the link below:
    Security Update for Windows XP (KB823980)

    LINK REMOVED - If anyone wants to download this patch, I suggest you go direct to the Microsoft Windows site for the patch and not use a third party one like this, to be on the safe side. - Kay

    These Windows vulnerabilities are patched by using Windows Update to download all the critical updates for your system. However in some cases, people have reported getting an error 0x800A138F when trying to download updates. If you are receiving an error similar to this.

    What is the DCOM Vulnerability?

    The DCOM vulnerability in Windows 2000 and XP can allow an attacker to remotely compromise a computer running Microsoft Windows and gain complete control over it. The worm causes a buffer overrun in the Remote Procedure Call (RPC) service. When this service is terminated the virus infects the machine and then tries to infect other machines.

    What are the Symptoms of the MSBLAST worm?

    You'll see a screen similar to the one below when you are infected; this will count down to zero and literally shut down the system completely. The warning will state "This shutdown was initiated by NT AUTHORITY\SYSTEM". The message will read:

    Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly.

    You can disable this shutdown by following the steps below during the countdown:
    Click on Start, Run
    Type in CMD and press ENTER
    Type in the following command and press Enter

    SHUTDOWN -A

    This will terminate the shutdown; however, in most cases the system may be too unstable to try to recover and may need to be rebooted anyway.

    How Does MSBLAST Infect My Computer?
    The worm creates a Mutex named "BILLY." If the mutex exists, the worm will exit.
    Adds the value:

    "windows auto update" = MSBLAST.EXE (variant A)
    "windows auto update" = PENIS32.EXE (variant B)
    "Microsoft Inet xp.." = TEEKIDS.EXE (variant C)
    "Nonton Antivirus" = mspatch.exe (variant E)
    "Windows Automation" = mslaugh.exe (variant F)
    "www.hidro.4t.com" = enbiei.exe (variant G)

    to the registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    so that the worm runs when you start Windows.
    Calculates the target IP address, based on the following algorithm, 40% of the time:

    Host IP: A.B.C.D
    Sets D equal to 0.
    If C > 20, subtracts a random value less than 20 from C.
    Once calculated, the worm will start attempting to exploit the computer at A.B.C.0, and then count up.
    This means the Local Area Network will be infected almost immediately and become saturated with port 135 requests before the worm exits the local subnet.

    Calculates the target IP address from random numbers 60% of the time:

    A.B.C.D
    Sets D equal to 0.
    Sets A, B, and C to random values between 0 and 255.

    Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability to allow the following actions to occur on the vulnerable computer:

    Create a hidden Cmd.exe remote shell that will listen on TCP port 4444.

    NOTE: Due to the random nature of how the worm constructs the exploit data, it may cause computers to crash if it sends incorrect data. This can cause blue screens, out of memory errors, etc.

    Listens on UDP port 69. When the worm receives a request, it will return the Msblast.exe binary.
    Sends the commands to the remote computer to reconnect to the infected host and to download and run Msblast.exe.

    If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on "windowsupdate.com."

    With the current logic, the worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.

    The worm contains the following text, which is never displayed:
    Last edited by Kay; 07-23-2009 at 02:11 PM. Reason: removing third party link. Don't just assume a link is okay to download from just because someone says do it.
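    A defender-side check for the propagation pattern the post describes: a host sweeping its own /24 on TCP 135 counting up from .0, followed by TCP 4444 and UDP 69 traffic from the new victim back to the infected host. This is an added example, not code from the post or from any vendor; the firewall log format, the SAMPLE_LOG lines and the MIN_SWEEP threshold are constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed firewall log (not from the post): time proto src:sport -> dst:dport
SAMPLE_LOG = """\
2003-08-12T10:00:01 TCP 10.1.2.5:1100 -> 10.1.2.0:135
2003-08-12T10:00:01 TCP 10.1.2.5:1101 -> 10.1.2.1:135
2003-08-12T10:00:01 TCP 10.1.2.5:1102 -> 10.1.2.2:135
2003-08-12T10:00:02 TCP 10.1.2.5:1103 -> 10.1.2.3:135
2003-08-12T10:00:02 TCP 10.1.2.5:1104 -> 10.1.2.4:135
2003-08-12T10:00:02 TCP 10.1.2.5:1105 -> 10.1.2.6:135
2003-08-12T10:00:04 TCP 10.1.2.6:1032 -> 10.1.2.5:4444
2003-08-12T10:00:05 UDP 10.1.2.6:1033 -> 10.1.2.5:69
2003-08-12T10:00:10 TCP 10.1.2.9:2301 -> 10.1.2.1:135
"""
LINE_RE = re.compile(r"^\S+ (?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+)$")
MIN_SWEEP = 5  # distinct in-order port-135 targets before we call it a sweep
# Services the post says an infected host exposes: cmd.exe on TCP 4444, Msblast.exe via UDP 69
SERVICE_TAGS = {("TCP", 4444): ("shell_listener_4444", "connected_to_4444"),
                ("UDP", 69): ("tftp_server_69", "tftp_download_69")}

def parse(log_text):
    """Yield (proto, src, dst, dport) per well-formed line; ignore the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["proto"], m["src"], m["dst"], int(m["dport"])

def is_local_sweep(src, targets):
    """True if targets are src's /24 counted up from .0 (the post's 40% case); src itself may be absent."""
    prefix, self_octet = src.rsplit(".", 1)
    local = sorted(int(t.rsplit(".", 1)[1]) for t in targets if t.startswith(prefix + "."))
    if len(local) < MIN_SWEEP or local[0] != 0:
        return False
    return set(local) == set(range(local[-1] + 1)) - {int(self_octet)}

def find_msblast_indicators(log_text):
    """Return {host: set(indicators)} for the behaviours the post describes."""
    rpc_targets, findings = defaultdict(set), defaultdict(set)
    for proto, src, dst, dport in parse(log_text):
        if proto == "TCP" and dport == 135:
            rpc_targets[src].add(dst)
        elif (proto, dport) in SERVICE_TAGS:
            served, fetched = SERVICE_TAGS[(proto, dport)]
            findings[dst].add(served)   # the host offering the service is the infected one
            findings[src].add(fetched)  # the host pulling the binary is the new victim
    for src, targets in rpc_targets.items():
        if is_local_sweep(src, targets):
            findings[src].add("sequential_135_sweep")
    return dict(findings)
```

    Run against SAMPLE_LOG, the infected host 10.1.2.5 is tagged for the sweep and both listeners, 10.1.2.6 for fetching the payload, and the single stray probe from 10.1.2.9 is not reported.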

