W32.Blaster.Worm (was WIN2000 - Can't cut/copy/paste)


Postby DJGM » Mon 11 Aug, 2003 6:12 pm

Ok, this is a new installation of Windows 2000 Professional on my recently acquired "testbed" PC.
So far, everything seems to work, bar one thing. I can't cut/copy and paste anything with it at all.

While I wait for replies, I'll pop down Microsoft way, and trawl through the MS Knowledge Base!

EDIT:
Please read my second reply to this thread.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624
Last edited by DJGM on Wed 13 Aug, 2003 3:42 pm, edited 1 time in total.
SeaMonkey = Swiss Army Knife: It's versatile, reliable, and contains useful tools.
Windows Internet Explorer = Old Swiss Cheese: Full of holes, and it stinks!

Postby Ramona » Tue 12 Aug, 2003 1:24 pm

Hi Greg,

Just saw this poster with a problem similar to yours:

snews://secnews.netscape.com:563/bhb9ap$45q20@ripley.netscape.com

Have you done the MS Patch for W2K? I'm hoping this isn't your problem, and just a coincidence...

Ramona :mrgreen:
UserAgent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (CK-SillyDog)

Postby DJGM » Tue 12 Aug, 2003 2:31 pm

This is an OS issue. Netscape is not installed on this PC at the moment. I've
replaced Windows 2000 with a new installation of Windows XP Pro, and the
same cut/copy/paste problem is even in this newer version of Windows.

Funnily enough, the svchost.exe error mentioned in that newsgroup posting
kept popping up in Windows 2000 Pro, but hasn't yet appeared at all in this
installation of Windows XP Pro. This is after I completely nuked the partition
containing Win2K to install XP afresh. I'll try that security patch from MS,
and report back if the problem continues . . .
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624

Postby DJGM » Wed 13 Aug, 2003 3:40 pm

It seems this is all to do with the latest internet worm doing the rounds, and causing serious problems
with NT based versions of Windows (NT/2K/XP). The worm is an executable file that's placed inside
your /SYSTEM32 folder called msblast.exe, and the worm's viral name is W32.Blaster.Worm . . .

This is a very serious issue, caused by a security vulnerability in the Windows RPC* service, that
can enable an attacker to take full control of your computer, and run any code of their choosing.

(*Remote Procedure Call (RPC) is a protocol used by the Windows operating system.
RPC provides an inter-process communication mechanism that allows a program
running on one computer to seamlessly execute code on a remote system. The
protocol itself is derived from the Open Software Foundation (OSF) RPC
protocol, but with the addition of some Microsoft specific extensions.)

Therefore, if anyone here is using Windows NT/2000/XP, and suffering the same problems that I
described in the opening message of this thread, you'll need to apply the critical patch released
by Microsoft. Go to the Microsoft Technet Security Bulletin here. To get the patch, you'll need
to scroll about two thirds down the page, and click on the link corresponding to your current
version of Windows. This will take you to a page where you can download the patch.

You'll need to reboot your PC after applying the patch.

After rebooting your PC, look inside your /SYSTEM32 folder. If you find the msblast.exe file is still
there, delete it straightaway, by hitting SHIFT and DELETE simultaneously, so it will be removed
completely, without going via the Recycle Bin.

Because of the extreme severity of this vuln, I'm upgrading this thread to "Announcement".
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1

Postby Gregor » Thu 14 Aug, 2003 4:42 am

My Panda found it 3 times in two hours!
It does not spread through e-mail, because an infected computer scans IP addresses on the web and, if it finds one (an unprotected computer), uses port 135 to infect it, so it is necessary to install the security patch as DJGM suggested.
UserAgent: Opera/7.11 (Windows NT 5.0; U) [en]
"We don't receive wisdom; we must discover it for ourselves after a journey that no one can take us or spare us." Marcel Proust.
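
The scanning behaviour described in the post above (one machine probing many addresses on port 135) is visible in firewall logs. This is an added example, not part of the original thread: Python that flags any source contacting TCP port 135 on several distinct addresses. The log layout (modelled on Windows Firewall's pfirewall.log), the sample entries, the function names and the threshold of 3 targets are assumptions.

```python
from collections import defaultdict

# Constructed sample entries; the column layout is modelled on Windows
# Firewall's pfirewall.log (assumed). Addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size
2003-08-14 04:40:01 DROP TCP 198.51.100.7 192.0.2.10 3021 135 48
2003-08-14 04:40:01 DROP TCP 198.51.100.7 192.0.2.11 3022 135 48
2003-08-14 04:40:02 DROP TCP 198.51.100.7 192.0.2.12 3023 135 48
2003-08-14 04:40:02 DROP TCP 198.51.100.7 192.0.2.13 3024 135 48
2003-08-14 04:40:05 OPEN TCP 192.0.2.10 203.0.113.80 1045 80 -
2003-08-14 04:41:10 DROP TCP 203.0.113.9 192.0.2.10 4100 135 48
2003-08-14 04:41:30 DROP UDP 198.51.100.7 192.0.2.10 1026 135 60
"""


def parse(log_text):
    """Yield one dict per entry, taking column names from the '#Fields:' line."""
    fields = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))


def rpc_scanners(entries, port="135", min_targets=3):
    """Return {src_ip: sorted distinct dst_ips} for sources that tried
    TCP/<port> on at least min_targets different addresses."""
    targets = defaultdict(set)
    for e in entries:
        if e.get("protocol") == "TCP" and e.get("dst-port") == port:
            targets[e["src-ip"]].add(e["dst-ip"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in rpc_scanners(parse(SAMPLE_LOG)).items():
        print(f"{src} probed TCP/135 on {len(dsts)} hosts: {', '.join(dsts)}")
```

Run against a gateway's log of outbound traffic, the same check points at machines on your own network that are doing the scanning.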

Postby Ramona » Thu 14 Aug, 2003 4:51 pm

DJGM,

This is one time I am very sorry to have found the cause of a problem! At least you are on top of it now.

A friend just sent me this information about yet another worm/trojan that is so similar to this one: W32.Randex.E. This one also uses the DLL to exploit the DCOM RPC vulnerability, as described in Microsoft Security Bulletin MS03-026.

You can, however, disable DCOM with a minor Registry edit, as described here:
Disable Distributed Component Object Model (DCOM) (All Windows)
To be on the safe side, I have done the Registry edit.

FWIW,

Ramona :D
UserAgent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (CK-SillyDog)

Postby Mandrake » Thu 14 Aug, 2003 8:06 pm

If you apply the patch you should be safe . . . of course no one knows if Windows 95 or 98 are affected by this, since they are no longer tested for security vulnerabilities like newer versions of Windows.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1a) Gecko/20020611
Core i7 920 | ASUS P6T Deluxe v2 | 3TB+ HDD | 12GB Corsair DDR3 | Radeon 4890 Xfire | X-Fi Titanium Fatal1ty | Logitech Z-5500 Speakers | Dell 3008WFP | Seven RC1

Postby profman » Thu 14 Aug, 2003 8:28 pm

Ramona and DJGM: Thanks for the info. I'll mention here that my son got this virus and had to deal with it. The MSBLAST worm appears to be not very destructive, just extremely annoying. Symantec has a nice section on this worm.

It seems that a good firewall should prevent this type of infection although I'm not absolutely sure about this since the worm uses a Windows component. I'm hoping that my LinkSys BEFSX41 Firewall Router (or ZoneAlarm, if I'm not using the router) will protect my various systems. Of course, be sure to apply current security patches.
UserAgent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.4) Gecko/20030624
profman, the mad chemist
Moderator of SillyDog Forums
User of Thunderbird 2.0.0.x & Firefox 3.x
Try Forum Search

Postby Wellander » Thu 14 Aug, 2003 10:56 pm

Hi,
There is no patch for Windows 9x or Me, just NT 4.0 servers and 2000 and XP.
UserAgent: Mozilla/4.79 [en] (Windows NT 5.0; U)

Postby Mandrake » Fri 15 Aug, 2003 12:12 am

Microsoft would have released a patch for Me, but it isn't affected by this vulnerability . . . W2K3 Server has a patch too.
UserAgent: Mozilla/4.0 (compatible; MSIE 5.14; Mac_PowerPC)

W32.Blaster.Worm

Postby sparkydog » Sun 17 Aug, 2003 11:50 am

Hi...SillyDog newbie here...

I too have had this virus. It manifested itself in MANY different ways. Some are:
1. I couldn't cut & paste
2. I couldn't drag & drop
3. The control panel icons were all jammed to the left side of the window
4. My Nero burner software would not work.
5. I lost MS Word as my default Outlook Email editor
6. Some apps would just not run
(This was Aug 13th)

The two main things that I did to clear up all of these problems:
1. Reloaded Windows2000 (Switched from Fat32 to NTFS in the process)
2. Reloaded the latest version of Internet Explorer

Then I went and got Blaster.A from norman.com, as well as a few other checkers (valla.2048 and Lovgate.F)

I then put a Linksys Router between my Cisco 678 and my Netgear Hub.
(Making sure all incoming ports are set to zero)

I will run the checkers and my Panda Titanium on my Winnt directory every day.

It's about all I can do...I think.

When did computing get so serious and difficult? As a retired process control engineer of 30 years, I am amazed at how much work it is just to keep up with security these daze!

:(
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)

Postby Gregor » Mon 18 Aug, 2003 1:07 am

Hello Tom !

Since you use Panda, as I do, you should be safe from the Blaster worm. In any case, on Panda's web page a tiny program called PQREMOVE is available for registered users. It repairs all damage done.
UserAgent: Opera/7.11 (Windows NT 5.0; U) [en]

Postby Edward » Mon 18 Aug, 2003 6:48 pm

Mandrake wrote: If you apply the patch you should be safe . . . of course no one knows if Windows 95 or 98 are affected by this, since they are no longer tested for security vulnerabilities like newer versions of Windows.


According to the Symantec link Ramona provided regarding W32.Randex.E, it lists 95 and 98 as being affected.
UserAgent: Mozilla/5.0 (Linux 2.4.20-4GB i586; U) Opera 7.11 [en]
SillyDog701 Moderator
debian 6 - iceape - iceweasel - icedove - seamonkey

Postby profman » Mon 18 Aug, 2003 8:19 pm

Here is Microsoft's latest page on this worm: What You Should Know About the Blaster Worm and Its Variants.

They say, on that page:
Your computer is not vulnerable to the Blaster worm if either of these conditions apply to you:

If you are using Microsoft Windows 95, Windows 98, Windows 98 Second Edition (SE), or Windows Millennium (Windows Me).

If you downloaded and installed the security update that was addressed by Security Bulletin MS03-026 prior to August 11, the date the Blaster worm was discovered.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02 (CK-profman)

Postby Edward » Tue 19 Aug, 2003 6:02 pm

Symantec says one thing, Microsoft says the opposite.

Typical Windows behavior... :-?
UserAgent: Opera/7.11 (Linux 2.4.20-4GB i586; U) [en]
