MSBlast, also known as Lovsan, is an Internet worm that exploits a known vulnerability in Windows 2000, NT, and XP. The worm takes advantage of a flaw in the Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface, which was patched in MS03-026 on 17 July 2003. Because many people have yet to patch their systems, the worm is very active. MSBlast spreads quickly via the Internet and could damage infected system files; therefore, this worm rates a 7 on the ZDNet Virus Meter.
How it works
MSBlast does not spread via email. Instead, it scans the Internet on port 135 looking for vulnerable computers. When it finds one, it attempts to exploit the DCOM RPC buffer overflow, create a remote root shell on TCP port 4444, then use FTP to download a file called msblast.exe onto the infected computer.
At this time, antivirus vendors are still analyzing what msblast.exe does.
MSBlast updates the system Registry with the following line so that it will run each time the computer is rebooted:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! Bill
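As an added illustration (not part of the original article and not any vendor's removal tool), the following Python checks saved `reg query` and `netstat -an` output for the indicators described above: the Run value that launches msblast.exe, a listener on TCP 4444, and outbound connections to port 135. The function names, the constructed sample captures and the fan-out threshold of 3 hosts are assumptions made for this example.

```python
import re

# Indicators as given in the article; the threshold is an assumed tuning value.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WORM_IMAGE = "msblast.exe"
SHELL_PORT, RPC_PORT, SCAN_THRESHOLD = "4444", "135", 3

def check_run_key(reg_output):
    """Return (value name, data) pairs under the Run key that launch msblast.exe."""
    hits, in_run_key = [], False
    for line in reg_output.splitlines():
        if line.strip().upper().startswith("HKEY_"):
            in_run_key = line.strip().lower() == RUN_KEY
            continue
        m = re.match(r"^\s+(.+?)\s+REG_\w+\s+(.*)$", line)
        if in_run_key and m and WORM_IMAGE in m.group(2).lower():
            hits.append((m.group(1), m.group(2).strip()))
    return hits

def check_netstat(netstat_output):
    """Flag a TCP 4444 listener and outbound TCP 135 fan-out in `netstat -an` text."""
    findings, rpc_targets = [], set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue  # headers, UDP rows, blank lines
        local, remote, state = parts[1:]
        if state == "LISTENING" and local.rsplit(":", 1)[1] == SHELL_PORT:
            findings.append("listener on TCP " + SHELL_PORT)
        elif state in ("SYN_SENT", "ESTABLISHED") and remote.rsplit(":", 1)[1] == RPC_PORT:
            rpc_targets.add(remote.rsplit(":", 1)[0])
    if len(rpc_targets) >= SCAN_THRESHOLD:
        findings.append("outbound TCP 135 to %d hosts" % len(rpc_targets))
    return findings

# Constructed sample captures (not taken from a real host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SampleTray    REG_SZ    C:\Program Files\Sample\tray.exe
    windows auto update    REG_SZ    msblast.exe
"""
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1034        198.51.100.1:135       SYN_SENT
  TCP    192.0.2.10:1035        198.51.100.2:135       SYN_SENT
  TCP    192.0.2.10:1036        198.51.100.3:135       SYN_SENT
"""

if __name__ == "__main__":
    print(check_run_key(SAMPLE_REG))
    print(check_netstat(SAMPLE_NETSTAT))
```

A local listener on port 135 is normal on these Windows versions, which is why only outbound connections to that port are counted.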
Prevention
Users who have not yet patched their Windows 2000, NT, and XP systems should do so, using the patch for their version of Windows:
Windows NT 4.0 Server
Windows NT 4.0 Terminal Server Edition
Windows 2000
Windows XP 32-bit Edition
Windows XP 64-bit Edition
Windows Server 2003 32-bit Edition
Windows Server 2003 64-bit Edition
Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, McAfee, Symantec, and Trend Micro.







Talkback
Help - I am running Windows 2000 and when I click on your patch - nothing happens.
It appears that my computer may have already been infected by this virus. Have there been any steps identified to rid a system of it once infected?
Thanks in advance for the help.
When I try to run the XP 32 bit patch it tells me that I have an error KB823980 setup error. I can go no further. It wants to know if I have "cryptographic service running on this computer". What gives???
schowiak@wireco.net
need an e-mail answer
Since Microsoft update doesn't work, why doesn't Microsoft release their patch elsewhere like on Symantec's site or McAfee's?
Is it the case that MSBlast does not affect systems running Win 98, or is it just that Microsoft won't support Win 98 by issuing a patch?
This worm is the first bug/virus that I have! It was really annoying at first and I thought it was just XP malfunctioning, so I ran a virus check through it and this automatically deleted most of my software files!!! So now I am having to reset my computer altogether!!! Thank god I found the security patch... I was about ready to smash the thing up!!! That would have stopped it ;)
I believe the person or persons who do this ought to be prosecuted to the full extent of the law. They are guilty of stealing and destroying many computers, that alone is enough for 50 years if I had anything to do with it. Computers are too valuable and too costly to replace, not to mention valuable info that people lose when this happens!
What if you have Windows MILLENNIUM?
What is MSBLAST.EXE-09FF84F2.pf?
It is in my C:\WINDOWS\Prefetch file. I have cleaned up the worm but this is still on my computer in this file. I don't know if I should delete it or not.
Further to comment by Dick Lawrence, I have Win 98, so does this mean I am OK and do not have to take any action? Can someone advise?!!
I have the worm virus on my computer and I have found the file msblast.exe on my hard drive. The virus won't let me copy, paste, cut etc., and it will not allow me to access some programs on my computer, and the worst part of all is that I cannot click on many links such as the link to get the patch on this site. When I click on the link, nothing happens at all.
I had the virus MSBLAST. Norton Antivirus 2002 was set up with auto updates...but it missed the MSBLAST virus!! Symptoms were PC kept rebooting after a few minutes of being connected to the net. However, I connected via my backup ISP AOL, and I was able to remain connected all the time! So therefore I was able to download the patch from Microsoft and also the removal tool from Symantec.
Read the instructions carefully though.
Namely turn off System restore 1st of all.
Install the MS patch
Then remove the beasty with Symantec's removal tool.
Turn on System Restore when done.
Best to do all of this in safe mode is my advice!
It's worked in any case and the virus is gone!!
Good luck all!!
Windows ME is not affected. It is only NT based systems, mainly Windows XP and Windows 2000.
It won't let you fetch updates from the Microsoft site (and that's the purpose of this worm).
Please terminate the process msblast.exe from Task Manager, and then try to delete this file.
Otherwise boot in safe mode and then delete this file.
It's a bit difficult to download the patch once infected though, don't you think? Home users should first activate their firewall, and then disinfect the computer. Then download the patch. Little advice telling you how to do this...
I am having trouble downloading the firewall from the link provided. I get to the connecting to 3rd party connection and no further action...Any suggestions ??????
www.grisoft.com the free AVG software caught and stopped this puppy yesterday when there wasn't ANY information about it. I HIGHLY recommend AVG. The curious part for me is that my computers are using NAT and so I do not understand how the worm got "back" into my NAT'ed computers. Unless it did some intelligent guessing, or if something else is being used as an accomplice to trigger it.
I have Windows ME and it is not on your list for protection so what can I do to protect my Computer?
If you previously had the virus before you patched your pc, will it help it a lot. And what does it protect it from?
I can't remove the blast worm with any tool or antivirus and I can't find it in the registry, although it keeps on restarting my computer.
We are also experiencing a lot of SVCHOST.EXE errors, even on uninfected machines. Is this related to MSBLAST and can it be addressed?
I'm unable to stay online long enough to download the patch. What advice could you provide me? I'm running off a work PC now. Should I try downloading it to a CD/floppy? If so, I'm not sure what the correct patch download is.
I'd love an e-mail response. Thanks.
MS Blast is cleaned off my hard drive, but this variant seems to have created an F drive on my system. Nothing I read has mentioned this problem. What is this drive, and how do I remove it?
Please Post Reply
What was the registry edit under HKEY local machine? I cannot find it.
When you see the pop up window that is telling you the computer will shut down in 60 seconds, Do this -
Click on the START button, which brings up a menu.
Click on RUN
Type shutdown -a (exactly as it appears here including the space!!)
Press ENTER
This should then stop the countdown, allowing you more time to try and download the patch. Good luck.
Kevin
PS E-mail me and let me know how you got on
well u all better watch it, i no a gang of guys that got a cd of windows codes 3 years ago they have been rewirting it the got it done, the r going to sell them this is how they will get in and u wont c them, they fhide in files they stack, they got this thing down alott of work went into rewriting this baby, look deep in your files to c if any shareware is checked, if so the r in your pc waiting to steal your cc# or what ever they want files games movies, they got into my c 3 timess iin a mo. now i can get them out i try to reinstall ME and just there window will load up ? how do i get them out aand keep them out ?
I would like to know the phone number to call
if you cannot get online to install the patch.
I have another computer which seems to be infected with possible hackers and dial-up servers. Each time I get rid of these, the next time I boot up they just re-appear.
My other computer seems to be okay, hence I am writing this email from there.
Was able to get through to the Microsoft site yesterday - but not now, 9.00am on Friday. Cannot even get www.microsoft.com.
I need to get the separate fix from Microsoft for Windows NT 4. I have the fixes for Win XP and Win 2000.
Any suggestions?
WATCH IT GUYS some guys called VG got a code copy of windows in 2000 they have been rewwriting it now for 3 years, and useing me as there gin-e-pig its my bro-in-law the 1 who hooked ne up to the internet, all i can say is if they get in u WONT no it inless u look deep in your files they stack them LOOK to c if and shareware is open they go in and hide they got into my pc 3 time in the mo of july now i cant get them out ? I copyed a cd of the 1 they rewote and r going to sell, man what a way to make a buck hacking lol i called micro. feds lol no 1 will hear me out, SO iam telling u all c if this means anything to u guys 1 of the files i got the script cracked, microsoft VBI codec made 9/24/97 u pdate 1/26/99 converted to swenuum fixed 7/28/00 to dx8 downlevel install class guid = 4d36e96c-e325-11ce-bfc1-08002belo318 driver v. 7/1/2001=5.1,2535.0 destination destDir=12 control flags exclude from select * defaultininstall addreg. ccecode-run once.add reg micrsoft%ccdecode.devic%=ccdecode,SW\{562370a8-f8dd-11d2-bc64-00a0c95ec22e ccdecode.copyfiles1 ccdecode.sys,,,copyFLG_NO_version_dlalog ccdecode.interface.install addreg=ccdecode.interfaace.addres destinationdirs uptions.Win=49001,%defalt explorer path %uptions NTx86=49001,%def. exp. ptions nt alpha 49001 % def exp. sys dri copy=11;11 copies to sys directory any help guys i want my pc back from these hackers!!!!!!!! PS dont reply to any e-mail and use windows auto update to patch they have mirc. updates they will send you if u use it they will get in
He doesn't want to worry about the virus. He should spend more time on his English or alternatively get a proper keyboard.
I have XP and the instructions are too complicated. Can you give me an idiot guide to follow?
This particular file can be deleted without a problem. It is recommended that you do a search for any files that have MSBlast as part of the file name and delete them.
HELP! I have XP and I can't tell if I'm 32-bit or 64-bit! Help!
I used Windows 98 computer to download XP security patch to transfer to computer using XP without having to go online with it. After download to XP computer how does the file install?
Help: I want to load the patch against MSBlast but I am asked about 32 or 64-bit XP, how do I find out which one I use?
How do you know if you have 32 or 64 bit XP?
Do I need to download if I am using Windows ME???? Can someone please reply??? Thanks
Hi, I am using Windows 98 so do I need to run the MSBlast patch, am I at risk also? Please email and let me know.
Is MS Blast the same as peopsystem or joesustem that launches itself when I boot up? I also get proxy build when I boot up, why?
AVG sucks, use Norton. It's the best, just keep it updated. It caught the MSBlast worm. I used AVG updated to the current date and while AVG was scanning for viruses Norton was finding them.
Go into the control panel and into display. Look in the settings tab - it should show if you're using 32-bit or 64-bit colour. Hope this helps.
Please could you advise me where I can get the patch from? I don't know too much about computers, and am unsure which one to download. I am running Windows 98, but don't know much else.
Hi, I was wondering how do I find out how my PC has a virus like MSBLAST, because my programs keep coming up a white screen every time I open them and switches on and off by itself. If anyone knows why, please email me.
here is a direct link to the windows xp 32bit patch 4 the blaster worm: http://www.microsoft.com/downloads/details.aspx?FamilyID=2354406c-c5b6-44ac-9532-3de40f69c074&displaylang=en
contact me if any problems occur
here is a direct link to microsoft website 4 the blaster worm 4 the windows xp 32bit edition (home edition) http://www.microsoft.com/downloads/details.aspx?FamilyID=2354406c-c5b6-44ac-9532-3de40f69c074&displaylang=en
contact me if any problems occur
windows xp home edition is 32bit and windows xp pro is 64bit
This new virus does not attack Windows 98 so there is no need to worry.
I have Windows XP but how do I know if I have the 32 bit or the 64 bit?
I downloaded the e-mailed instructions dated 88/15/03 "Urgent: Phase 2 Virus Attack."
I couldn't get beyond step 8 (page 3). When I displayed the screen identifying my operating system and clicked on OK, my desk top screen appeared. How do I get to the link in step 9?