Hi guys,

It really feels good to be posting here after so much time. It is a pity I had to leave ASM programming, because of a lack of time. I am having little free time, and I have not coded for almost a year. :(
Maybe I will return some day to the joy of this language, but for the moment I am too busy with my admission to the university.

But now I am having some problems in my PC, and I think this is the correct place to ask for help.
I dunno why but when I turn it on it works perfectly. However, after 5 or 10 minutes (I have not measured it) a message is displayed, saying there is an error. After this message is displayed, the computer does not work properly. The function "find" of Windows does not work, some files cannot be opened (such as bmp or jpg), the function "copy - paste" does not work, neither in a text editor nor when copying files, and Java pages do not work. What could the problem be? May it be an error or some kind of virus?

Thanks for your help. And sorry for my long absence here, I hope to be able to come here more frequently after some months.

Thanks again in advance.
Posted on 2003-08-13 15:25:50 by CodeLover
look in your processes to see if you have something like msblast.exe running

if you do, you're infected by a new worm, to solve it:

1) kill msblast.exe via your processmanager (CTRL-ALT-DEL)
2) hop over to windows update (while you still can) and get the security patches.
3) install the patches.
4) open regedit or regedt32 whatever you like best and go to
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
once there look for "windows auto update" with value "msblast.exe" and delete that key if you can.
5) delete msblast from <%SYSTEM_DIR%>\system32\ (should be there, if not do a disksearch for msblast.exe)
6) reboot.



for those not infected yet but not patched that have a firewall: shield TCP 135, 139, 445 or 593, DENY/DROP everything from the outside world on that.
for those without firewall as a final resort disable RPC as long as you're not patched


tips from MS
in case windows update fails, you can try to download the patches from MS http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-026.asp bottom of the page

I put the win2K and winXP patches on the server here in case any of you can't get it (this worm will DoS windowsupdate soon :P )
http://www.win32asmcommunity.net/download/blaster/ please only use these if you can't get them via official means :)
Posted on 2003-08-13 16:48:12 by Hiroshimator
Thanks Hiro. I was thinking about that msblast.exe, and I also deleted it from the registry but then I thought it was a system file or something (how stupid I am), and put it back again.

Anyways, thanks Hiro.
Posted on 2003-08-13 18:24:38 by CodeLover
You should also block incoming connections on local port 4444, as that's supposedly the port the worm uses for remote administration.
Posted on 2003-08-13 20:09:21 by iblis
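The checks from Hiroshimator's and iblis's posts above, as an added example that is not part of the original thread: a Python script that reads saved `netstat -an` and `reg query` output and reports listeners on the ports the posts name and any Run-key value pointing at msblast.exe. The sample inputs are constructed, and the function names are this example's own.

```python
import re

# Ports named in the thread; 4444 is the one iblis gives for the worm's remote administration.
WATCH_PORTS = {135: "RPC endpoint mapper", 139: "NetBIOS session service",
               445: "SMB", 593: "RPC over HTTP", 4444: "reported Blaster admin port"}

# Constructed sample input in the layout printed by `netstat -an` on Windows.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:593          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      10.0.0.5:135           ESTABLISHED
"""

# Constructed sample in the layout printed by `reg query` on the Run key from step 4.
SAMPLE_RUN_KEY = """\
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    SomeTrayTool    REG_SZ    C:\\Program Files\\Tray\\tray.exe
    windows auto update    REG_SZ    msblast.exe
"""

def exposed_listeners(netstat_text):
    """Return sorted [(port, label)] for watched TCP ports listening on a non-loopback address."""
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            addr, _, port = parts[1].rpartition(":")
            loopback = addr.startswith("127.") or addr == "[::1]"
            if port.isdigit() and int(port) in WATCH_PORTS and not loopback:
                found.add(int(port))
    return [(p, WATCH_PORTS[p]) for p in sorted(found)]

def suspicious_run_values(reg_text):
    """Return [(name, data)] for Run-key values whose data references msblast.exe."""
    hits = []
    for line in reg_text.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_(?:SZ|EXPAND_SZ)\s+(.*)$", line)
        if m and "msblast.exe" in m.group(2).lower():
            hits.append((m.group(1), m.group(2).strip()))
    return hits

if __name__ == "__main__":
    print("exposed listeners:", exposed_listeners(SAMPLE_NETSTAT))
    print("Run-key hits:", suspicious_run_values(SAMPLE_RUN_KEY))
```

A reported listener only means the port is reachable from other hosts; whether the machine is still vulnerable depends on the MS03-026 patch, which this script does not check.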
On my Win2K system, I had to log in with a startup disk and delete the msblast.exe file manually.
Posted on 2003-08-13 22:00:31 by sluggy
Hmm... guess there is something to be said for my Win98SE... from what I read from MS' page the OS is immune to it...

However, I did the update OS page just to be safe, and to my surprise, after the scan of my OS was finished, it still wanted to patch my OS specifically for the worm anyways!!...

Wondering if M$ can get any of their facts straight...
:NaN:
Posted on 2003-08-13 22:11:56 by NaN
if you installed MDAC on a 98 then you also have DCOM98, which, if I understand the vulnerability correctly, opens you up as well since it requires RPC functionality to be installed :/
Posted on 2003-08-14 01:52:48 by Hiroshimator