EDIT: Not MS-Blaster, Sasser.



Kale
May 2nd, 2004, 09:23:53 PM
My computer picked up the MS-Blaster worm several months ago. I had been using exclusively a firewalled connection, then I tried a non-firewalled connection so I could use ICQ chat and AIM talk. The worm hit me about twenty minutes after I connected. So I loaded the Stinger anti-virus program (version 1.9.9.1, updated January of 2004) and the Microsoft update package RPC Fix. I ran both, no problem. The worm was gone.

I have since used both the firewalled and the non-firewalled connections frequently without incident. Then, today, I tried the non-firewalled connection, and the worm showed up again, only now the "System Shutting Down" window was preceded by a window that announced, "SPC Shell (Export Version) has caused errors and must shut down."

I've run Stinger and RPC Fix, but the worm is still there. Is there a more updated version of one or the other that I need, or perhaps another package altogether? I'm kinda sick of this thing.

Sanis Prent
May 2nd, 2004, 09:38:05 PM
whoa. old school virii

Brian
May 2nd, 2004, 09:39:48 PM
Very.

A quick Google search turned this up as a first hit.
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

I've never had any problems with Symantec advice, but maybe someone like Morgan will tell you different.

Morgan Evanar
May 2nd, 2004, 09:49:36 PM
Symantec's advice is almost always sound. Also, why is your computer not 100% up to date? O_o

Kale
May 2nd, 2004, 09:56:42 PM
That'd be my fault. I had thought the patch I ran last time would have brought it up to date, however. I'm working on implementing Symantec's instructions.

Incidentally, to your knowledge, would the firewall have prevented an infection? I had been under the impression that people were getting MS-Blaster regardless of whether they had a firewall, but it really seems that this only popped up while I wasn't using mine.

Marcus Telcontar
May 2nd, 2004, 09:59:02 PM
Originally posted by Morgan Evanar
Symantec's advice is almost always sound. Also, why is your computer not 100% up to date? O_o

Seconded. Haven't you got your patches done to fix it?

Morgan Evanar
May 2nd, 2004, 10:00:57 PM
It's not even the issue of MSblaster. Your version of Windows should be up to date. Hit Windows Update at least once a month, it makes things work better.

Figrin D'an
May 2nd, 2004, 10:02:04 PM
Originally posted by Morgan Evanar
Also, why is your computer not 100% up to date? O_o

I'd ask the same question.

Removing the virus and running a firewall isn't enough to prevent it from cropping up again. It's absolutely critical to make sure your OS is up-to-date. Run Windows Update every couple of weeks and look for critical updates. Seriously. Make it a habit. The most common reason virii propagate is that so many systems aren't patched when new exploits are discovered.


What are you using for a firewall, out of curiosity?

Brian
May 2nd, 2004, 10:04:51 PM
Well, you might still have gotten the virus if you'd done something stupid like open and run the virus from an e-mail attachment. But, generally firewalls do protect important programs from infection by preventing the computer from downloading anything that comes from a source you haven't marked as trustworthy. Once the virus is on your computer, however, it becomes a different issue, as you are now aware.

Kale
May 3rd, 2004, 11:20:31 AM
Well, it's not MS-Blaster after all; it's Sasser, a relatively new worm that looks a lot like it, and here's Symantec's report on it (http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html). I downloaded the removal tool and the Windows patch and ran them both, and my computer is a lot happier.

Incidentally, I've been using a non-firewalled connection so I could use ICQ chat and AIM talk, which are blocked by the firewall that comes with Windows. These programs use Peer-to-Peer connections. Is there a way to tailor the firewall to allow Peer-to-Peer without sacrificing protection?

Dasquian Belargic
May 3rd, 2004, 11:24:08 AM
It's probably staring me right in the face, but I can't find the Windows patch.

Kale
May 3rd, 2004, 11:33:05 AM
http://www.microsoft.com/security/incident/sasser.asp

Here's Microsoft's report on Sasser.

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Here's the Microsoft Security Bulletin, complete with patch downloads for all the affected OS.

Figrin D'an
May 3rd, 2004, 03:59:32 PM
Originally posted by Kale
Incidentally, I've been using a non-firewalled connection so I could use ICQ chat and AIM talk, which are blocked by the firewall that comes with Windows. These programs use Peer-to-Peer connections. Is there a way to tailor the firewall to allow Peer-to-Peer without sacrificing protection?


Ahh... there's the problem. The "firewall" built into Windows XP isn't really a firewall. It's pretty much useless. Make sure it's turned off, and go download a decent software firewall. I'd recommend ZoneAlarm (www.zonelabs.com). The free version does a pretty good job, and it has good program control, so you can select what has access to the 'net and what doesn't.

The next step up from that would be to get a NAT-enabled router.

Microsoft has said that XP Service Pack 2 will come with a replacement for the XP firewall that actually works. We'll see. I'll probably still stick with my ZoneAlarm/Linksys combo.

Corias Bonaventure
May 3rd, 2004, 08:38:12 PM
Thanks, Fig, I'll try that out.

imported_Firebird1
May 3rd, 2004, 11:04:40 PM
The next couple of days are going to be nuts for all network Admins!

Make sure you get your system up to date, and protected by either Windows internal ICF or Zone Labs.

Not much else to say since most things have been said though.

However the removal tool fits perfectly on a floppy.

But have you turned off the System restore? You could clean the virus off only to have it return when next you power on your computer!

Dasquian Belargic
May 9th, 2004, 03:42:46 AM
Odd. I stuck the Windows update for this on a week or so ago, and I got hit by this today. Just installed it all again, plus the patch, and set up ZoneAlarm again. :grumble

Marcus Telcontar
May 9th, 2004, 06:13:33 AM
Originally posted by Firebird1
The next couple of days are going to be nuts for all network Admins!


If those Network Admins were any damn good, they wouldn't be worried in the slightest. The right tools and techniques have existed for years and frankly, it's the MCSEs who push a few buttons and think they know it all who should be booted out.

There's just no excuse in a properly run network for Sasser to hit your machines. It's a worm and worms are relatively trivial to defeat.

It's the home users who worry me. They don't have the skill. It's pretty much pay time for me with this latest mess with home users screeching in horror as their machines get toasted.

Lion El' Jonson
May 10th, 2004, 05:08:28 PM
Firewalls are annoying, but since I've never been infected with a virus, I suppose they're worth it. I'm running Norton Internet Security...

...although I can never tell if it's doing anything or not.^_^;

Hope you make many dollars, Marcus, fixing poor, horrified people with broken computers. :lol