
MSBlast.exe virus & LovSan Web Worm



Guest StarwoodMen
Posted

Hi Guys! I received this step by step guide from my ISP. I want to share it with those who might need some assistance in protecting your computer from the virus. It comes with screen prints and if you need those please email me and I will forward the original email to you. Hope that it might help.

 

IMPORTANT: Immediate action required to safeguard your computer from Phase Two of the MSBlast.exe virus

 

Dear Comcast Customer,

 

Have you taken the necessary steps to help ensure that your computer is clean and protected from the second phase of the MSBlast.exe virus or LovSan Web Worm? If not, we recommend that you immediately follow our suggested steps below.

 

The MSBlast.exe virus or LovSan Web Worm may enter your computer through a vulnerability in your computer's Microsoft Windows®-based operating system. According to current reports, this virus or worm is designed to cause computers to launch an electronic attack against Microsoft's Windows® help web site on August 16, 2003.

 

If you are using one of the following Microsoft Operating Systems, we recommend that you follow the instructions below to remove or safeguard your computer from the MSBlast.exe virus or LovSan Web Worm. Even if your computer isn't affected now, it could be in the future.

 

Microsoft Windows® NT 4.0

Microsoft Windows® NT 4.0 Terminal Services Edition

Microsoft Windows® 2000

Microsoft Windows® XP

Microsoft Windows® Server 2003

 

Please take the time to print out and follow the steps outlined below to help ensure that your computer is safe and clear of the MSBlast.exe virus or LovSan Web Worm. (This and other related information can also be found on our web site at http://www.comcast.net.)

 

Close all open programs and press and hold down the following keys simultaneously: Ctrl (Control), Alt and Delete

Click the Task Manager button

Select the Processes tab

 

 

Click the Image Name column to sort the list in alphabetical order

 

 

Select the msblast.exe file by clicking on it once. Then, click the End Process button. If you do not see msblast.exe in the list of running tasks, please proceed to Step 6 as you should still check your system for the Worm and apply the Microsoft patch. (Some operating systems require that you log in as Owner/Administrator in order to install this patch)

 

 

Now you can close the Windows® Task Manager screen by clicking the X in the upper right hand corner.

Next, determine which operating system you are using. Since Microsoft has different patches to protect each operating system, you will need to know which operating system you have on your computer.

Click on the Start button, go up to Run. Type winver and press the Enter key. The window displayed will indicate which operating system is being used (Windows® 2000, Windows® XP, etc.)

Once you have determined your operating system, go to http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp and click on the link for your operating system.

 

 

Click Download on the right side of the page.

 

 

Choose Run or Open from this location.

 

 

Confirm security warning pop-up by clicking Yes.

Follow pop-up instructions.

Once your computer has finished, go to http://securityresponse.symantec.com/avcenter/FixBlast.exe. When prompted, click Open.

When it has finished, you will have successfully checked your system for the MSBlast Worm and installed the patch.

Please note: If done incorrectly, some of the steps in this FAQ can cause problems with your Operating System. You should carefully review all terms, policies, and instructions on any of the websites that you visit while following these steps. Please note that while Comcast is providing this information to help you remove the MSBlast.exe virus and LovSan Web Worm, Comcast is not responsible for any damage done to your computer from any source to remove this worm.

Posted

I don't normally get behind these things but two savvy computer professionals told me today they'd been hit by this worm yesterday. It isn't an email virus. It attacks if you have any form of internet connection (and if you can read this, you do have some form of internet connection).

 

Prevention is simple.

 

To make sure you have the right fix, go to Settings | Control Panel | Add/Remove Software then scroll down to the long list of fixes. Look for one labeled with the number 823980 - that's the fix you need.

 

If you have installed the Windows Update #823980 (released some time ago) you are not vulnerable.

 

If you need to find out what Windows updates you need, open Internet Explorer and go to Tools->Windows Update. It'll analyze your system and offer to install needed updates. INSTALL 823980 AT LEAST!

 

This one is going to be a whopper.

Posted

Having spent most of the last 2 days dealing with the effects of blaster, it ain't that simple.

 

Despite what Microsoft initially said you can get the worm while downloading the patch. To avoid that, go to Start, Help and Network Connections and engage the Internet Firewall before downloading the patch.

 

As for Norton virus protection, if your settings are set to repair and quarantine the virus, it will still get through although you'll get a message saying that Norton deleted it from the system. You need to change the settings to "deny access to the file".

 

Then search your computer for any files from the last week TFTP*.*.exe and delete them.

 

It's scary because though it does no serious harm, this thing could be fatal!
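
The checks described in the posts above (the running msblast.exe process, update 823980, and recent TFTP*.*.exe files), sketched as an added example that is not part of the original thread or the ISP's guide. It assumes `tasklist /fo csv` style output and a list of installed-update labels as input; the sample data, file names and the placeholder update number are constructed.

```python
import csv, fnmatch, io
from datetime import date, timedelta

WORM_IMAGE = "msblast.exe"     # process name from the ISP guide
PATCH_ID = "823980"            # update number named in the thread
DROP_PATTERN = "tftp*.*.exe"   # file pattern exactly as written in the thread

def running_images(tasklist_csv):
    """Lower-cased image names from `tasklist /fo csv` style output (assumed format)."""
    rows = csv.DictReader(io.StringIO(tasklist_csv))
    return {row["Image Name"].strip().lower() for row in rows}

def patch_installed(update_names):
    """True if any installed-update label carries the patch number."""
    return any(PATCH_ID in name for name in update_names)

def recent_drops(files, today, days=7):
    """Paths matching the thread's pattern that were modified in the last `days` days."""
    cutoff = today - timedelta(days=days)
    return [path for path, modified in files
            if fnmatch.fnmatchcase(path.rsplit("\\", 1)[-1].lower(), DROP_PATTERN)
            and modified >= cutoff]

def triage(tasklist_csv, update_names, files, today):
    """Return the clean-up actions from the thread that still apply to this machine."""
    findings = []
    if WORM_IMAGE in running_images(tasklist_csv):
        findings.append("end process msblast.exe")
    if not patch_installed(update_names):
        findings.append("enable firewall, then install 823980")
    findings += ["delete " + path for path in recent_drops(files, today)]
    return findings

# Constructed sample inputs; KB000001 is a placeholder, not a real update.
SAMPLE_TASKLIST = (
    '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
    '"svchost.exe","884","Console","0","3,912 K"\n'
    '"MSBLAST.EXE","1432","Console","0","1,204 K"\n'
)
SAMPLE_UPDATES = ["Windows XP Hotfix - KB000001"]
SAMPLE_FILES = [
    ("C:\\WINDOWS\\system32\\TFTP1180.tmp.exe", date(2003, 8, 12)),
    ("C:\\WINDOWS\\system32\\tftp.exe", date(2001, 8, 23)),  # old, and no match
]

if __name__ == "__main__":
    for action in triage(SAMPLE_TASKLIST, SAMPLE_UPDATES, SAMPLE_FILES, date(2003, 8, 14)):
        print(action)
```
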

Posted

Warning

 

Nothing to do with the LovSan, I've got this email from a friend.

It's a warning about a new virus:

 

"During the next several weeks be VERY cautious about opening or launching any e-mails that refer to the World Trade Center or 9/11 in any way, regardless of who sent it. PLEASE FORWARD TO ALL YOUR FRIENDS AND FAMILY. FOR THOSE WHO DON'T KNOW, "WTC" STANDS FOR THE WORLD TRADE CENTER. REALLY DANGEROUS BECAUSE PEOPLE WILL OPEN IT RIGHT AWAY, THINKING IT’S A STORY RELATING TO 9/11!

BIGGGG TROUBLE !!!! DO NOT OPEN "WTC Survivor" It is a virus that will erase your whole "C" drive. It will come to you in the form of an E-Mail from a familiar person. I repeat, a friend sent it to me, but called and warned me before I opened it. He was not so lucky and now he can't even start his computer!

Forward this to everyone in your address book. I would rather receive this 25 times than not at all. So, if you receive an email called "WTC Survivor", do not open it. Delete it right away! This virus removes all dynamic link libraries (.dll files) from your computer"

Posted

>Despite what Microsoft initially said you can get the worm while downloading the patch. To avoid that, go to Start, Help and Network Connections and engage the Internet Firewall before downloading the patch.

 

You are 100% correct! I was helping my friends download critical updates from Microsoft and they got infected with the "Orbitexplorer" bug. (Perhaps that statement isn't totally correct. I'm not sure if the download contained the bug or only activated something that was already on their system.)

 

For those that aren't aware, there is a series of programs that fall under the general category of spyware. With the Orbitexplorer problem, their Internet Explorer was literally hijacked. No matter what they put in the address bar (or when trying to use "Favorites") they were always redirected to http://www.orbitexplorer.com. They literally couldn't use their PC to go anywhere on the Internet.

 

I got the problem solved last night by running Ad-aware 6.0 and Spybot (both are free programs that I downloaded from my PC onto a CD for their machine). It took running both programs multiple times to find all the little bugs in their registry. What makes matters worse is that they have virus protection running on their machine and are behind a firewall.

 

Apparently it's not enough to practice safe sex. Now we have to do safe surfing also. :+

Posted

>Apparently it's not enough to practice safe sex. Now we have to do safe surfing also. :+

 

The latter is commonly known as practicing safe HEX. ;-)

Posted

>Despite what Microsoft initially said you can get the worm while downloading the patch. To avoid that, go to Start, Help and Network Connections and engage the Internet Firewall before downloading the patch.

 

You're mixing apples and oranges a bit. If you did not install the update I listed above when it was released, yes you are vulnerable and that includes while downloading the update. You're not protected until the update is installed.

 

A friend got hit by MSBlast. He'd just installed a brand new fresh copy of Windows on his wife's computer. While he was going to the Windows update site, Blaster snuck in. This bugger is *determined*.

 

Having said that, anyone who ISN'T running some form of firewall is crazy in this day and age. This exploit may not make it through, but the next one likely will.

Posted

>Having said that, anyone who ISN'T running some form of firewall is crazy in this day and age. This exploit may not make it through, but the next one likely will.

 

Point well taken, but I do run Norton and regularly update my virus protections. I normally take all Windows updates, but some recent ones disabled my popupstopper program so I stopped taking the updates automatically. As for the Windows firewall, for some computer remote linking it needs to be shut off. At any rate, I am protected now, but Microsoft could have saved me a lot of time if they had warned about enabling the firewall before downloading the patch on their site rather than on the BBC!

Posted

>The latter is commonly known as practicing safe HEX. ;-)

 

That was so cute! :) I'll have to remember that one and use it at work, but I get the feeling that a lot of posters here don't know what you mean.
