Purging Blaster.worm
Hi,

Has anyone successfully purged the MSBlaster worm? There is a tool out there that can do it, but is it reliable?

thanx,

RE: Purging Blaster.worm
Hi,

Is it not possible to create another worm or modify this worm to actually patch the machines? :)

Looking at the Symantec removal tool there is a silent mode.. A few days back I was on the Microsoft site and I also saw an option for a non interaction install for the RPC patch, but looking through the site now I cannot find it :(

The "fixing worm" could scan for 2 hours then purge itself?

Just a thought

Stu

-----Original Message-----
From: Andreas Rothlauf [mailto:[EMAIL PROTECTED]
Sent: 13 August 2003 21:25
To: [EMAIL PROTECTED]
Subject: Re: Purging Blaster.worm

Hi,

JG> Has anyone successfully purged the MSBlaster worm. There is a tool out
JG> there that can do it but is it reliable?

Symantec has made a tool available:
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

A friend told me that it works.

greetZ //AndY

Re: Purging Blaster.worm
All the tools do what they say they will, but most people's argument is, "If your box was compromised, how do you know what all was done to it while it was compromised?". In other words, I find your box and I put a homemade .exe on there that sends me files, etc. You run the cleanup and it cleans up all the known issues. But it doesn't know to remove my file, so I sit there all day and screw with you.

If it got compromised, the best answer (security-wise) is to always rebuild.

JayW

>>> "Jose Guevarra" <[EMAIL PROTECTED]> 08/12/03 07:06PM >>>
Hi,

Has anyone successfully purged the MSBlaster worm. There is a tool out there that can do it but is it reliable?

thanx,

Re: Purging Blaster.worm
The tool is working out fine as far as I can say. Tested it in different environments (W2K, W2K SP3, XP, XP SP1). Sometimes it might be helpful to kill the msblast.exe process (XP) and reboot the system after removing the windows auto update = msblast.exe key. Removing the worm manually (registry, files) works out as well.

Please notice that MS's hotfix requires at least SP2 for W2K.

On Wednesday 13 August 2003 22:24, Andreas Rothlauf wrote:
> Hi,
>
> JG> Has anyone successfully purged the MSBlaster worm. There is a tool out
> JG> there that can do it but is it reliable?
>
> Symantec has made a tool available:
> http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
>
> A friend told me that it works.
>
> greetZ //AndY

--
straightLiners IT Consulting & Services
Sebastian Schneider
Metzer Str. 12
13595 Berlin
Germany
Phone: +49-30-3510-6168
Fax: +49-30-3510-6169

RE: Purging Blaster.worm
Should you not apply the patch first and then go about the task of removing the worm? The point being that the time between you removing the worm and you patching means that the host can get infected again. There are automatic removal tools as well, as you may have missed a step in the removal process.

removal tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

cheers,
Rory

On Wed, 13 Aug 2003, Preston, Tony wrote:
> I manually got rid of it on my work PC with the following steps:
>
> 1) kill msblast.exe process
> 2) delete msblast.exe from windows/system32
> 3) delete msblast.exe*.pf from windows/prefetch
> 4) delete all registry keys with msblast in them
> 5) The patch from Microsoft was applied, but the next
> day I was re-infected after doing steps 1, 2, and 4.
> I repeated these steps today after adding #3 and it is
> not back (although my firewall blocks port 135 hits
> trying to re-infect).
>
> -----Original Message-----
> From: Jose Guevarra
> To: [EMAIL PROTECTED]
> Sent: 8/12/2003 8:06 PM
> Subject: Purging Blaster.worm
>
> Hi,
>
> Has anyone successfully purged the MSBlaster worm. There is a tool out
> there that can do it but is it reliable?
>
> thanx,

RE: Purging Blaster.worm
I have not needed to clean any system here (all clean), but Symantec website has a scanner that is built to do this. Note though the addition to the Windows XP process.

Regards,

Mark Harris
Principal Security Consultant
ASPACE Solutions - Leading Business Minds
T: +44 (0)20 7744 6248
M: +44 (0)7867 526 808
Website www.aspacesolutions.com
Three Tuns House
109 Borough High Street
London SE1 1NL

-----Original Message-----
From: Jose Guevarra [mailto:[EMAIL PROTECTED]
Sent: 13 August 2003 01:07
To: [EMAIL PROTECTED]
Subject: Purging Blaster.worm

Hi,

Has anyone successfully purged the MSBlaster worm. There is a tool out there that can do it but is it reliable?

thanx,

Re: Purging Blaster.worm
On Tue, 12 Aug 2003 17:06:38 -0700 "Jose Guevarra" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Has anyone successfully purged the MSBlaster worm. There is a tool
> out
> there that can do it but is it reliable?
>
> thanx,

My friend just called me to help him purge it. I don't know about a tool, but here is what I've done:

First, I killed the msblast.exe task in Task Manager, then I removed msblast.exe and scanned the registry for "msblast". There was only one item, "windows update", in the registry and I simply removed it. Next I set up the firewall at-guard and disabled inbound traffic to ports 135-139 and 445. Since I've done it, I may go on-line safely. IMHO it was very difficult to find and download a patch from Microsoft's site, but I did it.

That's all, I hope the worm was purged.

--
Martchukov Anton aka VH
E-mail: [EMAIL PROTECTED]
ICQ: 155279978
Registered Linux User #323324

RE: Purging Blaster.worm
I manually got rid of it on my work PC with the following steps:

1) kill msblast.exe process
2) delete msblast.exe from windows/system32
3) delete msblast.exe*.pf from windows/prefetch
4) delete all registry keys with msblast in them
5) The patch from Microsoft was applied, but the next day I was re-infected after doing steps 1, 2, and 4. I repeated these steps today after adding #3 and it is not back (although my firewall blocks port 135 hits trying to re-infect).

-----Original Message-----
From: Jose Guevarra
To: [EMAIL PROTECTED]
Sent: 8/12/2003 8:06 PM
Subject: Purging Blaster.worm

Hi,

Has anyone successfully purged the MSBlaster worm. There is a tool out there that can do it but is it reliable?

thanx,

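Added example, not part of any post in this thread: a read-only PowerShell check for the leftovers named in the manual steps above (running process, system32 binary, prefetch entries, registry values). The Run-key paths are an assumption, since the thread does not say where the value lives, and reading the Prefetch folder needs an elevated prompt.

```powershell
# Added example: read-only check, deletes nothing.
# Assumption: the autostart value sits under the standard Run keys below;
# the thread only says "registry keys with msblast in them".
function Get-BlasterLeftover {
    param(
        [string]   $WormName = 'msblast',
        [string[]] $RunKeys  = @(
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
        )
    )
    # Properties that Get-ItemProperty adds itself; not registry values.
    $psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # Step 1: is the process still running?
    Get-Process -Name $WormName -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Kind = 'Process'; Item = "PID $($_.Id)" } }

    # Step 2: binary in windows\system32
    $exe = Join-Path $env:windir "System32\$WormName.exe"
    if (Test-Path -LiteralPath $exe) {
        [pscustomobject]@{ Kind = 'File'; Item = $exe }
    }

    # Step 3: prefetch entries (msblast.exe*.pf)
    Get-ChildItem -Path (Join-Path $env:windir 'Prefetch') `
                  -Filter "$WormName.exe*.pf" -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Kind = 'Prefetch'; Item = $_.FullName } }

    # Step 4: autostart values whose data mentions the worm binary
    foreach ($key in $RunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        $props.PSObject.Properties |
            Where-Object { $_.Name -notin $psMeta -and "$($_.Value)" -like "*$WormName*" } |
            ForEach-Object {
                [pscustomobject]@{ Kind = 'Registry'; Item = "$key : $($_.Name) = $($_.Value)" }
            }
    }
}

$hits = @(Get-BlasterLeftover)
if ($hits.Count -eq 0) {
    'None of the msblast artifacts listed in the thread were found.'
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

An empty result covers only these known artifacts; it says nothing about other changes made while the host was exposed, which is the argument for rebuilding made earlier in the thread.
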
Re: Purging Blaster.worm
Hi,

JG> Has anyone successfully purged the MSBlaster worm. There is a tool out
JG> there that can do it but is it reliable?

Symantec has made a tool available:
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

A friend told me that it works.

greetZ //AndY

RE: Purging Blaster.worm
I used the tool Symantec provides (available at their homepage) and afterwards could not find any traces of the worm left on my computer. So it probably works.

mit freundlichen Grüßen / with regards
johannes lemmerer

> -----Original Message-----
> From: Jose Guevarra [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 13, 2003 2:07 AM
> To: [EMAIL PROTECTED]
>
> Hi,
>
> Has anyone successfully purged the MSBlaster worm. There is
> a tool out there that can do it but is it reliable?
>
> thanx,

RE: Purging Blaster.worm
Hi,

I was successful in using the tool from the Symantec website. I had to change settings in the Remote Procedure Call Service (RPC) in Windows XP before downloading and running the tool. I changed the failure settings on the recovery tab to 'Take No Action'.

Walter Parolini
Workload Development Programmer
Ministry of Provincial Revenue
Consumer Taxation Branch
Phone: 604 775-0654
Fax: 604 775-0731

-----Original Message-----
From: Mark Harris [mailto:[EMAIL PROTECTED]
Sent: August 13, 2003 8:59 AM
To: 'Jose Guevarra'; [EMAIL PROTECTED]
Subject: RE: Purging Blaster.worm

I have not needed to clean any system here (all clean), but Symantec website has a scanner that is built to do this. Note though the addition to the Windows XP process.

Regards,

Mark Harris
Principal Security Consultant
ASPACE Solutions - Leading Business Minds
T: +44 (0)20 7744 6248
M: +44 (0)7867 526 808
Website www.aspacesolutions.com
Three Tuns House
109 Borough High Street
London SE1 1NL

-----Original Message-----
From: Jose Guevarra [mailto:[EMAIL PROTECTED]
Sent: 13 August 2003 01:07
To: [EMAIL PROTECTED]
Subject: Purging Blaster.worm

Hi,

Has anyone successfully purged the MSBlaster worm. There is a tool out there that can do it but is it reliable?

thanx,