IMPORTANT! Blaster Viurus Notice!
This is a copy of an email I am sending to all my friends, neighbors, and my clients who are aware of how to security patch. For those who do not, virus removal first, then patch 2000 or XP. 89 and Me are not affected. I cannot get to Short-Media at this time, either they are fixing, power is still out in Detroit, or they are working on site servers or Comcast on my end has disabled the routing to Short-Media or Comcast DNS to Short-Media is broken. This word can be spread, and the dedicated tool can be used by anyone with the virus.
Symantec has a virus removal tool to remove Blaster, Blaster.B, and
Blaster.C for NT 4.0, 2000, and XP. It also removes errroneous registry entries.
It is a Symantec security product. It is tiny. MS03-026 patch still needed.
URL to Symantec article on virus here (updated about midnight on August
15 (just into Aug 15 by 43 minutes UDT\Zulu\GMT):
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
Down below the ports info in article at above URL, there is a link to
more details and then another for a removal tool which should be about
140K in size. That virus removal article I would suggest printing.
0
Comments
First, the DDOS against Microsoft's windowsupdate.com was set to trigger TODAY for full scale attack, and daily after. If things get slower for a few days then expect it is partly DDOS and spreading of worm and another IRCBOT routed viral thing.
Second, the Blaster is no longer one virus per se-- Symantec names three variants now and thhey are as follows by Symantec:
w32.blaster.worm
w32.blaster.b.worm
w32.blaster.c.worm
The Symantec fixer works on all three. Some folks have defined a trojan variant that is a hybrid package-- Blaster plus known trojans in one unit.
This is not named, and the virus killing software sold commerially will kill the worm and trojan with it seperately (the Blaster killer kills the Blaster part).
If any of you have not used XP or 2000 but do you use or have used recently an IRC Client, scan your computer with updated definitions manually LiveUpdated and make sure you do not have w32.randex.e which is actually a multivector virus:
Initial spread is via IRC, via BOT. Virus then loads and listens on UDP port 69 for a request. If it gets one, it sends its package and adds autorun instructions to the sent packet.
This randex.e thing uses an RPC DCOM exploit that is close to the same as that used for the blaster
variant family to infect computers, as a result when Microsft wrote KB article 826955 they included a link to Symantec's site and within that to an entry in its virus encyclopedia. Note that KB 826955 is that now the replacement HowTo for disabling the virus, killing it,THEN patching. Trying to patch RPC with the Microsoft patch before killing the Blaster or Randex.e WILL cause problems in some windows boxes, and it is not recommended.
Now, unfortunately there is worse news: randex.e
uses an RPC DCOM exploit that is in Windows machines from Windows 95 up through XP, with the exception of Microsft IIS (Internet Information Server). It has been known to attack and infect Windows 98 and up through XP, ATM.
It has been shown that you can manually remove it, the instructions are in the virus encyclopedia at Symantec. I do not know much about it, it would appear to be primarily an IRC spread worm with spreading also on ports used by chats (IRC, Internet Relay Chat). I have not yet seen an autoremover for it as a stand-alone tool, but House Call ( http://www.antivirus.com ) by Trend Micro can kill it. Norton can find it.
Given that this thread has become about Blaster and relatives, I will introduce close relatives to it here. Good GRIEF, Bill Gates, fix the holes you said were fixed for ALL Windows!
It was fixed a month ago if people would actually take the time to use Windows Update.
NS
si o no?
If it did then it wouldn't make much sence as they do quite a bit more than just write once to the registry. I think its more a metaphorical name raather than an abbreviation or initial.
NS