Forum: Poser - OFFICIAL


Subject: New windows security hole...

praxis22 opened this issue on Aug 12, 2003 · 81 posts


praxis22 posted Tue, 12 August 2003 at 5:36 AM

Attached Link: http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp

Patch early, patch often, ladies and germs. Those of you with Windows Me and below are not affected.

c1rcle posted Tue, 12 August 2003 at 6:18 AM

Just because this one doesn't affect WinMe & lower doesn't mean those users can sit back. Keep patched & use AV & firewall software at all times when online whatever version of windows you use.


Dynamo posted Tue, 12 August 2003 at 7:09 AM

From what I have been able to discover, the hole uses old NT code. It also affects Server 2003 as well. I would check the site to be sure.


x2000 posted Tue, 12 August 2003 at 7:55 AM

Attached Link: http://www.renderosity.com/messages.ez?ForumID=12377&Form.ShowMessage=1378432

Someone has already taken advantage of this hole.:( http://story.news.yahoo.com/news?tmpl=story&cid=569&ncid=578&e=8&u=/nm/20030812/tc_nm/tech_windows_worm_dc It even attacked me on dial-up!

JohnRender posted Tue, 12 August 2003 at 8:22 AM

Although this is excellent news and is a benefit to Windows users, why is this message in the Poser Forum? What does it have to do with Poser?


kbennett posted Tue, 12 August 2003 at 8:31 AM

This kind of info is important to all of us (Windows users), so an extra message in here is fine in my book.


Marque posted Tue, 12 August 2003 at 8:42 AM

I sure appreciate hearing about it! Thanks for the heads up. Marque


Spit posted Tue, 12 August 2003 at 8:51 AM

I checked and I have the patch installed. (823980) Got it with the automatic windows update. Please peoples, if you have XP don't disable the automatic updates. They'll save your behind.


Irish posted Tue, 12 August 2003 at 9:08 AM

Thanks Spit! I checked and I also have it from automatic update...wouldn't have known that though because I can never wade through all that bulletin jargon...I really don't know if I have XP 34 bit or 64??? where on earth would you find that out! Thank God for automatic updates! :) Irene


kuroyume0161 posted Tue, 12 August 2003 at 9:18 AM

Both my machines are patched. I hate automatic update as it sometimes tries to add updates that I know would screw up my system, so I have it set to notify before downloading and installing. A worm became active yesterday that's playing havoc with networks all over the place through the internet. My friend who works at Comcast called me yesterday and alerted me to the problem, but with no specifics. Just said to make sure that I'm up-to-date on the updates. He's still at work (all nighter). Curious Labs website is down. Kuroyume

C makes it easy to shoot yourself in the foot. C++ makes it harder, but when you do, you blow your whole leg off.

 -- Bjarne Stroustrup



PhilC posted Tue, 12 August 2003 at 9:34 AM

Does anyone know how this worm is delivered?



judith posted Tue, 12 August 2003 at 9:41 AM

Attached Link: http://msnbc-cnet.com.com/2100-1002_3-5062477.html?part=msnbc-cnet&tag=alert&form=feed&subj=cnetnew

From C-Net news: "The worm attacks Windows computers via a flaw in a component of the operating system that allows other computers to ask Windows systems to perform an action or service. Microsoft warned about the flaw July 16. The component, known as the remote procedure call (RPC) process, facilitates activities such as sharing files and allowing others to use a computer's printer. By sending too much data to the RPC process, an attacker can cause the system to grant full access to its resources. MSBlast installs the TFTP server and runs the program to download the MSBlast code to the compromised server. But the way the worm causes a compromised computer to download the file is very inefficient, Maiffret said. Moreover, although MSBlast can detect whether a machine is already infected, it has to compromise the machine again before it can check. Starting with a random Internet address, the worm sequentially scans for computers with the vulnerability. Because the scanning process is not completely random, the worm will likely cause a lot of excess traffic on the network. It also adds a registry key to ensure that the worm is restarted when the host computer is rebooted."

What we do in life, echoes in eternity.

E-mail | Renderosity Homepage | Renderosity Store | RDNA Store
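The scanning behaviour in the C-Net excerpt above (sequential sweeps from a random starting address) leaves a recognisable pattern in firewall logs. This is an added example, not part of the original thread: it flags sources whose TCP port 135 attempts walk through consecutive addresses. The log format, addresses and alert threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

RPC_PORT = 135   # port the thread reports the worm probing
MIN_RUN = 5      # assumed threshold: consecutive addresses before alerting

# Constructed sample log, one attempt per line:
#   time source destination destination-port action
SAMPLE_LOG = """\
2003-08-12T09:00:01 10.1.1.23 10.1.7.251 135 DROP
2003-08-12T09:00:01 10.1.1.40 10.1.2.10 135 ALLOW
2003-08-12T09:00:02 10.1.1.23 10.1.7.252 135 DROP
2003-08-12T09:00:02 10.1.1.23 10.1.7.253 135 DROP
2003-08-12T09:00:03 10.1.1.55 10.1.9.1 80 ALLOW
2003-08-12T09:00:03 10.1.1.23 10.1.7.254 135 DROP
2003-08-12T09:00:03 10.1.1.23 10.1.7.254 135 DROP
2003-08-12T09:00:04 10.1.1.40 10.1.2.11 135 ALLOW
2003-08-12T09:00:04 10.1.1.23 10.1.7.255 135 DROP
2003-08-12T09:00:05 10.1.1.55 10.1.9.2 80 ALLOW
2003-08-12T09:00:05 10.1.1.23 10.1.8.0 135 DROP
truncated line 135
2003-08-12T09:00:06 10.1.1.23 10.1.8.1 135 DROP
2003-08-12T09:00:06 10.1.1.55 10.1.9.3 80 ALLOW
2003-08-12T09:00:07 10.1.1.40 10.1.2.10 135 ALLOW
2003-08-12T09:00:07 10.1.1.23 10.1.8.2 135 DROP
"""


def parse(log_text):
    """Yield (source, destination, port) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip truncated or malformed lines
        _ts, src, dst, dport, _action = parts
        try:
            yield (ipaddress.IPv4Address(src),
                   ipaddress.IPv4Address(dst),
                   int(dport))
        except ValueError:
            continue  # bad address or non-numeric port


def longest_sequential_run(destinations):
    """Longest run of consecutive ascending addresses, in the order seen.

    Addresses are compared as 32-bit integers, so a sweep that crosses a
    subnet boundary (x.x.7.255 -> x.x.8.0) still counts as sequential.
    An immediate retry of the same address neither extends nor breaks a run.
    """
    best = run = 0
    prev = None
    for dst in destinations:
        n = int(dst)
        if prev is not None and n == prev:
            continue
        run = run + 1 if prev is not None and n == prev + 1 else 1
        prev = n
        best = max(best, run)
    return best


def find_scanners(log_text, port=RPC_PORT, min_run=MIN_RUN):
    """Return {source: run_length} for sources sweeping `port` sequentially."""
    per_source = defaultdict(list)
    for src, dst, dport in parse(log_text):
        if dport == port:
            per_source[str(src)].append(dst)
    hits = {}
    for src, dsts in per_source.items():
        run = longest_sequential_run(dsts)
        if run >= min_run:
            hits[src] = run
    return hits


if __name__ == "__main__":
    for src, run in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {run} consecutive addresses probed on TCP/{RPC_PORT}")
```

In the sample, 10.1.1.40 talks to the same two servers on port 135 and 10.1.1.55 walks sequentially on port 80; neither is flagged.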


x2000 posted Tue, 12 August 2003 at 10:00 AM

It turns out I was infected and didn't even know it! I patched XP as soon as the trouble started yesterday, but it was apparently too late. I updated Norton again this morning, ran it again, and there it was. Norton couldn't delete it, I had to go to Symantec and download a special removal tool. Seems to have worked, though I'm going to run Norton AGAIN just to make 100% sure. But again, since I patched everything seemed fine, but it was there and I didn't even know it. It was there. And I'm on dial-up for god's sake! I've always been good about protecting my machine and keeping up with updates, but from now on I'm going to be positively anal.;)


Redfern posted Tue, 12 August 2003 at 10:07 AM

DAMN! Looks like I caught the infernal thing! Odd thing is, if I leave my cable modem disconnected, the system will continue to run, but within 5 minutes of reconnecting the cable, I'll get the shutdown message. 60 seconds later, poof! What burns me is that I received my latest Norton files Thursday and my system ran its virus check the next day. Sincerely, Bill

Tempt the Hand of Fate and it'll give you the "finger"!


steveshanks posted Tue, 12 August 2003 at 10:14 AM

Stung me too, damn thing. Got it, then the next day Norton downloaded the latest files and told me I had it. Bit late though. Got the system cleaned and patched but I'm formatting anyway.....kinda lost my confidence with Norton now :o(..Steve, on the laptop


c1rcle posted Tue, 12 August 2003 at 10:16 AM

Attached Link: Windows XP Home and Professional Service Configurations by Black Viper

Another big reason to disable file & print sharing. Check out the link for a list of services to shut down. Also go to https://grc.com/x/ne.dll?bh0bkyd2 (Shields Up) to check if your firewall is really shielding you from hackers' attention.

judith posted Tue, 12 August 2003 at 10:32 AM

Symantec (http://www.symantec.com/) and Pandasoft (http://www.pandasoftware.com/download/utilities/) both have free cleaners out for those that are interested.....



FishNose posted Tue, 12 August 2003 at 10:38 AM

My ADSL provider (Sweden's biggest phone co) got hit, hard. Almost all their servers went down, including customer services, so they couldn't even inform about it except thru media! All went down last night (17 hours ago). My router and HW firewall crashed, needed a factory reset. My SW firewall (PC-Cillin) recorded about 75 hits in a half hour when I connected using an old phone modem this morning... yuck. But I didn't get infected. It's worth having all that protection. The Blaster worm (this outbreak) hits XP and 2000 PCs thru ports 135 and 137. Close them down. And get the MS fix. Get it before the 16th. That is when all the world's infected PCs will hit the MS site (the whole point of the virus). Apparently each infected PC will poll the MS update site every 20 milliseconds, totally overloading it. It's going to be fun, (not). Hope MS is working on it! :] Fish


x2000 posted Tue, 12 August 2003 at 11:17 AM

Well, the removal program from Symantec did the trick, Norton came up clean this time. It's targeted at XP and 2000, so I guess there's no way x2000 was going to escape unscathed, huh?;)


ShadowRose posted Tue, 12 August 2003 at 11:25 AM

My company got hit yesterday with something like this.. it sucked, then the power went out and we all had to go home.


Irish posted Tue, 12 August 2003 at 12:19 PM

This may be a stupid question but, first off, I went to Shields Up! (thanks for that link - have certainly added it to my Favourites) and found I still have 3 ports open...what I would like to know is: 1. How do I close a Port? 2. If I close all ports, does this mean, automatic updates from both Norton and Windows can not get through? Thanks. :) Irene


Spit posted Tue, 12 August 2003 at 12:27 PM

Irish, you have XP. Enable the firewall.

Control Panel, Network Connections. Right-click your internet connection. Select Properties. Click the 'Advanced' tab. Put a checkmark next to "Internet Connection Firewall".

This is done for each network separately, so if you have more than one (I have a dialup connection and cable) do it for both. This will put you in Stealth mode and you'll be happy the next time you visit Shields Up! :)

No, it does NOT interfere with Norton or MS and autoupdates...those will still work fine.


praxis22 posted Tue, 12 August 2003 at 12:27 PM

I actually installed the patch, but it appears to have killed the interdrive NFS stuff that allows me to mount the UNIX system onto my PC. Rolling back with the restore stuff in XP doesn't help. I doubt it will affect you, but beware, it looks like it closes part of the DCOM protocol that other apps may rely on. later jb


c1rcle posted Tue, 12 August 2003 at 12:32 PM

Irish, having a firewall close those ports shouldn't stop Norton or Windows from updating. All the ports on my machine come up on Shields Up as stealth but I can still get the updates without any trouble. I did have problems with the XP firewall conflicting with Zonealarm but that's probably my fault so I shut it off. It seems like this new monster uses file & print sharing to start its dirty work, so unless you really need it, disabling it is a very good idea.


c1rcle posted Tue, 12 August 2003 at 12:34 PM

praxis, when I installed the patch in July I'm pretty sure there was a message attached saying it can't be uninstalled, but don't quote me on that as I'm not 100% sure.


Spit posted Tue, 12 August 2003 at 12:34 PM

Forgot to add that XP's firewall only blocks incoming, not outgoing. That's sufficient as long as you protect yourself from virii and trojans with Norton or something and check with Adaware or the like.


Spit posted Tue, 12 August 2003 at 12:35 PM

Irish, you have XP. Enable the firewall.

Control Panel, Network Connections. Right-click your internet connection. Select Properties. Click the 'Advanced' tab. Put a checkmark next to "Internet Connection Firewall".

This is done for each network separately, so if you have more than one (I have a dialup connection and cable) do it for both. This will put you in Stealth mode and you'll be happy the next time you visit Shields Up! :)

No, it does NOT interfere with Norton or MS and autoupdates...those will still work fine.


Spit posted Tue, 12 August 2003 at 12:35 PM

That's weird. I wrote message 27 before 26! LOL


RawArt posted Tue, 12 August 2003 at 12:45 PM

27 is also 22 so it is before :)


Spit posted Tue, 12 August 2003 at 12:53 PM

I think I hiccupped! Sorry about that. If XP's Firewall didn't interfere with Zone Alarm I'd be worried. Their functions overlap so stepping on each other's toes would be normal I guess.


xoconostle posted Tue, 12 August 2003 at 1:07 PM

My mom's laptop got it, and she's on dial-up, only accesses the internet a few times a week. However, mom hasn't been the best about keeping her anti-virus updates. Her son has just written her a long e-mail advising of the wisdom of weekly A/V updates and firewall software. :-) As a far heavier 'net user, I think what may have helped this time is that I have both Windows and Norton set to automatically update. It's easy to forget to do so manually, and of course Norton and McAfee respond very quickly to reports of new threats. I suggest that my Renderosity compatriots set their A/V software to automatically update, especially if you're a download nut like me. I agree that this isn't fully on topic, and won't mind if the thread gets moved, but we in the Poser community are hugely reliant on the 'net for so much that it doesn't seem grossly off-topic.


Stormrage posted Tue, 12 August 2003 at 1:19 PM

I got this thing last week; took forever for me to figure out how to get rid of it. I did find out that you really need to disable the port it attacks. Since I don't use that port anyway, I did. To see if that port is closed or hidden: Grc. Read the article or scroll down to the bottom of the first table.


wheatpenny posted Tue, 12 August 2003 at 1:19 PM Site Admin

My laptop got hit twice and my son's PC got it several times (both are on dialup), but now I've got all 4 of my computers patched and updated. My main PC was spared because my daughter updated everything yesterday before it hit.




Jeff

Renderosity Senior Moderator

Hablo español

Ich spreche Deutsch

Je parle français

Mi parolas Esperanton. Ĉu vi?





SamTherapy posted Tue, 12 August 2003 at 2:07 PM

I didn't have the virus, but I do now have the updates. :)

Coppula eam se non posit acceptera jocularum.



rhiafaery posted Tue, 12 August 2003 at 2:08 PM

*wipes some of the sweat off of her brow* I already had the patch, plus when I went to ShieldsUP!, I apparently don't exist on the internet. LMAO. So that's a very good thing. I have Norton 2003, plus AdAware, plus Sygate Personal Firewall (which is free and REALLY GOOD, I highly recommend it) plus the normal XP firewall up. I'd rather be paranoid than reformatting. hehe


SamTherapy posted Tue, 12 August 2003 at 2:14 PM

"when I went to ShieldsUP!, I apparently don't exist on the internet. LMAO. So that's a very good thing." Me too. :)



praxis22 posted Tue, 12 August 2003 at 2:19 PM

Attached Link: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

http://slashdot.org/articles/03/08/12/1326237.shtml?tid=185&tid=190&tid=201 The one above is the link to the Slashdot thread about the spread of the virus as well as some useful advice about how to get around some of the problems. The top link is for the removal tool. I say this because allegedly the patch doesn't work for all people, so "watch your back" later jb

praxis22 posted Tue, 12 August 2003 at 2:26 PM

Attached Link: http://www.securityfocus.com/archive/75/332694/2003-08-09/2003-08-15/0

This is the "my patch didn't work" link later jb

c1rcle posted Tue, 12 August 2003 at 2:30 PM

apparently this virus is set to go off again on August 16th & it's been using Microsoft's update pages to spread itself


FishNose posted Tue, 12 August 2003 at 2:47 PM

No c1rc, it's the other way round - it's programmed to hit the MS pages from all sides on the 16th. And every day after that. :] Fish


SWAMP posted Tue, 12 August 2003 at 3:20 PM

Yea.. I got slammed with it yesterday. By chance I got the latest updates from Norton over the weekend... but it still wasn't detected. I found and deleted the msblast.exe, but as soon as I got online to get the patch... got it again (less than a min... with XP firewall on). So can't get the patch without getting online... and can't get online without getting the worm, and getting shut down.... talk about Catch-22. Pulled out my old puter with Win98 (unaffected by msblast)... got online.. got the patch, now up and running..... but I'm still going to reformat, just to be safe. BTW.. none of my friends that use AOL got hurt by it for some reason. SWAMP


Khai-J-Bach posted Tue, 12 August 2003 at 3:44 PM

frakbats! I was hit by this.. and went through hoops trying to track down what on my system was going wrong... only just recovered from screwing up my network subsystem! LOL thanks for the heads up.. making sure I'm clear and updated now... Kai



A_ posted Tue, 12 August 2003 at 3:54 PM

I am SO not a technical person.... I was infected as well (currently I am not on my PC). I found the msblast.exe and deleted it, and also deleted it from the registry. Still no go, so I downloaded the removal tool, and obviously it couldn't scan because the computer kept shutting down. So I opened it in safe mode. Now it could scan. At the end of the scan it said that this worm was not on my computer. Ok, I restart the computer, and guess what - I got the same error and "system will shut down in one minute" or however it's phrased. Any ideas what I can do, other than reformat the computer?....


Mesh_Magick posted Tue, 12 August 2003 at 3:56 PM

Security holes are built in so the government can check up on what you're doing, it's part of the homeland security act.


Dizzie posted Tue, 12 August 2003 at 4:01 PM

You guys keep saying, "I got it", but HOW did you get it?


x2000 posted Tue, 12 August 2003 at 4:01 PM

Did you get the patch, too? You have to install the patch whether you removed the virus or not, or else you just keep getting attacked (and infected). It's the attack that keeps causing your computer to restart, the patch should correct that. The worm itself doesn't seem to be doing anything yet that I could see, I didn't even realize I had it until Norton spotted it.


A_ posted Tue, 12 August 2003 at 4:06 PM

I just don't know how to get that patch and install it if my PC keeps shutting down. Where is the patch? The link in the first post of this thread? (like I said - I'm not much of a technical person) :)


x2000 posted Tue, 12 August 2003 at 4:09 PM

The worm attacks any vulnerable systems. Supposedly, the restarting thing meant that the attack was unsuccessful (and it will keep attacking over and over and make your computer restart over and over, which is crippling computers worldwide). Apparently, that's not true, even if your computer restarts, the worm still may have gotten through, it did on mine.


x2000 posted Tue, 12 August 2003 at 4:15 PM

Yep A_, the link in the first post has the download. As far as how to get it... My advice is to get someone to download the EXE for you and put it on disc so you can install it without accessing the internet. That's what I did, downloaded it on my old spare 98SE computer and put it on disc.


FishNose posted Tue, 12 August 2003 at 4:17 PM

Dizzie, one gets it straight off the web. Other infected PCs, any PC anywhere, go out and look for unprotected PCs to hit. If you don't have a firewall or a good antivirus app, you're at risk - every time you get onto the web. It doesn't come via Outlook, the usual path these days, neither does it need for a file to be opened. It uses a security breach in Win2000 that was discovered last month to go straight into your Windows system. Then your PC becomes one of those trying to spread to everyone else.... anyone else. Hundreds of thousands of machines including a helluva lot of servers have been hit all over the world. Whole corporations... Example: X takes his/her laptop home over the weekend. Gets on the web, drops into Rosity etc. While surfing, the PC gets hit. It just behaves a bit oddly, but nothing special. On Monday he/she takes the laptop back to work, connects it to the intranet there and (now inside the company firewall!!!) instantly the virus infects every XP or Win2K PC on the corporate intranet. Boom.... :] Fish


x2000 posted Tue, 12 August 2003 at 4:21 PM

"Gets on the web, drops into Rosity etc." Funny you should mention that, since this is where I was when I first got hit.:/


Khai-J-Bach posted Tue, 12 August 2003 at 4:25 PM

found out how it got on mine.. I have to lower my firewall to get into my FTP (bloody Zonealarm!) .. it got me then....



maclean posted Tue, 12 August 2003 at 4:31 PM

Weird. I got a 60-sec shutdown message a week ago. First for a long time. I d/ld and ran the patch today, ran the worm killer, which said I didn't have the worm, and checked at ShieldsUp. Apparently I'm in total stealth mode and protected. No open ports, nuttin'. So why'd I get a shutdown a week ago? Oh well, I'll run the blastfix thingy again just to make sure. mac PS This message belongs in this forum and then some! I'd never have known about it if praxis hadn't posted here. A big 'Thank you!', praxis.


FishNose posted Tue, 12 August 2003 at 4:35 PM

x2000 - I have a feeling it's just that you spend a lot of time here lol.... after all, you don't have to be anywhere special to get it. Even a PC standing unused (but connected) is vulnerable. :] Fish


x2000 posted Tue, 12 August 2003 at 4:43 PM

FishNose - Guilty as charged.;) No, it doesn't matter where you go. In fact, when my second restart hit, I was still connected but not actually on the net, IE was closed. Maclean - Read the link I posted in the Hardware/Technical forum thread. This guy got hit a week ago, too, so I guess it started then, it's only that it's kicked into high gear now, probably because more and more people got infected and kept infecting more... 2, then 4, then 16, etc, you know? As far as detecting the worm, I don't think it had been identified until yesterday. I checked Norton updates yesterday and I was fully updated, a scan showed no sign of anything. But then there was a new update this morning, and with that installed, another new scan spotted the little bugger. So everyone, check your virus scanner updates today, even if you did it yesterday.


x2000 posted Tue, 12 August 2003 at 4:45 PM

Oh, and if the wormkiller app shows nothing, then I guess you're clean. The restart thing doesn't necessarily mean you were infected, but contrary to some beliefs, it doesn't mean you weren't, either.


bijouchat posted Tue, 12 August 2003 at 5:06 PM

AOL uses proxies to cache visited websites and then calls up the proxy to serve you the files faster. You don't have a direct connection to the web most of the time, the proxy has a connection and you're connected to it, as are thousands of other users. This causes endless grief to AOL users that want to use chat services, as the proxy often kicks in and kicks them off. so that can explain why a great deal of AOL people didn't get hit.


spurlock5 posted Tue, 12 August 2003 at 5:22 PM

I had my system restart several times when I was downloading from DAZ. I have run the Symantec wormkiller twice and come up clean twice. I have also installed the patch. The sad part was I had spent about six hours the previous day backing up and verifying my system onto tape. I suppose the tape is clean but the operating system on tape lacks the patch. If I do restore it for some reason, I need to run the patch again. I could backup again (another day shot) but I still am uneasy about the worm being on my system.


JurgenDoe posted Tue, 12 August 2003 at 5:30 PM

I just ran a check and the worm could not be found on my PC.. I also downloaded the patch and ran Norton again. Hehehe my puter seems to be invisible for Shields Up. Gosh I'm very paranoid if it comes to things like that and my updates are always up to date :)

Strength Is Life, Weakness Is Death


bijouchat posted Tue, 12 August 2003 at 5:40 PM

I never got hit by it either, never had a spurious restart. But got concerned as I saw this situation develop. Just went through with Norton and all clean... whew. I always let Windows update do its thing automatically but I downloaded the patch and installed it just in case.


Catharina Przezak posted Tue, 12 August 2003 at 5:58 PM

I am glad I use my old Win Me for Internet connection only, for the first time!! Best solution to protect your work: use 2 computers, one not online.. no more viruses or worms that never sleep and are waiting to damage the Poser stuff you saved for years..lol I heard on the radio that 200.000 computers were down today thanks to this worm... what a drama


maclean posted Tue, 12 August 2003 at 6:40 PM

Catherine, I usually surf only from my 2nd computer - an old 166Mhz with win 98. It's a junkheap, but the reason I keep it is for net use only. Problem is, lately I've used my main one a lot because it's so much hassle to keep transferring files. I guess I'll go back to the junkheap again. In fact, I'm on it now. It's the best virus protection ever. mac


bikermouse posted Tue, 12 August 2003 at 6:44 PM

I went to the AVG website and found that there are actually three worms. The big one is LoveSan not MSBlaster. The site tells where these worms reside - You might check it out. A google using "AVG +virus" should produce a link to AVG 6 and 7. If you don't have an AV program there is or was a free version of AVG6 on the site.


Dizzie posted Tue, 12 August 2003 at 7:10 PM

Thanks Fish!! I've always liked ME but for once it's a GOOD thing to use Win ME!


Darboshanski posted Tue, 12 August 2003 at 7:41 PM

Hi All, I was hit by this virus also. It is called W32 Blaster worm or Lovsan worm and infects your system through your internet connection at port 135 on Windows-based systems such as ME, NT, Win 2000 and XP. It is a global virus that was launched yesterday and has affected thousands and has invaded many ISPs.

You will get these error window messages: "Generic Host Process for WIn32 Services has encountered a problem and needs to close". "This shutdown was initiated by the NT AUTHORITY/SYSTEM windows must restart now because the Remote Procedure Call(rpc) service terminated unexpectedly". This virus causes your machine to crash and reboot over and over until the virus is removed and you have downloaded and installed the latest security patch from Microsoft.

Here are some links which may help:

You can download the latest security patch here: http://www.microsoft.com/security/incident/blast.asp

This site has a very good removal tool for this blaster worm virus: http://securityresponse.symantec.co...aster.worm.html

http://us.mcafee.com/virusInfo/default.asp?id=lovsan

If you use any removal tools please remember that the System Restore option must be turned off in WinXP before you run the removal tool. If not, the virus will not be removed and will continue each time you boot up. Also, getting the patch is very recommended.

Zone Alarm does effectively block port 135 (if you keep it enabled). If you would like to test that port, to be sure, go to GRC.com and run the ShieldsUp program. Hope this helps and best of luck! Miche



Catharina Przezak posted Tue, 12 August 2003 at 8:05 PM

the http://securityresponse.symantec.co i down get server error.. :(


ilona posted Tue, 12 August 2003 at 8:09 PM

ok.. another problem.. I downloaded the patch and when I tried to install it, it said it couldn't 'cause my system Windows files are in another language.. so.. does anyone have a patch for Windows in Portuguese? I would appreciate it! hugs Ilona


JurgenDoe posted Tue, 12 August 2003 at 8:26 PM

Attached Link: http://securityresponse.symantec.com/avcenter/venc/data/w32.femot.worm.removal.tool.html

Try this url Cath :) [Symantec](http://securityresponse.symantec.com/avcenter/venc/data/w32.femot.worm.removal.tool.html)



Charlie_Tuna posted Tue, 12 August 2003 at 8:59 PM

"security holes are built in so the government can check up on what you're doing, it's part of the homeland security act." Mesh magic, that is ten tons of pure bull droppings! The real reason is plain sloppy code writing, not any sort of conspiracy on part of any government.

Why shouldn't speech be free? Very little of it is worth anything.


Charlie_Tuna posted Tue, 12 August 2003 at 9:19 PM

The words 'Microsoft' and 'Security' can not be used in the same sentence unless 'error', 'hole' or 'problem' is also included. MS has always created sloppy, bug ridden, security impaired code. Every time I see on the news or read about yet ANOTHER bug or security problem with something from MS, I just sneer in the direction of MS headquarters and go on my virus free way unburdened by multiple firewalls and virus checkers and don't even pay attention to security alerts and virus updates. BTW, I'm on a Mac :-)



Spit posted Tue, 12 August 2003 at 9:40 PM

The revered UNIX had way more security holes than Windows and it took literally DECADES to plug them. But this was before the web so nobody noticed.


umblefugly posted Tue, 12 August 2003 at 10:41 PM

The virus also travels as message.zip in emails...beware. I've been protected from it:)


geoegress posted Tue, 12 August 2003 at 11:16 PM

grrrrrrrrr- I got it too :( sniffles just spent the whole night getting rid of it, I hope. Symantec's removal thingy couldn't even see it- had to do it manually. Thank god the patch is kinda small.


ph0enixx posted Wed, 13 August 2003 at 12:33 AM

I'm not sure if anyone is still having the problem but I thought I would share my experience with the virus. I'm not 100% positive where I got the actual virus from -- seeing as how I usually don't open shady emails, and can't recall opening a strange email but I can recall getting one that I threw away. It was from the "System Admin" and subject was "Delay in E-Mail" or something of that nature. I waited a day to trash it because I thought it was junk, not virus. And to my knowledge had no attachments. But, again, I'm not sure this was the source of the problem. Anyway, I shrugged off the first of the RPS errors feeling it was just computer problems. But after reading this post in the 5 minute interval I had before my computer shut down, it seemed as if I had the problem. I ran Symantec (took a long time, had to search through a lot of files) and Symantec caught nothing yet I still had the virus. I went to the Microsoft page noted in the first of posts and downloaded the patch. Then I went and checked my task manager, and sure enough "msblast.exe" was residing. I ended the process, deleted it from my C:/Windows/System folder. I also changed the values or whatever that was noted for me to do. I'll post the link I followed in a couple secs. So far, it seems ok. knock on wood :) Hope you get your systems cleaned.

“Our real discoveries come from chaos, from going to the place that looks wrong and stupid and foolish.” – Palahniuk


ph0enixx posted Wed, 13 August 2003 at 12:37 AM

I seem to have lost the link, sorry. Erg. Send me an IM if you need more detailed instructions on what I did.



praxis22 posted Wed, 13 August 2003 at 4:05 AM

Well it looks like it just got us, the whole office got it at once, except moi of course, but I have other problems, ah well, that'll be somebody with a laptop then... later jb


Paoli posted Wed, 13 August 2003 at 9:41 AM

Attached Link: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A

I got that virus yesterday and I fixed it very fast and easy... I used an application very light in weight but it worked for me and I'm virus-free now. Look at the attached URL and good luck to everyone. Paoli Cheers!

Paoli posted Wed, 13 August 2003 at 9:48 AM

BTW download the patch from micr*soft too so you finish protecting your system, the URL is inside the link on post 77. It was very fast at deleting it, like 20 secs or something. Well, bye


rockets posted Wed, 13 August 2003 at 9:51 AM

Are you guys just running a search for msblast.exe? I did and didn't find anything, but I'm running Windows ME and from what I've read, it doesn't affect ME (but you never know).

My idea of rebooting is kicking somebody in the butt twice!


Tirjasdyn posted Wed, 13 August 2003 at 2:00 PM

hrm...for those that are wondering where it is from. XP calls home...a lot, this is where the virus sneaks in at according to Symantec and Microsoft. (Considering every XP update contains the words "might take over your system" this does not surprise me and I'm surprised it took this long to happen.) It activates when you get online. Broadband users who don't disconnect have the greatest threat. The biggest problem is that the virus is flawed (go fig) and sends screwed data causing your system to reboot or turn off. So when you hear of systems going down, large or small, this is what happened. As far as I know they are looking but they don't know where the remote cmd.exe's are opening and who or if can even use them if 1000's are opening at once (they probably crashed their own computer). I got protected and shut down the ports, I have to run the Symantec tool tonight to get rid of everything else. I was bummed last night, I had time to play and it all got taken by this stupid virus.

Tirjasdyn
http://michellejnorton.com


Spit posted Wed, 13 August 2003 at 5:36 PM

I hope people don't go and disable automatic updating because of this. It wouldn't help anyway. The patch fixes the buffer overrun. Even XP's firewall closes the port.