Another damn virus

xluryan
level1
Posts: 31
Joined: Mon Mar 17, 2003 9:56 pm

Postby xluryan » Thu Aug 14, 2003 6:12 am

to the question "One should be safe if there's no msblast.exe, right?"

yes, if it is not on your hd, then you're not infected. i read that off of MS's website.

you know what's funny, no matter how popular or famous this worm gets, it will still infect thousands of computers. here's an interesting fact... about 10,000 computers are still being infected by Code Red every month.

(Edited by xluryan at 12:13 am on Aug. 14, 2003)
They can strike me down, but I will get back up.
They can try to scare me, but I am not afraid.
No matter what they do, they CANT stop me... Because I am a Freedom Fighter, and Freedom, is Forever.
Iris
level5
Posts: 2423
Joined: Wed Apr 09, 2003 6:15 am
Location: Land of the Morning Calm

Postby Iris » Thu Aug 14, 2003 11:04 am

yes, Blaster, that's the one that's wreaking havoc on our company servers now. Code Red? no.
D Dude
level2
Posts: 172
Joined: Tue Apr 15, 2003 9:50 pm
Location: England

Postby D Dude » Thu Aug 14, 2003 11:41 am

Can someone just tell me where to go to check the registry? I really can't find it anywhere. I have not really needed to check it before.

Postby Iris » Thu Aug 14, 2003 11:47 am

you can use the regedit.exe or regedit32.exe for checking your registry. go to Start, Run, type 'regedit' or 'regedit32' then press Enter.

as a word of caution, if you're not sure of what you're doing, don't even think about messing. changing even just 1 value in the registry can totally screw up your system. so, since you don't even know how to view your own registry, i assume you wouldn't know what to do when you see it. so i warn you: SEE, BUT NOT TOUCH.

Postby D Dude » Thu Aug 14, 2003 11:54 am

Ok thanks. I just wanted to check to see if the patch had installed. I wouldn't have messed with anything.

[EDIT]
It had been installed.

(Edited by D Dude at 11:58 am on Aug. 14, 2003)

Postby Iris » Thu Aug 14, 2003 11:56 am

but do you know what registry entry to look for? make sure you have the procedures with you, D Dude. i wouldn't want to miss you in the forums because you screwed up your system's registry.

Postby D Dude » Thu Aug 14, 2003 12:00 pm

Yeah I knew what to look for. It was on the Microsoft site with the patch.
Liquid Data
level1
Posts: 31
Joined: Fri Jul 11, 2003 11:33 pm
Location: Germany

Postby Liquid Data » Thu Aug 14, 2003 7:22 pm

Don't just look for msblast.exe - the two variants of the worm use different filenames. Variant .B comes as "penis32.exe" (WTF...? O_o), variant .C is named "teekids.exe" and drops a backdoor with the filename "root32.exe".
"To see a world in a grain of sand // And Heaven in a flower
Hold infinity in the palm of your hand // And eternity in an hour."
sir hackalot
level3
Posts: 451
Joined: Thu Apr 25, 2002 7:05 pm

Postby sir hackalot » Fri Aug 15, 2003 3:19 am

just a little note to those who think that only downloading from trusted sites etc etc will keep you safe, emmm no. The worm itself carries the coding to scan a set number of IPs to detect systems that are not patched or vulnerable and then exploits them and then installs itself. You do not need to download it or access it in any way whatsoever.

As for the person who wants to know what registry entry.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and RunServices.

Look for anything that is not necessary or you do not recognise it, i.e. msblast.
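
An added example, not part of any post in this thread: a read-only check that parses the text output of `reg query` for the Run and RunServices keys named above and flags values pointing at the file names mentioned in the thread. The sample output, value names and paths are constructed, and `executable_name` and `flag_autoruns` are hypothetical helper names.

```python
import ntpath
import re

# File names reported in this thread for the worm, its variants and the backdoor.
THREAD_FILENAMES = {"msblast.exe", "penis32.exe", "teekids.exe", "root32.exe"}

# Constructed sample of `reg query` output; value names and paths are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SampleTray    REG_SZ    "C:\Program Files\Sample Vendor\tray.exe" /min
    Sample Updater    REG_SZ    msblast.exe
    SampleHelper    REG_SZ    C:\WINDOWS\system32\TEEKIDS.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    SampleSvc    REG_SZ    C:\WINDOWS\system32\root32.exe -s
"""

# A value line is: 4 spaces, name (may contain spaces), 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")

def executable_name(data):
    """Return the lower-cased file name of the program an autorun value starts."""
    data = data.strip()
    if data.startswith('"'):
        # Quoted path: everything up to the closing quote, arguments dropped.
        path = data[1:].split('"', 1)[0]
    else:
        # Unquoted: cut after the first ".exe", else take the first token.
        m = re.match(r"(.+?\.exe)\b", data, re.IGNORECASE)
        path = m.group(1) if m else data.split(" ", 1)[0]
    return ntpath.basename(path).lower()

def flag_autoruns(reg_output, known=THREAD_FILENAMES):
    """Return (key leaf, value name, file name) for every matching autorun value."""
    findings, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            name, _type, data = m.groups()
            exe = executable_name(data)
            if exe in known:
                findings.append((key.rsplit("\\", 1)[-1], name, exe))
    return findings
```

A file-name match only covers the names listed in the thread, so an empty result does not replace reviewing the remaining entries by eye.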
7h0m4z
level0
Posts: 4
Joined: Fri Aug 15, 2003 12:03 pm
Location: the Netherlands

Postby 7h0m4z » Fri Aug 15, 2003 12:14 pm

I was wondering why my RPC suddenly screwed up so much. I even reinstalled XP (planning to do that anyway). But it took me less than no time to get rid of blaster manually.

BTW, did you read what the reg key says? Something about a guy called Bill IIRC. It's funny. I can't read it now, cos I deleted the key but still. I had Penis32 ánd blaster btw. (maybe I should get a firewall, god I hate those things!)

(Edited by 7h0m4z at 12:16 pm on Aug. 15, 2003)
000 000 0000
 0   0  0 0 0 0
 0   000 0 0 0
BiG FaT SpErM
level3
Posts: 274
Joined: Tue Jul 15, 2003 4:47 pm
Location: Bristol, England

Postby BiG FaT SpErM » Fri Aug 15, 2003 12:31 pm

there is apparently a message to bill gates in it and it's supposed to hit microsoft machines at 00:00 GMT tonight
Uplink Rating: TERMINAL
Neuromancer Rating: Revelutionary
Special Missions Completed: 7

Postby Liquid Data » Fri Aug 15, 2003 11:12 pm

The DDoS attack performed by the worm is completely pointless. It's hitting windowsupdate.com now, and M$ has already taken the DNS offline, but windowsupdate.microsoft.com - the correct address for Windows Update - is still operational and not affected by the attack in any way. Nevertheless some 3rd party companies are now allowed to mirror the RPC vulnerability patches (a German publisher for IT magazines got authorized to mirror the files on its own FTP, for example).

Finally, Goliath's mistakes have to be cleaned up by David.

(Edited by Liquid Data at 12:13 am on Aug. 16, 2003)

Postby sir hackalot » Sat Aug 16, 2003 6:08 am

apparently the worm opens up a browser displaying this:

"come on billy gates, sort out your software" or some rendition of that
Synetech
level1
Posts: 26
Joined: Fri Aug 15, 2003 1:11 am
Location: London, Canada

Postby Synetech » Mon Aug 18, 2003 11:00 pm

I did not even know it existed until I saw this post. That's a good thing right? :)
Fire Box @ Synetech
Adriac
level5
Posts: 3504
Joined: Wed Jan 23, 2002 7:20 am

Postby Adriac » Tue Aug 19, 2003 5:44 am

00010001000100000000101100010111000 10110000100010001100001011111000101 10000100100000111100010000000011010 0001011000111100001000100001011
