msblast.exe WTF?!?!?!?!?!

Immediately after I noticed I had this problem, I went ahead and installed the patches WinXP has been loading for me over the last few weeks.

But I still have the problem–when I connect to the internet, I get a warning that my computer will be shut down “by NT Authority/System” (or something like that) and sixty seconds later, it shuts down.

I don’t have a broadband connection–perhaps my computer hasn’t had time to download the patch in question?

-FrL

BTW, this affects only NT systems? I am still running Win98SE.

I just downloaded the patch using another computer and will now install it on my own computer, and delete msblast as per instructions on this thread.

I so do not want to reformat my hard drive. Is there any way I can figure out whether I really need to do so?

If I really have to reformat my drive, I apologize for the silly question, but, well, how do I do that?

(sorry…)

-FrL-

My company lost 4000 XP PCs to this today. Mine was safe, because I was one of the only people who had a firewall, blocking all incoming ports.

I am not convinced that this impacts NT. Not a single NT machine of the dozens we have had any vulnerabilities. I have two NT servers under my domain, and none of them seemed to be impacted in the least. All of our XP and 2000 machines were, except for mine.

The way we cleaned it was the following:

  1. Disconnect the PC from the network.
  2. Start Task Manager. Slay the “msblast” process.
  3. Delete “msblast.exe” from \Windows\System32
  4. Delete the msblast prefetch file from \Windows\Prefetch
  5. Empty the recycle bin.
  6. Don’t reconnect to the network until Port 135 is blocked. Then get the patch from Microsoft, or your corporate IT people in charge of that.

We verified at work that the XP ICF will block this, contrary to popular FUD. We also verified that ZoneAlarm will block it, if configured properly. So will a 3Com, Netgear, and a Linksys router/firewall, so long as the firewall is working.

It seemed to work on the 20 or so PCs I fixed. Do NOT listen to people advocating that you “reformat your hard drive” or “reinstall XP”. I ask that a Moderator step in and Warn people about making comments like that.

Interesting sidebar: the reason that the XP machines reboot themselves is that the “standard” install seems to make the “recovery” procedure for a failed RPC “Restart the computer”. If you really want to be daring, you can go into your services, and change the default “recovery” procedure to “take no action”, and stop that in the future.
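The cleanup steps and the RPC "recovery" observation above, collected into a triage script. This is an added example written for this thread, not code posted by anyone in it: it assumes a modern Windows PowerShell (5.1 or later) session run as Administrator, and the only names taken from the thread are the `msblast` process/file name, the `System32` and `Prefetch` locations, and the `RpcSs` (Remote Procedure Call) service; `Get-BlasterTriage`, its parameters, and the `-Remediate` switch are all mine. `$env:SystemRoot` resolves to `\Windows` on XP and `\WINNT` on Windows 2000, and the Prefetch check is skipped where the folder does not exist, which covers the Win2k difference noted later in the thread.

```powershell
# Added example for this thread (not the original poster's code).
# Reports the indicators listed in the cleanup steps and, with -Remediate,
# performs steps 2-4 (kill process, delete the executable, delete prefetch).
# Steps 1, 5 and 6 (unplug, empty recycle bin, block TCP 135 and patch) stay manual.
function Get-BlasterTriage {
    [CmdletBinding()]
    param(
        # Process and file name used by the worm, as named in the thread
        [string]$WormName = 'msblast',
        # Assumption: only remove artifacts when explicitly asked to
        [switch]$Remediate
    )

    $sys32    = Join-Path $env:SystemRoot 'System32'    # \Windows or \WINNT
    $prefetch = Join-Path $env:SystemRoot 'Prefetch'    # absent on Windows 2000
    $exePath  = Join-Path $sys32 "$WormName.exe"

    # Indicator 1: the worm process (step 2 of the thread's procedure)
    $proc = Get-Process -Name $WormName -ErrorAction SilentlyContinue

    # Indicator 2: the dropped executable (step 3)
    $exePresent = Test-Path -LiteralPath $exePath

    # Indicator 3: prefetch entries left by running it (step 4); XP only
    $pf = @()
    if (Test-Path -LiteralPath $prefetch) {
        $pf = @(Get-ChildItem -LiteralPath $prefetch -Filter "$WormName*.pf" -ErrorAction SilentlyContinue)
    }

    # Sidebar check: does the RPC service's failure recovery reboot the box?
    # That setting is what turns a crashed RPC service into the 60-second
    # "NT AUTHORITY\SYSTEM" shutdown described in this thread.
    $failureText = (& sc.exe qfailure RpcSs 2>&1) | Out-String
    $rpcReboots  = $failureText -match 'REBOOT'

    # Step 6 precondition: is the host firewall on? (Get-NetFirewallProfile
    # exists on Windows 8 / Server 2012 and later; older hosts report 'unknown')
    $fwState = 'unknown'
    $profiles = Get-NetFirewallProfile -ErrorAction SilentlyContinue
    if ($profiles) {
        $fwState = if ($profiles | Where-Object { -not $_.Enabled }) { 'partially off' } else { 'on' }
    }

    if ($Remediate) {
        if ($proc) { $proc | Stop-Process -Force }                   # step 2
        if ($exePresent) { Remove-Item -LiteralPath $exePath -Force } # step 3
        foreach ($f in $pf) { Remove-Item -LiteralPath $f.FullName -Force } # step 4
    }

    [pscustomobject]@{
        ProcessWasRunning   = [bool]$proc
        ExecutableFound     = $exePresent
        ExecutablePath      = $exePath
        PrefetchFiles       = @($pf | ForEach-Object { $_.FullName })
        RpcRebootsOnFailure = $rpcReboots
        HostFirewall        = $fwState
        Remediated          = [bool]$Remediate
    }
}

# Usage: run once to see what is there, then again with -Remediate while
# the network cable is still unplugged, then apply the firewall and the patch.
Get-BlasterTriage | Format-List
```

`sc.exe qfailure RpcSs` prints the configured failure actions (`RESTART`, `REBOOT`, `RUN PROCESS` or `NONE`), so the `REBOOT` match is the scripted equivalent of opening the service's Recovery tab in services.msc as the post describes; changing it is left to that dialog rather than done by the script.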

Hey, I’m with you, Frylock. I really don’t know how…luckily I have some nerdy Systems guys as friends :slight_smile:

Okay, I downloaded the patch but now I can’t copy it to a CD. The computers I am using here at work seem to be screwed up in this regard… (No floppies on hand either…)

So here is my question. Am I right to gather from what I have read that if I turn the WinXP firewall on, then I will be able to connect to the internet safely and for long enough (on my 52k connection) to download the patch?

Does the “shutdown -a” command really work as someone here suggested it does?

-FrL-

The XP Firewall seems to protect from it, based on testing and packet sniffing we did at work. Follow the steps in my post above, including applying the firewall after you have removed the trojan, and you should be able to download the patch without worry of being re-infected.

Anthracite and Alearon have given two very different procedures for getting rid of MSBlast.exe. Will either of their methods work effectively, or is one to be preferred?

-FrL-

What version of NT? According to all of the information I’ve seen (including MS themselves), the vulnerability is present in NT 4.0, Windows 2000, XP, and Windows Server 2003. Apparently NT versions 3.51 and prior are not affected.

Well, I’ve learned a valuable lesson today. Always install the MS patches, and never EVER turn off Zone Alarm. The thing that pisses me off is I was at the windows update site, and I didn’t feel like downloading the patches.

This might be a stupid question, but, I did a system restore to the other day, and I’m downloading the patch as I type. There is now no sign of the msblaster.exe file, so does this mean I’m safe? I really hate to reformat now, 'cause I’m broke, and I don’t have enough CDs to back everything up. I might try DarrenS’s suggestion about installing XP in a new folder, but I need to do a little research on how to do it. (I’m only a music geek…I’m still learning how to become a computer geek :slight_smile: )

Jon

If it’s already been said…I apologize. I’m bone weary from all the emails and calls on this one today.

Please people… do your critical windows updates!!!

It’s rampant.

w32.blaster.worm

The Patch

My method works for XP. It requires that you have Admin rights. Other than that, there are no tricks. I would imagine that it would work in a similar fashion for 2000, but will not say that, because I have not actually done it. I would also imagine that it works for NT, but I did not have any infected NT machines, so I did not try it.

I strongly object to the recommendation that people “reformat” their hard drive or “reinstall” their operating system over an alleged “possibility” that a child porn server has somehow been installed as a result of this Trojan. I think the time for panic is long past, and it’s time for thinking rationally. This just isn’t that bad, people!

neutron star: NT 4.0. I agree with you that they could be vulnerable, but somehow, they, the only machines on the network with no software or hardware firewalls (or any patches in the last year) are simply not getting infected. I’ve scanned their drives multiple times, and found nothing. It’s possible that they aren’t running RPC at all (they are heavily customized installations)…but I’ve already shut them down and am home now, so I can’t check.

I have been infected. I am waiting to hear from my company’s tech support before installing the patch. While farting around trying to fix the problem though I may have done something inadvertently. I can’t open any link that would normally open another browser window. Is this an effect of the virus? Or did I mess something up trying to fix the virus?

Well, I haven’t been infected myself, but I do run Windows 2000. I can tell you that there’s no prefetch in Win2k, so users can ignore your step #4. Also, the \Windows\ directory will be \WINNT\ in Win2k’s case, of course.

Ditto. Don’t reformat. Everything will be okay if you just patch and remove according to the directions, everyone.

Ah, I see. We only have one NT box (out of ~40 machines) on my work network. None of our computers were affected at all, though, so I have yet to encounter this little demon myself. The pricey little Sonicwall firewall I picked out did its job nicely.

McAfee has a little one-shot, single-purpose cleaner that will take care of this worm: http://vil.nai.com/vil/stinger/. As far as I can tell, this is a freebie, and it’s small enough that you could actually download it on someone else’s machine and copy it to a floppy (!) to take to your own PC.

Just pay careful attention to the instructions, particularly about shutting down System Restore before scanning.

Full removal instructions from McAfee, using their regular AV product, are here: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547

Finally, Norton’s removal instructions begin about half-way down this page: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

No need for a panicky format and reload. This is just another virus, one that can be cleaned off an infected system without submitting yourself to hours of work.

Well I finally got the patch downloaded as well as a firewall. Thanks to everyone for posting information.

Once again, this board proves itself to be the only website that matters. Thanks everybody.

Jon

Wow - I just got hit by this thing today, but with the advice on this post I was able to clear it out. Thanks everyone. (And now I will leave ZoneAlarm on)

Anthracite: The payload for some common variants of the RPC exploit includes the automatic activation of an FTP server, which can be used to host whatever illegal content the kiddie owning your system wants. While it is true that this is most likely to be run-of-the-mill warez, if the server is used at all, it’s still quite possible that it could be hosting child porn. More importantly, it gets the attention of users, which is what needs to happen. I’ll also remind you that we have no way of knowing what ELSE is being installed along with the MS Blaster worm.

Dang! Now this explains a lot.

:frowning:

The SDMB to the rescue once again.