That bloody Blaster virus: mutating?

I got a svchost.exe error the other day on the PC I’m currently using (at home with a dialup), which I believe to be the first sign that you’ve picked up the Blaster.Worm. Then IE started going haywire, so I went straight to the Symantec site, downloaded the virus removal tool, and then the Microsoft patch, then unplugged from the internet. I ran the patch and then the tool, and it told me my machine isn’t infected. Then everything started behaving properly again.

Anyway, to be safe(r) I installed ZoneAlarm, and it’s now logging intrusion attempt after intrusion attempt, all with IP addresses from the first two blocks of my ISP. According to Symantec, the worm listens on port 4444, as do the variants B and C. Yet these intrusion attempt reports are all on different ports - seemingly random. E.g. 1289, 4736, 4758. I’ve logged 15 such intrusions in 15 minutes now. Anyone know what might be going on? Is this a mutation, or is a new virus causing this?

You’re experiencing what I got. The attempt at infection is causing the svchost to crash, but it’s failing to infect. So no virus to remove. I’d have thought that the patch would prevent the crash though. However, ZoneAlarm stops it happening.

There are already copy-cat versions of the virus out. If there’s anything lamer than a virus script-kiddy, it’s a virus script kiddy who copies another’s efforts, with a few pathetic and unimportant additions.

But the other port accesses you’re seeing could be anything. The internet is full of seemingly random, but mostly harmless, chatter. You just don’t notice it until a firewall like ZoneAlarm points it out. Check where the stuff’s coming from. It may be innocent stuff from your ISP’s servers.

Ah, I didn’t realise there were non-infective attempts happening. Well whew, and I am an idiot for not protecting my computer sooner. If my PC were a stable, the door would be shut but the horse would be out running around the fields.

Cheers for the info. And strangely all those intrusions have stopped for the last hour.

Yesterday, I got a bit of a scare. A couple of things were acting funky, in particular SkyBot would stop responding when I attempted to download updates. A bit later while I had a few IE windows open a full screen “error message” popped up. It initially looked like one of those annoying ads that covers up the entire desktop and the taskbar. But the screen just had a small window that said something about an RPC error and a 60 second countdown saying the system would shut down. There was also some kind of button which said something like “fix problem”.

The error message window didn’t look quite like a legit Windows error but that little countdown clock did manage to freak me out for a moment even though I have ZoneAlarm. I used task manager to shut down the “error message” which has not recurred since.

As it turns out, I am not infected and I have come to the conclusion that what I experienced was indeed just an ad that relies on people’s fear to get them to click the “fix problem” button to take them to some website. I wonder what would have happened if I had let the counter reach 00:00? Probably some message saying something like “Just Kidding!”. :rolleyes:

I continue to be amazed by the lows advertisers will stoop to lure people to their site.

rsa, I got that same message. I asked about it in the thread asking what the alert actually looks like. Sorry, I don’t know how to link to it. It pissed me off, too. I downloaded the patch when Microsoft sent it out, so I kind of figured it was a scam. Especially when I compared it to what the window actually looks like before it shuts down if you’ve got the worm. I got rid of it before the timer ran down, so I don’t know the answer to that, though.

rsa, hermann, I just got that stupid popup, or something very like it. Here’s the URL for it, though when you get it it’s in that weird full-page mode that doesn’t have any navigation. If you let the countdown reach zero, it takes you to a page advertising antivirus software. You can close out of it when it pops up to full-page by using ALT-4. Honestly, I’d never buy anything to do with security off scumbags who use such underhand marketing methods.

ALF-F4, I mean.

I’m stunned. This is worse than the “You have mail” fake popup. Complain to the site that served the advert. But make sure first of all that you don’t have any Adware that’s slimed its way onto your computer and is responsible for it.

The really depressing thing is that it will probably be a very effective way of reeling in suckers and making money.

?, I think you were right the first time.

OK, regarding this virus…

I’ve had my Win 98 machine packed in a box at the new home for a couple of weeks now. I’ve been so busy at work here and at home moving and unpacking, that I haven’t had time to set up the PC at the new house. I also haven’t had time to research this virus thing. What should I do to protect the machine from being attacked when I eventually get the PC set up and connected to the NET?

Ah, I found this thread.

…and all my questions were answered.

No it’s definitely F4. For the third (and I hope I’ll get it right this) time - I meant to type ALT-F4.

Well, I tried to find out more on “zendmedia.com” and came across something at “http://www.computing.net/security/wwwboard/forum/5886.html”. Quite a discussion going on there concerning this popup. It’s been narrowed down as coming from someplace called “discountbob.com”, using zendmedia to spread the word. Oh, and the “Alt-F4” hint is there, too.

FTR, there is also an anti-virus-virus doing the rounds now which exploits the same holes, but forces your computer to patch, and then disinfects your system.

Doh, meant to add that I read that there are a few variants, including penis32.exe and teekids.exe, apparently doing the rounds. The same patch techniques keep them out, penis32 is just a rename it seems and teekids adds a backdoor. This according to Symantec.