There have been widespread attacks caused by the W32.Blaster.Worm in the last few hours. This alert is to inform you of the worm and to offer you resources to patch the exploit on your system or to repair it if you have already been struck.
One of our members, Alereon, has very kindly put together the following:
==========
Subject: Critical Windows Remote Procedure Call Exploit: Protecting and Repairing Your Computer
A new Critical Exploit for Microsoft Windows allows a remote user to gain administrator access on your computer. If you are exploited in this manner, an “NT AUTHORITY” error window will pop up, saying that the Remote Procedure Call service has terminated. Your computer will shut down 60 seconds after this error displays.
YOU are vulnerable if:
-You are running Microsoft Windows NT [4.0+]
-You are running Microsoft Windows 2000 [All versions]
-You are running Microsoft Windows XP [All versions]
-You are running Microsoft Windows Server 2003 [All versions]
Microsoft Windows 95, 98, 98SE, and ME are not vulnerable.
Using this vulnerability, a remote user can install viruses or trojans of their choice, view or delete your files, install file servers on your computer hosting illegal content including but not limited to child pornography or pirated software, capture your passwords and credit card details, and use your computer to attack other systems.
To abort a shutdown in progress: Go to start, run, and type in “shutdown /a”, without the quotes, and press Enter.
To fix this Critical Exploit:
Go to http://www.microsoft.com/technet/security/bulletin/MS03-026.asp and download the patch for your operating system. If you are running Windows XP, you have the 32-bit version, not the 64-bit version. If you have firewall software or a router, you should block access to port 135 for all computers.
To remove viruses or trojans:
The msblaster.exe worm is the most common infection. After you have installed the patch for this exploit from Microsoft, go to Start, run, and type in “msconfig”, without quotes, and press Enter. Go to the startup tab and UNCHECK “msblaster.exe”. Restart the computer, and enter Safe mode by pressing the F8 key before the “starting windows” screen appears. A startup menu will appear; choose Safe Mode. Once there, delete msblaster.exe.
WARNING: msblaster is only one of many viruses or trojans that could have been installed. Just because you do not find or successfully remove it, do not assume that your computer is safe. File servers hosting illegal content, keyloggers, or other viruses may still remain. Virus scanners may not detect such infections.
For more information:
Please see the Microsoft Technet article, available at:
Note: Futzing around in msconfig and deleting files in safe mode can be dangerous. If you don’t know what you’re doing, please contact a professional. Neither the author of this post nor the Chicago Reader shall be held liable for damage resulting from errors or omissions in this post.
Alereon
Operator, United Networks #help on EFnet
==========
One of our moderators, David B, adds:
==========
Here are a couple more links with info. Symantec just upgraded this virus in
terms of severity:
People can find out more about this at http://zdnet.com.com/2100-1105_2-5062524.html
From there, you can click on the “reader resources” link near to the right
of the second paragraph.
David B
==========
You may discuss further fixes, patches and resources in this thread. Please keep general discussion about the attack outside of this thread.
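The two host checks described in the alert above (port 135 reachable, an msblaster.exe startup entry) can be scripted over captured command output. This is an added example, not part of the original post: it parses `netstat -an` and `reg query` text, and the sample outputs, value names and the choice of the machine-wide Run key are assumptions.

```python
import re

WORM_FILE = "msblaster.exe"  # file name as given in the post
RPC_PORT = 135               # port the post says to block

# Constructed `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1135           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1042      10.0.0.5:135           ESTABLISHED
"""

# Constructed `reg query` output for the machine-wide Run key (assumed
# location); value names are made up, only the file name is from the post.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleAudio    REG_SZ    EXAMPLE.EXE
    ExampleValue    REG_SZ    msblaster.exe
"""

def exposed_rpc_listeners(netstat_text, port=RPC_PORT):
    """Return local TCP endpoints listening on `port` on a non-loopback address."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        host, _, local_port = fields[1].rpartition(":")
        loopback = host.startswith("127.") or host == "[::1]"
        if fields[3].upper() == "LISTENING" and local_port == str(port) and not loopback:
            hits.append(fields[1])
    return hits

def worm_startup_entries(run_key_text, name=WORM_FILE):
    """Return (value name, data) pairs whose data mentions `name`, ignoring case."""
    entries = []
    for line in run_key_text.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_(?:SZ|EXPAND_SZ)\s+(.*)$", line)
        if m and name.lower() in m.group(2).lower():
            entries.append((m.group(1), m.group(2).strip()))
    return entries

def triage(netstat_text, run_key_text):
    """Combine both checks into one report for the host."""
    return {"exposed_rpc": exposed_rpc_listeners(netstat_text),
            "worm_startup": worm_startup_entries(run_key_text)}

if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT, SAMPLE_RUN_KEY))
```

An empty report does not clear the machine; as the post's WARNING says, other malware may have been installed through the same hole.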