Whats going on....?

[joshwa]

Originally posted by Ben Rogers
MSBlast doesn't do anything to harm your PC and it's very easy to work around to say the least.

If you don't want to know if you have MSBlast simply goto the control pannel, administrative tools, component services then right click on remote procedure call (rpc) properties, recovery and set all three failures to 'take no action'.

Now your PC won't reboot due to the MSBlast virus, I've done this on all my 2k/xp boxes after I got the virus, not suprising really considering I don't have a firewall/antivirus, but it works a treat.

That's the best way of stopping it doing a thing without having to download crap from M$.

did you patch your pc with the MS patch? if not your pc can still be infected, and your "RPC" service can still be crashed. the "crap" from MS is actually patches to try and make your PC more secure and less prone to attack from this worm or other worms that come out...

On Windows XP, it's the RPC Service crashing that causes the PC to reboot, as in the properties of it, it is set to reboot the PC when the RPC service crashes, on Windows 2000 as a default, if the RPC service crashes it is set to do nothing.

Hundreds of Windows 2000 PCs have been infected at work, first with the Blast worm, and secondly with the Welchia worm, simply because none of them were patched. It is really important that people patch their PCs otherwise you are leaving your PC open to all the junk from the internet and worms, which is much worse than having to install stuff from MS in my opinion.

Running your PC without patches and anti-virus software is simply naive. I would also say that when using a broadband connection connected directly to your PC, it is a must to have a firewall setup. The network is most of the time simply left wide open.

Sygate personal firewall is meant to be good - so you could try that.

[Richie]

Originally posted by Agent
Strange, i read different, i dont know which is right now.
Ill go and check when i have a spare min.

I just had a look myself when you said it didnt flood requests and it appears that noone is yet wrong as there ar currently (that I know of) 3 MSBlaster variants out there

W32.Blaster.Worm
W32.Blaster.B.Worm
W32.Blaster.C.Worm

They all basically do the same thing with minor diffrences on how they do it - either flooding requests or malformed requests...... Either way they all have the same end result in shutting down your PC


Ben - nice way to get around it Nothing to say it wont work so will bear it in mind if anyone else I come across is infected. I am just wondering tho if, due to not solving the root cause of the problem, the system can be left open to other forms of attack that this solution may not solve i.e. as Agent says, it could be used to wipe your HDD rather than shut down so telling your PC to not reboot wont solve this problem......

This is just my speculation tho so it may not be right

[TomWilko]

Well my PC still seems a little 'ill' this morning Pages aren't loading quite as fast. I suppose this is my fault mainly, i havn't got an up-to-date virus checker because my free updates ran out recently!

Is it definate then i have a worm or virus or something? Surely if it was something like that the PC would be messing up from the inside? Not a 1000 I.P addresses pinging me in one hour??

[TomWilko]

...Also, do you think i need to take this issue up with ntl??

[Agent]

AHh, i just did some reading aswell.
It appears that if you try to visit the MS update site to patch your machine, it issues the shutdown command regardless of if it has caused a access violation - makes more sence now

[joshwa]

get avg anti-virus software from www.grisoft.com it's free with unlimited free updates!

do it now pc slow down makes it sound like you could be infected. also re-install your firewall, i suspect you've probably been infected by welchia.worm , get the removal tool from symantec.

is your pc patched with the latest ms patches?

[Ben Rogers]

Originally posted by www.josh.org.uk
did you patch your pc with the MS patch? if not your pc can still be infected, and your "RPC" service can still be crashed. the "crap" from MS is actually patches to try and make your PC more secure and less prone to attack from this worm or other worms that come out...

On Windows XP, it's the RPC Service crashing that causes the PC to reboot, as in the properties of it, it is set to reboot the PC when the RPC service crashes, on Windows 2000 as a default, if the RPC service crashes it is set to do nothing.

Hundreds of Windows 2000 PCs have been infected at work, first with the Blast worm, and secondly with the Welchia worm, simply because none of them were patched. It is really important that people patch their PCs otherwise you are leaving your PC open to all the junk from the internet and worms, which is much worse than having to install stuff from MS in my opinion.

Running your PC without patches and anti-virus software is simply naive. I would also say that when using a broadband connection connected directly to your PC, it is a must to have a firewall setup. The network is most of the time simply left wide open.

Sygate personal firewall is meant to be good - so you could try that.

Nope, didn't patch any PC's, just did what I said above and haven't had a single problem since.

As for Windows 2000 RPC properties that's false, it's by default set to reboot if the RPC service crashes. All three failures are set to reboot PC just like on XP. This is why I set them to 'take no action' so if the service crashes it doens't reboot

I've always ran PC's without anti virus/firewall software, use too much system resources IMHO.

[TomWilko]

Originally posted by www.josh.org.uk
get avg anti-virus software from www.grisoft.com it's free with unlimited free updates!

do it now pc slow down makes it sound like you could be infected. also re-install your firewall, i suspect you've probably been infected by welchia.worm , get the removal tool from symantec.

is your pc patched with the latest ms patches?

Ok i will take a look at this now PC is fully patched it just appears the D/Load light and U/Load light r going crazy all the time

[joshwa]

Originally posted by TomWilko
Ok i will take a look at this now PC is fully patched it just appears the D/Load light and U/Load light r going crazy all the time

got a/v software on, and updated? i recommend it.
it does sound like you are infected.

[joshwa]

Originally posted by Ben Rogers
Nope, didn't patch any PC's, just did what I said above and haven't had a single problem since.

As for Windows 2000 RPC properties that's false, it's by default set to reboot if the RPC service crashes. All three failures are set to reboot PC just like on XP. This is why I set them to 'take no action' so if the service crashes it doens't reboot

I've always ran PC's without anti virus/firewall software, use too much system resources IMHO.

hi, don't mean to argue or anything, but, speaking from my own personal experience, all the 100s+ windows 2000 pcs at work that have *been* (and haven't been) infected with these worms have had the RPC service crash - and the settings have been on all of the to "take no action" - none of the pcs have been automatically shutting down either. on my 2 windows 2000 pcs at home, the RPC service is set to "take no action" and and i have not changed them... - perhaps on unpatched pcs, it is set to reboot, but from all the documents (symantec.com etc) i've read about these new worms, on windows 2000, the rpc service is set to take no action.

also, if you don't run anti-virus software, how are you supposed to tell if you have a virus or not? having a pc riddled with viruses is going to use more system resources than running some anti-virus software. hence why symptoms of having a virus is that the system slows down. - is your pc connected to the internet ever? - if yes then you are open to viruses unless you have a firewall or anti-virus software, it is as simple as that.

there are on-line virus scanners that you can use if you don't want to install / run anti-virus software.

you can check if you have the welchia worm with this removal tool : http://securityresponse.symantec.com...oval.tool.html

or the blast worm with this one:
http://securityresponse.symantec.com...oval.tool.html

I suspect TomWilko, you may have one of these - but up to date a/v software should find these as well if you have the latest updates.

[TomWilko]

Originally posted by www.josh.org.uk
got a/v software on, and updated? i recommend it.
it does sound like you are infected.

I am running W32.Welchia.Worm Fix Tool from Symantec at the moment. I will wait and see what happens. I have downloaded that virus checker from www.grisoft.com so that will be next on list if this returns nothing.

[TomWilko]

!!TIME FOR A BIG THANKYOU!!

To www.josh.org.uk!! With you help m8 i have found that the actual Worm on the computer was the Welchia and it has now been removed using Symantec's remove tool. Just thankyou again m8, cos i have no idea how it got on the machine (prolly my brother ) But its gone now and i am just glad!

[joshwa]

Originally posted by TomWilko
!!TIME FOR A BIG THANKYOU!!

To www.josh.org.uk!! With you help m8 i have found that the actual Worm on the computer was the Welchia and it has now been removed using Symantec's remove tool. Just thankyou again m8, cos i have no idea how it got on the machine (prolly my brother ) But its gone now and i am just glad!

cool it's not like other viruses that use email etc. this one just goes around the network, eg, someone's machine get's infected, it then pings the entire network it's on to see which machines it can infect, if finds yours, sees you aren't patched, then crashes your RPC service in order to infect your PC... hence all the 1000's of pings etc going in and out of your pc. broadband networks are normally WIDE open so it is REALLY important to run a firewall / av software / patches

Josh

[[GSV]Trig]

Yes big thanks to Josh there even tho I mentioned it as about the 6th reply to the thread

[TomWilko]

...I was in denial about a virus until i realised the whole PC was still running slow despite a defrag and clearing up so much space on my HD!