W32/Lovsan.worm Blaster/MSBlaster - Remote Procedure Call - Repeatedly re-booting


  #1  
Old 08-16-2003, 04:50 AM
The Tool Offline
Mod
 
Join Date: Feb 2002
Location: LaLa Land
Posts: 918
W32/Lovsan.worm Blaster/MSBlaster - Remote Procedure Call - Repeatedly re-booting

W32/Lovsan.worm is a Medium-On-Watch Internet Worm. Also known as "Blaster" or "MSBlaster", Lovsan has quickly infected computers throughout the Internet. The worm takes advantage of a flaw in Windows NT, 2000 and XP operating systems to drop a malicious program on your computer.
Unlike typical computer viruses, which usually arrive as email attachments, Internet worms attack open communication ports on vulnerable systems, often without the operator's knowledge. By taking advantage of a vulnerability in Windows, the worm is able to spread without requiring any action on the part of the user.

How do you know if you've been infected?
Generally, the Lovsan worm causes your system to repeatedly re-boot itself every few minutes. Windows NT 4.0 and Windows 2000 systems may become unresponsive. Also, the file msblast.exe appears in the WINDOWS\SYSTEM32 directory.

How do you clean your system if it’s already infected?
Download McAfee Stinger

How do you prevent future attacks?
1. Update Windows
2. Update your anti-virus software. Always ensure your virus definition DAT files are current.
3. Firewall - This secure barrier fortifies your Internet defenses against malicious cyber code and hackers, helping block Internet worms like Lovsan before they invade your system.

More @ Microsoft: http://www.microsoft.com/security/incident/blast.asp
__________________
If you can't convince them, confuse them!

Last edited by The Tool : 08-25-2003 at 04:47 AM.

  #2  
Old 08-19-2003, 03:11 PM
Fraz Offline
Junior Member
 
Join Date: May 2003
Location: England
Posts: 16
asdf

Thanks, nice post.
__________________
Wear the Grudge like a Crown of Negativity...

  #3  
Old 08-22-2003, 09:56 AM
baronsaemdi Offline
Junior Member
 
Join Date: Aug 2003
Posts: 1
Good Info

thanks good info keep up the good work

  #4  
Old 09-01-2003, 10:20 AM
Firebrand Offline
Junior Member
 
Join Date: Apr 2003
Location: Northern Ireland
Posts: 8
Cheers in abundance!

  #5  
Old 09-20-2003, 11:45 PM
jd_surat Offline
Junior Member
 
Join Date: Sep 2003
Location: Melbourne
Posts: 2
Trouble

Hi,
I am getting the same trouble you indicated above. But as I'm getting through it I am finding some other viruses. I got this problem when I upgraded my Windows XP Home to Windows XP Pro.
I got the problem while I was connected to the Internet. First it says that there is a problem in SVCHost.exe. Then a message window pops up. It says that it is from NT AUTHORITY / SYSTEM and I have to shut the system down in 1 min. Also a timer is displayed on that window. Also I can't get rid of that window. I (forcibly) have to restart the system.
Then I formatted my hard disk and installed a fresh Windows XP Pro. After that I connected to the net for the first time and the same problem persisted.
So, when I searched I found that it is W32.Welchia.Worm. Now this worm does the above things, as per what Symantec says. Also it tries to remove the MSBlast virus. But I found W32.Welchia.Worm when I scanned the first time and removed that. Then when I ran virus scanning (with fully updated virus definitions) I found MSBlast.
So, the problem is I am not getting rid of these viruses. They are popping up after I remove them.
Please help me.
Thanks in advance.

  #6  
Old 09-21-2003, 02:00 AM
sami Offline
Junior Member
 
Join Date: Sep 2003
Posts: 9
First, virus Welchia can not be removed by scan, u must download a fix tool for that, and for Blaster virus too. Since u say u have blaster, and as we saw in first post the ways he behaves, first thing u should do is to stop the process that starts it. Then execute the fixtool that u can download at www.symantec.com in the section of virus removal tools. Then u can say u have removed them from the computer. As u say that these viruses keep rolling over in your computer, i wonder if u r connected on LAN with other users, because Welchia spreads itself like that too in nonprotected computers.
hope this will help u
__________________
every problem has its solution

  #7  
Old 09-21-2003, 06:30 AM
ESALADUANE Offline
Senior Member
 
Join Date: Nov 2002
Location: Minneapolis, Minnesota, USA
Posts: 2,003
It does little good to remove the virus if you're still vulnerable to re-infection as soon as you reconnect to the internet. You need a firewall that blocks the relevant ports and you need to download the patch. You must do these things before using the removal tool.



This is from Microsoft:

Step 1: Enable your firewall (the native XP one if you don't have another one).

Step 2: Download the patch from Microsoft (this patch replaces 823980).
http://support.microsoft.com/default.aspx?kbid=824146

Step 3: Install or update your anti-virus program

Step 4: Download the worm removal tool for W32.Blaster.Worm
http://securityresponse.symantec.com...oval.tool.html



If you have Windows 2000, which doesn't have a firewall, follow these steps for Step 1.

--Select "Network and Dial-up Connections" in the control panel.
--Right-click the interface you use to access the Internet, and then click "Properties".
--In the "Components checked are used by this connection" box, click "Internet Protocol (TCP/IP)", and then click "Properties".
--In the Internet Protocol (TCP/IP) Properties dialog box, click "Advanced".
--Click the "Options" tab.
--Click "TCP/IP filtering", and then click "Properties".
--Select the "Enable TCP/IP Filtering (All adapters)" check box.
--There are three columns with the following labels:

TCP Ports
UDP Ports
IP Protocols

--In each column, you must select the "Permit Only" option.
--Click OK.

  #8  
Old 10-09-2003, 03:46 PM
techsupport Offline
Junior Member
 
Join Date: Oct 2003
Location: India
Posts: 3
Well, reinstalling Windows XP after formatting the HDD won't be of much help because the virus hits the computer again. All you need to do is that after running fixblast.exe from Microsoft and also there is a security patch that needs to be downloaded. This will resolve the issue. Also have the latest Antivirus installed on your computer which has all the latest security updates.
__________________

"Breaking the thought barrier"


Technical Support

  #9  
Old 10-19-2003, 02:14 PM
ZeB Offline
Junior Member
 
Join Date: Oct 2003
Location: Canada
Posts: 7
DCOM exploit

Everyone should also note that this is a DCOM RPC security exploit, and DCOM should be disabled to prevent further infection.

From Microsoft:

"The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network in a reliable, secure, and efficient manner."

Yeah right!

To disable DCOM, open a RUN dialogue box and type 'dcomcnfg'. Expand 'Component Services', then 'Computers'. Right-click on 'My Computer' and choose 'Properties'. Click on the 'Default Properties' tab, and uncheck the 'Enable Distributed COM on this computer'. Click 'Ok', and then restart your system.

Doing this along with the other steps outlined in this thread will help prevent further infection against all Blaster variations and the Nachi worm as well.

Ciao!
__________________
--
Intel Celeron 950MHz
768MB PC133 RAM (3x256MB Kingston KVR133x64C3)
ASUS P2B-VT (VIA Apollo Pro133)
nVIDIA GeForce2 MX400 4x AGP (32MB)
40GB Maxtor HDD (94098U8 5400rpm ATA-100)
40GB Maxtor HDD (4D040H2 5400rpm ATA-100)
HP CD-Writer Plus! (4x4x24)
Toshiba SD-M1302 DVD-ROM (8x)
Sound Blaster Live! 5.1
Windows XP Pro (SP1)

  #10  
Old 11-14-2003, 03:47 AM
ZeuSueZ Offline
Junior Member
 
Join Date: Nov 2003
Location: Cph. DEN
Posts: 1

If you are having problems with the RPC showing while working the fix, simply press the start button -> run -> type : 'shutdown -a' --- without '

This command will terminate the current application trying to shutdown Windows, and you can do it over and over again, until the repair process is completed.

//Z
__________________
Real men don't do backup...
...real men cry ALOT!
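
The conditions this thread names (the msblast.exe file from post #1, the firewall and KB824146 patch from post #7, the DCOM setting from post #9) can be read in one pass and turned into a next step that follows post #7's order. This is an added example, not code from any poster or from Microsoft; the function name Get-BlasterExposure and the EnableDCOM registry location are assumptions not stated in the thread.

```powershell
# Added example: read-only audit of the conditions named in this thread.
function Get-BlasterExposure {
    param([string]$PatchId = 'KB824146')   # patch named in post #7

    # Worm file named in post #1.
    $wormPresent = Test-Path (Join-Path $env:windir 'System32\msblast.exe')

    # Get-HotFix returns nothing (and a suppressed error) when the KB is absent.
    $patched = [bool](Get-HotFix -Id $PatchId -ErrorAction SilentlyContinue)

    # Built-in Windows firewall only, read through the HNetCfg.FwMgr COM object
    # (XP SP2 and later); $null means the state could not be read.
    $firewallOn = $null
    try {
        $fw = New-Object -ComObject HNetCfg.FwMgr -ErrorAction Stop
        $firewallOn = [bool]$fw.LocalPolicy.CurrentProfile.FirewallEnabled
    } catch { }

    # Assumption: the dcomcnfg checkbox from post #9 is stored as the string
    # "Y" or "N" in HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM (not named in the thread).
    $ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    $dcomEnabled = -not ($ole -and $ole.EnableDCOM -eq 'N')

    # Next action, in the order post #7 gives: firewall, patch, then removal.
    if ($firewallOn -ne $true) {
        $next = 'Enable the built-in firewall or confirm another one is active'
    } elseif (-not $patched) {
        $next = "Install patch $PatchId"
    } elseif ($wormPresent) {
        $next = 'Run the worm removal tool'
    } elseif ($dcomEnabled) {
        $next = 'Consider disabling DCOM (post #9)'
    } else {
        $next = 'None'
    }

    New-Object PSObject -Property @{
        WormFilePresent = $wormPresent
        PatchInstalled  = $patched
        FirewallEnabled = $firewallOn
        DcomEnabled     = $dcomEnabled
        NextStep        = $next
    }
}

Get-BlasterExposure | Format-List
```

It needs PowerShell 2.0 or later, so it does not apply to Windows 2000, and a third-party firewall will show up as FirewallEnabled being false or empty.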