posted
This weekend my internet did not work. After formatting and reinstalling and every conceivable bit of maneuvering, it still didn't help. Then came Monday, and my friend who is a system network admin at Pierce College came over with a new tool that he put together today.
Basically the Blaster worm has a new variation, one that virus scanners won't catch, and which, at any point, will stop all your programs from accessing the internet while it downloads thousands of worthless temp files to your cache.
He told me that in addition to running the tool, the main place where the virus hides itself is in C:/windows/system32/wins/ and it is usually the only file there, called DLLHOST.
I suggest that all of you delete this file if you have it, and if it tries to stop you claiming "access denied," restart windows in safe mode to delete it.
I have never had this much trouble with a computer before.
Posts: 622 | Registered: Dec 2001
posted
I'll point out that NO virus scanner can catch this worm. If you're relying on virus scanning alone, you are almost certainly infected by now -- which is why EVERYONE should apply Windows Updates religiously.
The worm you're talking about is the Nachi worm, which is the one that gave my college a bit of trouble two weeks ago due to a bunch of students who didn't apply the appropriate patches. It's actually more harmful than Blaster, in some ways, due to increased traffic -- but it's pretty much identical.
Posts: 37449 | Registered: May 1999
posted
Virus scanners can catch this worm; I've been on tech support calls where we hooked up the DSL and the customer's virus scanner immediately found the worm.
It doesn't directly harm your computer, but it does overwhelm your local network, sometimes literally destroying routers due to sheer volume of traffic.
I shall echo here: Patch your computer! Patch your computer! Patch your computer!
Posts: 15770 | Registered: Dec 2001
posted
There is a variation called "welchi" which my computer guru friend told me no virus software could catch, even though they should be able to, as it's a virulent script.
Posts: 622 | Registered: Dec 2001
posted
What if you have dllhost and dllhst3g? They are both listed as applications, are compressed, and are 4.50 MB.
Posts: 9871 | Registered: Aug 2001
posted
Got to go, so I can't do the research now, but there are places where you can find out exactly what those files are.
They are registered to microsoft on my computer. Their size and location, Morbo, also suggest they may be legit.
Posts: 3495 | Registered: Feb 2000
posted
Yeah, I meant kb. So, technically, yours are bigger than mine. I even applied the patch and have a firewall and everything. My ISP lost control last. First, its anti-spam e-mail thingy died, so everyone got 100 e-mails for porn over the course of a couple of days, and then it decided that it was permanently closing port 135 (I didn't even know 135 was open!). Apparently that will mostly affect the local Uni., but honestly, I have no idea what they are even talking about. I like my magic box.
Posts: 9871 | Registered: Aug 2001
quote:This worm is a variant of WORM_MSBLAST.A and usually arrives as DLLHOST.EXE (~10,240 bytes) on target systems. It also opens ports between port 666 to port 765 for its malicious routines.
(Note: There is a normal system file named DLLHOST.EXE that is 6 kilobytes.)
posted
www.sophos.com has an information page. But their extractor couldn't find the DLLHOST.exe files that the Windows "find" function found readily!
Posts: 6316 | Registered: Jun 2003
posted
Let me reiterate: no virus scanner can prevent an infection of Welchia, Blaster, Nachi (whatever you want to call it/them), or any variant that spreads using RPC calls.
The virus scanner can detect that your system has BEEN infected, once it is infected, and delete the files when they're accessed by memory in order to start infecting others. However, you will continue to be REINFECTED on a regular basis until you apply the RPC patch available on Microsoft's site. This does not, in my book, count as being "caught" by a virus scanner.
-----
AN IMPORTANT NOTE: Do not just go around deleting dllhost files. Some of them are quite important. If you have a virus scanner, and have updated definitions, let it find the files for you.
Note, however, that if you have a \WINNT\system32\wins or \WINDOWS\system32\wins folder, and that folder contains svchost and dllhost files, you are almost certainly infected, especially if your system folder also contains a number of files starting with TFTP.
Posts: 37449 | Registered: May 1999
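A read-only checker for the on-disk indicators the post above lists (a system32\wins folder holding svchost and dllhost, plus TFTP* files in the system folder). This is an added example, not code from the thread or from any vendor tool; it takes whatever system32 path the caller passes in and builds its own constructed sample tree, and it deletes nothing.

```python
# Added example (not from the thread): a read-only check for the on-disk
# indicators described in the post above. The sample tree below is
# constructed for demonstration; no real files are modified or deleted.
from pathlib import Path
import tempfile

# Indicators named in the post: svchost and dllhost binaries inside
# system32\wins, and files starting with TFTP in the system folder.
WINS_NAMES = {"svchost.exe", "dllhost.exe"}


def check_indicators(system32) -> dict:
    """Report which of the post's indicators are present under system32."""
    system32 = Path(system32)
    wins = system32 / "wins"
    wins_hits = sorted(
        p.name for p in wins.iterdir()
        if p.is_file() and p.name.lower() in WINS_NAMES
    ) if wins.is_dir() else []
    tftp_hits = sorted(p.name for p in system32.glob("TFTP*") if p.is_file())
    return {
        "wins_binaries": wins_hits,
        "tftp_files": tftp_hits,
        # Both dropped binaries in wins\ is the post's "almost certainly infected" case.
        "likely_infected": len(wins_hits) == 2,
    }


def make_sample_tree(infected: bool) -> Path:
    """Build a constructed, throwaway WINDOWS\\system32 layout (assumption)."""
    root = Path(tempfile.mkdtemp()) / "WINDOWS" / "system32"
    root.mkdir(parents=True)
    # The legitimate dllhost.exe lives directly in system32 (~6 KB per the thread).
    (root / "dllhost.exe").write_bytes(b"\0" * 6144)
    if infected:
        wins = root / "wins"
        wins.mkdir()
        for name in ("DLLHOST.EXE", "SVCHOST.EXE"):
            (wins / name).write_bytes(b"\0" * 10240)
        for i in range(3):
            (root / f"TFTP{i}").write_bytes(b"\0")
    return root


if __name__ == "__main__":
    for label, flag in (("clean", False), ("infected", True)):
        print(label, check_indicators(make_sample_tree(flag)))
```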
posted
I hope I don't need that file I deleted. But its size matched the profile. Oh, well. I patched at MS; they say Win 98 isn't vulnerable, but they don't support it. I would upgrade to a later Windows, but there are other upgrades that come first.
Posts: 6316 | Registered: Jun 2003
quote:Steps to Protect Yourself from the Blaster Worm To protect yourself from the Blaster Worm and its variants, users of the following products: Microsoft Windows® 2000 Service Pack 2 or greater, Microsoft Windows XP, and Microsoft Windows Server(tm) 2003, should install "MS03-026: Security Update for Windows XP (823980)." Microsoft Windows NT4 users are also vulnerable and should click here for more information.
Users of Windows 2000 or Windows 2000 Service Pack 1 should upgrade to the latest service pack and then install "MS03-026: Security Update for Windows XP (823980)."
Your computer is not vulnerable to the Blaster Worm if either of these conditions apply to you:
* If you have already downloaded and installed the security update that was addressed by Security Bulletin MS03-026. The MS03-026 update will not be listed on Windows Update in this case.
* If you are using Microsoft Windows 95, Windows 98, Windows 98 Second Edition (SE), or Windows Millennium (Windows Me).
posted
The sickest thing I saw during the onset of the RCP blaster was someone who put out some popup ads, which would full-screen the browser window, with a fake RCP shutdown window saying "your system has been infected with the RCP worm, UPDATE DETECTED, CLICK BELOW TO GET FIX".
This ad had popped up on my dad's system, and he called me over to look at it. Of course, since I hadn't been there when it popped up (and thus didn't know what he was running in the background), I was at first dismayed to find out he'd been hit with the worm, and then did a double take at the RCP shutdown window, since, you know, most RCP windows don't have update links underneath them. I didn't bother to query the domain they linked to, but that was simply disgusting opportunism at its absolute worst.
Posts: 4482 | Registered: May 2000
posted
Am I just a big nerd, or is there anyone else who can't help thinking of the last scene of Antony and Cleopatra when this thread comes up?
Posts: 1046 | Registered: Sep 2002