Msblaster Worm Back In Action?


6 replies to this topic

#1 Rogue75


Posted 17 May 2008 - 08:13 PM

So I installed a clean & legal copy of Windows XP Pro on my laptop and after only two weeks it seems I got a virus (not sure where from).

I looked up the symptoms of it and it appears to be the MSBlaster Worm that hit the net a few years ago.
The virus opens this window giving me 1 minute to save and then it restarts...

[Image: screenshot of the shutdown window]

I can save and let it restart or hit "shutdown -a" in the command prompt.
If I do the latter my wireless networking doesn't work anymore and restarting network connections
in services.msc doesn't work either as it says there that it doesn't respond.
Basically I have to either way restart the laptop.


The strange part is the install disk includes service pack 2, which includes the Microsoft hotfix for this issue,
as well I have updated every hotfix past it, excluding service pack 3.

Has this virus been remade to overcome the previous hotfix?

I find this quite strange....
Avast Antivirus can't even detect this few years old virus.


#2 Papakid

Malware Response Team

Posted 18 May 2008 - 12:27 AM

Hi Rogue75,

First I've moved your topic to a more appropriate forum. Sasser/MSBlast isn't making a comeback so this isn't breaking news.

Windows is set to shut down in case of a system failure by default. You aren't the first one to mistake this for a Sasser infection. The message in your screenshot says Remote Procedure Call stopped unexpectedly. Many services are dependent on RPC, so this is more likely a hardware or software driver issue. You seem to indicate that you've installed SP3--since that is still new I would hazard a guess that it may be at fault.

If you still have doubts, run a full system scan with your Antivirus and let us know if anything is found. BTW, which one are you running?

But I would look into troubleshooting the shutdown issue. Check your Event Viewer for errors. It is usually recommended that a good way to troubleshoot a shutdown/BSOD is to set Windows to not shut down automatically. Next time it happens, write down the exact message. The following guide will show you how and links to another guide on Event Viewer.

http://www.bleepingcomputer.com/forums/t/74644/how-to-disable-automatic-restarts-when-windows-crashes/

If your AV finds something, post back and let us know. If not and you need more help, it would be better to start a new topic in the XP forum, as this one is only for security issues--or I can move it. :thumbsup:

The thing about people

is they change

when they walk away.--Mipso


#3 DaChew

BC Advisor

Posted 18 May 2008 - 05:59 AM

What's the make and model of the laptop and the original installed OS?

Does Device Manager show any problem devices?

Laptops are a bear to find drivers for and then get them loaded.
Chewy

No. Try not. Do... or do not. There is no try.

#4 Papakid


Posted 18 May 2008 - 09:15 AM

After reading over the original post again a bit more carefully, let me make some corrections and add a few things.

Corrections:

1. I see that you did mention that Avast didn't find anything. That is actually good news.

2. MSBlaster and Sasser are two different infections. However, both would cause Windows to crash/BSOD, and thus the symptom that most keyed on to discover the infection was the fact that Windows was shutting down automatically. So I've still seen several people who think they are infected with Sasser when their system shuts down automatically. They are also both old, obsolete infections, from late 2003 and early 2004, respectively. Wikipedia has short summaries of both:

http://en.wikipedia.org/wiki/Blaster_(computer_worm)
http://en.wikipedia.org/wiki/Sasser_worm

Also note that the authors of both worms were arrested and prosecuted.

3. I see you have said your system is fully up to date with the exception of SP3, so apologies for guessing that it was the culprit.

Actually you have already mentioned a likely source of the problem:

> I can save and let it restart or hit "shutdown -a" in the command prompt.
> If I do the latter my wireless networking doesn't work anymore


I see a lot of people have trouble with wireless and, as DaChew has rightly asked about, if you've switched Operating Systems on an older computer you may have a hard time finding a driver for it.

Also:

> If I do the latter my wireless networking doesn't work anymore and restarting network connections
> in services.msc doesn't work either as it says there that it doesn't respond.
> Basically I have to either way restart the laptop.


That is by design and apologies for not mentioning this before. Even if you configure Windows to not shut down automatically on system crash, the system still must be shut down/restarted. This just gives you time to get more information for troubleshooting purposes. In the days of MSBlaster and Sasser it would give you time to remove the infection. So if you think about it, RPC has stopped running, so it won't work correctly until the system is restarted so that RPC is reloaded.


#5 Rogue75


Posted 18 May 2008 - 02:36 PM

If you could move this to the XP forums that would be great.
Sorry for having it in the Security Issues forum.
From what I read about the worm MSBlaster its creator is now out of jail
and factor that with the symptoms I just assumed he was back in demolition mode.

Anyway, that's good news that it's not a virus.

I have an HP DV6700t. I replaced the hard drive with a Seagate Momentus 7200rpm 200GB and installed Windows XP Pro (legal copy).
The system originally came with Windows Vista (as bad an operating system as Windows ME).

I just tried to update the wireless drivers and that same error popped up. It's definitely a problem with the wireless card.
I have an Intel 4965AGN. I'm going to test updating the driver from within Device Manager as opposed to running the .exe because it gave me the shutdown message like before. I'll write back when I've found the results.

#6 Rogue75


Posted 18 May 2008 - 02:44 PM

I got the wireless driver to update to ver. 11.5.1.15 by running "DPInst32.EXE" rather than "iProdifx.EXE"

If I don't write back then assume this problem is fixed.

For the sake of helping others on the internet, below is the error I had so anyone else can google it and find the issue.

This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM

Time before shutdown:

Message
Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly


Thanks gentlemen for all your help.

#7 DaChew


Posted 18 May 2008 - 02:50 PM

> The system originally came with Windows Vista


I suspected this was the issue, been there myself