Old 10-22-2003, 01:53 PM   #1
SpiritWarrior
Jack Burton
 

Join Date: May 31, 2002
Location: Ireland
Posts: 5,854
So this is a problem with my mate's computer. He was infected with the Blaster worm a month or so back and asked me to sort it out for him. When I went down I found it running under MSBlast.exe, disabled it, looked in the registry but did not find it so got the critical patch for XP and thought it sorted. Time passed and his system seemed fine. Great.

Just recently he had reinstalled XP and began to get this RPC error again (about a day or so after reinstallation), with XP shutting down after a 60(?) second countdown. I immediately thought he had somehow gotten re-infected so went down there to sort it out. When I checked the task manager there was no sign of MSblast.exe so I disabled the RPC to 'take no action' so I could buy myself some time to look around his system.

It started doing a lot of weird shit to be honest. In the task manager there was no telltale MSblast.exe but there was a blank line...like it had no description under 'Image Name' except for the path after it. Basically something was running but it had no name at all. I suspected maybe a variant of the Blaster worm, hiding itself under a blank in the task manager so I clicked 'End task' and stopped it. I went back into services.msc to re-enable the RPC back to default and for some reason I could not bring up the properties menu to do this, I clicked and nothing happened. I clicked on other things (files, applications etc.) and none would bring up a properties menu when asked to. When I tried to run media player it gave a message of 'Low Memory'. I downloaded the Symantec Blaster worm removal tool and ran it. No Blaster worm detected.

Well after messing around with it my mate said he'd been thinking of re-installing XP again since he'd done this recently and this would be a better time than any since there was basically nothing on the drive yet. I said ■■■■ it and let him go ahead and do this, warning him that he must patch XP and get up to date as soon as he reinstalls. Well, he reinstalled and it looked fine, he downloaded half of the patches (he's on dial-up) then just called me right now (2 days after) to say the RPC error had started again! I'm now thinking it may not be the Blaster worm at all. He says that when he clicks on media player it again gives him a 'low memory'. I told him I really didn't have a clue what it is and would ask around before arriving with the intention of fixing it. Again, it's my friend's computer so I can't provide specific details on the problem only that it sounds like the one I already looked at not 2 days previous. Does anyone have any idea/experience on this? If I disable the RPC protocol and just patch for the Blaster worm (regardless of Symantec saying there is none detected) you think it will be okay? Or should I still try to find the root of the problem?

[ 10-22-2003, 01:54 PM: Message edited by: SpiritWarrior ]
__________________
Still I feel like a child when I look at the moon, maybe I grew up a little too soon...
Old 10-22-2003, 02:08 PM   #2
Faceman
Hathor
 

Join Date: February 18, 2002
Location: Vienna
Age: 42
Posts: 2,248
If you really suspect a virus, download one of the great free anti-virus tools (AVG or Panda).
__________________
"I am forever spellbound by the frailty of life"
Faceman
Old 10-22-2003, 02:26 PM   #3
SpiritWarrior
Jack Burton
 

Join Date: May 31, 2002
Location: Ireland
Posts: 5,854
Tried Norton, McAfee, and the Symantec tool.
Old 10-22-2003, 04:15 PM   #4
WillowIX
Apophis
 

Join Date: July 10, 2001
Location: By a big blue lake, Canada
Age: 50
Posts: 4,628
Disable the DCOM service on that machine, it's never used anyway... You can find more info about that here. The program is called DCOMbobulator.
__________________
Confuzzled by nature.
Old 10-22-2003, 06:06 PM   #5
SpiritWarrior
Jack Burton
 

Join Date: May 31, 2002
Location: Ireland
Posts: 5,854
Ok will have a look at it. Although from what I can see that's already involved in the patch. I dled the manual patch for it at http://www.heise.de/english/newsticker/news/39464 so I'm hoping that will address just the worm since he's on dialup and it takes hours to fully patch a new system. I'll see what I can do.
Old 10-22-2003, 07:18 PM   #6
WillowIX
Apophis
 

Join Date: July 10, 2001
Location: By a big blue lake, Canada
Age: 50
Posts: 4,628
Quote:
Originally posted by SpiritWarrior:
Ok will have a look at it. Although from what I can see that's already involved in the patch. I dled the manual patch for it at http://www.heise.de/english/newsticker/news/39464 so I'm hoping that will address just the worm since he's on dialup and it takes hours to fully patch a new system. I'll see what I can do.
No, Microsoft's patch does NOT disable the DCOM service. It just solves one exploit but leaves the service running.