Nasty Worm going around

This hasn't shown up on any news sites yet that I know of but there is a really nasty worm going around the net that uses an exploit in RPC on XP. Make sure you have the latest updates to Windows XP installed or you will get zapped by this at some point.


It will cause a crash in RPC which will force your machine to reboot 60 seconds later (with a countdown). It's a PITA to remove too once you get it.

27,408 views 52 replies
Reply #1
At the risk of sounding stupid... what does RPC stand for?
Reply #2
RPC: Remote Procedure Call.

In a nutshell, it (the RPC service) is one of the critical services of Windows NT. ^.^
Reply #3
https://grc.com/x/portprobe=135 is a direct link to test if your port 135 is open or closed. Open is bad; closed or stealth is good.
Reply #5
OK, even I have this bug now. I wish I knew how to get rid of it. It's very, very annoying. I hope none of you get it.
Reply #6

Use REGEDIT.EXE and wipe out the value referencing MSBLAST.EXE at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.


Reboot. \windows\system32\msblast.exe (location may vary slightly depending on OS) should now no longer be running. Get rid of it.


Use WindowsUpdate to make sure you're patched or grab it by following the links for your OS from here: http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp
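As an added defender-side example (not code from the thread), here is a read-only PowerShell audit that reports the indicators Reply #6 walks through: a Run value referencing msblast.exe, a running msblast process, and the file under system32. It assumes a modern PowerShell on Windows; checking the HKCU Run key as well is an added assumption, and nothing is deleted.

```powershell
# Added example: audit for the MSBLAST indicators described in Reply #6.
# Reports only; removal (delete Run value, reboot, delete file, patch) is left
# to the administrator. Run from an elevated PowerShell prompt.

$indicator = 'msblast.exe'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # named in the thread
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'    # added assumption
)

$findings = @()

# 1. Autostart persistence: any Run value whose data mentions msblast.exe
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
        if ("$($p.Value)" -match [regex]::Escape($indicator)) {
            $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Value = $p.Value }
        }
    }
}

# 2. Running process named msblast
$procs = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -ieq 'msblast' }
foreach ($pr in $procs) {
    $findings += [pscustomobject]@{ Source = 'Process'; Name = $pr.Id; Value = $pr.Path }
}

# 3. File on disk at the location the thread mentions (may vary by OS)
$candidate = Join-Path $env:SystemRoot 'system32\msblast.exe'
if (Test-Path $candidate) {
    $findings += [pscustomobject]@{ Source = 'File'; Name = $candidate; Value = (Get-Item $candidate).Length }
}

if ($findings.Count -eq 0) {
    Write-Output "No $indicator indicators found in Run keys, processes or $candidate."
} else {
    $findings | Format-Table -AutoSize
    Write-Output "Remove the Run value, reboot, delete the file, then apply the MS03-026 patch."
}
```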

Reply #7
Here is a direct link to the update:
http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

Thanks so much for telling us about this!

Barb
Reply #8
Grrrrrrrr, I got it and I never get anything.

Oh well, all better now.
Reply #9
Seems no matter what I do, the link above still reports that port 135 is "Open". I've applied the patch, changed the registry entry for the DCOM service, even used DCOM config to disable it, and it still says "OPEN". Am I suffering from another bout of "headuperectus" or is it just full-blown Dumass Inc.?
Reply #12
Thanks for the info... nasty worms. Checked my port; it's stealth, yay. Ehmm, I guess my system is protected. Even though my port 135 is stealth (according to the GRC test), I would still like to know how to close it.
Reply #13
Cool! My port is closed! (Gee, that sounds a little nasty.) But it doesn't surprise me. We have two puters networked here and we have them as tight as a drum.
Reply #14
kthxbye
Thanks for the info on RPC.
Reply #15
This thing pounded us today. We had 12 servers' RPC services all die at the same time, and subsequently it started spreading around to the desktops. Unfortunately it's almost impossible to keep up with the Microsoft/anti-virus patching machine.
Reply #16
Just a heads up... despite my port being stealthed, I still got hit somehow.

Edit: got hit because it's more than port 135 to worry about:
http://isc.sans.org/diary.html?date=2003-08-11
Reply #17
I got it. Every time I tried to open my computer a countdown would start... I went to get that patch from Microsoft and applied it, and so far no countdown. I hope it stays like
Reply #18
Thanks for the info, I thought I was flippin' me lid.
Reply #19
I recently switched to Trend Micro's Anti Virus software and have been very satisfied.

Like most of the major Anti-Virus companies, Trend Micro offers a free on-line scan. House Call is available from http://housecall.trendmicro.com/

Manual removal instructions are available from http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A

I hope that this helps.
Reply #20
OK... I got this thing and I was able to stop the shutdown process:
Start > Run > shutdown -a

done...
Reply #22
Thanks for the heads up, this thing was doing its dirty work every time I started MSN Messenger. Now I can stop ripping my hair out.
Reply #23
OK... I admit I got it too...

but with your info...everything is A-OK again!!!
Thank you very much for this one!!!!

Live long, and prosper...!!!
Reply #24
Ditto. I got it and have no idea how; I've been virus free for years.
Disabled all startup proggies and no reboot since. Now I know what to look for and kill the Mo Fo.

Thanks folks
Reply #25
Hate to say this but Starone and I got that worm. I don't cruise the net and rarely go to another site except to buy or pay bills, other than camping out here. Starone goes everywhere. It came through a firewall. Downloaded the patch on her DSL as my 56k couldn't stay connected long enough. All fixed now but was pissed for a while. That isn't an accusation against this site, so I hope no one thinks that. SkinStudio says that all you had to be is connected to the internet to get it.