MSBLASTER worm warning

08 August 2003, 10:50 AM

this is spreading fast...the hotfix from MS was the fix that caused max files to be corrupted so it's likely a lot of people will be caught.

Unless the correct ports are blocked or the fix patch is applied this worm can get through firewalls.

there's a fix for it above

symptoms include shutdown messages and failure of copy/paste as well as other system instabilities

if you look at your task manager and see MSBLAST.exe running then you have it...

08 August 2003, 12:03 PM
well, my system shut itself down today. So I got it. F*** Does anyone know what sort of damage it does? I did a virus scan of my system and nothing.

08 August 2003, 12:23 PM
from what i know from my machines you may not have it...it seems the pop up occurs as your machine is being infected...the machines that were shut down when this occurred were safe, however we still took steps to prevent the machines connected to the net from getting infected again.

follow the symantec link for a tool to discover and remove the virus

to stop infection you need to block the ports mentioned in theregister link or apply the MS patch. Be aware though that the MS patch will corrupt max files, if you need to use max, MS have a patch for the patch that corrects this, but it needs to be requested by phone (at this time the line is down due to call overload:rolleyes: )

08 August 2003, 02:05 PM
My other computer was acting weird, and by chance I alt-ctrl-del it this morning, and it had msblast runnin. I shut it down, because I didn't recognise it and today i read it is a virus. :)

08 August 2003, 02:05 PM
i almost put my mouse through my screen last night dealing with this. nice to know it's a worm and not windows XP just acting normally.

08 August 2003, 02:36 PM
Yeah I got a message telling me my computer was gonna reboot. I tried to disconnect and I could not. I shut the modem down during the countdown. But it rebooted anyway. Argh:annoyed:

08 August 2003, 02:50 PM
Hey all-

If you're worried you have it, download the following removal tool from symantec. It's a small 873k file, I ran it this morning and it worked great. After running this, then make sure to do the windows update first thing, and install all the critical patches.

If you have recently installed all the windows updates as of last week you should be ok...

08 August 2003, 03:48 PM
a word of warning: the hotfix from MS that fixes it is the one that causes max file corruption :surprised ...there is a patch for that patch as well...but you need to phone MS to get it and the last time i tried their phones were overloaded :rolleyes:

08 August 2003, 04:10 PM
I got the shutdown yesterday, weird thing was that i didnt see any msblast

anyway I installed the patch, made a dummy readonly msblast.exe file in windows/system32 and blocked the ports where it can come thru

but the ISP's here already blocked the ports so i dont get any attacks anymore

The Time Serpent
08 August 2003, 04:21 PM
i got it too.... but i didnt install any patch or something i just put a firewall (yes, i forgot to put on after the last system reinstallation)

08 August 2003, 04:42 PM
Crap I should have thought about a virus last night when I had problems starting up VC6 to work on a new plugin. Saw this and checked and there it was in all its horribleness. Thanks for the word since neither my firewall nor my virus detection junk caught it. I guess I should stop delaying my Windows Update tray icon and dl that update!
Thanks again!

08 August 2003, 04:50 PM
Thanks halo! I was just thinking I had to reinstall windows! :thumbsup:

Saved me my evening :beer:

08 August 2003, 05:14 PM
Thanks Halo for the info, I got it yesterday.

take care, jairbair

08 August 2003, 05:34 PM
I just downloaded the windows update and everything seems to be A.O.K. So far I haven't found any problems with my max files (knock on wood). :shrug:

08 August 2003, 05:38 PM
yay :applause: i've got one too, my first worm ever

08 August 2003, 06:36 PM
you won't get any problems with max files until you try to use them on a system that hasn't had this fix or hasn't been updated to winxp sp4...there is a patch for this, but you need to phone MS and judging by their telephone message they have been too swamped to even answer the phone.

the fix is about 1mb and they email it to you...perhaps if someone has got it they could email it to others? even my dealer hasnt got it yet

the virus blocks (by a DOS attack) access to, so you may have to remove it before getting the fix, but just beware if you work in a multiOS max pipeline

08 August 2003, 07:31 PM
OK this is how bad it is. I reinstalled windows yesterday (it needed it badly) then right when it was done about 10 minutes later my computer restarted (this is after a full format of my harddrive) I got the virus before i had a chance to install my antivirus or run windows update. I was furious. If you do get a shutdown message run the command prompt and type

shutdown -a

this aborts the shutdown but it makes your computer run stupidly you will need to restart but it will give you more time than a minute.

I leave you now with these words...linux is better ;)


08 August 2003, 07:33 PM
Yesterday, for no reason, I got online on my other computer, and a few minutes pass, and I get a countdown meter saying my computer will restart and there's an error, and win32 error or something. I guess this is the same problem everyone else is having. I dont have an antivirus thing on that computer, but on the one I'm on now, I do have an antivirus thing, and as I am typing this, I get a pop up that says "virus found" has the name of it "msblast.exe" and says "clean failed: quarantine failed acces denied" (this is norton antivirus btw). Shoot, I've never got a virus before. Need help, thanks.

08 August 2003, 08:11 PM
I was chatting with my friends online and they both kept shutting down. They would come back online basically gasping for help before shutting down again.

They described the problem they were having (error messages and the such) and did some research. Researching led me to the site below which seemed to have solved my friends' problems... or at least long enough for them to get the Windows Update Critical patches.

Fortunately I didn't have this problem since I patched my OS last week. Let me know if this helps.


08 August 2003, 09:26 PM
a little tip....disconnect from the net...apply patches or port blocks while in safe mode...reboot...oh and pay attention to symantecs warning about system rollback...

08 August 2003, 09:30 PM
I'm still not sure If i've got it or not. I'm not getting reboots, but I keep getting little issues now and then which I've never had before, like tasks getting errors and the "open in new window" command not working.
I've run the fixblast, and it says I don't have it...:hmm:

08 August 2003, 09:52 PM
So does this msblast worm screw up maya and xsi too? I found it in my system32 folder, which i promptly deleted, so i'm back to surfing the net again. Everything's cool for a while, but then 10 min later or something i'm getting these recent same problems mainly dealing with the Internet explorer (copy paste doesn't work). The only error i get is svchost.exe dies or something.

i'm gonna format soon...just wondering how serious this "worm" problem is and will it screw with maya and xsi files like it does with max?

08 August 2003, 10:17 PM
if you havent applied the patch or blocked the relevant ports then its likely you've picked it up again...

the virus works in two parts, 1st an infected machine scans your machine for the vulnerability and then runs a buffer overflow to run malicious code on your machine. This code then sets up a mini ftp server on your machine to download the rest of the virus from the infected machine which is then able to use your machine to infect another.

It may be you're getting symptoms before it's able to get the last part in action, i have seen this today already, machines trying to shutdown but upon a scan don't reveal the virus, so i'm guessing that this is when the machine is still in its first stage and for one reason or another can't complete the rest.

get patching or blocking

08 August 2003, 10:18 PM
look here for a vulnerability test

08 August 2003, 10:26 PM
Yeah, I just finished cleaning this bastard from my parents computer. I had to disconnect them from the internet because they kept getting shutdown via the RPC buffer overflow. Once you get rid of the worm and apply the MS hotfix, however, everything is dandy. I hate the sociopathic little twerps who write these worms/viruses... :annoyed:

08 August 2003, 10:29 PM
Thanks Halo. I'll get the patch.
I bet IM and other chat programs dont help contain this worm either huh.... . heh fun times.

08 August 2003, 10:38 PM
well this one exposes a flaw in the OS, but yes, the more apps you expose to the net and for longer your chances of problems increase...

08 August 2003, 10:40 PM
Originally posted by Slick
So does this msblast worm screw up maya and xsi too? I found it in my system32 folder, which i promptly deleted, so i'm back to surfing the net again. Everything's cool for a while, but then 10 min later or something i'm getting these recent same problems mainly dealing with the Internet explorer (copy paste doesn't work). The only error i get is svchost.exe dies or something.

i'm gonna format soon...just wondering how serious this "worm" problem is and will it screw with maya and xsi files like it does with max?

Yeah, that's what I'm getting... dang.:annoyed:

I cannot see a process in the task manager that would identify this though... also fixblast says everything is okay.

08 August 2003, 10:51 PM
that sounds like its trying to get into your system but failing and causing instability....get patching or blocking

08 August 2003, 11:25 PM
this virus uses the DCOM/RPC exploit, you simply do not have to do anything to get it. It will set itself on your pc just by connecting to your port 135. After that it does some stuff to infect other pc's from your pc.

I haven't heard about any damage it does, except for restarting the RPC service which is vital and therefore will force a reboot.

Applying the patch from MS will close the port 135 problem but will not delete the worm as far as I know.

As pointed out above,
You can check if your system is vulnerable to it with this site, it runs a test and gives you the result.

Open : BAD
Stealth,Closed : GOOD

I did not get the worm myself, I seem to have been invulnerable to it without having applied the patch. The only reason I can think of why I am not affected is because I have never ever installed a patch and/or service pack of microsoft :p

08 August 2003, 12:41 AM
Hmm, I think the problem may be solved for me. I downloaded the patch from microsoft and so far my computer that always restarted has not restarted at all, when it usually would do it when I would be on the Internet for about 10 min. and I've currently been on this one for 1:28 min. I went out and bought an antivirus package since this computer was unprotected. I also got the fixblast thing from here and it said it removed the worm file. So far so good (so far). I have opened up some Maya files and they seem to be fine, and everything else on my computer seems to be fine as well.

08 August 2003, 01:00 AM
Okay, I got the worm removed from my computer running XP with the fixblast, but I can't get it removed from my laptop running 2000. The worm isn't messing this machine up, but the file is still here nonetheless. When I run the fixblast, it runs, then says it has generated errors and will be closed and it does this every time I run it. Does this fixblast not work on Windows 2000?

08 August 2003, 01:15 AM
Originally posted by hopper2k
Okay, I got the worm removed from my computer running XP with the fixblast, but I can't get it removed from my laptop running 2000. The worm isn't messing this machine up, but the file is still here nonetheless. When I run the fixblast, it runs, then says it has generated errors and will be closed and it does this every time I run it. Does this fixblast not work on Windows 2000?

has instructions on how to deal with this worm. It worked for me.

08 August 2003, 02:39 AM
Man I have some crap luck.. I reinstalled Windows yesterday since it's been a while, and in the short window of time while I was in the process of downloading from Windows Update shortly after getting my internet connection up, svchost crashed, and I quickly went to task manager to see if something funky was in there, only to notice msblast.exe. I deleted that sucker, and found out about it online, quickly blocking any open ports on my router and applying the patch again ( I had already applied it, but I already had the worm so I guess it didn't apply right ). It just couldn't wait five minutes for me to finish downloading and applying all the security updates. :rolleyes:

By the way, after I cleared it off my system, I ran a virus check at TrendMicro's page, and it found a trace of a worm in the recycle bin, I suppose left behind from when I deleted the worm ( strange since I had emptied the recycle bin ), so be sure to run a virus check with the updated virus definitions to make absolute sure all traces of it are off your system.

08 August 2003, 03:38 AM
I've always used ZoneAlarm as a firewall for my computer.

Lately i've noticed a TON of connection attempts to my computer at port 135.
I guess this would explain it.

Anyone else lately notice a lot of connection attempts on port 135?

08 August 2003, 04:26 AM
this virus made me format twice.... :thumbsdow

daddy hate this one.

08 August 2003, 04:39 AM
last week I was in the middle of working on something, and I got one of those damn countdown to restarts. I knew nothing about this mblast.exe, so I immediately assumed it was an asshole friend of mine using a new packet attack on me. As soon as the computer restarted, I ran Windows update and installed everything new. Ive now scanned my computer, and I have no problems and no mblast, but I think that shutdown was probably mblast

08 August 2003, 05:48 AM
MS support:

08 August 2003, 10:15 AM
if you encounter reboots all the time you should do the following,

go to start>run> type "services.msc" scroll down to the RPC service>doubleclick it>go to the "failure" tab and select no action instead of reboot> this will give you some time to work on removing the blast virus

to remove it do the following:
download the ms patch>
disconnect from the web>
bring up your task manager>
end the process called msblast.exe>
delete the file msblast.exe from the following directories
c:\windows\system32\ and c:\windows\prefetch\

now go to start>run>type regedit>
go to localmachine>software>microsoft>windows>currentversion>run>
delete the string with the msblast name in it> close the register>

now go to start>run>type msconfig>
go to the boot settings and deselect msblast.exe>

reboot and install the ms patch


i know you can download things that do it automatically but some ppl prefer to get rid of it themselves, i had the virus sunday night when i couldn't find any tools to do so, i had to remove it this way, and everything works fine now!
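A post-cleanup check for the three places the manual procedure above touches (running process, the two directories, the Run key), as an added example that is not part of the original post. It assumes the Run key text is in the layout printed by `reg query` on current Windows; the sample inputs, the `ExampleTray` entry and the prefetch file name are constructed.

```python
import re

# Indicators named in the thread: the executable and the directories it was found in.
WORM_EXE = "msblast.exe"
WATCHED_DIRS = (r"c:\windows\system32", r"c:\windows\prefetch")

# One value line of `reg query` output: indented name, type, data.
# Value names may contain spaces ("windows auto update"), hence the lazy match.
REG_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

# Constructed sample of a Run key on an infected machine.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    C:\Program Files\Example\tray.exe
    windows auto update    REG_SZ    msblast.exe
"""


def parse_run_key(reg_query_text):
    """Return {value name: data} for every value line; header and blank lines are skipped."""
    values = {}
    for line in reg_query_text.splitlines():
        m = REG_LINE.match(line)
        if m:
            values[m["name"]] = m["data"].strip()
    return values


def leftover_indicators(reg_query_text, process_names, file_paths):
    """List (kind, item) pairs for every trace of the worm that is still present."""
    findings = []
    # Match on the value data, not the value name: the autostart entry matters
    # because of what it launches, whatever it is called.
    for name, data in parse_run_key(reg_query_text).items():
        if WORM_EXE in data.lower():
            findings.append(("run-key", name))
    for proc in process_names:
        if proc.lower() == WORM_EXE:
            findings.append(("process", proc))
    for path in file_paths:
        norm = path.lower().replace("/", "\\")
        directory, _, filename = norm.rpartition("\\")
        # startswith also catches a prefetch entry such as MSBLAST.EXE-<hash>.pf
        if directory in WATCHED_DIRS and filename.startswith(WORM_EXE):
            findings.append(("file", path))
    return findings


if __name__ == "__main__":
    found = leftover_indicators(
        SAMPLE_RUN_KEY,
        ["svchost.exe", "MSBLAST.EXE"],
        [r"C:\WINDOWS\system32\msblast.exe",
         r"C:\WINDOWS\Prefetch\MSBLAST.EXE-00000000.pf",  # constructed name
         r"C:\Temp\notes.txt"],
    )
    for kind, item in found:
        print(f"still present: {kind}: {item}")
```

An empty result only means these traces are gone; as the replies say, an unpatched machine with the ports open can be reinfected.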

08 August 2003, 11:01 AM
unless you patch or block you will get it again....

08 August 2003, 01:34 PM
This virus is the most widespread one I have ever seen:p

08 August 2003, 02:22 PM
woah.. yesterday i read it here, i block my ports

yesterday my mom saw it on the evening news, has it this morning on her work pc... that is 'spreading fast' for ya. somehow it killed her userprofile.. i thought i heard it wouldn't do any damage?

four hours of work to fix everything.. four hours of her not being able to do her photoshop work :thumbsdow

08 August 2003, 03:29 PM

I'm a survivor!

I logged on about 2 hours ago after removing the virus once and I was in the process of posting a new reply here (and downloading the patch from M$) when blow me down, a pop up window telling me that I have 1 minute. Grrr. Back online after rushing out to get the patch on a quicker connection. Here's hoping its gone for good.

This virus is quite the good. Eh?

:thumbsdow :applause:

08 August 2003, 06:08 PM
Here's what I experienced starting in mid-July:

I stay current with my Windows Updates (Win2K SP3), but after installing Hotfix 823980, I started having serious problems with gmax. gmax would, for no apparent reason, suddenly introduce me to my desktop. The very next thing I would do, no matter what it was, would result in a BSOD. At the time, I didn't really relate the two because I use gmax sparingly and a couple weeks had passed since installing the patch. But, after reading about max & gmax file corruption caused by this hotfix, I uninstalled it. gmax ran fine without a hitch afterward, except that I had to use File/Merge to import and re-save all my files I had worked on before un-installing the hotfix. Until M$ or discreet issues a new patch that doesn't screw up my software, I'll rely on my firewall blocking incoming on all pertinent ports (both TCP/IP and UDP), AV software, and the fact that I have DCOM for Internet Services, RPC over HTTP, and RPC over UDP disabled on my machine to guard me from infection.

I usually have 3-5 "Blocked" incoming requests in a 2-3 hour session on my "connected" 'puter. In the 2 hours I was on my machine yesterday evening, my firewall blocked over 70 incoming requests on port 135!!!

08 August 2003, 06:49 PM
I had this worm, too, on my home desktop but I managed to get it cleaned off and my firewall plugged as of late yesterday evening...
The tech support at the software company I work for as visual designer (my day job) sent us the following information:

There is a new Internet Worm on the loose named "W32/Lovsan.worm" and it is spreading rapidly.

If you have a home network firewall, or a software firewall, please block the following ports:

tcp 135 <inbound>

tcp 4444 <outbound>

udp 69 <outbound>

If you are infected with the virus, DO NOT REBOOT! Please view the information below to determine if this is your problem:

This threat exploits the MS03-026 vulnerability. The purpose of the virus is to spread to as many machines as possible. By exploiting an unplugged hole in Windows, the virus is able to execute without requiring any action on the part of the user.

When run, it scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability on the found systems to create a remote shell on TCP port 4444. It then instructs the system to download the worm to the %WinDir%\system32 directory and execute it. (The target system is issued a TFTP command to download the worm from the infected host system [TFTP UDP port 69].)

Once run, the worm creates the registry key (may be either of the following):

Run "windows auto update" = msblast.exe
Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill

As of this morning, our firewall has blocked 100's of attempts of this virus trying to reach our internal networks. Please make the appropriate changes to your home network immediately.
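Detection logic for the sequence the advisory above describes (probe on TCP 135, remote shell on TCP 4444, TFTP fetch on UDP 69), run over firewall log lines; this is an added example, not part of the original post. The log layout, function names, addresses and the 60-second window are assumptions made for the illustration, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a made-up "time action proto src:sport dst:dport" layout.
SAMPLE_LOG = """\
2003-08-08T10:00:01 ALLOW TCP 192.0.2.10:1034 10.0.0.5:135
2003-08-08T10:00:02 ALLOW TCP 192.0.2.10:1035 10.0.0.5:4444
2003-08-08T10:00:04 ALLOW UDP 10.0.0.5:1201 192.0.2.10:69
2003-08-08T10:00:30 BLOCK TCP 192.0.2.77:2001 10.0.0.6:135
2003-08-08T10:01:10 ALLOW TCP 10.0.0.5:1300 198.51.100.1:135
2003-08-08T10:01:11 ALLOW TCP 10.0.0.5:1301 198.51.100.2:135
2003-08-08T10:01:12 ALLOW TCP 10.0.0.5:1302 198.51.100.3:135
2003-08-08T10:02:00 ALLOW TCP 10.0.0.8:1500 203.0.113.9:80
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log lines into event dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]), "action": m["action"],
                "proto": m["proto"], "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]),
            })
    return sorted(events, key=lambda e: e["ts"])


def infection_stages(events, window=timedelta(seconds=60)):
    """Map (source, target) to the furthest stage seen:
    0 = probe on 135/tcp blocked, 1 = probe allowed,
    2 = then source reached target's 4444/tcp, 3 = then target fetched via 69/udp."""
    stage, started = {}, {}
    for e in events:
        fwd, rev = (e["src"], e["dst"]), (e["dst"], e["src"])
        allowed = e["action"] == "ALLOW"
        if e["proto"] == "TCP" and e["dport"] == 135:
            if allowed and stage.get(fwd, 0) < 1:
                stage[fwd], started[fwd] = 1, e["ts"]
            else:
                stage.setdefault(fwd, 0)
        elif not allowed:
            continue  # a blocked packet cannot advance the sequence
        elif e["proto"] == "TCP" and e["dport"] == 4444:
            if stage.get(fwd) == 1 and e["ts"] - started[fwd] <= window:
                stage[fwd] = 2
        elif e["proto"] == "UDP" and e["dport"] == 69:
            # TFTP runs the other way: the target pulls the file from the source.
            if stage.get(rev) == 2 and e["ts"] - started[rev] <= window:
                stage[rev] = 3
    return stage


def scanning_sources(events, threshold=3):
    """Sources that tried 135/tcp on at least `threshold` distinct hosts (likely infected)."""
    targets = defaultdict(set)
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == 135:
            targets[e["src"]].add(e["dst"])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for pair, s in infection_stages(evts).items():
        print(pair, "stage", s)
    print("scanning:", scanning_sources(evts))
```

A pair that reaches stage 3 means the target should be treated as infected; a host in `scanning_sources` is the one to pull off the network first.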


08 August 2003, 07:34 PM
I dont have any sign of the worm, but when I run that Fixblast it just crashes on me, never finishes. I have already installed the MS Patch.

08 August 2003, 07:42 PM
It's very possible that you also have some other virus as well, then. A friend of mine found out that she has one on her home machine that kills any installation of anti-virus software if that software installation attempt was done after the virus infected the machine.


08 August 2003, 07:49 PM
That sucks, but I do have nortons on and running. Hmmmm time to look into a firewall I think.

08 August 2003, 10:05 PM
RAN13- that patch causes problems with discreet max and gmax, go to discreet's support forum, where there is a number to call MS to get another patch....(their phones were busy yesterday) can uninstall the patch, block the ports with a firewall and you will be ok...

08 August 2003, 11:21 PM
Grrh....I've been BLASTED yesterday :annoyed:

But the funniest thing is Blaster contains the following text strings:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!! :cool:

Some more information here ( :)

08 August 2003, 11:29 PM
Originally posted by halo
RAN13- that patch causes problems with discreet max and gmax, go to discreet's support forum, where there is a number to call MS to get another patch....(their phones were busy yesterday) can uninstall the patch, block the ports with a firewall and you will be ok...

Thanks, halo. I learned about the additional "fix for the fix" soon after I posted. As of right now, all seems to be OK. My firewall is turning away an amazing number of incoming requests on port 135! Wow, this little nasty is persistent. :p Between 5:11pm EST and 5:48 EST, my firewall has turned away 7 connection requests on TCP port 135 or UDP port 137 as possible attacks. That's already 3 times as many that I normally see when connected for an entire 24 hour period!

08 August 2003, 11:35 PM

08 August 2003, 11:36 PM
Does anyone know if Microsoft is planning on posting the other patch on their site anytime soon? I use Max at home and can't afford to be without it. I have a firewall set up and run daily virus scans, so hopefully I won't have it at home.

A few people got it at work, but luckily the IT department made us all do a scan and install the patch here in time.

If anyone has that patch from calling Microsoft (how weird) could you please PM me and I'll give you my e-mail address to send it...pretty please?!

Also, maybe someone that has it could post the phone number to call if they have it...

08 August 2003, 11:45 PM
Hey should download this MSBlaster scanner and removal ( from symantec :thumbsup:

08 August 2003, 12:40 AM
the thing about the patch and max is this...

if you work on a machine with the patch from MS's site then it should be ok, however if you transfer your files to a machine without it or without SP4 then your files will appear corrupt.

so make sure whatever you do, that all your machines in your workflow are either all patched or all not

08 August 2003, 12:55 AM
the mods may not like this but i dont see what harm it does seeing as MS are too swamped to even answer emails or phonecalls (btw discreet have this link on their site so i guess its ok)

above links to turkish & english 2000&XP versions of the beta MS hotfix to the patch that resolves the security issue with msblast

ONLY INSTALL IT IF YOU HAVE INSTALLED THE 823980 HOTFIX FROM MS'S SITE....AND THIS IS A BETA (ie dont moan at me...moan at Discreet or MS if it doesnt work or causes a backup 1st if you could lose something valuable)

that should, according to discreet and ms, fix the vulnerability and the conflict between it and max/gmax

08 August 2003, 01:04 AM
Heh, w00t Glad i had my router set up, blocked all ports :)

go teh secuirty, not hit yet, But my school has been raped inside-out :)


08 August 2003, 01:48 AM
Did not know this part about the worm.

08 August 2003, 04:47 AM
yup, that's the pretty interesting part of it, a mass attack against windows update.

It made CNN News Broadcast, and they had to give out Microsoft's web addy :)

Man, People in this industry Eg: Virus / Security, Are either getting fired, or making lots,

Either way, an experience which will not be forgotten by all


08 August 2003, 06:54 AM
Hi everyone :buttrock:, actually I am a network administrator of a University in Montreal. The entire computers of the school got this problem. However, as the others say, you can go to to download the tool to kill the virus ( I did that one by one for about 200 computers) :annoyed: I have done 32 so far :wise:

The virus will generate a connection to a random IP and send the virus to that particular computer, so that's all it does... However, the damage level of this virus is very low as they only shut down your computer, and nothing will happen to your harddisk.

*Note to XP users: When you perform the symantec's tool you must shut off the "system restore", which you can find in "accessories". After performing the tool, put the system restore back to normal.

The worm contains the following text, which is never displayed:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

lol Bill Gates, what you can do? lol

08 August 2003, 07:41 AM
got blasted 2 days ago! thx halo for the link,
so i downloaded the symantec and the ms patch which fixed the prob. :beer:

however, actually, Mr Gates could make a better OS...:annoyed:

08 August 2003, 07:51 AM
"However, the damage level of this virus is very low as they only shut down your computer, and nothing will happen to your harddisk."

Until Saturday, quite possibly.

08 August 2003, 08:39 AM
Originally posted by Nemoid
however, actually, Mr Gates could make a better OS...:annoyed:

stop whining.

08 August 2003, 08:44 AM
i second that bentllama!

08 August 2003, 09:52 AM
I received it 2 days ago. I turned on my pc and it always rebooted itself. I had 1 minute to do something. I always received an error. A windows RPC error. I did a recovery from a few days back and I uninstalled MSN, the error message took longer before it popped up. At that time I didn't know that it was a virus.
It gave me enough time to download a new update virusscanpatch. After that I did a windowsupdate.

Works fine now.

Was a scary experience

08 August 2003, 11:13 AM
however, actually, Mr Gates could make a better OS...

"Only one remote hole in the default install, in more than 7 years!"...openBSD, proving that an OS can do what MS fails to do with every new release

08 August 2003, 01:15 PM
And the world should feel very lucky that this worm doesn't just format the HD or something like that. Imagine how all the huge companies running windows XP/2000 would feel about Microsoft if it was to happen.

Regardless of how much damage THIS virus does, it is the potential damage that is immense.

08 August 2003, 01:36 PM
Today, my small firewall (Proport) blocked 127 unidentified requests from port 135 and 445, ooh man this worm works automatically to scan your network :annoyed:
My modem receive status always blinking :banghead:

08 August 2003, 09:13 PM
i ran msblast fix, then i patched it [i followed all the directions].

now, my brother-in-law's computer seems a bit off. his recycling bin doesn't work. right click, new, shows nothing but shortcut and folder. and his start menu wont show the past programs used. he's running WinXP. is there something i can do, or should i just reinstall?

08 August 2003, 12:53 AM
Bastich finally got through on my machine, so I zapped it. I'm still running 2000 service pack 1, so I can't even run the patch. Boooh. I guess I'll have to update.

08 August 2003, 08:19 PM
The potential damage is horrific. I have had no problems, but hearing all this has gotten me a bit scared. What exactly is the best way of avoiding this other than turning off my PC? Thanks. :beer:

08 August 2003, 08:58 PM
use the patch from ms (and if you use max look for the link to the patch fix) and/or get a good firewall and block the ports

kole-it's likely that your relatives machine is being attacked, failed attacks do weird things to the need to install, just patch or block the ports

08 August 2003, 02:37 AM

i've tried everything and little things are still messed up [he did have the virus for a couple days before i cleaned it]. i just re-installed WinXP instead of wasting more time.
