MSBlaster Question

Guy

Piper/Leonaedas
Ok here's an odd one. I've just built a brand new computer pretty much from scratch - new HD, Memory, CPU, etc. I installed XP on the machine then ran the mobo's drivers and utilities CD to get all those bits up to date.

The machine hadn't yet been connected to either the net or a network.

For no reason at all, the machine suddenly started rebooting and crashing. Turned out that MSBlaster had snuck on. Now how the hell could that possibly have happened, given that the PC is an isolated unit? Do hardware manufacturers test stuff before it ships and could the virus have been resident on one of the new items (hard disk)?

It's fixed now, but just interested to know how it could have got there...
 

Guy

Piper/Leonaedas
A scan of it doesn't show anything's on there - already thought of that...
 

Zeus

Full Member
well, it couldnt be on the HDD - i'd guess you formatted that yourself. could be in the bios maybe? or maybe on the windows install cd?
 

Kelger

Sexy?
Don't think blaster can become resident in bios. Assuming Piper is using original software the disks shouldn't be a problem.

Thought the worm itself didn't cause the resets, just the exploit to take control of your comp via RPC which is used to then place blaster on your comp. But then that shouldn't happen at all if you're not connected to the web.

Best thing to do is make a copy of the security updates then whenever you do a fresh install of windows make sure installing them is the first thing you do before anything else.
 

Zed

Rogue Chimp
Kel is correct. Technically there is no way it should have got onto your machine, however

MSBlast updates the system Registry with the following line so that it will run each time the computer is rebooted.

Hkey_local_machine\software\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! Bill


for information:

MSBlast does not spread via e-mail. Instead, it scans the Internet on port 135 looking for vulnerable computers. When it finds one, it attempts to exploit the DCOM RPC buffer overflow, create a remote root shell on TCP port 4444, then use FTP to download a file called msblast.exe onto the infected computer.
 
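The two indicators in the post above (the Run-key value and the port 135 then port 4444 pattern) turned into a defender's check, as an added example that is not part of the thread. The log line format, the five-minute window and the sample lines are my own constructed assumptions.

```python
import re
from collections import OrderedDict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical firewall-log shape:
# "<ISO time> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2003-08-12T10:00:01 10.0.0.7 -> 192.168.1.20:135 ALLOW
2003-08-12T10:00:02 10.0.0.7 -> 192.168.1.20:4444 ALLOW
2003-08-12T10:05:00 10.0.0.9 -> 192.168.1.21:135 ALLOW
2003-08-12T11:00:00 10.0.0.9 -> 192.168.1.21:4444 ALLOW
"""
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")

def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, port, action = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return events

def find_blaster_like_pairs(events, window=timedelta(minutes=5)):
    """(src, dst) pairs where a hit on 135 is followed within `window` by a
    connection to 4444 on the same host: the RPC exploit, then the shell port."""
    last_135 = {}
    hits = OrderedDict()
    for ts, src, dst, port, _ in sorted(events):
        key = (src, dst)
        if port == 135:
            last_135[key] = ts
        elif port == 4444 and key in last_135 and ts - last_135[key] <= window:
            hits[key] = True
    return list(hits)

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"="msblast.exe"
"""

def find_run_entry(reg_export, value_name="windows auto update"):
    """Return the data of the named value under the Run key in a .reg export, else None."""
    in_run = False
    for line in reg_export.splitlines():
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_run and line.lower().startswith('"%s"' % value_name):
            return line.split("=", 1)[1].strip().strip('"')
    return None
```

The second pair in the sample log is deliberately 55 minutes apart, so only 10.0.0.7 is flagged; on a real export, any unexpected executable under that Run value is worth checking regardless of its name.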

Guy

Piper/Leonaedas
All well and good, but it still relies on your machine being connected to the net...
 