
Blaster update!

Old Aug 13, 2003 | 09:24 AM
  #11  
flipped cracka
BOOM goes the dynamite!
 
Joined: Mar 2003
Posts: 27,571
Likes: 1
From: in a van down by the rive

Originally posted by s1ngle
is Windows 98 vulnerable? also, once we install the patch we are safe, right? even if the bug was already on the machine, it is safe with the patch, right?

sorry, I'm just a little worried
win98 is not vulnerable, otherwise i would be on that list.
Reply
Old Aug 13, 2003 | 10:38 AM
  #12  
sxecrow
Thread Starter
Banned
 
Joined: May 2003
Posts: 4,058
Likes: 0
From: Tampa, FL

It only attacks Win NT based machines. 9x is not included. The block attacks the svchost of a machine, causing it to lock up and crash. It's scheduled to start a denial of service attack against Microsoft's Windowsupdate.com on the 16th. The virus spreads itself; one does not have to do anything to get it - you just do. What it does is send out signals on TCP port 135, 139, 145, and 4444 and sets up a tftp server on a client machine it attaches to.

more info:

- McAfee, Symantec and other antivirus companies have issued alerts and updates. Don't bother with them. Just install the MS patch and remove the file and you are done.
- the scanning algorithm of the worm seems to be weak and pretty inefficient
- removing the file msblast.exe prevents your machine from rebooting, but it can be easily infected again
- the worm seems to fire off several concurrent TCP 135 scan threads
- The worm survives a reboot. So it has to be removed manually
- most people are getting the following error on their windows machines - "Windows must now restart because the remote procedure call RPC service terminated unexpectedly NT Authority System has initiated the shutdown since the RPC service terminated unexpectedly."
- Once it finds a vulnerable system, it will spawn a shell and use it to download the actual worm via tftp
- The name of the binary is msblast.exe

So far it exhibits the following properties:

- Scans sequentially for machines with open port 135, starting at a presumably random IP address
- uses multiple TFTP servers to pull the binary
- adds a registry key to start itself after reboot (reg key: SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update')

Strings of interest:
msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
BILLY
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Reply
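The indicators listed in the post above, turned into an offline triage check. This is an added example, not part of the original thread: the `reg query` output and the byte buffer are constructed samples, the registry hive is an assumption (the post names only the key path), and the function names are hypothetical.

```python
import re
# Indicators quoted in the post above; nothing here comes from outside the thread.
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "windows auto update"
BINARY = "msblast.exe"
STRINGS = [b"msblast.exe", b"I just want to say LOVE YOU SAN!!", b"windowsupdate.com",
           b"tftp -i %s GET %s", b"windows auto update", b"BILLY"]

def parse_reg_query(text):
    """Parse `reg query` text output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line is a key path
            current = keys.setdefault(line.strip(), {})
        elif current is not None:          # indented: name, REG_ type, data
            m = re.match(r"\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$", line)
            if m:
                current[m.group(1)] = m.group(3)
    return keys

def run_key_findings(reg_text):
    """Return (key, name, data) for Run entries matching the post's indicators."""
    findings = []
    for key, values in parse_reg_query(reg_text).items():
        if not key.lower().endswith(RUN_KEY.lower()):
            continue                       # only the autostart key is of interest
        for name, data in values.items():
            if name.lower() == RUN_VALUE or BINARY in data.lower():
                findings.append((key, name, data))
    return findings

def string_hits(blob):
    """Return which of the post's strings occur in a file's bytes."""
    return [s.decode() for s in STRINGS if s in blob]

# Constructed sample input (hive name and the first entry are assumptions).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SynTPEnh    REG_SZ    C:\Program Files\Synaptics\SynTPEnh.exe
    windows auto update    REG_SZ    msblast.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
"""
SAMPLE_BLOB = b"\x00\x01start %s\x00tftp -i %s GET %s\x00BILLY\x00windows auto update\x00"

if __name__ == "__main__":
    print(run_key_findings(SAMPLE_REG), string_hits(SAMPLE_BLOB))
```

A hit on the Run entry alone is the stronger signal; several of the strings (for example `windowsupdate.com`) also occur in benign files, so string hits are best read together.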
Old Aug 13, 2003 | 11:27 AM
  #13  
spanky
I go duffy on dem bitches
 
Joined: Mar 2001
Posts: 28,248
Likes: 0
From: Gonzales, Louisiana

can we just make one ****ing thread and sticky that shit instead of having more of them?!
Reply
Old Aug 13, 2003 | 11:29 AM
  #14  
spanky
I go duffy on dem bitches
 
Joined: Mar 2001
Posts: 28,248
Likes: 0
From: Gonzales, Louisiana

you should run the remover from Symantec BEFORE you run the patch.

http://www.jcspctech.com/fixblast.exe
Reply
Old Aug 13, 2003 | 11:43 AM
  #15  
clickwir
Floppy Death! noES!!!
 
Joined: Oct 2002
Posts: 21,218
Likes: 0
From: Scranton, PA

Originally posted by spankaveli
can we just make one ****ing thread and sticky that shit instead of having more of them?!
Agreed.

PEOPLE NEED TO READ!

Not trying to be mean, but asking if 98 is affected by this is just ignorant. It was covered, asking that question is just proof you didn't read the first bit of info, why should someone respond with more info that you might not read.

Again, that's for anyone that asks a question that is already covered.
Reply
Old Aug 13, 2003 | 12:04 PM
  #16  
s1ngle
clutch slipping boost
 
Joined: Jun 2003
Posts: 1,696
Likes: 0
From: Minneapolis MN, Golden CO

go F yourself
Reply
Old Aug 13, 2003 | 02:53 PM
  #17  
sxecrow
Thread Starter
Banned
 
Joined: May 2003
Posts: 4,058
Likes: 0
From: Tampa, FL

Yes, I hate answering the same questions over and over again; however, for something like this, I will put up with people's ignorance to do my part.
Reply
Old Aug 13, 2003 | 02:55 PM
  #19  
clickwir
Floppy Death! noES!!!
 
Joined: Oct 2002
Posts: 21,218
Likes: 0
From: Scranton, PA

Originally posted by s1ngle
go F yourself
I sure hope you aren't referring to me.
Reply
Old Aug 13, 2003 | 02:58 PM
  #20  
sxecrow
Thread Starter
Banned
 
Joined: May 2003
Posts: 4,058
Likes: 0
From: Tampa, FL

Originally posted by clickwir
I sure hope you aren't referring to me.
the force is strong in that one </vader>
Reply



All times are GMT -8.