Can someone explain how I got THE virus when I had the RPC patch installed?

David C. Allen

I have a Windows 2000 SP4 server with all of the patches including the RPC
patch and I still got the Blaster virus. The only way I could stop my server
from crashing and rebooting every time I connected to the internet was to
block port 135 at the firewall. On all of the other computers applying the
RPC patch fixed the problem. Any ideas?

Thanks!
 
I understand your frustration, I had the very same thing happen to me. I am
wondering if the intensity of attacks from other hijacked systems attempting
to spread the worm over TCP port 135 might be a factor here. My 2000 SP4
system was having problems all day long where svchost.exe would crash for no
reason, then copy/paste would not work, as well as a variety of other
functions in IE and some MS Office apps.
 
Always use qchain when you apply multiple updates at the same time. Search on Google about qchain.

The biggest problem is that sometimes you can solve one problem and break others when you apply these updates. Sometimes
weeks can pass after the updates and you will not have a clue that this broke your software. It happened to me after I
applied XPsp1 and Win2000sp3...

The best thing is that you should always have a good copy of the system state that you can restore...

Remove the computer from the network

Use CTRL+ALT+DEL and terminate the process tree for msblast.exe

Remove the msblast.exe file from %systemroot%/system32 and the registry RUN "windows update" that contains msblast.exe

Chris
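The registry check from the removal steps above, as an added example that is not part of the original post: it parses a text export of the registry and lists Run-key values whose command names msblast.exe. The function names, the sample export and the use of the standard `...\CurrentVersion\Run` key path are assumptions made for this example.

```python
import re

# Constructed sample of a regedit text export; not taken from the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"windows update"="msblast.exe"
"Helper"=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,\
  78,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"note"="msblast.exe"
'''

RUN_SUFFIX = r"\microsoft\windows\currentversion\run"

def parse_reg_export(text):
    """Yield (key, value_name, data) for REG_SZ and REG_EXPAND_SZ values."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not (key and m):
            continue
        name, raw = re.sub(r"\\(.)", r"\1", m.group(1)), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):      # REG_SZ
            data = re.sub(r"\\(.)", r"\1", raw[1:-1])
        elif raw.startswith("hex(2):"):                     # REG_EXPAND_SZ, UTF-16LE
            blob = bytes.fromhex(raw[7:].replace(",", ""))
            data = blob.decode("utf-16-le", errors="replace").rstrip("\0")
        else:
            continue                                        # other value types are skipped
        yield key, name, data

def find_autoruns(text, exe_name="msblast.exe"):
    """Return Run-key values whose command names exe_name as a whole file name."""
    pat = re.compile(r'(^|[\\/"\s])' + re.escape(exe_name) + r'($|["\s])', re.I)
    return [(k, n, d) for k, n, d in parse_reg_export(text)
            if k.lower().endswith(RUN_SUFFIX) and pat.search(d)]

if __name__ == "__main__":
    for hit in find_autoruns(SAMPLE_EXPORT):
        print(hit)
```

A real version 5.00 export from regedit is a UTF-16 file, so read it with `open(path, encoding="utf-16")` before passing the text in.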



 
OK, I need to clarify what I said. I had applied the patch right after it
came out in July. Also I have done some checking up on the virus and it
appears that I did not get infected. My problem is that some computer
somewhere is trying to infect it over port 135. 20% of the time the virus
sends the win2k version. 80% of the time it passes on the XP version. When a
Win2k OS gets hit with the XP version it causes w2k to flake out and cause
the problems that Sid is having. Applying the patch fixes this because you
cannot be attacked then. But on my server I am having the problem that
about 30 seconds after I connect to the internet (via dial-up) the server
reboots just like I powered it off and back on. No message, nothing. Just
goes dead. I have blocked out port 135 at the firewall and thought I was
good last night but 4 hours later it happened again. I can't figure it out.
I have the patch installed. I have run a virus scan (came back clean) and
have the port blocked so I shouldn't be able to be attacked. Maybe I have a
different problem. Any ideas?

Chris Popescu said:
Always use qchain when you apply multiple updates at the same time. Search on Google about qchain.

The biggest problem is that sometimes you can solve one problem and break others when you apply these updates. Sometimes
weeks can pass after the updates and you will not have a clue that this broke your software. It happened to me after I
applied XPsp1 and Win2000sp3...

The best thing is that you should always have a good copy of the system state that you can restore...

Remove the computer from the network

Use CTRL+ALT+DEL and terminate the process tree for msblast.exe

Remove the msblast.exe file from %systemroot%/system32 and the registry RUN "windows update" that contains msblast.exe
 
I blocked those last night in ZoneAlarm. Four hours later the server
rebooted again? Virus scans are clean.
 