xp shutting down

  • Thread starter: brett
It sounds like you were infected. Here is brief info followed by extensive
details.
From http://www.microsoft.com/security/incident/blast.asp
Prevention
If you are using Windows NT 4.0, Windows 2000, Windows XP, or Windows Server
2003, you should follow these steps to help protect your system:

1. Make sure you have a firewall.
   a. If you have Windows XP or Windows Server 2003, enable the Internet
      Connection Firewall (ICF).
   b. If you have Windows 2000 or Windows NT, visit Windows Catalog for a
      list of Internet firewall software.
2. Get the latest critical updates for the version of Windows that you
   are using and make sure you get the update addressed in Security Bulletin
   MS03-026.
3. Make sure you install and use antivirus software.
   a. If you have antivirus software installed, get the latest virus
      definitions from your antivirus vendor's Web site.
   b. If you do not have antivirus software installed, visit Windows
      Catalog for a list of antivirus software vendors.
What to Do If You Think Your Computer Has Been Infected
If you think your computer has been infected with the Blaster worm, please
contact Microsoft Product Support Services or your antivirus vendor for
assistance removing it.

a. For Microsoft Product Support Services within the United States and
   Canada, call toll-free (866) PCSAFETY (727-2338).
b. For Microsoft Product Support Services outside the United States and
   Canada, visit the Product Support Services Web page.
From a posting by a member of the Security Response Team:

PSS Security Response Team Alert - New Virus: W32.Blaster.worm

SEVERITY: CRITICAL
DATE: August 11, 2003
PRODUCTS AFFECTED: Windows XP, Windows 2000, Windows Server 2003, Windows NT
4.0, NT 4.0 Terminal Services Edition

WHAT IS IT?
The Microsoft Product Support Services Security Team is issuing this alert
to inform customers about a new worm named W32.Blaster.Worm which is
spreading in the wild. This virus is also known as: W32/Lovsan.worm
(McAfee), WORM_MSBLAST.A (Trendmicro), Win32.Posa.Worm (Computer
Associates). Best practices, such as applying security patch MS03-026 should
prevent infection from this worm.

Customers that have previously applied the security patch MS03-026 before
today are protected and no further action is required.

IMPACT OF ATTACK: Spread through open RPC ports. Customer's machine gets
re-booted or msblast.exe exists on customer's system.

TECHNICAL DETAILS: This worm scans a random IP range to look for vulnerable
systems on TCP port 135. The worm attempts to exploit the DCOM RPC
vulnerability patched by MS03-026.

Once the Exploit code is sent to a system, it downloads and executes the
file MSBLAST.EXE from a remote system via TFTP. Once run, the worm creates
the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill

Symptoms of the virus: Some customers may not notice any symptoms at all. A
typical symptom is the system rebooting every few minutes without user
input. Customers may also see:
- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory

To detect this virus, search for msblast.exe in the WINDOWS SYSTEM32
directory or download the latest anti-virus software signature from your
anti-virus vendor and scan your machine.

For additional details on this worm from anti-virus software vendors
participating in the Microsoft Virus Information Alliance (VIA) please visit
the following links:

Network Associates:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547

Trend Micro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A

Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Computer Associates: http://www3.ca.com/virusinfo/virus.aspx?ID=36265

For more information on Microsoft's Virus Information Alliance please visit
this link: http://www.microsoft.com/technet/security/virus/via.asp

Please contact your Antivirus Vendor for additional details on this virus.

PREVENTION: Turn on Internet Connection Firewall (Windows XP or Windows
Server 2003) or use a third party firewall to block TCP ports 135, 139, 445
and 593; also UDP 69 (TFTP) for zombie bits download and TCP 4444 for remote
command shell. To enable the Internet Connection Firewall in Windows:
http://support.microsoft.com/?id=283673

1. In Control Panel, double-click Networking and Internet Connections, and
then click Network Connections.
2. Right-click the connection on which you would like to enable ICF, and
then click Properties.
3. On the Advanced tab, click the box to select the option to Protect my
computer or network.

This worm utilizes a previously-announced vulnerability as part of its
infection method. Because of this, customers must ensure that their
computers are patched for the vulnerability that is identified in Microsoft
Security Bulletin MS03-026.
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp. Install the
patch MS03-026 from Windows Update http://windowsupdate.microsoft.com

As always, please make sure to use the latest Anti-Virus detection from your
Anti-Virus vendor to detect new viruses and their variants.

RECOVERY: Security best practices suggest that a previously compromised
machine be wiped and rebuilt to eliminate any undiscovered exploits that can
lead to a future compromise. See CERT Advisory:
Steps for Recovering from a UNIX or NT System Compromise.
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

For additional information on recovering from this attack please contact
your preferred anti-virus vendor.

RELATED MICROSOFT SECURITY BULLETINS:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

RELATED KB ARTICLES: http://support.microsoft.com/?kbid=826955
This article will be available within 24 hours.

RELATED LINKS: http://www.microsoft.com/security/incident/blast.asp
As always please make sure to use the latest Anti-Virus detection from your
Anti-Virus vendor to detect new viruses and their variants.

If you have any questions regarding this alert please contact your Microsoft
representative or 1-866-727-2338 (1-866-PCSafety) within the US, outside of
the US please contact your local Microsoft Subsidiary. Support for virus
related issues can also be obtained from the Microsoft Virus Support
Newsgroup which can be located by clicking on the following link
news://msnews.microsoft.com/microsoft.public.security.virus.

PSS Security Response Team


--
Regards,

Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities

Get Secure! www.microsoft.com/security


This posting is provided "AS IS" with no warranties, and confers no rights.


--
Thomas O'Grady,
Security Business Unit
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
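
A triage check built from the indicators in the alert quoted above (the Run value, msblast.exe and TFTP* files in system32, and the TCP 4444 / UDP 69 ports), as an added example that is not part of the thread or any Microsoft tool. It assumes the output of `reg query` on the Run key, `dir /b` of system32 and `netstat -an` has been saved as text; the function names and sample captures are constructed for illustration.

```python
import re

# Indicators named in the alert above.
RUN_VALUE = "windows auto update"
WORM_FILE = "msblast.exe"
WATCH_PORTS = {("TCP", 4444): "remote command shell", ("UDP", 69): "TFTP"}

def check_run_key(reg_text):
    """Return (name, data) Run values matching the alert, from `reg query` text."""
    hits = []
    for line in reg_text.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_\w+\s+(.*)$", line)
        if m and (m.group(1).lower() == RUN_VALUE or WORM_FILE in m.group(2).lower()):
            hits.append((m.group(1), m.group(2).strip()))
    return hits

def check_files(dir_text):
    """Flag msblast.exe and TFTP* names; tftp.exe itself is the stock Windows client."""
    names = [n.strip().lower() for n in dir_text.splitlines() if n.strip()]
    return [n for n in names if n == WORM_FILE or (n.startswith("tftp") and n != "tftp.exe")]

def check_listeners(netstat_text):
    """Return (proto, port, purpose) for listeners on the ports the alert names."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        port = int(parts[1].rsplit(":", 1)[1])
        listening = parts[0] == "UDP" or parts[-1] == "LISTENING"
        if listening and (parts[0], port) in WATCH_PORTS:
            hits.append((parts[0], port, WATCH_PORTS[(parts[0], port)]))
    return hits

# Constructed sample captures (not taken from a real machine).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    windows auto update    REG_SZ    msblast.exe
    ExampleTray    REG_SZ    C:\Program Files\Example\tray.exe
"""
SAMPLE_DIR = "notepad.exe\ntftp.exe\nTFTP1234\nmsblast.exe\n"
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135        0.0.0.0:0          LISTENING
  TCP    0.0.0.0:4444       0.0.0.0:0          LISTENING
  TCP    192.168.0.10:1045  192.168.0.20:135   SYN_SENT
  UDP    0.0.0.0:69         *:*
"""

if __name__ == "__main__":
    print(check_run_key(SAMPLE_REG), check_files(SAMPLE_DIR), check_listeners(SAMPLE_NETSTAT))
```

A clean result from these three checks does not replace the MS03-026 patch or an antivirus scan; it only covers the indicators this alert lists.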
 
Brett --

Read and follow the procedures outlined in the following articles:

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

MS03-026: Buffer Overrun in RPC Interface May Allow Code Execution
http://support.microsoft.com/?kbid=823980

MS-MVP Kelly Theriot's Excellent Repair Solution:
http://www.kellys-korner-xp.com/xp_qr.htm#rpc


**** You need to make sure you have a FIREWALL enabled ****

Open XP's "Help and Support" and type: FIREWALL , and hit enter.
Click on the topic titled "Enable or Disable Internet Connection Firewall".

Essential Security Tools for Home Office Users
http://www.microsoft.com/technet/tr...l=/technet/columns/security/5min/5min-105.asp

Last, but not least, consider purchasing and installing a good
internet security package, such as:

Norton Internet Security 2003
http://www.symantec.com/sabu/nis/nis_pe/

-- Includes Norton AntiVirus 2003
-- Includes Norton Personal Firewall
-- Includes prevention of annoying web pop-ups
-- Includes Parental Controls
-- All in one, easy-to-install & manage package
 
"Read and follow the procedures outlined in the following articles:

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

W32.Blaster.Worm Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

MS03-026: Buffer Overrun in RPC Interface May Allow Code Execution
http://support.microsoft.com/?kbid=823980

MS-MVP Kelly Theriot's Excellent Repair Solution:
http://www.kellys-korner-xp.com/xp_qr.htm#rpc


**** You need to make sure you have a FIREWALL enabled ****

Open XP's "Help and Support" and type: FIREWALL , and hit enter.
Click on the topic titled "Enable or Disable Internet Connection
Firewall"." - Taken from Nicholas

--
Elijah

"Hope this helps"


| my pc keeps shutting down what should I do
 