OK first off. You follow these directions at your own risk. I haven't tested these on an infected machine because I don't have one (yet). I'm just putting common commands together that should get rid of the virus. If someone can tell me what account msblast runs under that would be great.

Now, as for removing the virus. I haven't found a solution online that would do it without being logged on as admin, which kind of makes it a pain to kill it. I'm assuming remote registry service has been disabled on most computers that you work with, so I am counting that out as well. Again, I don't have a crash box infected right now that I can try this on. If someone wants to and you're still up, feedback on whether this works would be great.

Windows 2003 Solution
---------------------

Windows 2003 has a bunch of nifty tools out of the box to deal with this mess.

- Assuming that msblast.exe is run under the logged in user's account - It might not be, in fact I'm pretty sure that it is not (running under system or something similar), but if it is - this should remove the virus. Running this as admin (perhaps in a .bat file) should terminate the process no matter what account it is running under.

    [patch filename] /q /z
    taskkill /f /im msbl*
    del %systemroot%\system32\msblast.exe
    shutdown /f /r

Explanation of what the commands do
===================================

    [patch filename] /q /z                  'runs the patch, does not reboot.
    taskkill /f /im msbl*                   'kills all tasks beginning with msbl forcibly.
    del %systemroot%\system32\msblast.exe   'deletes the msblast.exe file.
    shutdown /f /r                          'restarts the system, forcibly.

This will leave the "run" entry in the registry - not the cleanest solution, but one that will do. The virus is stopped and deleted, the computer is restarted. Plain users can't remove the key anyways because of permissions issues, and leaving the entry there won't cause any error messages.
Actually, running the patch twice is redundant, so [patch filename] /q /z is not really necessary, but saves a reboot.

For other OSs it gets more complex. Find your install CDs. I'm not sure about NT4, but this should work for 2k. Maybe XP too, but I'm about to fall asleep, someone else can research that. (I believe XP has taskkill.) Anyways, extract \windowscd\support\tools\support.cab to a folder. Inside that folder we need kill.exe to terminate the process and delete the virus.

    kill -f msbl*
    del %systemroot%\system32\msblast.exe
    echo "restart your computer now!"

    kill -f msbl*                           'kills all processes beginning with msbl
    del %systemroot%\system32\msblast.exe   'deletes the worm
    echo "restart your computer now!"       'gets the user to reboot.

Again, admin priv. required AFAIK. C'est la vie.

I was also thinking about getting msblast.exe into HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, I believe those actions are done by system, so as long as that gets into the registry, no permissions issues should occur.

I'd do more but I'm tired and going to bed.

Night All
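The four steps the post lists (patch, kill, delete, reboot) put together as one batch file with the checks an administrator would want to see before the box restarts: whether the logon is actually admin, whether the process is really gone, whether the file could be deleted, and whether the autostart entry was removed. This is an added example, not the poster's script. It assumes XP/2003 command-line tools (taskkill, tasklist, reg.exe, shutdown), a placeholder name PATCH.EXE for the RPC patch installer sitting next to the script, and a Run value named "windows auto update", which is taken from what is documented about the original Blaster variant rather than from the post; the REG QUERY line is there so you can confirm the name on the machine in front of you.

```batch
@echo off
rem msblast_cleanup.bat -- added example, not from the original post.
rem Runs the post's steps in order with a check after each one.
rem Assumptions (not in the post): the patch installer is PATCH.EXE next to
rem this script (placeholder name), and the worm's Run value is named
rem "windows auto update" (documented for the original Blaster variant;
rem confirm with "reg query" before trusting it).

setlocal
set PATCH=%~dp0PATCH.EXE
set WORM=%systemroot%\system32\msblast.exe
set RUNKEY=HKLM\Software\Microsoft\Windows\CurrentVersion\Run
set RUNVAL=windows auto update

rem 1. Admin check: "net session" is access-denied for non-admin accounts.
net session >nul 2>&1
if errorlevel 1 (
    echo This script needs an administrator logon. Aborting.
    exit /b 1
)

rem 2. Close the RPC hole first so the box is not re-infected while cleaning.
if not exist "%PATCH%" (
    echo WARNING: patch installer not found at "%PATCH%"; continuing without it.
) else (
    "%PATCH%" /q /z
    if errorlevel 1 echo WARNING: patch installer returned a non-zero exit code.
)

rem 3. Kill the process. taskkill ships with XP/2003; Windows 2000 needs
rem    kill.exe from support.cab on the install CD (must be on the PATH).
if exist "%systemroot%\system32\taskkill.exe" (
    taskkill /f /im msbl* >nul 2>&1
) else (
    kill -f msbl* >nul 2>&1
)
tasklist 2>nul | find /i "msblast" >nul
if not errorlevel 1 echo WARNING: an msblast process is still running.

rem 4. Remove the file and confirm it is gone (/f clears the read-only bit).
if exist "%WORM%" del /f /q "%WORM%"
if exist "%WORM%" (
    echo WARNING: could not delete "%WORM%" ^(still locked?^).
) else (
    echo msblast.exe removed or not present.
)

rem 5. Remove the autostart entry the post says it would leave behind.
rem    reg.exe syntax here is the XP/2003 one.
reg query "%RUNKEY%" /v "%RUNVAL%" >nul 2>&1
if not errorlevel 1 (
    reg delete "%RUNKEY%" /v "%RUNVAL%" /f
    echo Run entry "%RUNVAL%" deleted.
) else (
    echo No Run entry named "%RUNVAL%" found. List the key yourself with:
    echo     reg query "%RUNKEY%"
)

rem 6. Reboot with a short delay so the messages above can be read.
shutdown /r /f /t 30 /c "MSBlast cleanup finished; restarting."
endlocal
```

Run it from an administrator command prompt; every WARNING line is a reason not to trust the cleanup until you have looked at the machine again after the reboot.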
This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 03:50:07 PDT