
Author Topic: This is important - MAJOR Worm Warning  (Read 9533 times)


railz

This is important - MAJOR Worm Warning
« on: August 12, 2003, 10:52:00 am »
I know this isn't the forum for it, but this seems to get the most views so I had to put this up. I got infected by this worm within 20 seconds of booting up both machines (Desktop running XP Pro and laptop running XP home) - it's VERY nasty and almost caused me to reinstall before I figured out what was happening:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

Turn off auto system restore, install this patch, then go to:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Download the fix utility from this page and run it. Reboot, run it again then when it gives the all clear, turn on system restore again.


CCM

Re:This is important - MAJOR Worm Warning
« Reply #1 on: August 12, 2003, 11:04:40 am »
I spent an hour and a half at my friend's house last night getting rid of that damn worm!  He just got his computer last week, and just got his internet access last Friday.

I kept getting the NT Authority\system reboot in 1 minute message as soon as I would start to do anything!  So it took forever, it must have rebooted 15 times on me.  

My friend wasn't running any firewall software, but he did have McAfee that came with his computer (great job it did, I hate McAfee!).  What I ended up doing was installing zone alarm, then installed the patch from Microsoft, then I got rid of that piece of crap McAfee and installed Norton.  Then I followed symantec's instructions to get rid of the virus...

railz

Re:This is important - MAJOR Worm Warning
« Reply #2 on: August 12, 2003, 11:18:21 am »
To fix that, boot up without a connection to the net. Go to Control Panel -> Admin Tools -> Services and locate the RPC service - right click on it, select "properties" and on the "restore" tab, select "Do nothing" for all choices.

Reboot, connect and you can download the patch.

Raleigh

Re:This is important - MAJOR Worm Warning
« Reply #3 on: August 12, 2003, 11:28:36 am »
Great post, hopefully people will read this and will know what to do when/if this happens, or better yet apply the patch to prevent this from happening.

Last night that started happening to me and I was like WTF ???
It took about 20 minutes and several shutdowns/restarts but I figured it out and applied the patch.

« Last Edit: August 12, 2003, 11:29:01 am by Raleigh »

railz

Re:This is important - MAJOR Worm Warning
« Reply #4 on: August 12, 2003, 11:43:34 am »
Even if you've applied the patch, check to see if you have been infected. Normally you can see this by either:

Press ctrl+alt+del - go to "processes" and look for msblast.exe
Go to start -> run -> msconfig [enter] - go to the startup tab and look for "msblast" to be run at startup from the registry

In other words, if you've installed the patch before, double check to make sure you've not been infected. Part of the worm tricks Windows Update into thinking it's already been applied.

The public service announcement brought to you by a classic arcade nut who can't afford a cab yet :)

TheTick

Re:This is important - MAJOR Worm Warning
« Reply #5 on: August 12, 2003, 12:03:18 pm »
Almost everyone at work got infected this morning... as the auto updates were applied to our virus scanners. Just a minute too late I suppose.

Of course last night at 9pm, our deployment team was bugging me saying the terminal server was having trouble.  ::) Guess we know the cause.
Mucal invader, is there no end to your oozing?!

Bill_S

Re:This is important - MAJOR Worm Warning
« Reply #6 on: August 12, 2003, 12:14:29 pm »
My brother just called me last night with this problem.

Thanks for the heads up, now I'll know how to fix it!

tmasman

Re:This is important - MAJOR Worm Warning
« Reply #7 on: August 12, 2003, 02:10:04 pm »
yup...
My network @ work was attacked today... All 45 machines needed the patch & remover. My MIS manager still hasn't set us up with an automated installation method, so I was stuck doing it 1 PC at a time... WHAT A PAIN!!!

I have to say I am embarrassed that my network was hit and affected this badly by a virus though. This ought to be the kick in the @$$ my MIS manager needs to set up some automated software distribution stuff. ;)

Ug...
I'm not a freak!...
Oh wait...
Yes I am...

Jakobud

Re:This is important - MAJOR Worm Warning
« Reply #8 on: August 12, 2003, 02:28:58 pm »
Geez I don't understand how everyone is getting infected so easily with this sort of stuff.  How does it spread?  You aren't opening email attachments from random people are you?  You aren't using Outlook or Outlook Express are you??

CCM

Re:This is important - MAJOR Worm Warning
« Reply #9 on: August 12, 2003, 02:34:42 pm »
Geez I don't understand how everyone is getting infected so easily with this sort of stuff.  How does it spread?  You aren't opening email attachments from random people are you?  You aren't using Outlook or Outlook Express are you??

this is from symantec's site:

When W32.Blaster.Worm is executed, it does the following:

1. Creates a Mutex named "BILLY." If the mutex exists, the worm will exit.

2. Adds the value:

   "windows auto update"="msblast.exe"

   to the registry key:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

   so that the worm runs when you start Windows.

3. Calculates a random IP address, A.B.C.0, where A, B, and C are random values between 0 and 255.

   NOTE: 40% of the time, if C > 20, a random value less than 20 will be subtracted from C.

4. Once the IP address is calculated, the worm will attempt to find and exploit a computer on the local subnet, based on A.B.C.0. The worm will then count up from 0, attempting to find and exploit other computers, based on the new IP.

5. Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability.

   NOTES:
   • This means the local subnet will become saturated with port 135 requests.
   • Due to the random nature of how the worm constructs the exploit data, this may cause computers to crash if it sends incorrect data.
   • While W32.Blaster.Worm cannot spread to Windows NT or Windows 2003 Server, unpatched computers running these operating systems may crash as the result of attempts by the worm to exploit them. However, if the worm is manually placed and executed on a computer that is running these operating systems, it can run and spread.

6. Creates a hidden Cmd.exe remote shell that will listen on TCP port 4444, allowing an attacker to issue remote commands on the infected system.

7. Listens on UDP port 69. When the worm receives a request from a computer it was able to connect to using the DCOM RPC exploit, it will send that computer Msblast.exe and tell it to execute the worm.

8. If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on Windows Update. The worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.

9. The worm contains the following text, which is never displayed:

   I just want to say LOVE YOU SAN!!
   billy gates why do you make this possible ? Stop making money and fix your software!!

SirPoonga

Re:This is important - MAJOR Worm Warning
« Reply #10 on: August 12, 2003, 02:49:09 pm »
billy gates why do you make this possible ? Stop making money and fix your software!!
He has.  To quote yourself in which you were quoting Symantec:
"While W32.Blaster.Worm cannot spread to Windows NT or Windows 2003 Server"
« Last Edit: August 12, 2003, 02:49:50 pm by SirPoonga »

SirPoonga

Re:This is important - MAJOR Worm Warning
« Reply #11 on: August 12, 2003, 02:53:18 pm »
Geez I don't understand how everyone is getting infected so easily with this sort of stuff.  How does it spread?  You aren't opening email attachments from random people are you?  You aren't using Outlook or Outlook Express are you??

1) Though not opening random emails and not using Outlook will prevent a lot of worms, it doesn't prevent all of them.  That's not the only means of transportation of worms.

2) Not all people have the luxury of NOT running Outlook.  Note how many of the responses are "this happened at my work".

DeathMonk

Re:This is important - MAJOR Worm Warning
« Reply #12 on: August 12, 2003, 02:54:11 pm »
yup...
My network @ work was attacked today... All 45 machines needed the patch & remover. My MIS manager still hasn't set us up with an automated installation method, so I was stuck doing it 1 PC at a time... WHAT A PAIN!!!

I have to say I am embarrassed that my network was hit and affected this badly by a virus though. This ought to be the kick in the @$$ my MIS manager needs to set up some automated software distribution stuff. ;)

Ug...

From one network admin to another:  Tell your guy he's an idiot.


Now with cup beer holders!

CCM

Re:This is important - MAJOR Worm Warning
« Reply #13 on: August 12, 2003, 02:55:45 pm »
billy gates why do you make this possible ? Stop making money and fix your software!!
He has.  To quote yourself in which you were quoting Symantec:
"While W32.Blaster.Worm cannot spread to Windows NT or Windows 2003 Server"


the quote about billy gates is actually in the worm.. that wasn't my comment...

SirPoonga

Re:This is important - MAJOR Worm Warning
« Reply #14 on: August 12, 2003, 03:00:21 pm »
billy gates why do you make this possible ? Stop making money and fix your software!!
He has.  To quote yourself in which you were quoting Symantec:
"While W32.Blaster.Worm cannot spread to Windows NT or Windows 2003 Server"


the quote about billy gates is actually in the worm.. that wasn't my comment...

sorry, my bad, I worded that incorrectly. I meant the worm writer, even though symantec report came after the worm was released.  I just like how people put M$ down for their bugs which you can exploit but they do get fixed eventually.  Windows isn't the only system like that, just the most popular out there so it's the prime target.

Minwah

Re:This is important - MAJOR Worm Warning
« Reply #15 on: August 12, 2003, 03:02:15 pm »
3 of my colleagues at work got this last night, and 2 more today.  I spent all day trying to fix it (it wasn't detected by Norton).

I thought just deleting c:\windows\system32\msblast.exe was sufficient enough (seems to be no problem now), but maybe I need to go through those steps more carefully tomorrow...

Dave_K.

Re:This is important - MAJOR Worm Warning
« Reply #16 on: August 12, 2003, 03:04:40 pm »
2) Not all people have the luxury of NOT running Outlook.  Note how many of the responses are "this happened at my work".
Wow, who would have guessed running Lotus Notes as your main work email client was a good thing!   ;D

SirPoonga

Re:This is important - MAJOR Worm Warning
« Reply #17 on: August 12, 2003, 03:05:31 pm »
2) Not all people have the luxury of NOT running Outlook.  Note how many of the responses are "this happened at my work".
Wow, who would have guessed running Lotus Notes as your main work email client was a good thing!   ;D

Oh god, I feel sorry for you!

CCM

Re:This is important - MAJOR Worm Warning
« Reply #18 on: August 12, 2003, 03:08:28 pm »
billy gates why do you make this possible ? Stop making money and fix your software!!
He has.  To quote yourself in which you were quoting Symantec:
"While W32.Blaster.Worm cannot spread to Windows NT or Windows 2003 Server"


the quote about billy gates is actually in the worm.. that wasn't my comment...

sorry, my bad, I worded that incorrectly. I meant the worm writer, even though symantec report came after the worm was released.  I just like how people put M$ down for their bugs which you can exploit but they do get fixed eventually.  Windows isn't the only system like that, just the most popular out there so it's the prime target.

no problem, I just read it wrong...  anyway, you're right, just about all software has some kind of bugs and eventually needs patched and updated...
« Last Edit: August 12, 2003, 03:08:59 pm by CCM »

Howard_Casto

Re:This is important - MAJOR Worm Warning
« Reply #19 on: August 12, 2003, 03:11:40 pm »
For the record, the fact that windows is exploited so much is a compliment to how popular it is, not to how unsecure it is.  All oses even the "secure" ones have similar security holes.  It's just that nobody uses those oses because they suck, including hackers, and thus they don't get as many worms, viri, etc. programmed for them.

jakejake28

Re:This is important - MAJOR Worm Warning
« Reply #20 on: August 12, 2003, 03:17:18 pm »
For the record, the fact that windows is exploited so much is a compliment to how popular it is, not to how unsecure it is.  All oses even the "secure" ones have similar security holes.  It's just that nobody uses those oses because they suck, including hackers, and thus they don't get as many worms, viri, etc. programmed for them.

I agree and disagree with you... windows is exploited because of its popularity, not because it is an unsecure system. if nobody ran windows, people wouldn't do this. but I don't think that other os'es "suck", I run linux at my job, and it is fine for the purpose.
It's all about the Pentiums

bionicbadger

Re:This is important - MAJOR Worm Warning
« Reply #21 on: August 12, 2003, 03:39:02 pm »
If you run a Microsoft OS and your computer is connected to the net, you have to keep up to date on security patches.  The patch for this has been out for WEEKS.  If you haven't updated, then you have only yourself to blame.

If you have some kind of high speed connection, you should also have a hardware firewall, they are so cheap now that there isn't an excuse not to have one.  (And if you do get or have one, get it updated with the latest firmware patches and change the default password).

People whine and complain about getting hit with a virus or worm, but for some reason most of the problems mysteriously happen to stupid or lazy users who don't bother to get patches, don't use and update a virus scanner and/or firewall, or open e-mails and attachments from unexpected e-mails.

jerryjanis

Re:This is important - MAJOR Worm Warning
« Reply #22 on: August 12, 2003, 03:40:22 pm »
This worm could have been a lot more destructive...  It's actually kind of a good thing because it will force Microsoft to repair a potentially devastating bug, and also to encourage people to protect themselves behind firewalls.   (Hmmm, I think I should probably use a firewall).

Ha ha...  Moments after I fixed the worm, I got this popup on my computer:



Another little reminder that a firewall is a good idea.

Can anybody recommend any good firewall software?  I'm running Windows XP Pro...
« Last Edit: September 27, 2006, 12:34:52 am by jerryjanis »

CCM

Re:This is important - MAJOR Worm Warning
« Reply #23 on: August 12, 2003, 03:53:30 pm »

Can anybody recommend any good firewall software?  I'm running Windows XP Pro...


zone alarm works great and it's free...

http://www.zonelabs.com/store/content/home.jsp

DeathMonk

Re:This is important - MAJOR Worm Warning
« Reply #24 on: August 12, 2003, 05:17:10 pm »
I heard zonealarm tracks your activity and sends all the info back to their servers..  So don't be downloading anything illegal, say, mame roms. ;)

About the popuppadlock.com "popup" (irony anyone?) that is just adware.  download adaware and scan your system.


Now with cup beer holders!

SNAAAKE

Re:This is important - MAJOR Worm Warning
« Reply #25 on: August 12, 2003, 05:35:51 pm »





GRRR ! !  >:(
I got one that looked similar in black dos box.
Also asked to click yes or no(can't remember).
This is some kind of virus ? ??  ???

tmasman

Re:This is important - MAJOR Worm Warning
« Reply #26 on: August 12, 2003, 05:48:57 pm »
Those "Messenger Service" pop-ups are actually an exploit to use Windows Messenger service. It's not a "virus" per se, but it is another MS Exploit. Don't worry, It won't hurt you, it's just another annoying way for spammers to pop-up info in front of you.  If you want to make them go away for good disable your Windows Messenger service.
I'm not a freak!...
Oh wait...
Yes I am...

railz

Re:This is important - MAJOR Worm Warning
« Reply #27 on: August 12, 2003, 07:44:50 pm »
Geez I don't understand how everyone is getting infected so easily with this sort of stuff.  How does it spread?  You aren't opening email attachments from random people are you?  You aren't using Outlook or Outlook Express are you??

This worm doesn't require the end-user/victim to do anything, except have a computer connected to the net that has not had the patch applied and is running various versions of OS that use the NT kernel.

It uses a known bug that was discovered in July that allows a hacker to overflow the RPC service with a packet and allows them to run a TFTP command and execute the code it finds. (In other words, your computer instantly downloads and runs the worm if you want to or not without you doing anything).

SirPoonga

Re:This is important - MAJOR Worm Warning
« Reply #28 on: August 12, 2003, 08:08:09 pm »
As said before, windows isn't the only OS with issues like this.  Unix went through this before.  In unix there is something also called RPC.  It's similar to Windows RPC but not quite the same.

DZuroff

Re:This is important - MAJOR Worm Warning
« Reply #29 on: August 13, 2003, 12:02:31 am »
According to Symantec this worm is distributed through ports TCP 135, TCP 4444, and UDP 69.  I have a good firewall at work so none of my servers were infected.  It was kinda funny though because for now I am on a dialup connection on my home PC and I use Norton Anti-Virus 2003.  The virus infected my PC while norton Anti-Virus was in the process of downloading the 8/11/2003 definition file update.  Even though Windows XP has been VERY stable for me for the past 1.5 years, when the reboot timer popped up the second time I was quick to blame the instability of Windows.  <Grin>  I did find that if you get infected, once you end the "MSBLAST.EXE" process your system won't crash giving you the time you need to apply the patch and do a full virus scan.  Don't forget to remove the registry entry as well!  Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"windows auto update"="msblast.exe"
« Last Edit: August 13, 2003, 12:03:10 am by DZuroff »
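Added example, not part of any post in this thread: a Python triage script that checks saved command output for the indicators named in the posts above (the "windows auto update" Run value, the msblast.exe process, the TCP 4444 and UDP 69 listeners, and the port 135 fan-out). It assumes text captured from `reg query`, `tasklist` and `netstat -ano`; the sample text, function names and fan-out threshold are constructed for illustration.

```python
import re

# Indicators as given in the Symantec description quoted in this thread.
WORM_IMAGE = "msblast.exe"
RUN_VALUE = "windows auto update"
WORM_LISTENERS = {("TCP", 4444): "remote cmd.exe shell",
                  ("UDP", 69): "TFTP service that hands out msblast.exe"}
RPC_PORT = 135
FANOUT_THRESHOLD = 10  # assumption: distinct peers on 135 before it counts as scanning

# "    <value name>  REG_SZ  <data>" (value names may contain spaces)
REG_LINE = re.compile(r"^\s+(?P<name>.+?)\s+REG_[A-Z_]+\s*(?P<data>.*)$")
# "<image name>  <pid>  <session name>  <session#>  <mem> K"
TASK_LINE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def run_key_hits(reg_text):
    """Run-key values that carry the worm's value name or start its image."""
    hits = []
    for line in reg_text.splitlines():
        m = REG_LINE.match(line)
        if m and (m["name"].strip().lower() == RUN_VALUE
                  or WORM_IMAGE in m["data"].lower()):
            hits.append((m["name"].strip(), m["data"].strip()))
    return hits


def worm_pids(tasklist_text):
    """PIDs of running msblast.exe processes."""
    pids = set()
    for line in tasklist_text.splitlines():
        m = TASK_LINE.match(line)
        if m and m["image"].strip().lower() == WORM_IMAGE:
            pids.add(int(m["pid"]))
    return pids


def netstat_rows(netstat_text):
    """Yield (proto, local_port, remote_addr, remote_port, state, pid)."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP") or not f[-1].isdigit():
            continue  # header, blank line, or output captured without -o
        state = f[3] if f[0] == "TCP" else ""  # UDP rows have no state column
        raddr, rport = f[2].rsplit(":", 1)
        yield f[0], int(f[1].rsplit(":", 1)[1]), raddr, rport, state, int(f[-1])


def triage(reg_text, tasklist_text, netstat_text):
    """Return (indicator, detail) findings; an empty list means none matched."""
    findings = [("run-key", f"{n} = {d}") for n, d in run_key_hits(reg_text)]
    findings += [("process", f"{WORM_IMAGE} pid {p}")
                 for p in sorted(worm_pids(tasklist_text))]
    peers = set()
    for proto, lport, raddr, rport, state, pid in netstat_rows(netstat_text):
        listening = proto == "UDP" or state == "LISTENING"
        if listening and (proto, lport) in WORM_LISTENERS:
            what = WORM_LISTENERS[(proto, lport)]
            findings.append(("listener", f"{proto}/{lport} pid {pid}: {what}"))
        elif proto == "TCP" and rport == str(RPC_PORT) and not listening:
            peers.add(raddr)  # outbound attempt to someone else's RPC port
    if len(peers) >= FANOUT_THRESHOLD:
        findings.append(("scan", f"{len(peers)} distinct peers on TCP/{RPC_PORT}"))
    return findings


# Constructed sample output (not captured from a real machine).
SAMPLE_REG = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    NvCplDaemon\tREG_SZ\tRUNDLL32.EXE NvCpl.dll,NvStartup\n"
    "    windows auto update\tREG_SZ\tmsblast.exe\n")
SAMPLE_TASKLIST = (
    "Image Name                   PID Session Name     Session#    Mem Usage\n"
    "========================= ====== ================ ======== ============\n"
    "System Idle Process            0 Console                 0         16 K\n"
    "svchost.exe                  884 Console                 0      3,880 K\n"
    "msblast.exe                 1724 Console                 0      4,312 K\n")
SAMPLE_NETSTAT = "\n".join(
    ["  Proto  Local Address      Foreign Address     State        PID",
     "  TCP    0.0.0.0:135        0.0.0.0:0           LISTENING    884",
     "  TCP    0.0.0.0:4444       0.0.0.0:0           LISTENING    1724",
     "  UDP    0.0.0.0:69         *:*                              1724"]
    + [f"  TCP    192.0.2.10:{3000 + i}    198.51.100.{i}:135    SYN_SENT     1724"
       for i in range(12)])

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_REG, SAMPLE_TASKLIST, SAMPLE_NETSTAT):
        print(f"{kind:9} {detail}")
```

The Run-key check is independent of the process check, so a machine where only the msblast.exe file was deleted still reports the leftover registry value.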

CCM

Re:This is important - MAJOR Worm Warning
« Reply #30 on: August 13, 2003, 09:59:43 am »
Norton released a removal tool for this worm... It deletes the msblast.exe file and also fixes the registry...  

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

soslo

Re:This is important - MAJOR Worm Warning
« Reply #31 on: August 13, 2003, 12:56:32 pm »
Can anyone else open the registry using regedit post-worm removal? How about msconfig? Mine will pop open for about one second and then shut down...odd.

BTW, just disable the messenger service and you won't get those 'pop-ups'
5 MAME cabs and counting...

Ever wonder what full side art looks like?
http://www.aaronmurray.com

teef two

Re:This is important - MAJOR Worm Warning
« Reply #32 on: August 13, 2003, 01:32:59 pm »
Makes you glad to still be running Win 98SE doesn't it  ;)

ErikRuud

Re:This is important - MAJOR Worm Warning
« Reply #33 on: August 13, 2003, 01:43:44 pm »
AdAware is good, but Spybot search & Destroy has some additional features that I really like.  I use them both, but Spybot can "Immunise" your system against many types of exploits.
Real Life.  Still a poor substitute for video games!       
American Laser Games Wrapper
O2em Rom Utility

Bill_S

Re:This is important - MAJOR Worm Warning
« Reply #34 on: August 13, 2003, 03:25:32 pm »
2) Not all people have the luxury of NOT running Outlook.  Note how many of the responses are "this happened at my work".
Wow, who would have guessed running Lotus Notes as your main work email client was a good thing!   ;D

Here I thought I was the only one stuck with this at work ;)

anthony691

Re:This is important - MAJOR Worm Warning
« Reply #35 on: August 14, 2003, 10:32:33 am »
For the record, the fact that windows is exploited so much is a compliment to how popular it is, not to how unsecure it is.  All oses even the "secure" ones have similar security holes.  It's just that nobody uses those oses because they suck, including hackers, and thus they don't get as many worms, viri, etc. programmed for them.

But HC; I would assume about 75% of Linux users know how to code as opposed to probably 5% of Windows users. I think that there is a brotherhood of Linux. You can't even compare the two. And saying Linux sucks is very ignorant! Where would we be without Apache? And where will you be in M$'s world of the future (longhorn et cetera) with Palladium and DRM up the wazoo?

Just sayin...
Visit my MAME lightgun site:
http://www.lightgun.tk

MrBond

Re:This is important - MAJOR Worm Warning
« Reply #36 on: August 14, 2003, 12:34:33 pm »
Can anyone else open the registry using regedit post-worm removal? How about msconfig? Mine will pop open for about one second and then shut down...odd.

BTW, just disable the messenger service and you won't get those 'pop-ups'

I don't know if this is what you have, but it sounds just like it:  I just got/removed a virus that is called W32/Spybot-B.  It does exactly what you have stated.  It won't allow you to use:
regedit.exe
msconfig.exe
taskmgr.exe
netstat.exe
It also records every keystroke you have made since the time the worm infects your computer, and then sends it via IRC protocol.  You can't end the task (which is TESTING.EXE) in your taskmgr (ctrl-alt-del).  You must download a third party task manager, such as Process Explorer from SysInternals which can be downloaded freely from this site: http://www.sysinternals.com/ntw2k/freeware/procexp.shtml (at the bottom)

Hope this helps  :D
...they only live twice!...
(>")>----MAME----<("<)

AlanS17

Re:This is important - MAJOR Worm Warning
« Reply #37 on: August 14, 2003, 12:47:01 pm »
My mom's PC got it and so did my brother's. None of the computers at work got it, but we have a pretty good firewall. Got new virus definitions, but I don't know if that's enough. Gonna be working those updates, too. It's just really hard to connect to MS servers right now. They're overloaded with traffic!


soslo

Re:This is important - MAJOR Worm Warning
« Reply #38 on: August 14, 2003, 12:47:52 pm »
MrBond - you are the man! Thanks! That is exactly what I needed!
5 MAME cabs and counting...

Ever wonder what full side art looks like?
http://www.aaronmurray.com

ThePaul

Re:This is important - MAJOR Worm Warning
« Reply #39 on: August 14, 2003, 12:52:31 pm »
Brotherhood of Linux, Linux is better, blahh blahh blahh .... Same old same old ... If you are an elitist and want a system to do what you want it to do (or be able to change it to do what you want it to do) while not caring about any software that the real world operates on then *nix is for you.

But in the real world, open source and anti MS sentiment does not make any sense (or cents). While we are in the habit of pulling stats out of thin air ... allow me.. I "venture to guess" that .005% of office secretaries use *nix and .005% of executives use *nix based systems as their work station pc.

You can parade your penguin and protest MS every day all you want, but it will not change the fact that Windows and MS Products are what real world business is built on.

As for how many people "know how to code" ... who cares? The vast majority of software is written for productivity related environments. Now.. being a "coder" .. doesn't it make sense to develop for the "vast majority" ? Maybe not if you don't care about making money... but again my post is based on the real world where making money is the purpose for everything.

Every time there is a new worm/virus that affects MS products the *nix and Mac crowd come out of the woodwork to flame the rest of us. Of course if the user base for *nix or Mac was higher we all know that there would be viruses/worms that affected them. Let's be honest though, the reason there are no worms affecting Linux or Macs today is the same reason there are no retail software titles for these OS either.

So be the black sheep (penguin) if you want to be. But don't think you are better because you are different.


For the record, the fact that windows is exploited so much is a compliment to how popular it is, not to how unsecure it is.  All oses even the "secure" ones have similar security holes.  It's just that nobody uses those oses because they suck, including hackers, and thus they don't get as many worms, viri, etc. programmed for them.

But HC; I would assume about 75% of Linux users know how to code as opposed to probably 5% of Windows users. I think that there is a brotherhood of Linux. You can't even compare the two. And saying Linux sucks is very ignorant! Where would we be without Apache? And where will you be in M$'s world of the future (longhorn et cetera) with Palladium and DRM up the wazoo?

Just sayin...

AlanS17

Re:This is important - MAJOR Worm Warning
« Reply #40 on: August 14, 2003, 01:00:35 pm »
I'm not picking sides, but I will say this:

Viruses are written for MS products cuz they will cause optimum damage. Viruses are not written for Linux products because even if it devastated Linux workstations most of the world wouldn't notice or care.

I would also venture to guess that the same people that use Linux workstations are also more likely to have other countermeasures (such as hardware firewalls) in place. This makes them a less appropriate target.


anthony691

Re:This is important - MAJOR Worm Warning
« Reply #41 on: August 14, 2003, 04:17:27 pm »
Brotherhood of Linux, Linux is better, blahh blahh blahh .... Same old same old ... If you are an elitist and want a system to do what you want it to do (or be able to change it to do what you want it to do) while not caring about any software that the real world operates on then *nix is for you.

But in the real world, open source and anti MS sentiment does not make any sense (or cents). While we are in the habit of pulling stats out of thin air ... allow me.. I "venture to guess" that .005% of office secretaries use *nix and .005% of executives use *nix based systems as their work station pc.

You can parade your penguin and protest MS every day all you want, but it will not change the fact that Windows and MS Products are what real world business is built on.

As for how many people "know how to code" ... who cares? The vast majority of software is written for productivity related environments. Now.. being a "coder" .. doesn't it make sense to develop for the "vast majority" ? Maybe not if you don't care about making money... but again my post is based on the real world where making money is the purpose for everything.

Every time there is a new worm/virus that affects MS products the *nix and Mac crowd come out of the woodwork to flame the rest of us. Of course if the user base for *nix or Mac was higher we all know that there would be viruses/worms that affected them. Let's be honest though, the reason there are no worms affecting Linux or Macs today is the same reason there are no retail software titles for these OS either.

So be the black sheep (penguin) if you want to be. But don't think you are better because you are different.


For the record, the fact that windows is exploited so much is a compliment to how popular it is, not to how unsecure it is.  All oses even the "secure" ones have similar security holes.  It's just that nobody uses those oses because they suck, including hackers, and thus they don't get as many worms, viri, etc. programmed for them.

But HC; I would assume about 75% of Linux users know how to code as opposed to probably 5% of Windows users. I think that there is a brotherhood of Linux. You can't even compare the two. And saying Linux sucks is very ignorant! Where would we be without Apache? And where will you be in M$'s world of the future (longhorn et cetera) with Palladium and DRM up the wazoo?

Just sayin...

Hmm...

Things you are ignorant to:

-Apache is king in web-serving (duh)
-MS Office compatible Office suites are built into almost any Linux distro. (free)
-Money isn't everything (you'll learn this someday)
-By code I was referring to coding viri
-You can pop a Linux box onto just about every network.

I would agree completely that .005% of executives use *nix. I would also say they could operate on Linux with no problem.

What percentage of laboratories around the world use *nix? Well many, many more than use Windows! Every lab I have ever been to only runs Linux. The ones down at the UOC campus. Hell the particle accelerator's support systems run Linux.  (the one in IL).

SHOW ME ONE thing that you can do on Windows that you can't on Linux! (gaming aside)

Any business where computers are mission critical, and are really serious about computers use Linux for servers anyway.

Now I'm not talking about workstations, (different story all together)

And as for there being no commercial software for *nix, there is (sadly). The world would be a better place if there was not.

Do money and the business world compose all of your life? Small life. I pity you.

I can say confidently I won't be jumping out of a building on Wall Street someday...
Visit my MAME lightgun site:
http://www.lightgun.tk

ThePaul

Re:This is important - MAJOR Worm Warning
« Reply #42 on: August 14, 2003, 06:13:53 pm »
Anthony,

Thanks for the personal flames. Do you make it a habit to label people you do not know as ignorant? I imagine some might take offense to that.

I never said that there is something you can do on Windows that you can't do on *nix. There is no need to take offense and worry that I am trying to put down your beloved OS. I know it is like a cult for you to be pro penguin.

Again my post and message are based on the real world. You said, "Do money and the business world compose all of your life? Small life. I pity you". Thanks, but I don't need your pity. Again, I only refer to the real world which according to you is made up of ignorant people who should be running Linux (after all anyone running MS products is ignorant.. right?). ... On that we will have to agree to disagree.

SirPoonga

Re:This is important - MAJOR Worm Warning
« Reply #43 on: August 14, 2003, 06:35:22 pm »
Actually, M$ has 90% of the desktop world.  The server world is a completely different story.  M$ may have more than half by now but *nix is still there.  Look at this site, obvious which OS this site runs based off YabbSE :)

Actually, Apache has 60% of the web servers of the world.  I don't know if that number includes the offshoots of Apache like IBM's httpd.  Well, that was last year's stat too.  So the "real world" does use *nix quite extensively.  The desktop world uses Windows.  There's a big difference there.  There are a lot more desktops than servers.


I'm not standing up here for any OS, they all have their good points and bad points.  Personally, I love BeOS, but only for multimedia apps.  You probably couldn't have a faster OS for multimedia.  The cube demo is quite impressive.  Linux is great for running webservers and such.  Windows is great desktop OS.  Mac OS X is a great all around OS.

I do think it is funny though that when one flaw is found in an OS, supporters of the other OSes start laughing.  About 7 years ago Linux had a major security hole to teardrops.  Each OS has its issues.  But since Windows is the most popular desktop OS there are going to be a lot more people who barely know the basics of using the computer that you can take advantage of, so it's a target.

I found a hole in Mac OS X in my Mac class.  Oops, it defaults execute file permissions for all levels.

anthony691

Re:This is important - MAJOR Worm Warning
« Reply #44 on: August 14, 2003, 09:21:44 pm »
Anthony,

Thanks for the personal flames. Do you make it a habit to label people you do not know as ignorant? I imagine some might take offense to that.

I never said that there is something you can do on Windows that you can't do on *nix. There is no need to take offense and worry that I am trying to put down your beloved OS. I know it is like a cult for you to be pro penguin.

Again my post and message are based on the real world. You said, "Do money and the business world compose all of your life? Small life. I pity you". Thanks, but I don't need your pity. Again, I only refer to the real world which according to you is made up of ignorant people who should be running Linux (after all anyone running MS products is ignorant.. right?). ... On that we will have to agree to disagree.

If I did make a personal attack; I went too far. I am sorry for that.

I did mean ignorant though. Which I stand by being true. All that ignorance is is not knowing something. I don't think you know very much about Linux.

I offer you a copy of Knoppix Linux. Linux that operates completely from CD-ROM. It has no install, and comes with office. I'll pay shipping! If you are brave enough to try something new and use it before you put it down; PM me your address (assuming you're in the US).

ThePaul

Re:This is important - MAJOR Worm Warning
« Reply #45 on: August 15, 2003, 12:27:28 am »
Anthony,

Thank you for the offer, but like I said you have me figured all wrong. I am familiar with *nix, in fact I have a flavor of it called "familiar" running on my IPAQ right now. I never said *nix sucked or was crappy or something.. I never attacked it. I have a degree in Computer Science, I understand the powerful nature of open source in the hands of talented developers... But not in the hands of billions of real life working class people who make the world go 'round.

Oh I wanted to ask you, what is the purpose of everything if not to make money?  ;D

SirPoonga

Re:This is important - MAJOR Worm Warning
« Reply #46 on: August 15, 2003, 01:13:32 am »
I understand the powerful nature of open source in the hands of talented developers... But not in the hands of billions of real life working class people who make the world go 'round.

As I said, 60% of the web servers out there are Apache.  Billions of real life people use it each day, even if they don't realize it.   Heck, YabbSE and most forums are open source.

Quote
Oh I wanted to ask you, what is the purpose of everything if not to make money?  ;D

Because you can :)  I'm working on the controls.dat and not making money from it.  Mame devs aren't making money from making mame.

You only need money to pay bills and make arcade cabinets.

Spaced Invader

Re:This is important - MAJOR Worm Warning
« Reply #47 on: August 15, 2003, 01:49:09 pm »
You only need money to pay bills and make arcade cabinets.

Tryin' to stay out of this debate...but that comment deserves an AMEN!
All Your Base Are Belong To Us!

jerryjanis

Re:This is important - MAJOR Worm Warning
« Reply #48 on: August 15, 2003, 01:55:52 pm »
You only need money to pay bills and make arcade cabinets.

Right on...

hooded_paladin

Re:This is important - MAJOR Worm Warning
« Reply #49 on: August 15, 2003, 11:49:53 pm »
and, uh, ddr pads and other bemani controllers ...

kay I'll leave now
There is SO a spoon.

MrBond

Re:This is important - MAJOR Worm Warning
« Reply #50 on: August 17, 2003, 09:32:29 pm »
MrBond - you are the man! Thanks! That is exactly what I needed!

Awesome...glad I could help!
'Case you didn't clean it completely:
http://www.sophos.com/virusinfo/analyses/w32spybotb.html

Today I just helped a friend remove the msblast worm.....HOLY CRAP.  I HATE THIS WORM.  Of course, I was able to conquer it with my computer savvy ("geekness"), but geez, any "normal" person would go insane trying to hurdle the registry, the fact that the worm doesn't allow you to download the patch to prevent infection, you have to be familiar with safe mode, msconfig, and not to mention the services.msc.  You have to make sure the RPC service is set to restart the service, not the computer (which is why people can't use the internet when they are infected...it constantly restarts).

Fun stuff...
At least I got $20 out of it :)

God help the common computer user who gets this worm...amen
...they only live twice!...
(>")>----MAME----<("<)

SNAAAKE

Re:This is important - MAJOR Worm Warning
« Reply #51 on: August 18, 2003, 02:29:49 am »
ummm... ???
Is this some kind of virus? I got this email from "microsoft".
Thoughts ?



BombProofPlane

Re:This is important - MAJOR Worm Warning
« Reply #52 on: August 18, 2003, 02:31:28 am »
the guy obviously spoofed his email address, I can't believe you thought it was really microsoft

SNAAAKE

Re:This is important - MAJOR Worm Warning
« Reply #53 on: August 18, 2003, 02:35:00 am »
the guy obviously spoofed his email address, I can't believe you thought it was really microsoft
lol...
I didn't think it was microsoft.
looked like a suspect.... >:(
« Last Edit: August 18, 2003, 02:35:36 am by SNAAAKE »

Sasquatch!

Re:This is important - MAJOR Worm Warning
« Reply #54 on: August 18, 2003, 02:43:21 am »
Anyone who spells "MICRO$OFT" with the dollar sign needs to be slapped upside the head with a fish.

emdkay

Re:This is important - MAJOR Worm Warning
« Reply #55 on: August 20, 2003, 11:12:51 am »
I don't know if this is related to the worm or not, but I need some help.  Over the past couple days I've received about 8-10 emails in two different outlook express accounts that are returned mail, that I never sent.  Several of them are saying that there was a virus in the email I sent, others say that the recipient does not exist.  

These emails are not being seen in my sent boxes, and I ran a full virus scan with AVG's latest virus definition.  Any ideas?   ???
EMDKAY.net - Your Original Source for Authentic & Reproduction Arcade Artwork, Arcade & Mame Marquees, and Home Arcade Bartop Cabinets
Improve the lives of children with toys and games through Emdkay & Child's Play! - See specially marked products.

saint

Re:This is important - MAJOR Worm Warning
« Reply #56 on: August 20, 2003, 11:23:36 am »
Couple of viruses making quite a bit of noise with spoofed email addresses lately.

The Klez virus will take the address book from an infected system, pick 1 address to use as its forged "from" address, and send itself to the rest of the addresses.  If you are the unfortunate one whose address was picked as the fake "from" address on the infected computer wherever it is, any replies sent to that faked "from" address come to you.

There's also another whose name I don't know that claims to be from "admin@yourdomain.com" such as "admin@arcadecontrols.com" --  if you are the owner of the domain, then people/auto responses to the admin@xyz.com email will go to you.

Both of these can fill your inbox with auto-responses and hate mail from people who think you really sent the email when you didn't.

I regularly get spam/porno email addressed to my saint@arcadecontrols.com address, and the from address is also saint@arcadecontrols.com .... I'm fairly certain I didn't send those :)

As long as your virus protection is up to date and you scan regularly, the above emails amount mostly to more spam :)

--- saint


I don't know if this is related to the worm or not, but I need some help.  Over the past couple days I've received about 8-10 emails in two different outlook express accounts that are returned mail, that I never sent.  Several of them are saying that there was a virus in the email I sent, others say that the recipient does not exist.  

These emails are not being seen in my sent boxes, and I ran a full virus scan with AVG's latest virus definition.  Any ideas?   ???
--- John St.Clair
     Build Your Own Arcade Controls FAQ
     http://www.arcadecontrols.com/
     Project Arcade 2!
     http://www.projectarcade2.com/
     saint@arcadecontrols.com
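
An added example, not part of the original thread: one way to tell whether a returned mail really left your own system is to look at the copy of the original that a standards-style bounce attaches and see which host handed it over. The function name, the `my_outbound_ips` set and the sample bounce are hypothetical, and it assumes an RFC 3464 `multipart/report` bounce with the original message attached, which not every mail server produces.

```python
import email
import re
from email import policy

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample bounce: names are invented, IPs are documentation ranges.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: victim@example.org
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The recipient does not exist.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Status: 5.1.1

--b1
Content-Type: message/rfc822

Received: from infected-pc (unknown [203.0.113.77])
\tby mx.example.net; Wed, 20 Aug 2003 10:01:02 -0400
From: victim@example.org

body
--b1--
"""


def analyze_bounce(raw, my_outbound_ips):
    """Classify a bounce by the host that handed over the returned message."""
    msg = email.message_from_string(raw, policy=policy.default)
    info = {"failed_recipient": None, "claimed_from": None,
            "handoff_ip": None, "verdict": "not-a-bounce"}
    if msg.get_content_type() != "multipart/report":
        return info
    info["verdict"] = "unknown"          # stays so if no original is attached
    original = None
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status" and part.is_multipart():
            for block in part.get_payload():     # per-message, then per-recipient
                if block.get("Final-Recipient"):
                    info["failed_recipient"] = block["Final-Recipient"].split(";")[-1].strip()
        elif ctype == "message/rfc822" and part.is_multipart():
            original = part.get_payload(0)       # copy of the returned mail
    if original is None:
        return info
    info["claimed_from"] = str(original.get("From", ""))
    received = original.get_all("Received", [])
    # The topmost Received line was written by the server that bounced the mail.
    match = BRACKETED_IP.search(str(received[0])) if received else None
    if match:
        info["handoff_ip"] = match.group(1)
        mine = match.group(1) in my_outbound_ips
        info["verdict"] = "possibly-sent-by-us" if mine else "backscatter"
    return info
```

A "backscatter" verdict means the message entered the mail system from a host that is not one of yours, which matches the forged "from" case described above; "possibly-sent-by-us" is the one that warrants a closer look at the local machine.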

emdkay

Re:This is important - MAJOR Worm Warning
« Reply #57 on: August 21, 2003, 04:35:54 am »
I regularly get spam/porno email addressed to my saint@arcadecontrols.com address, and the from address is also saint@arcadecontrols.com .... I'm fairly certain I didn't send those :)

 :D :D :D  

Thanks for the quick response and saving me from a massive headache.  I ran more virus tests and everything is clean - looks like you were right.  I actually took pride in that one email box because it never got spam until now  ::)