Re: I\'m in Computer Hell!!!
On my friends computer, I believe it was in the Windows directory. Instead of just deleting the file(which does nothing to erase the registry entry) go to this link and download FixBlast.exe, this should remove the worm from your computer.
Symantec FixBlast
Just for grins (from the Symantic website), this is what this sucker actually does:
When W32.Blaster.Worm is executed, it does the following:
Creates a Mutex named "BILLY." If the mutex exists, the worm will exit.
Adds the value:
"windows auto update"="msblast.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
Calculates a random IP address, A.B.C.0, where A, B, and C are random values between 0 and 255.
NOTE: 40% of the time, if C > 20, a random value less than 20 will be subtracted from C.
Once the IP address is calculated, the worm will attempt to find and exploit a computer on the local subnet, based on A.B.C.0. The worm will then count up from 0, attempting to find and exploit other computers, based on the new IP.
Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability.
NOTES:
This means the local subnet will become saturated with port 135 requests.
Due to the random nature of how the worm constructs the exploit data, this may cause computers to crash if it sends incorrect data.
While W32.Blaster.Worm cannot spread to Windows NT or Windows 2003, unpatched computers running these operating systems may crash as the result of attempts by the worm to exploit them.
Creates a hidden Cmd.exe remote shell that will listen on TCP port 4444, allowing an attacker to issue remote commands on the infected system.
Listens on UDP port 69. When the worm receives a request from a computer it was able to connect to using the DCOM RPC exploit, it will send that computer Msblast.exe and tell it to execute the worm.
If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on Windows Update. The worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.
The worm contains the following text, which is never displayed:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!