Full Version: Dcom Worm Killer 2.0
ComSec
Excellent, illwill ... thanks mate.
illwill
http://illmob.org/rpc/cleaners/dcom2.zip

Kills and removes the Blaster worm and the B and C variants of it, all in a pretty little package of 1.62 KB (gotta love assembly).

Coded in MASM by:
illwill
xillwillx@yahoo.com
www.illmob.org


DCOM worm killer (W32.Blaster.Worm)
Aliases: W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure]
WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]
WORM_MSBLAST.B [Trend], Win32.Poza.C [CA], W32/Lovsan.worm.c [McAfee], Worm.Win32.Lovesan [KAV]
etc..... blablablabla keep changing it motherfuckers, we'll still find yer ass


This program is a tool to remove the malicious worm(s)
that spread by exploiting the DCOM RPC vulnerability over TCP port 135.
The worm downloads the msblast.exe file to the %WinDir%\system32 directory and executes it.
Once executed, it creates a hidden Cmd.exe remote shell listening on TCP port 4444,
allowing an attacker to issue remote commands on the infected system.
This tool was made to automate the process of removing the worm from memory and all files related to it.

-------------------------------------------------------------------------
Directions:
1. Execute the file called DCOM2.exe
a. Deletes the registry values that have been added.
b. Terminates the W32.Blaster.Worm, W32.Blaster.B.Worm, and W32.Blaster.C.Worm viral processes.
c. Deletes the W32.Blaster.Worm, W32.Blaster.B.Worm and W32.Blaster.C.Worm files.
d. Deletes the dropped files.

-------------------------------------------------------------------------
Tech Info:
Startup registry keys-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update"="msblast.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update"="penis32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Microsoft Inet Xp.."="teekids.exe"

Dropped files-
Windows system directory (c:\windows\system32 c:\winnt\system32)
'msblast.exe' 'penis32.exe' 'teekids.exe' 'root32.exe' 'index.exe'

Source:
http://illmob.org/sources/DCOM2.html
http://illmob.org/sources/DCOM2.asm

virus
Now this is a quality post, illwill. Thanks for sharing it.
woutiir
Hey illwill,
Nice to see ya here. And thanks for the post, I already saw it. Should help a lot of ppl out.

nice ASM code btw.

Cheers,
woutiir
SLiM577
that site is down mate.
KoStIsTR
I think removing msblast from your PC is too easy, so you can do it manually.
As the article says, the versions of msblast are quite few... but the way of disinfection is always the same. The only thing you have to do is to shut down the worm process, then open regedit and delete the keys the article lists:
QUOTE
Startup registry keys-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update"="msblast.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update"="penis32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Microsoft Inet Xp.."="teekids.exe"

after this make a search at your system32 folder for this names :
QUOTE
Dropped files-
Windows system directory (c:\windows\system32 c:\winnt\system32)
'msblast.exe' 'penis32.exe' 'teekids.exe' 'root32.exe' 'index.exe'

and delete them.
Simple, heh?
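The same detect-and-clean sequence that illwill's README and the manual walkthrough above describe (autostart values, worm process, dropped files, the port 4444 shell), written out as a PowerShell script. This is an added example for this thread, not illwill's DCOM2.exe and not code from any post here; it assumes a current Windows host with PowerShell 5.1 or later run from an elevated prompt (PowerShell did not exist on the Windows 2000/XP boxes Blaster actually hit), the indicator names are exactly the ones quoted in the posts, and the function names and the -DryRun switch are inventions of this example. The registry match is a best-effort comparison of the value data's file name against the listed executables.

```powershell
#Requires -RunAsAdministrator
# Added example, not illwill's DCOM2.exe and not code from this thread.
# Assumptions: PowerShell 5.1+ on the host being cleaned; indicator names are the ones
# quoted in the posts; Find-/Remove-BlasterIndicators and -DryRun are inventions here.
# Run with -DryRun first: every destructive cmdlet then runs under -WhatIf and only reports.
param([switch]$DryRun)

# Autostart values the post lists under HKLM\...\Run: value name -> executables seen in its data
$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$KnownValues = @{
    'windows auto update' = @('msblast.exe', 'penis32.exe')
    'Microsoft Inet Xp..' = @('teekids.exe')
}
# Dropped files the post lists in the Windows system directory
$DroppedFiles = @('msblast.exe', 'penis32.exe', 'teekids.exe', 'root32.exe', 'index.exe')
$SystemDir    = Join-Path $env:SystemRoot 'system32'

function Find-BlasterIndicators {
    $hits = @()

    # 1. Run-key values whose data points at one of the known worm executables
    if (Test-Path $RunKey) {
        $props = Get-ItemProperty -Path $RunKey
        foreach ($name in $KnownValues.Keys) {
            $data = $props.$name
            if ($null -eq $data) { continue }
            $leaf = Split-Path -Leaf (([string]$data).Trim('"'))
            if ($KnownValues[$name] -contains $leaf) {
                $hits += [pscustomobject]@{ Kind = 'Registry'; Name = $name; Target = $RunKey; Detail = $data }
            }
        }
    }

    # 2. Running processes named after a dropped file (the worm body still in memory)
    foreach ($p in (Get-Process -ErrorAction SilentlyContinue)) {
        if ($DroppedFiles -contains "$($p.ProcessName).exe") {
            $hits += [pscustomobject]@{ Kind = 'Process'; Name = $p.ProcessName; Target = $p.Id; Detail = "pid $($p.Id)" }
        }
    }

    # 3. The dropped files themselves in the system directory
    foreach ($f in $DroppedFiles) {
        $path = Join-Path $SystemDir $f
        if (Test-Path -LiteralPath $path) {
            $hits += [pscustomobject]@{ Kind = 'File'; Name = $f; Target = $path; Detail = (Get-Item -LiteralPath $path).Length }
        }
    }

    # 4. The hidden cmd.exe shell the post describes: anything listening on TCP 4444 (reported, not killed)
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        foreach ($l in (Get-NetTCPConnection -State Listen -LocalPort 4444 -ErrorAction SilentlyContinue)) {
            $hits += [pscustomobject]@{ Kind = 'Listener'; Name = 'tcp/4444'; Target = $l.OwningProcess; Detail = $l.LocalAddress }
        }
    }

    return $hits
}

function Remove-BlasterIndicators([object[]]$Hits, [switch]$WhatIfOnly) {
    # Same order as the README's directions: registry values, then processes, then files.
    # Processes are stopped before files are deleted so the delete is not refused for a file in use.
    foreach ($h in $Hits) {
        switch ($h.Kind) {
            'Registry' { Remove-ItemProperty -Path $h.Target -Name $h.Name -WhatIf:$WhatIfOnly }
            'Process'  { Stop-Process -Id $h.Target -Force -WhatIf:$WhatIfOnly }
            'File'     { Remove-Item -LiteralPath $h.Target -Force -WhatIf:$WhatIfOnly }
            'Listener' { Write-Warning "PID $($h.Target) is listening on $($h.Name); inspect it before stopping it." }
        }
    }
}

$found = @(Find-BlasterIndicators)
if ($found.Count -eq 0) { Write-Host 'No Blaster indicators found.'; return }
$found | Format-Table Kind, Name, Target, Detail -AutoSize | Out-String | Write-Host
Remove-BlasterIndicators -Hits $found -WhatIfOnly:$DryRun
```

Run it once with -DryRun to see what it would touch, then without. Matching on file and value names alone is what the original tool and the manual steps do too; it catches the variants listed in the thread and nothing renamed beyond them, so a host that still shows a 4444 listener after cleanup needs a closer look at the owning process rather than another pass of this script.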
biboupoki
thanks for the information
ST.
link is down
as0l0
can / will this work remotely?

in other words can I set it against a remote machine or a number of remote machines to clean blaster remotely?
headbanger
very nice tool illwill!
polax
thanks for the info
Invision Power Board © 2001-2005 Invision Power Services, Inc.