[Kenny]

excellent illwill ...thanks mate B)

[illwill]

http://illmob.org/rp...aners/dcom2.zip

kills and removes the blaster worm and the b and c variants of it. all in a pretty little package of 1.62kb (gotta love assembly)

Coded in MASM by:
illwill
xillwillx@yahoo.com
www.illmob.org


DCOM worm killer (W32.Blaster.Worm)
Aliases: W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure]
WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]
WORM_MSBLAST.B [Trend], Win32.Poza.C [CA], W32/Lovsan.worm.c [McAfee], Worm.Win32.Lovesan [KAV]
etc..... blablablabla keep changing it (filtered)s we'll still find yer ass :)


This program is a tool to remove the malicious worm(s)
that spread through exploiting the DCOM RPC vulnerability using TCP port 135.
This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and execute it.
Once executed it creates a hidden Cmd.exe remote shell that will listen on TCP port 4444,
allowing an attacker to issue remote commands on the infected system.
This tool was made to Automate the process of removing the worm from memory and all files related to it.

-------------------------------------------------------------------------
Directions:
1. Execute the file called DCOM2.exe
a. Deletes the registry values that have been added.
b. Terminates the W32.Blaster.Worm, W32.Blaster.B.Worm, and W32.Blaster.C.Worm viral processes.
c. Deletes the W32.Blaster.Worm, W32.Blaster.B.Worm and W32.Blaster.C.Worm files.
d. Deletes the dropped files.

-------------------------------------------------------------------------
Tech Info:
Startup registry keys-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update"="msblast.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update"="penis32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Microsoft Inet Xp.."="teekids.exe"

Dropped files-
Windows system directory (c:\windows\system32 c:\winnt\system32)
'msblast.exe' 'penis32.exe' 'teekids.exe' 'root32.exe' 'index.exe'

Source:
http://illmob.org/sources/DCOM2.html
http://illmob.org/sources/DCOM2.asm

[virus]

Now this is a quality post illwill. Thanks for sharing it ;)

[woutiir]

Hey illwill,
nice to see ya here. And thnx for the post, i already saw it. Should help alot of ppl out.

nice ASM code btw.

Cheers,
woutiir

[SLiM577]

that site is down mate.

[KoStIsTR]

I think removing msblast from your pc it too easy so you can do it manually :)
As the article says the vers of msblast are quiet few...but the way of disinfection is always the same :P . The only thing you have to do is to shut the worm from the proccess then open regedit and delete the keys that article says :

Quote

Startup registry keys-
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update"="msblast.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update"="penis32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Microsoft Inet Xp.."="teekids.exe"

after this make a search at your system32 folder for this names :

Quote

Dropped files-
Windows system directory (c:\windows\system32 c:\winnt\system32)
'msblast.exe' 'penis32.exe' 'teekids.exe' 'root32.exe' 'index.exe'

and delete them.
Simple heh? :)

[ST.]

link is down

[as0l0]

can / will this work remotely?

in other words can I set it against a remote machine or a number of remote machines to clean blaster remotely?