Sophos

W32/Blaster-F

Aliases
  • Worm.Win32.Lovesan
  • W32.Blaster.Worm
  • WORM_MSBLAST
  • Worm/Lovsan

Summary

 
Included in our products from October 2003 (3.74)
Protection available since 28 September 2003 09:47:14 (GMT)
Detected by All Sophos products

Action

To remove W32/Blaster-F manually on Windows 95/98/Me and Windows
NT/2000/XP:

  • ensure you have installed Microsoft patch MS03-026.
  • press Ctrl+Alt+Del
  • in Windows NT/2000/XP click Task Manager and select the Processes tab
  • look for a process named enbiei.exe in the list
  • click the process to highlight it
  • click the 'End Process' (in Windows 95/98/Me 'End Task') button
  • close Task Manager.

Search for the file enbiei.exe in the Windows system
folder (usually a subfolder of Windows or WINNT) and delete it.

In Windows NT/2000/XP you will also need to edit the following
registry entry. The removal of this entry is optional in Windows
95/98/Me. Please read the warning about editing the registry.

  • At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
  • Before you edit the registry, you should make a backup. If in doubt, contact your network administrator. Incorrect editing of the Windows Registry can cause system failure.
  • Locate the HKEY_LOCAL_MACHINE entry:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    and remove any reference to any file you deleted.

  • Close the registry editor.

You should reboot your computer and repeat the above process to
ensure all traces of the worm have been removed from your
system.
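
The Run-key check in the steps above can also be done offline against a registry export. The following Python is an added example, not Sophos code: it assumes the key was exported as text in .reg format, the function name is hypothetical, and the sample export and its value data are constructed for illustration.

```python
import re

# Indicators named in the advisory text.
WORM_FILE = "enbiei.exe"
WORM_VALUE_NAME = "www.hidro.4t.com"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# One string value line of a .reg export: "name"="data", with \\ and \" escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def find_blaster_f_run_entries(reg_text):
    """Return (value name, data, reasons) for Run values matching the indicators."""
    hits, in_run_key = [], False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Key names are case-insensitive; only the exact Run key is in scope.
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        match = _VALUE_RE.match(line) if in_run_key else None
        if not match:
            continue
        # Undo the .reg escaping of backslashes and double quotes.
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in match.groups())
        reasons = []
        if name.lower() == WORM_VALUE_NAME:
            reasons.append("value name")
        # Compare whole path components so "notenbiei.exe" does not match.
        if WORM_FILE in re.split(r'[\\/\s"]+', data.lower()):
            reasons.append("file name")
        if reasons:
            hits.append((name, data, reasons))
    return hits

# Constructed sample export; the value data shown here is an assumption.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"www.hidro.4t.com"="enbiei.exe"
"Updater"="C:\\WINNT\\system32\\ENBIEI.EXE /s"
"Backup"="C:\\Tools\\notenbiei.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="enbiei.exe"
'''

if __name__ == "__main__":
    for name, data, reasons in find_blaster_f_run_entries(SAMPLE_EXPORT):
        print(f"{name!r} -> {data!r} ({', '.join(reasons)})")
```

Only the HKLM Run key named in this advisory is examined; values under other keys, such as the RunOnce entry in the sample, are ignored.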

If you have any problems removing W32/Blaster-F after following
these instructions, please contact technical support.

To remove W32/Blaster-F on other platforms please follow the instructions for removing worms.

More Information

W32/Blaster-F is functionally equivalent to W32/Blaster-A, except for the following changes:


  • The worm filename used is enbiei.exe
  • The registry entry used has been changed to
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\www.hidro.4t.com
  • The target for the distributed denial-of-service attack has been changed to tuiasi.ro
  • The internal message has been changed to the following text in Romanian:
    "Nu datzi la fuckultatea de Hidrotehnica!!! Pierdetzi timp ul degeaba...Birsan te cheama pensia!!!Ma pis pe diploma!!!!!!"

    In English this translates to:

    "Don't go to the Hydrotechnics faculty!!! You are wasting your time... Birsan, your pension awaits!!! I urinate on the diploma!!!!!!"

In September 2003, a 24-year-old Romanian was charged in connection with the W32/Blaster-F worm.
