This is a new variant of the W32/Sobig.e@MM virus that I wrote about June 26th. I've received hundreds of copies of this virus on my computer. Of course, not everyone would receive this many copies. I'm an unusual case in that I monitor several websites for large companies with thousands of people in their databases. Anybody that's on their list probably has me or one of my webmaster accounts on their computer.
What really amazes me is that this variant is much more widespread than the previous version. The attachments, subjects, and body of the email are so obviously a virus that the stupidity of the folks that open them is mind-boggling. YES, I'm being harsh, but face it. If you're doing anything on the Internet and you do not have a good AND UPDATED anti-virus program, you're either stupid or real cheap. Let's see how much getting rid of this one is going to cost.
Click on the link to this item and you can go to McAfee's website and find out all about this one and how to get rid of it.
Here's a good followup on measures to prevent this:
Greetings,
As you may have heard by now in the news there is a new virus that
is exploiting a security flaw in Windows XP, NT and 2000. The
virus is known as "W32.Blaster.Worm" or "MSBlast." The virus does
not come through email. It is sent to your computer through a Remote
Procedure Call, or RPC, meaning that an infected computer scans
other computers for a certain open port, and then sends itself
through that port. This security flaw is not in Macintosh, Linux or
Unix operating systems. To read more about the security flaw,
please go to
http://www.microsoft.com/technet/se...in/MS03-026.asp
To keep from getting this virus, you should go to
http://www.windowsupdate.com and scan for all patches available for your
computer. After it scans, you should download all the security
patches. This will keep you from getting the virus.
NOTE: If you are infected, you will see an error saying "...NT
authority must shut down your computer in 30 seconds."
BEWARE! Some users who have the virus have reported that while they were
attempting to download the patches from Microsoft, the virus rebooted
their computer. There is little chance of damage from this and it will be
possible to eventually receive the patches from Microsoft even if you are
infected and the virus reboots your computer. Just keep trying to get the
patches.
XP users can prevent this from happening by turning on Internet Connection
Firewall in their connection profile. IF YOU ARE AN XP USER, right click
on your connection icon, left click on Properties, click the Advanced
Tab, and place a checkmark next to "Internet Connection Firewall." This
will allow you to download the patches without the virus rebooting your
machine.
To fix this, you must edit your Windows registry. It is extremely
important that you follow this set of instructions very carefully.
Enter.net is not responsible for any damage to your computer from
following these instructions. If you don't feel competent to perform
this service, you should contact your computer dealer/consultant, or
Enter.Net's in-house service department.
1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit
3. Then click OK. (The Registry Editor opens.)
4. Navigate to the key by clicking on the plus next to each section:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value:
"windows auto update"="msblast.exe"
6. Exit the Registry Editor by clicking the x in the top right corner.
You should then be able to go to http://www.windowsupdate.com and get the
patch to keep your computer safe. You should also then go to
http://www.housecall.antivirus.com Click on Scan Now listed under
the Customer Advisory. Press yes to any boxes that pop up. You will
then see the Active Update windows where it is downloading an
updated engine and pattern file. Once this is done, put a checkmark
next to your C: drive and a checkmark next to Auto Clean. Then click
Scan. This will scan your computer for viruses and automatically clean
any that it can. It will also give you the option to delete the
infected files that it was not able to clean. This online virus
scanner is free.
Please make sure to update your antivirus programs and your windows
updates at least twice a month. This will keep your computer updated
against any viruses and security flaws.
If a machine is a target of the currently available exploit program
for the MS03-026 vulnerability, it will in some cases pop up a window titled "System Shutdown" with the text:
This system is shutting down. Please save all work in progress
and log off. Any unsaved changes will be lost. This shutdown
was initiated by NT AUTHORITY\SYSTEM
Time before shutdown: 00:00:59
Message:
Windows must now restart because the Remote Procedure Call
(RPC) service terminated unexpectedly
(The machine then reboots in 59 seconds.)
This indicates an unsuccessful exploit attempt on an unpatched
machine. If customers see this message, they should most likely save their work and then disconnect from the network, or else patch the machine immediately after it reboots.
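The forwarded note describes how the worm spreads: an infected machine probes other hosts for one open port and pushes itself through it. The following is an added example, not code from the original post, from Enter.net or from Microsoft; it assumes a constructed firewall log format and tcp/135 (the DCOM RPC endpoint mapper port that MS03-026 concerns), and flags any source that touches many distinct hosts on that port, which is what an infected machine looks like from the network side.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the original page). One line per
# connection attempt: "<timestamp> <src> -> <dst>:<port> <action>".
SAMPLE_LOG = """\
2003-08-12T14:01:02 10.0.0.5 -> 10.0.1.1:135 DENY
2003-08-12T14:01:02 10.0.0.5 -> 10.0.1.2:135 DENY
2003-08-12T14:01:03 10.0.0.5 -> 10.0.1.3:135 ALLOW
2003-08-12T14:01:03 10.0.0.5 -> 10.0.1.4:135 DENY
2003-08-12T14:01:03 10.0.0.5 -> 10.0.1.5:135 DENY
2003-08-12T14:01:04 10.0.0.5 -> 10.0.1.6:135 DENY
2003-08-12T14:01:04 10.0.0.7 -> 10.0.1.9:135 ALLOW
2003-08-12T14:01:05 10.0.0.7 -> 10.0.1.9:135 ALLOW
2003-08-12T14:01:05 10.0.0.7 -> 10.0.1.20:80 ALLOW
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<action>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def find_scanners(log_text, port=135, threshold=5):
    """Map each source that contacted at least `threshold` distinct hosts on
    `port` to the sorted list of hosts it touched. Denied attempts count too:
    a worm keeps probing regardless of the answer it gets."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["port"] == port:
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(d) for src, d in targets.items() if len(d) >= threshold}


if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed {len(dsts)} hosts on tcp/{135}: {', '.join(dsts)}")
```

On a real perimeter or host firewall log the same logic, pointed at the real log format, isolates the machines that need the MS03-026 patch and cleanup first.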
So what we did was get her a copy of the MS patch for this security hole. Deleted the MSBlast.exe file from her computer (she IM'd it to me for further handling). Applied the patch, and now she's going through the tedious task of updating her computer with the latest MS updates and then getting an updated virus signature file and installing a firewall.
Doing a search on Google for MSBlast.exe, which was showing up in her startup configuration, yielded no answers. The answers were found by searching for the specific error messages that her computer displayed. The winning keywords were "nt authority\system shutdown", and I found the main clues to the problem at techsupportforum.com.
When I got the file, my McAfee program identified this virus as Exploit-DcomRpc. Since McAfee's search did not reveal anything on the MSBlast.exe file, I forwarded it to their labs. Got a real quick response! Their labs said it was the W32/Lovsan.worm. And guess what? This MSBlast.exe is now showing up in their search. Here's what's even better! I sent the file to them at 4:28pm; they responded with an autoreply at 4:33pm, it was escalated to their techs and replied to at 4:34pm, and it was added and updated in the virus information library at 4:57. This is why I really like McAfee.
Additional Links: http://vil.nai.com/vil/content/v_100547.htm for the W32/Lovsan.worm virus and http://vil.nai.com/vil/content/v_100516.htm for the Exploit-DcomRpc virus
I've received this one several times. You'll receive a message like this:
From: Admin (ADMIN@your_domain)
Subject: your account %user%
Importance: High
Hello there,
I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.
--- Best regards, Administrator
Attachment: message.zip
The message.zip file, if opened, contains a message.htm file which can infect your system. The virus checks whether the system is connected to the Internet by trying to contact google.com. If this check succeeds, the virus attempts to harvest email addresses from the local system. It grabs addresses from all files on your system.
The link to this item goes to McAfee.com's website for more information.