mschost.exe - Dangerous
mschost.exe
Manual removal instructions:
Antivirus Report of mschost.exe:
mschost.exe
W32.Blaster.K.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
The worm targets only Windows 2000 and Windows XP computers.
It recommends that you block access to TCP port 4444 at the firewall level, and then block the following ports, if you do not use the following applications:
TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"
The worm also attempts to perform a Denial of Service (DoS) on the Microsoft Windows Update Web server (windowsupdate.com).
This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.
When worm is executed, it does the following:
Generates an IP address and attempts to infect the computer that has that address.
Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability. The worm sends one of two types of data: either to exploit Windows XP or Windows 2000.
Uses Cmd.exe to create a hidden remote shell process that will listen on TCP port 4444, allowing an attacker to issue remote commands on an infected system.
Listens on UDP port 69. When the worm receives a request from a computer it was able to connect to using the DCOM RPC exploit, it sends mschost.exe to that computer and then executes it.
The worm contains the following text in the code:
Can you hear me? I LOVE YOU SAN!!
Sucky gates why do you made this windows? Stop fooling around and make good things!!!
Use RegRun Startup Optimizer to automatical remove this worm from system registry.
| mschost.exe | Malware |
| mschost.exe | Dangerous |
| mschost.exe | High Risk |
The worm targets only Windows 2000 and Windows XP computers.
It recommends that you block access to TCP port 4444 at the firewall level, and then block the following ports, if you do not use the following applications:
TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"
The worm also attempts to perform a Denial of Service (DoS) on the Microsoft Windows Update Web server (windowsupdate.com).
This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.
When worm is executed, it does the following:
Generates an IP address and attempts to infect the computer that has that address.
Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability. The worm sends one of two types of data: either to exploit Windows XP or Windows 2000.
Uses Cmd.exe to create a hidden remote shell process that will listen on TCP port 4444, allowing an attacker to issue remote commands on an infected system.
Listens on UDP port 69. When the worm receives a request from a computer it was able to connect to using the DCOM RPC exploit, it sends mschost.exe to that computer and then executes it.
The worm contains the following text in the code:
Can you hear me? I LOVE YOU SAN!!
Sucky gates why do you made this windows? Stop fooling around and make good things!!!
Use RegRun Startup Optimizer to automatical remove this worm from system registry.
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antivioruses did not fix: detecting rootkits.
Since that time I work every day to fix the issues that antiviruses cannot.
If your antivirus have not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly, if you have any questions.