How to remove the W32/Blaster Worm
W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability
(Microsoft Security Bulletin MS03-026) in Windows NT-based operating systems.
The vulnerability itself affects Windows NT 4.0, Windows 2000, Windows XP and
Windows Server 2003; the worm's exploit code targets Windows 2000 and Windows XP,
although unpatched NT 4.0 and Server 2003 machines can still have their RPC
service crashed by its probes.
The worm requires no user interaction to infect new systems. From an infected
host it scans the network for machines listening on TCP port 135 that have not
been patched. When it finds a vulnerable system it sends the exploit over TCP
port 135, which opens a command shell on TCP port 4444 of the victim; through
that shell the worm makes the victim download MSblast.exe by TFTP (UDP port 69)
from the attacking host into the %windir%\system32 directory and run it.
Users of infected systems may receive repeated notices from NT AUTHORITY\SYSTEM
that "the Remote Procedure Call (RPC) service terminated unexpectedly" and that
Windows must restart, followed by a countdown timer that shuts down the
affected system.
Most antivirus programs cannot effectively clean infected systems without the
use of additional tools. This worm is also known as Win32.Poza [CA], Lovsan
[F-Secure], W32/Lovsan.worm [McAfee], W32/Blaster [Panda], W32/Blaster-A
[Sophos] and WORM_MSBLAST.A [Trend].
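The propagation pattern just described (a burst of TCP/135 probes to many hosts, then a shell on TCP/4444 and a TFTP transfer on UDP/69 back to the scanning host) is something an administrator can hunt for in firewall or flow logs. The PowerShell script below is an added example and not part of the original article; its log format and addresses are constructed for illustration, and the threshold of five distinct port-135 targets is an arbitrary assumption you would tune to your network.

```powershell
# Added example: flag hosts whose traffic matches the Blaster propagation
# pattern. Log format (constructed for this example): "time src dst proto dport".
$ConstructedLog = @'
2003-08-11T14:02:01 10.0.0.23 10.0.0.24 TCP 135
2003-08-11T14:02:01 10.0.0.23 10.0.0.25 TCP 135
2003-08-11T14:02:01 10.0.0.23 10.0.0.26 TCP 135
2003-08-11T14:02:02 10.0.0.23 10.0.0.27 TCP 135
2003-08-11T14:02:02 10.0.0.23 10.0.0.28 TCP 135
2003-08-11T14:02:02 10.0.0.23 10.0.0.29 TCP 135
2003-08-11T14:02:03 10.0.0.23 10.0.0.29 TCP 4444
2003-08-11T14:02:04 10.0.0.29 10.0.0.23 UDP 69
2003-08-11T14:05:10 10.0.0.40 10.0.0.5 TCP 135
2003-08-11T14:05:11 10.0.0.40 10.0.0.5 TCP 445
2003-08-11T14:05:12 10.0.0.41 10.0.0.5 TCP 80
'@

function Get-BlasterSuspects {
    param(
        [string[]]$Lines,
        [int]$ScanThreshold = 5   # distinct TCP/135 targets before a host counts as a scanner (assumed value)
    )

    # Parse each line into an object; lines that do not match the format are ignored.
    $records = foreach ($line in $Lines) {
        if ($line -match '^(?<ts>\S+)\s+(?<src>\S+)\s+(?<dst>\S+)\s+(?<proto>TCP|UDP)\s+(?<dport>\d+)$') {
            [pscustomobject]@{
                Time  = $Matches.ts
                Src   = $Matches.src
                Dst   = $Matches.dst
                Proto = $Matches.proto
                DPort = [int]$Matches.dport
            }
        }
    }

    # Stage 1: sources that probed many different hosts on TCP/135.
    $scanners = $records |
        Where-Object { $_.Proto -eq 'TCP' -and $_.DPort -eq 135 } |
        Group-Object Src |
        Where-Object { ($_.Group.Dst | Sort-Object -Unique).Count -ge $ScanThreshold }

    foreach ($s in $scanners) {
        $src = $s.Name
        # Stage 2: the scanner connecting to a victim's shell on TCP/4444 ...
        $shells = $records | Where-Object { $_.Src -eq $src -and $_.Proto -eq 'TCP' -and $_.DPort -eq 4444 }
        # ... and the victim fetching the worm body from the scanner over TFTP (UDP/69).
        $tftp   = $records | Where-Object { $_.Dst -eq $src -and $_.Proto -eq 'UDP' -and $_.DPort -eq 69 }

        $verdict = if ($shells -and $tftp) { 'likely Blaster infector' }
                   elseif ($shells -or $tftp) { 'partial pattern - investigate' }
                   else { 'TCP/135 scanner - investigate' }

        [pscustomobject]@{
            Host           = $src
            Port135Targets = ($s.Group.Dst | Sort-Object -Unique).Count
            ShellTargets   = ($shells.Dst | Sort-Object -Unique) -join ','
            TftpClients    = ($tftp.Src  | Sort-Object -Unique) -join ','
            Verdict        = $verdict
        }
    }
}

Get-BlasterSuspects -Lines ($ConstructedLog -split "`r?`n") | Format-Table -AutoSize
```

With the constructed log only 10.0.0.23 is reported (six port-135 targets, a 4444 connection to 10.0.0.29 and a TFTP fetch back from it); 10.0.0.40 touches a single host on 135 and stays below the threshold. Legitimate RPC clients such as domain members talking to a domain controller also use TCP/135, so the threshold and the stage-2 confirmation are what keep the false-positive rate down; treat a stage-1-only hit as a lead, not a verdict.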
Log in as Administrator
To access all of the functions necessary to disable MSBlast, you must be
logged in to the computer with an account that has Administrator privileges.
Kill the MSBlast.exe Process
To prevent MSBlast from shutting down your system before you get a chance to
apply these fixes, you must stop the running MSBlast.exe process via Task
Manager.
- Press CTRL-ALT-DEL and choose Task Manager.
- Select the Processes tab, then click the Image Name column header to sort
the processes alphabetically.
- Find and select the "msblast.exe" process in the list, then click the End
Process button in the bottom right-hand corner of the Task Manager window.
- If the "RPC service has terminated unexpectedly" pop-up window appears and a
shutdown countdown starts, click Start, then Run, and type shutdown -a
(without the quotes) to abort the shutdown. If the machine does reboot before
you finish, the worm is started again from its Run key, so repeat this step
after logging back in.
Stop the System Restore Process in Windows XP
Before you run any automated tools or remove the MSBlast.exe file, you need to
disable the System Restore function; otherwise a copy of the worm can survive
in a restore point and be brought back later. Note that turning System Restore
off deletes all existing restore points, so you lose the ability to roll back
to an earlier state. You can stop this process by:
- Right-click the My Computer icon and select Properties.
- Click the System Restore tab.
- Select the box that says "Turn off System Restore on all drives" (see the
screenshot to the right).
- Click Apply.
Enable the Firewall on your Internet connection
Because of the way the MSBlast worm works, users may experience difficulties
when attempting to connect to the Internet to obtain the patch, update
antivirus definitions, or download the removal tool before the worm shuts the
computer down. It has been reported that activating the Windows XP Internet
Connection Firewall may allow affected users to download and install the tools
required to clean their systems. This works because the firewall blocks the
incoming TCP port 135 connections from other infected hosts that would
otherwise crash the RPC service again (and reinfect a cleaned machine) while
you work; it does not remove an infection that is already present. This may
also work with other firewalls, although this has not been confirmed.
Open the Network Connections panel, either via the Control Panel (click Start,
point to Settings, click Control Panel, click Network and Internet Connections,
and then click Network Connections) or by right-clicking "My Network Places"
and selecting Properties. Click the Dial-up, LAN or High-Speed Internet
connection that you want to protect, and then, under Network Tasks, click
Change settings of this connection. On the Advanced tab, under Internet
Connection Firewall, select the "Protect my computer and network by limiting
or preventing access to this computer from the Internet" check box.
After this process is complete you have two choices. You can use the automated
clean-up tool provided by Symantec, or clean the MSBlast components out by
hand. If you are unfamiliar with editing the registry, we recommend using
Symantec's tool first. You can download it here.
Remove the Registry Entries
Since MSBlast is launched at system startup via a value in the Registry, you
need to remove this value. If you have used the Symantec clean-up tool, this
step is not necessary. Warning: editing the Registry improperly can disable
your operating system. Before you modify the registry, make sure to back it up
and make sure that you understand how to restore the registry if a problem
occurs. For information about how to back up, restore, and edit the registry,
be sure to read Microsoft Knowledge Base article 256986, Description of the
Microsoft Windows Registry.
- Click Start, then select Run.
- Type Regedit in the dialog box and press Enter.
- Find the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- In the right pane, delete the value:
"windows auto update"="msblast.exe"
- Close the Registry Editor.
- Reboot.
Find and remove any instances of MSblast.exe
Using the Search function within Windows, find every instance of MSBlast.exe
and delete it. Click Start, then select Search and then For Files or Folders.
Search all of your drives for MSBlast.exe and delete any files found. There
should be at least one copy in your %windir%\system32 folder (for example
C:\Windows\system32 on Windows XP or C:\WINNT\system32 on Windows 2000). If
Windows refuses to delete the file because it is in use, the worm process is
still running; go back to the Task Manager step and end it first.
Patch the RPC vulnerability
To prevent reinfection by W32.Blaster.Worm or any as yet undiscovered variants,
you need to close the vulnerability that allowed it to happen. Blaster exploits
the flaw fixed by Microsoft Security Bulletin MS03-026 (Knowledge Base article
823980). That bulletin has since been superseded by MS03-039 (Knowledge Base
article 824146), which fixes the same RPC/DCOM vulnerability together with
additional ones, so installing the MS03-039 patch closes the hole Blaster uses.
The patch can be obtained from Windows Update or installed using Service Pack
Manager. Apply it before taking the machine back onto an unprotected network;
an unpatched system is typically reinfected within minutes.
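The manual steps above (end the process and abort the shutdown, remove the Run value, delete the dropped file, then confirm the patch is present) as one PowerShell script. This is an added example, not part of the original article and not Symantec's or Microsoft's tool; it assumes the file name msblast.exe, the Run value "windows auto update" and the hotfix IDs KB823980 and KB824146 given on this page, and it must be run from an elevated (Administrator) PowerShell session on the infected machine. A stock Windows XP or 2000 installation has no PowerShell, so on those systems the manual steps are the procedure; the script is for administrators cleaning up with a later toolset.

```powershell
# Added example: clean up W32.Blaster by hand in one pass and report what was done.
# Assumptions (from the article): file name, Run value name and hotfix IDs below.
$WormFile = 'msblast.exe'
$RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue = 'windows auto update'
$Hotfixes = @('KB823980', 'KB824146')   # MS03-026 and the superseding MS03-039

function Remove-Blaster {
    # The article's first step: everything below needs Administrator rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell session.'
    }

    $report = [ordered]@{}

    # 1. Stop the running worm so it cannot scan or trigger another RPC crash,
    #    then cancel any shutdown countdown that is already running.
    $procName = [IO.Path]::GetFileNameWithoutExtension($WormFile)
    $procs = @(Get-Process -Name $procName -ErrorAction SilentlyContinue)
    if ($procs.Count -gt 0) { $procs | Stop-Process -Force }
    $report.ProcessesKilled = $procs.Count
    & shutdown.exe -a 2>$null | Out-Null      # harmless no-op if no shutdown is pending

    # 2. Remove the persistence value the worm adds under the Run key.
    $existing = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    if ($existing) { Remove-ItemProperty -Path $RunKey -Name $RunValue }
    $report.RunValueRemoved = [bool]$existing

    # 3. Delete every copy of the dropped file on all drive letters. The known
    #    location is %windir%\system32; the process must be dead first or the
    #    delete fails with "file in use".
    $roots  = Get-PSDrive -PSProvider FileSystem |
              Where-Object { $_.Root -match '^[A-Z]:\\$' } |
              ForEach-Object { $_.Root }
    $copies = @(Get-ChildItem -Path $roots -Filter $WormFile -Recurse -Force -File -ErrorAction SilentlyContinue)
    $copies | Remove-Item -Force -ErrorAction SilentlyContinue
    $report.FilesDeleted = @($copies | ForEach-Object { $_.FullName })

    # 4. Reinfection check: is either of the RPC/DCOM hotfixes listed as installed?
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
                   Where-Object { $Hotfixes -contains $_.HotFixID })
    $report.PatchSeen = $installed.Count -gt 0
    if ($installed.Count -eq 0) {
        $report.Warning = "Neither $($Hotfixes -join ' nor ') is listed; install MS03-039 before reconnecting to the network."
    }

    [pscustomobject]$report
}

Remove-Blaster | Format-List
```

Two caveats a practitioner should keep in mind. Get-HotFix only lists discrete hotfixes, so a machine that received the fix inside a service pack or rollup can show PatchSeen as false; treat that as "verify another way", not as proof the system is unpatched. And the script does not touch System Restore: the earlier step of turning it off (which purges the restore points) is still required, otherwise a copy of the worm preserved in a restore point can come back.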
Update your virus definitions!
You should also take this opportunity to update your virus definitions and run
a full scan, in order to detect any remnants of the worm that you may have
missed.
Consider upgrading your firewall
While XP's Internet Connection Firewall is acceptable at a minimum level, you
may want to consider upgrading to something a little more robust. We recommend
ZoneAlarm Pro or BlackICE for most users.
Additional Information:
If you are looking for more information on how viruses, worms, Trojans and
other forms of malicious software work, and how to prevent further outbreaks,
please read our Virus and Malware Primer for Administrators.