Troubleshooting Tweaks - How to remove the W32-Blaster Worm

W32.Blaster.Worm is a worm which exploits the DCOM RPC vulnerability in Windows NT based operating systems (Windows NT, Windows 2000, Windows XP, and Windows Server 2003) The worm does not require user interaction to infect new systems, it simply scans the network from a host system and looks for machines that have not been patched. If a vulnerable system is found, the worm installs the file MSblast.exe into the %windir%/system32 directory using TCP port 135.

Users with infected systems may receive frequent notices from the NT Authority that the RPC service has terminated unexpectedly and is shutting down", followed by a countdown timer that shuts down the affected system. Most AntiVirus programs can not effectively clean infected systems without the use of additional tools. This worm is also known as Win32.Poza [CA], Lovsan [F-Secure], W32/Lovsan.worm [McAfee], W32/Blaster [Panda], W32/Blaster-A [Sophos], WORM_MSBLAST.A [Trend].

Log in as Administrator
To be able to access all of the functions necessary to disable MSBlast, you must be logged in to the computer with an account that has Administrator privileges.

Kill the MSBlast.exe Process
To prevent Mblaster from shutting down your system before you get a chance to apply these fixes, you must stop the running Mblast.exe file via the task manager.

  • Press CTRL-ALT-DEL, and choose task manager tab.
  • Select the Processes tab, Double-click the Image Name column header to alphabetically sort the processes.
  • Find and select the "MSblast.exe" process from the list, then click the End Process button in the bottom right hand corner of the task manager pane.
  • If the "RPC service has terminated unexpectedly " pop window appears, simply click Start then Run and type in "shutdown /a" (without the qoutes)
Stop the System Restore Process in Windows XP  
In order to run any automated tools, or remove the MSBlast.exe file, you need to disable the System Restore function. You can stop this process by:
  • Right click the My Computer icon, and select Properties
  • Click on the System Restore Tab menu.
  • Select the box that says "Turn off System Restore on all drives" (see the screenshot to the right)
  • Click Apply



Enable the Firewall on your Internet connection
Because of the way the MBlast worm works, user may experience difficulties when attempting to connect to the Internet in order to obtain the patch, update antivirus definitions, or download removal tool before the worm shuts down the computer. It has been reported that activating the Windows XP Internet Connection Firewall may allow affected users to download and install the tolls required to clean their systems. This may also work with other firewalls, although this has not been confirmed.

Open Network Connections panel, either via the Control Panel, (click Start, point to Settings, click Control Panel, click Network and Internet Connections, and then click Network Connections) or by Right clicking "My Network Places" and selecting Properties. Click the Dial-up, LAN or High-Speed Internet connection that you want to protect, and then, under Network Tasks, click Change settings of this connection. On the Advanced tab, under Internet Connection Firewall, select the Protect my computer and network by limiting or preventing access to this computer from the Internet check box.

After this process is complete you have 2 choices. You can use the automated clean up tool provided by Symantec, or clean the Mblaster components out by hand. If you are unfamiliar with editing the registry, we recommend using Symantec's tool first. You can download it here.

Remove the Registry Entries
Since Mblast is launched at system startup via a key in the Registry, you'll need to remove this key. If you've used the Symantec clean up tool, this step is not necessary. Warning: Editing the Registry improperly can disable your operating system. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, be sure to read Microsoft Knowledge Base Article 256986 - Description of the Microsoft Windows Registry.

  • Click Start then select Run
  • Type in Regedit in the dialog box.
  • Find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • In the right pane, delete the value: "windows auto update"="msblast.exe"
  • Close the Registry Editor
  • Reboot

Find and remove any instances of MSblast.exe
Using the Search functions within Windows, find any instance of MBlast.exe and delete them. Click Start, then select Search and Find files or Folders. Search all of your drives for the MSBlast.exe, and delete any found files.There should be at least one file in your Windows/system32 folder.

Patch the RPC vulnerability
To prevent reinfection by the W32.Blaster.Worm or any undiscovered variants, you need to close the vulnerability that allowed it to happen. The patch for this vulnerability is 1261Kb and can be downloaded from the following locations based on your operating system:

You can also run Windows Update, and use this opportunity to install all of the critical updates available from Microsoft.

Update your virus definitions!
You should also take this opportunity to update your virus definitions in order to detect any remnants of the worm that you may have missed.

Consider upgrading your firewall
While XP's Internet Connection Firewall is "acceptable" on a minimum level, you may want to consider upgrading your firewall to something a little more robust. We recommend ZoneAlarm Pro, BlackICE or Sygate for most users.

Additional Information:
If you're looking for additional information on how Viruses, Worms, Trojans, and other forms of malicious software works, and how to prevent further outbreaks, please read our Virus and Malware Primer for Administrators.



Lex van der Horst

Date Added:


Last Reviewed: