W32.Blaster.Worm is a worm which exploits the DCOM RPC vulnerability in Windows NT based operating systems (Windows NT, Windows 2000, Windows XP, and Windows Server 2003). The worm does not require user interaction to infect new systems; it simply scans the network from a host system and looks for machines that have not been patched. If a vulnerable system is found, the worm installs the file MSblast.exe into the %windir%\system32 directory using TCP port 135.
Users with infected systems may receive frequent notices from the NT Authority that "the RPC service has terminated unexpectedly and is shutting down", followed by a countdown timer that shuts down the affected system. Most antivirus programs cannot effectively clean infected systems without the use of additional tools. This worm is also known as Win32.Poza [CA], Lovsan [F-Secure], W32/Lovsan.worm [McAfee], W32/Blaster [Panda], W32/Blaster-A [Sophos], and WORM_MSBLAST.A [Trend].
Log in as Administrator
To be able to access all of the functions necessary to disable MSBlast, you must be logged in to the computer with an account that has Administrator privileges.
Kill the MSBlast.exe Process
To prevent MSBlast from shutting down your system before you get a chance to apply these fixes, you must stop the running MSBlast.exe process via the Task Manager.
- Press CTRL-ALT-DEL, and choose Task Manager.
- Select the Processes tab, then double-click the Image Name column header to sort the processes alphabetically.
- Find and select the "MSblast.exe" process from the list, then click the End Process button in the bottom right hand corner of the Task Manager pane.
- If the "RPC service has terminated unexpectedly" pop-up window appears, simply click Start, then Run, and type in "shutdown /a" (without the quotes) to abort the pending shutdown.
Stop the System Restore Process in Windows XP
In order to run any automated tools, or remove the MSBlast.exe file, you need to disable the System Restore function. You can stop this process by:
- Right-click the My Computer icon, and select Properties.
- Click on the System Restore tab.
- Select the box that says "Turn off System Restore on all drives" (see the screenshot to the right).
- Click Apply.
Enable the Firewall on your Internet connection
Because of the way the MSBlast worm works, users may experience difficulties when attempting to connect to the Internet in order to obtain the patch, update antivirus definitions, or download the removal tool before the worm shuts down the computer. It has been reported that activating the Windows XP Internet Connection Firewall may allow affected users to download and install the tools required to clean their systems. This may also work with other firewalls, although this has not been confirmed.
Open the Network Connections panel, either via the Control Panel (click Start, point to Settings, click Control Panel, click Network and Internet Connections, and then click Network Connections) or by right-clicking "My Network Places" and selecting Properties. Click the Dial-up, LAN or High-Speed Internet connection that you want to protect, and then, under Network Tasks, click Change settings of this connection. On the Advanced tab, under Internet Connection Firewall, select the Protect my computer and network by limiting or preventing access to this computer from the Internet check box.
After this process is complete you have two choices. You can use the automated clean up tool provided by Symantec, or clean the MSBlast components out by hand. If you are unfamiliar with editing the registry, we recommend using Symantec's tool first. You can download it here.
Remove the Registry Entries
Since MSBlast is launched at system startup via a value in the Registry's Run key, you'll need to remove that value. If you've used the Symantec clean up tool, this step is not necessary.
Warning: Editing the Registry improperly can disable
your operating system. Before you modify the registry, make sure to
back it up and make sure that you understand how to restore the
registry if a problem occurs. For information about how to back up,
restore, and edit the registry, be sure to read Microsoft Knowledge Base Article 256986 - Description of
the Microsoft Windows Registry.
- Click Start, then select Run.
- Type in Regedit in the dialog box.
- Find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- In the right pane, delete the value: "windows auto update"="msblast.exe"
- Close the Registry Editor.
- Reboot.
Find and remove any instances of MSblast.exe
Using the Search functions within Windows, find any instance of MSBlast.exe and delete them. Click Start, then select Search and Find Files or Folders. Search all of your drives for MSBlast.exe, and delete any found files. There should be at least one file in your Windows\system32 folder.
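The three manual cleanup steps above (ending the MSBlast.exe process, deleting the Run-key value, and searching every drive for the dropped file) collected into one script, as an added example that is not part of the original article. It only reports what it finds unless run with the -Remediate switch; the key path, value name and file name come from the article, while the script structure and the -Remediate switch are assumptions of this example. Save it as a .ps1 file and run it from an elevated prompt, since the article requires Administrator privileges.

```powershell
# Added example, not from the original article: check for (and optionally
# remove) the MSBlast artefacts the manual steps describe.
param([switch]$Remediate)   # without -Remediate the script only reports

$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'windows auto update'          # value name used by the worm
$exeName  = 'msblast.exe'
$sys32    = Join-Path $env:windir 'system32'

# 1. Running process (the article's "End Process" step).
$procs = Get-Process -Name 'msblast' -ErrorAction SilentlyContinue
if ($procs) {
    Write-Host "Found running process, PID(s): $($procs.Id -join ', ')"
    if ($Remediate) {
        $procs | Stop-Process -Force
        # Abort any shutdown countdown started by the crashed RPC service
        # (same effect as the article's "shutdown /a").
        & "$sys32\shutdown.exe" /a 2>$null
    }
}

# 2. Autostart value in the Run key (the article's Regedit step).
$prop = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($prop -and $prop.$runValue -match 'msblast') {
    Write-Host "Found Run value '$runValue' = '$($prop.$runValue)'"
    if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $runValue }
}

# 3. Dropped file on every fixed drive (the article's Search step);
#    %windir%\system32 is covered because it lives on one of these drives.
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
foreach ($d in $drives) {
    Get-ChildItem -Path $d.Root -Filter $exeName -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Write-Host "Found file: $($_.FullName)"
            if ($Remediate) { Remove-Item -LiteralPath $_.FullName -Force }
        }
}
```

Run it once without -Remediate to see what is present, then again with -Remediate and reboot as the article instructs.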
Patch the RPC vulnerability
To prevent reinfection by the W32.Blaster.Worm or any undiscovered variants, you need to close the vulnerability that allowed it to happen. The patch for this vulnerability is 1261 KB and can be downloaded from the following locations based on your operating system:
You can also run Windows Update, and use this opportunity to
install all of the critical updates available from Microsoft.
Update your virus definitions!
You should also take this opportunity to update your virus definitions in order to detect any remnants of the worm that you may have missed.
Consider upgrading your firewall
While XP's Internet Connection Firewall is "acceptable" on a minimum level, you may want to consider upgrading your firewall to something a little more robust. We recommend ZoneAlarm Pro, BlackICE or Sygate for most users.
Additional Information: If you're looking for additional information on how viruses, worms, Trojans, and other forms of malicious software work, and how to prevent further outbreaks, please read our Virus and Malware Primer for Administrators.