blaster worm

Glen Lillquist

I'm surprised that there hasn't been a lot of queries regarding this worm. The
MSN site is loaded with requests on how to remove it etc., but there are no
replies...
I think I'm rid of it, but not sure. Is there a way to find out if the worm
is still squirming? Thx Glen
 
How to beat the webworm

Step-by-step guide to removing the MS Blast worm from your PC

Jack Schofield

Thursday August 14, 2003

http://www.guardian.co.uk/online/news/0,12597,1018722,00.html

"This system is being shut down in 60 seconds by NT Authority/System due to
an interrupted Remote Procedure Call (RPC)," says your PC.

Congratulations: you have picked up the latest worm on the net, commonly
known as MS Blast, Blaster, or LovSan. (We don't know who San is, but the
worm's writer says he loves her.) It exploits a long-standing "buffer
overrun" flaw in Microsoft's RPC (Remote Procedure Call) code.

The solution is to go to Microsoft's website and download a patch that was
posted on July 16. Microsoft Security Bulletin MS03-026 has patches for the
seven "new technology" versions of Windows affected, from the antique NT4
via Windows XP to the latest 64-bit server software. All you have to do is
install the update and you're almost done.

The catch, of course, is that your PC may close down or reboot before you
have time to do it. The solution is to go to the Start menu, select Run,
type the command

shutdown -a

in the box and click OK. This aborts the shutdown process. Then you can
download the patch and restart your PC.

There are some more complicated alternatives. One is to get a friend with an
unaffected version of Windows, such as Windows Me, to download the patch to
a floppy disk for you. Another is to disable the RPC feature by turning off
its life support, as described in Microsoft Knowledge Base Article 825750.

Once you have the patch installed, you can remove the worm code. This is a
three-step process.

First, press Ctrl-Alt-Del and click on the button to select the Task
Manager. Look through the list of Processes for msblast.exe and click End
Process to stop it running.

Second, use Windows Explorer to search for a file called msblast.exe and
delete it. It should be in the Windows system directory. In fact, do a
search even if you don't think you have MS Blast.

Third, go back to Start|Run and type regedit in the box to run the Registry
Editor. Go to the HKEY_LOCAL_MACHINE section, open SOFTWARE, and keep going
until you get to the entry for Microsoft|Windows|CurrentVersion|Run|windows
auto update.

Delete that entry.

In this case there are some simpler alternatives. If you use an anti-virus
checker, update the virus signatures and it should be able to find and
remove the worm for you. Or - and perhaps even easier - you could use one of
the special tools that anti-virus companies have made available to delete
the worm.

F-Secure has posted one on its site. (I have F-Secure to thank for the
"shutdown -a" command. I did not know it either. . . .)

Now, how did you get caught by MS Blast? You could have avoided it by
downloading and installing the patch earlier, by using Windows XP's "auto
update" feature to install the patch for you, by updating your anti-virus
program earlier, or by using a firewall that stopped the worm from entering
one of your PC's unguarded internet ports.

If you don't have an anti-virus checker, you can download AVG, free for home
users, from Grisoft. There are also several places where you can run a virus
check online.

Examples include HouseCall and the Symantec Security Check.

If you have Windows XP, turn on its built-in firewall. Or, better still,
download either the free Sygate Personal Firewall or Zone Alarm or something
similar.

The sad thing is that this whole saga has been all too predictable. On July
29, for example, I posted a note to the Onlineblog headed Windows world due
for devastating attack.

What made it inevitable was not the flaw in Windows, which has been around
for ages (Windows NT4 was launched in 1996) but the fact that samples of
"exploit code" became available. If any idiot can use that to write a worm,
it is a safe bet that some idiots will.

But looking on the bright side, perhaps we should be grateful to our
humorous, San-loving author. He has released an "exploit" that will make
sure most people patch their vulnerable versions of Windows - something that
is clearly beyond Microsoft, anti-virus companies and the press - and he
hasn't done anything really nasty to their hard drives.

If you fell victim to MS Blast, consider yourself lucky. A really malicious
worm-writer could have done something much worse.
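An added example, not part of Glen's post or of the Guardian article: a small Python script that checks a machine for the three indicators the article's removal steps target (the msblast.exe process, the msblast.exe file in the Windows system directory, and the "windows auto update" value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). The detection logic works on a snapshot of process names, a directory listing and the Run values, so it can be run against constructed data on any platform; the collector that fills the snapshot from a live host is Windows-only and uses tasklist plus the standard winreg module. The sample snapshots below are constructed, and checking both %SystemRoot% and %SystemRoot%\System32 for the file is my assumption about what the article's "Windows system directory" covers.

```python
"""Check a host for the MS Blast indicators listed in the article.

Example code added to this page; it is not the article's or the forum's own.
"""
import os
import sys
from dataclasses import dataclass

# Indicators taken directly from the article's three removal steps.
WORM_PROCESS = "msblast.exe"
WORM_FILE = "msblast.exe"
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "windows auto update"


@dataclass
class HostSnapshot:
    """Everything the check needs: running process image names, file names
    found in the system directories, and name -> data pairs under the Run key."""
    processes: list
    system_dir_files: list
    run_values: dict


def find_blaster_indicators(snap: HostSnapshot) -> list:
    """Return (indicator, detail) tuples; an empty list means nothing matched.

    Comparisons are case-insensitive because Windows file and process names are.
    """
    hits = []
    if any(p.lower() == WORM_PROCESS for p in snap.processes):
        hits.append(("process", WORM_PROCESS))
    if any(f.lower() == WORM_FILE for f in snap.system_dir_files):
        hits.append(("file", WORM_FILE))
    for name, data in snap.run_values.items():
        # Match either the value name the article says to delete, or any Run
        # value whose data launches the worm binary.
        if name.lower() == RUN_VALUE_NAME or WORM_FILE in str(data).lower():
            hits.append(("registry", f"{name} = {data}"))
    return hits


def collect_windows_snapshot() -> HostSnapshot:
    """Gather the live data on a Windows host (Windows only; standard library
    plus the built-in tasklist command)."""
    import subprocess
    import winreg  # only importable on Windows

    # "tasklist /fo csv /nh" prints one CSV row per process, image name first.
    out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                         capture_output=True, text=True, check=True).stdout
    processes = [row.split('","')[0].strip('"') for row in out.splitlines() if row.strip()]

    # Assumption: look in both %SystemRoot% and %SystemRoot%\System32.
    root = os.environ.get("SystemRoot", r"C:\Windows")
    files = []
    for d in (root, os.path.join(root, "System32")):
        if os.path.isdir(d):
            files.extend(os.listdir(d))

    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # raised when there are no more values
                break
            run_values[name] = data
            i += 1
    return HostSnapshot(processes, files, run_values)


# Constructed sample data, not captured from a real machine.
SAMPLE_CLEAN = HostSnapshot(
    processes=["explorer.exe", "svchost.exe"],
    system_dir_files=["kernel32.dll", "notepad.exe"],
    run_values={"ctfmon": "ctfmon.exe"},
)
SAMPLE_INFECTED = HostSnapshot(
    processes=["explorer.exe", "MSBLAST.EXE"],
    system_dir_files=["kernel32.dll", "msblast.exe"],
    run_values={"windows auto update": "msblast.exe"},
)


if __name__ == "__main__":
    # On Windows inspect the live host; elsewhere demonstrate on the samples.
    if sys.platform == "win32":
        snap = collect_windows_snapshot()
    else:
        snap = SAMPLE_INFECTED
    hits = find_blaster_indicators(snap)
    if hits:
        for kind, detail in hits:
            print(f"FOUND {kind}: {detail}")
    else:
        print("No MS Blast indicators found")
```

Run it as Administrator on the suspect machine; an empty result only means the three indicators the article names are gone, so apply the MS03-026 patch regardless, since an unpatched box is simply reinfected the next time a scan reaches it.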
 