Hi Connie,
While this does explain some of the behavior of the worm it does not assist
in removing it. I have posted below the steps that we are currently
recommending for removal of the worm. While this does remove the immediate
problem I think it also bears stating that once infected with a worm,
trojan or virus, even if it is removed; Microsoft recomends that you save
your important data and then format and reinstall the operating system.
Once a machine has been infected there is no reliable way to ensure that it
can ever be trusted or that another "back door" program was not delivered
with the offending program.
1. Remove the infected computer from the network and reboot into Safe Mode.
2. Locate the files below, plus the Value "windows auto update" under the
Run registry key and deleted them all:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSBLAST.EXE under the "C:\Windows\system32" folder
MSBLAST.EXE-1c3a3376.PIF under the "C:\Windows\prefetch" folder
2a. If you are running Windows XP (any version) it is also recommended that
the Internet Connection Firewall be enabled to prevent re-infection when
connecting to the internet.
3.Contact your Antivirus provider for assistance in using any removal tools
they are providing or you can use one that Symantec is providing.
Symantec's Removal tool
<
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.re
moval.tool.html>.
4. If the OS continues to shut down when trying to connect to
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp, with the
dialog box stating the OS will be shutting down in 30 seconds.
Set the RPC Service to "Take No Action" and reboot, this should allow you
to download the patch and install it.
--
Curtis Koenig
Support Professional
Microsoft Clustering Technologies Support
MCSA, MCSAS,MCSE, MCSES
This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit. Thanks!
--------------------
