Infection
The worm exploits the widely publicised DCOM RPC vulnerability (Microsoft security bulletin MS03-026) found in several versions of Microsoft Windows. While the vulnerability affects Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003, the worm only infects Windows 2000 and XP.
The exploit has to be tailored to the target operating system, and the worm has to guess which one it is attacking, so there have been numerous confirmed reports of the worm "crashing" systems. This happens when the worm uses the Windows 2000 exploitation technique on an XP machine and vice versa: the attack corrupts the RPC service (hosted in svchost.exe) instead of taking it over, and Windows reacts to the failed service by starting a shutdown countdown and restarting the machine. The worm uses the Windows XP method 80 percent of the time, and the remaining attempts are directed at Windows 2000, so an unpatched machine can be rebooted repeatedly by attacks that never actually infect it.
It is worth noting that an updated version of the worm could target the other affected operating systems, so it is recommended that all systems are patched against the DCOM vulnerability, whether or not they appear to be infected.
Detection
The worm is easy for users to detect.
Pressing Control-Alt-Delete, then clicking on "Task Manager" and selecting the "Processes" tab will bring up a list of processes running on the machine. Clicking on "Image Name" will sort the processes alphabetically. If there is a process named "msblast.exe" running on the system, then it has been infected by the worm. The reverse does not hold: a machine that keeps losing its RPC service, or shows "svchost.exe has generated errors", but has no msblast.exe process may be under attack without having been infected, may have been hit by a variant that uses a different file name, or may be carrying a different worm that exploits the same vulnerability, so the patch described below is still needed.
Clean up
The worm is relatively easy to clean up after detection.
Step one is to patch the infected system against the vulnerability that allowed the worm to "get in" in the first place; otherwise a cleaned machine will simply be reinfected as soon as it is back on the network. This process requires the user of the computer to have administrator-level access to the system.
Once the user is logged in again with administrator rights, load Internet Explorer and direct the browser to windowsupdate.microsoft.com. The user will be prompted by some pop-up windows and directed through a fairly easy to understand and intuitive process. If the machine keeps restarting before the download finishes (the incoming attacks on the RPC service are what trigger the restarts), take it off the network, or block inbound connections to TCP port 135 with a firewall, and apply the patch from removable media downloaded on a clean machine.
The next step is to reboot the system.
After the system has rebooted it will be necessary to delete the worm's executable file, msblast.exe. However, its process must be stopped before it can be deleted.
Once the user logs back in with administrator rights, they should load up the "Task manager" again as described above. Click on the "Image Name" field under the "Processes" tab and click once on the "msblast.exe" process. Press "End Process" to stop it from running.
The worm's executable file will be found in the system32 directory, which is a subdirectory of the Windows directory: by default "winnt" on Windows 2000 machines and "windows" on Windows XP installations (the %SystemRoot% environment variable points at it in either case).
Use Windows Explorer to navigate to the system32 directory, locate the msblast.exe file and delete it. If Windows refuses with "Access Denied", the process is still running; end it in Task Manager and try again. Reboot your system. Done!
The final step, removing the registry value created by the worm, is optional. It isn't really that important: the value simply causes the worm to start every time the system is rebooted, and once the worm file itself is deleted it points at nothing. Removing it is still worth doing, since it stops Windows from trying to launch a missing file at every logon and makes any later reinfection easier to spot.
This is done manually by using the registry editor. It is important to note that making incorrect changes to the registry can have catastrophic consequences.
Load the registry editor by clicking on the Start button, selecting "Run..." and typing "regedit". Run regedit and navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
In the right-hand pane of the registry editor, the following value will be found:
"windows auto update"="msblast.exe"
Delete it.
Reboot. Done!
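As an added example (this is not code from the ZDNet guide, nor a Microsoft or vendor tool), here are the detection check and the clean-up steps above as one PowerShell script for an administrator session. It assumes PowerShell 2.0 or later, which is newer than the systems this guide was written for, and that Get-HotFix reports the MS03-026 hotfix as KB823980 once the patch is installed; the process name, file path and registry value are the ones the guide gives.

```powershell
# Added example, not part of the ZDNet guide and not Microsoft's or any
# vendor's tool: the detection and clean-up steps of the guide as a script.
# Assumptions: PowerShell 2.0 or later in an elevated (administrator)
# session, and that Get-HotFix lists the MS03-026 hotfix as KB823980 once
# the patch is applied. The indicators themselves (process name, file path,
# Run value) are the ones the guide gives.

$ProcessName = 'msblast'
$WormFile    = Join-Path $env:SystemRoot 'system32\msblast.exe'   # winnt\ on 2000, windows\ on XP
$RunKey      = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue    = 'windows auto update'
$HotFixId    = 'KB823980'   # assumed hotfix ID for MS03-026

function Get-BlasterIndicators {
    # Read-only check of every indicator the guide names, plus patch state.
    $proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    $prop = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    $fix  = Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        ProcessRunning = [bool]$proc
        FilePresent    = Test-Path -LiteralPath $WormFile
        RunValue       = $(if ($prop) { $prop.$RunValue } else { $null })   # "msblast.exe" when infected
        PatchInstalled = [bool]$fix
    }
}

function Remove-Blaster {
    # Stops the process, deletes the file and removes the Run value, in that
    # order, then re-reads the indicators so the caller can confirm the result.
    param([switch]$Force)   # -Force: clean even though the hotfix is not detected
    $state = Get-BlasterIndicators

    if (-not $state.PatchInstalled -and -not $Force) {
        Write-Warning "$HotFixId not found: patch first (or take the machine off the network), or it will be reinfected. Use -Force to clean anyway."
        return $state
    }

    # If the worm has just crashed the RPC service, Windows is counting down
    # to a restart; abort it (the equivalent of typing "shutdown -a") first.
    Start-Process -FilePath 'shutdown.exe' -ArgumentList '-a' -Wait -WindowStyle Hidden

    if ($state.ProcessRunning) {
        Stop-Process -Name $ProcessName -Force -ErrorAction SilentlyContinue
        Start-Sleep -Seconds 1    # let the process release the file before deleting it
    }
    if ($state.FilePresent) {
        # -Force also deletes the file if it carries the read-only attribute.
        Remove-Item -LiteralPath $WormFile -Force -ErrorAction SilentlyContinue
    }
    if ($state.RunValue) {
        Remove-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    }

    Get-BlasterIndicators
}

# Usage (as administrator):
#   Get-BlasterIndicators | Format-List
#   Remove-Blaster | Format-List        # then reboot, as the guide says
```

The script refuses to clean until it sees the hotfix, which mirrors the guide's "patch first" ordering; the -Force switch is for a machine that has already been taken off the network and will be patched from removable media. Every indicator is re-read after removal, so a FilePresent or ProcessRunning value that is still true means the worm came back (or was never stopped) and the patch state should be checked again.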
ZDNet Australia wishes to thank Hamish O'Dea and Jakub Kaminski from Computer Associates, Paul Ducklin from Sophos, and Grant Slender from Internet Security Systems for their assistance in preparing this guide.
Talkback
This is not true, as the MSBlast virus has also infected Windows 98 machines. In fact it has infected every computer on the campus network at the University of Leeds. The latest DAT file (4284.dat) from McAfee does not work. As soon as a clean computer connects to the network, it becomes contaminated with the virus. I hope I do not lose any of my research :(
Deleting the msblast.exe file from the System32 folder was not all that easy. After I got the patch from Microsoft (which rendered the worm ineffective) I went to the folder and when I tried to delete it I was told Access Denied. I also did as you suggested with the Processes tab and MSBlast was not there.
I had noted that Norton had found the virus when I rebooted after downloading all the security updates from MS and had quarantined it.
After trying to manually delete the file a second and third time the idea struck me that I should turn off Norton.
Bingo! Problem solved! Apparently, because Norton had quarantined the file, I am assuming that for whatever reason my XP system "saw" that the file was still in use or active.
After I shut Norton down I did a system search for msblast and found nothing. It was gone.
I then went to the Registry and deleted the line as per your instructions.
I rebooted and did one final search for MSBlast and again found nothing. It is finally gone.
I reactivated Norton and I am now good to go. Hope this helps.
Your system should be fine if you disconnect from your campus network, start your computer in 'safe' or 'diagnostic' mode, and then install the Microsoft patch from a CD. Just in case you don't know how to start in this mode: click Start, Run, and type "msconfig" into the box. Next select the 'General' tab and select the proper startup option under Startup Options. Sometimes this must be done quickly because the worm will shut down your system if you take too long. The patch that worked for me was called "WindowsXP-KB823980-x86-ENU.exe". A Google search on this should bring up the applicable download site at microsoft.com, so download it on an uninfected PC, copy it to portable storage media, and if all goes well you'll be just fine.
Has anyone ever looked at how many patches are being posted to fix bugs, and then to fix bugs in the patches?
Microsoft is known for releasing fixes that break more things than they fix. NT 4.0 is a perfect example of SPs gone bad. SP3 OK, SP4, SP5 bad. SP6, SP6 OK.
Now in the age of Win2K, XP, Win3K, updating your OS on a daily / weekly basis is considered the norm.
Anyone who has lived the Microsoft adventure knows that patching your online servers with all of the patches, and the patches that fix the patches, is a crap shoot. Most live with the concept that it works now, screw the patches.
Non-Microsoft firewalls appear to be the only safe guard to protect yourself from Microsoft.
For the dial-up users, how does Microsoft expect these individuals to download upwards of 78MB of patches & upgrades to protect their systems? It's not going to happen.
We recently acquired a new HP PC loaded with XP. Over 60MB of updates were required to bring a new "system" to the current patch level.
Microsoft should be required to mail all registered users monthly CD's with all necessary updates to fix screwups in the Microsoft O/S.
Only positive note is that Microsoft has created an entire sector in business who protect users from Microsoft (virus, firewalls, etc.)
Unix is the only way.
Duncan
Dear guy,
Your solution is not very smart! You recommend downloading the Windows update. The problem is that I simply do not have the time to do this, since in the middle of the download I get a system restart because of the virus!!!!!!!!!!!!!!!!!
I can never finish the download.
What can I do???
Hi, I have been infected by this worm, and I have XP. As you have stated, I was one of the 20% where XP crashes every 60 seconds, so I was racing the clock at first until I realised there was no need. I just installed a firewall found on a magazine cover disc and denied the worm access to and from my PC. This seems to have stopped the crashes and makes removing the worm easier. Just thought this approach may be useful to someone else.
It has also affected Windows ME too.
PG,
I hadn't bothered to check the numerous helpful sites on this lit'l bastard msblast.exe. But I seem to recall Dan Rather talking about it... but I digress.
My Win2k system was hopelessly compromised, so I re-formatted and reinstalled Win2k. The virus re-appeared! Still working on the source of the re-infection. My RedHat system is squeaky clean, BTW.
Norton's AV could not delete or quarantine the file. My brute force method was to boot with a Windows 98 disk. Since my partition is FAT32, I manually deleted the file from c:\winnt\system32. Regedit for the rest of the clean up.
Safe mode boot was not helpful on the new build, as the system seemed to lock up.
It's always a good idea to check HKLM\Software\Microsoft\Windows\Run for ANY service(s) left over from an install (and subsequent removal) of a program.
Thanks ZDNet!
Very helpful article and very precise. One comment: I use the internet via dial-up and such a download takes quite a while. While you may have just started downloading the patch, the worm strikes again and you end up getting booted out.
Here is a solution. I had a free trial of some firewall software; I fired it up and connected to the internet. msblast.exe was detected by the firewall software and I disabled msblast.exe from sending any info in or out. Now the download is going on fine. I will complete the download and try and follow these instructions.
This was very useful. Thanks for the same.
The solution offered did not work, at least in my case. The better way to handle this, once infected: reboot the machine, go to Services and right-click on Remote Procedure Call, go to Properties and then select the Recovery tab. Select Take No Action on first, second and subsequent crashes. This will prevent the computer from crashing.
Go to windows update, download and install the latest update. Then follow the steps outlined in your article to clean the instance of virus in the computer.
Happy antivirusing !!
You can also set your clock back a few hours after boot, this will give you time to download and apply the patch
Hi,
I'm trying to clean up the MSBlast worm from my computer. But, I'm unable to logon to the following web-site as suggested : http://windowsupdate.microsoft.com/
I did delete the file MSBlast.exe from the Registry. But, I'm unable to do an "End Process" from Task Manager.
so, can you plz advise as to how I can clean-up this worm ? Any help in this regard is greatly appreciated and admired. Thanx,
Madhu
309-287-3612
Monday, 7 pm.
No football on TV, nothing to do, so off to the Internet we go. Suddenly, an attack! Every time we tried to go online, our computer would shut down and reboot. We had no idea why, so we called our ISP. They informed us about the msblaster worm and advised us to contact our PC's manufacturer for instructions on how to remove it.
Tuesday, 1:00 am.
Two hours on hold with Compaq "support". I give up! But we have Tuesday off, so we'll get up bright and early and have this thing fixed in time to enjoy the day.
HAH!!! US$30 and six more hours of Yanni hold music later (interspersed with a dozen random disconnections) and a poor frazzled Tech suggested several options, none of which worked. My tension headache was approaching meltdown status.
Tuesday, 10:00 pm.
Grabbed a 3½" floppy, got in the car, drove to work. Fired up the It's-not-as-decrepit-as-I-thought Win95 machine at my desk and downloaded the patch. Went home, installed it, and cursed Yanni again.
Wednesday, 12 Noon.
Decided, during my lunch break, to do some research on how to squish that worm. And there, on ZDNet, beautifully simple instructions!
Now, if ZDNet could only show me how to get my $30 back... and help me get that Yanni music out of my head!
I seem to have that msblast worm but I don't see msblast.exe in my Task Manager! Some strange things happen to my PC!!! I'm not sure if it is a worm, but the RPC in my Services always automatically stops when I'm online and sometimes even when I'm not using the internet!
If you guys need time to stop it from restarting: go to Control Panel, then Administrative Tools, then click Services. In the window that pops up, scroll down till you find Remote Procedure Call (RPC). Right-click that and click Properties. Under the Recovery tab, there will be a pull-down menu that says First Failure; change it from Restart to Take No Action. This will stop your computer from restarting, giving you time to delete the virus.
Hats off to Zonealarm!
Just want to say that my (free) version of zonealarm is doing a valiant job of repelling the repeated blaster attacks. At the moment we are getting one every three seconds. You can almost hear the 'thunk' as it bounces off!
What order is best? Um I used
Firewall (updated))
Then Patch
Then antivirus (updated)
But maybe it's because I didn't get the shutdown problems. Have said byebye to my network though. Possibly permanently.
If you get the box that says you have a minute before it shuts down, you can go to the command prompt and type shutdown -a and the box will go away, and then you can simply go to Task Manager and delete msblast. To get to the command prompt you go to Start, Run, and type command or cmd and the black box will come up. Enjoy.
First of All use LINUX!!
second: check how many times you have to reboot your system to have simple thing done...
third: USE LINUX
Hey guys!
If anyone is still having problems with the computer rebooting due to the virus, go to Start, Run, type in "COMMAND" and you then will get a DOS prompt. Type "shutdown -a"; this will abort your shutdown. MsBlast.exe is also a write-protected file, so that's why it might not let you delete it. Just right-click, go to Properties and remove the read-only attribute. Another helpful hint: go to http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp and download the appropriate patch for 2k or XP; they are relatively small, enough to fit on a floppy. Good luck guys
I've tried Gray's solution and the CMD one and the Remote Procedure Call property changing one, but now I can't change the Remote Procedure Call properties back, nor can I even get to the Remote Procedure Call's properties, as it just won't open when I click Properties....
I also don't know what patch to download from windowsupdate.com, nor can I access windowsupdate.com. Can someone help me?
My WIN2K system has been infected with the Blaster worm, but I don't see the msblast.exe or mblast.exe in my Task Manager. There are strange things happening. I ran the FixBlast tool from Symantec but I get the message "W32.Blaster.Worm has not been found on your computer". When I'm surfing this message keeps irritating me: "svchost.exe has generated errors & will be closed by Windows.." When I open FrontPage: "Frontpg.exe has generated errors & will be closed down.." My copy/paste options get disabled. I can't even open a new browser window. What do I do now?
I was recently infected with the MSBlast worm.
Since I had the ZoneAlarm firewall, it asked me if I wanted to let this worm access the internet. I said no. Then I ran my Norton AntiVirus, which detected the worm but could not remove it. Fortunately Norton had a program, I forget what it's called, which I downloaded from their website and with which I was able to remove the worm and then install the patch.
Seems to have worked for me.
Norton Internet Security firewall stops the worm in its tracks!
I'm running 98SE w/ Internet Security. Internet Security blocks unused ports, and I watched the worm repeatedly try the blocked ports only to fail every time. I come to the conclusion that any personal firewall that closes off unused ports keeps your windows PC from getting msblast.
Good Luck
Possible that there exists more than one variety of msblast? As in lookalikes that have been produced after the introduction of the first?
On the 10th I was infected by msblast, supposedly before Microsoft began investigating the problem. ... On this occurrence I managed merely to remove it via the Recovery Console. (I wasn't aware of the means of distribution, as there wasn't documentation of the virus that I saw on Norton's site as of yet, so of course I left my system at bay, having the needed ports for infection open.) Surprisingly, my system was kept clean the next two days, after which .... Access violation, SVCHOST, shi.... Looked in Task Manager, no occurrence of msblast; looked in the system folder, and, of course, there it was again... (potentially not the same as last time, given I didn't think to run a file check).
Alright, so this time I downloaded Norton's FixBlast utility, launched it, let it scan, and it reported msblast removed. Rebooted my machine and figured that I could finally get back to work on a project in Visual Studio when "Access violation in SVCHOST"... Rebooted again, did nothing, and the same occurred yet again, followed by a blue screen of death. The only config alteration that msblast is supposed to make is a reg alteration to start itself, right? So... Does this appear that my system has been tampered with by someone after the infection? Or... Has anyone else encountered this problem? Want to know before I take the effort to format & reinstall a load of SDKs.
Having same problem as Ryan S.
"svchost.exe has generated errors & will be closed by Windows.."
IE does not work
Setting up new internet connection does not work.
Dragging files and folders doesn't work.
Add/Remove Programs doesn't work.
Find files and folders doesn't work.
Computer takes a long time to boot.
Anyone know a solution. Getting close to a re-format of my friends computer.
Luckily my firewall saved me.
None of the current tools detect or repair the worm.
Hi everybody! I was hit by the MSBlast worm and I just did what I was told on the Symantec site, and it seems that it went away. Here it is:
1. Restoring Internet connectivity
In many cases, on both Windows 2000 and XP, changing the settings for the Remote Procedure Call (RPC) service may allow you to connect to the Internet without the computer shutting down. To restore Internet connectivity to your PC, follow these steps:
Click Start > Run. The Run dialog box appears.
Type:
SERVICES.MSC /S
in the open line, and then click OK. The Services window opens.
In the right pane, locate the Remote Procedure Call (RPC) service.
--------------------------------------------------------------------------------
CAUTION: There is also a service named Remote Procedure Call (RPC) Locator. Do not confuse the two.
--------------------------------------------------------------------------------
Right-click the Remote Procedure Call (RPC) service, and then click Properties.
Click the Recovery tab.
Using the drop-down lists, change First failure, Second failure, and Subsequent failures to "Restart the Service."
Click Apply, and then OK.
--------------------------------------------------------------------------------
CAUTION: Make sure that you change these settings back once you have removed the worm.
--------------------------------------------------------------------------------
2. Ending the Worm process
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for Msblast.exe.
If you find the file, click it, and then click End Process.
Exit the Task Manager.
It might help you too!
P.S. I have Windows XP
I have the same problem as Cheesedog exactly and have found it impossible to do any of the solutions suggested.
I'd love to clear the system of the after-effects of the worm. What's the simplest way, please?
Good luck to all the rest of you who are suffering with this.
Hey everyone, I kinda have a solution on msblast: download a programme called ZoneAlarm from www.zonelabs.com. It's a firewall which will block every programme that connects to the internet once you log onto the net, unless you give access to the programme. Basically, do not give access to any programme which you don't know and you will be safe. There is also a free version of ZoneAlarm and it's a really useful piece of software to get.. from Uves...C
I hope this has helped you!!
I was very happy with the advice this site provided. It was just as easy as the site said it would be. I have PC-cillin 2000 with the most recent updates. It was able to quarantine the msblast virus.
I truly hope the perpetrators of these worms/viruses get prosecuted to the fullest extent of the law. I hope the big corporations will have their lawyers working overtime to do this!
It has ruined my summer and the computers of my kids - not to mention the expense and down time. The whole world is not as tech savvy as others and truly feel terrorized!
As a teacher, I wasted three weeks of summer preparation time while I figured out how to fix the computers!
I believe my problem was the Welchia/Nachia worm
And the solution was..
Back up useful files using DOS, 'cause Explorer doesn't work.
reinstall OS
Marvelous, very sensible
I have the worm virus on my laptop. I have tried the Microsoft instructions on the website but I am still being thrown off the net by the virus. What do I do now? Please help.
I seriously doubt these claims that the virus has affected any 9x/ME machines. The virus relies on the Remote Procedure Call service to do the rebooting and TFTP to send itself, and 9X/ME machines have no RPC service and no TFTP running. Any MS operating system with services(NT 3.X/4.0, XP, Win2k, 2k3 server) and TFTP will be affected, however. The easiest way to halt the reboot is to run "shutdown -a" without the quotes, which will abort the shutdown process for the duration of the session. You can also change the reboot time in the RPC properties under services. Just figured my two cents might be of value since I deal with this every day.
If anyone needs help with MSBLASTER or any other worm, go to symantec.com and go through their steps to remove the worm(s). It worked for me.
I didn't have the MSBLAST worm, but something very similar, and even more destructive.
I was having major computer problems: the blue face of death out of nowhere, malicious programs suddenly popping up, trying to entice me to click on them, a huge decrease in my getting any emails, a huge increase in my receiving a bunch of spam mails with filthy re: headings, the computer freezing up, and finally the pointer of my mouse scrolling up or down the side of the screen all on its own.
This had been going on for about eight months---and had gotten worse. I run Windows XP HOME ----on a Dell----and access dial up to get online. And of course I was running the latest version of Norton and always let it update itself.
My friend ranted on SPYBOT SEARCH AND DESTROY & I downloaded it---can't beat the price--it's free----and it opened up my eyes on my major virus/trojan farm I had going on.
I had codebase memory leaks---called XMLID.EXPLOIT which is all backdoor evilness.
I also had some kind of SMAILBOX EXE., a virus file called 'App/Gator-A' that was located in my C:\proga~1\Blubster\FSG_40~1.EXE....and a TROJAN.DOWNLOAD.REVIRD.html....
And these programs would be in one location, then all of a sudden jump to another location.
My computer crashed so hard I couldn't restart it. Trying to talk to Dell tech help is like pouring Tabasco sauce in my eyeballs, 'cause they barely speak any English I could understand, nor did they know what to do to help me.
I learned how to replace my hard drive all on my own. And for being a female and never having experience doing this---I had to pat myself on the back.
Within a week of installing my new hard drive---my problems were rearing their vicious heads again. My registry settings kept changing---I had no control over my own computer all over again.
Bought hard drive #2---hooked it up---two days later---back to square one.
Installed hard drive #3---immediately downloaded the sixty critical updates--and since I'm dial up---it must have taken over a week. I purchased TREND MICRO SECURITY PC-CILLIN PROTECTION that my cop friend ranted and raved about---and even had excellent reviews online---and installed it.
It also installed a firewall for added port protection. Geeze---since when did we dial up people need to worry about firewall protection?
Not only did this blasphemous software make my system crash but these boxes kept popping up asking me which ports I would allow access.
Huh??????
I kept clicking on NO NO NO NO NO.
More and more boxes. I clicked on ok--enable one time--and now I've had nightmares of backdoor programs all over again. It's like they never left---or if they did--they know so much personal info on me--they no matter what I do or replace--they can easily hack themselves back into my computer.
All of my registry settings have been changed---I'm not even the administrator on my own computer this week, I constantly have these ports "listening" to mine, keylogging---yada yada yada.
Is this the end? Have they won?
Yes they have, haven't they?
Everything says I have isolated the worm, but am still having all kinds of problems. I can't run a search from the start menu, I can't download anything, I think because my connection is open. My connection is very slow. Can anyone help?