Cleaning up after the MSBlast worm

Summary: How to rid your system of the latest fast-spreading worm

The MSBlast worm has caused widespread infection on the Internet. This ZDNet Australia analysis covers how the worm infects a system, how to detect it, and how to clean it up.

Infection
The worm exploits a widely publicised "DCOM" vulnerability found in several versions of Microsoft Windows. While the vulnerability affects Windows NT4, Windows 2000, Windows XP and Windows Server 2003, the worm only infects Windows 2000 and XP.

Because the method by which the vulnerability is exploited differs between the two operating systems, there have been numerous confirmed reports of the worm "crashing" systems. This happens when the worm uses the Windows 2000 exploitation technique on an XP machine, or vice versa. The worm uses the Windows XP method 80 percent of the time; the remaining attempts are directed at Windows 2000.

It is worth noting that an updated version of the worm could affect other Microsoft operating systems, so it is recommended that all systems are patched against the DCOM vulnerability.

Detection
The worm is very easily detected by users.

Pressing Ctrl-Alt-Delete, clicking "Task Manager" and selecting the "Processes" tab brings up a list of the processes running on the machine. Clicking the "Image Name" column header sorts the processes alphabetically. If a process named "msblast.exe" is running on the system, the system has been infected by the worm.

Clean up
The worm is relatively easy to clean up after detection.

Step one is to patch the infected system against the vulnerability that allowed the worm to "get in" in the first place. This requires the user of the computer to have administrator-level access to the system.

Once the user is logged in with administrator rights, they should open Internet Explorer and direct the browser to windowsupdate.microsoft.com. The user will be prompted by some pop-up windows and guided through a fairly simple and intuitive process.

The next step is to reboot the system.

After the system has rebooted it will be necessary to delete the worm's executable file, msblast.exe. However, its process must be stopped before it can be deleted.

Once the user logs back in with administrator rights, they should open Task Manager again as described above. Click the "Image Name" column under the "Processes" tab, click once on the "msblast.exe" process, and press "End Process" to stop it running.

The worm's executable file is found in the system32 directory, which by default is a subdirectory of the "winnt" directory on Windows 2000 machines and of the "windows" directory on Windows XP installations.

Use Windows Explorer to navigate to the system32 directory, locate the msblast.exe file and delete it. Reboot your system. Done!

The final step, removing the registry key created by the worm, is optional. It isn't really that important: the key simply causes the worm to start every time the system is rebooted, and once the worm file itself is deleted it is redundant anyway.

This is done manually using the registry editor. It is important to note that making incorrect changes to the registry can have catastrophic consequences.

Load the registry editor by clicking the Start button, choosing "Run...", typing "regedit" and pressing Enter. In regedit, navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right-hand pane of the registry editor, the following value will be found:

"windows auto update"="msblast.exe"

Delete it.

Reboot. Done!
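As an added example, not from the article or the vendors it credits, the PowerShell script below checks one host for the three indicators the article describes (the running process, the file in system32, and the Run value) and, when called with -Clean, performs the removal steps in the article's order. It assumes PowerShell is available on the machine, which was not the case for the 2003-era Windows 2000 and XP systems the article addresses, and that the worm file sits at %SystemRoot%\system32\msblast.exe as described.

```powershell
# Added example (not the article's own procedure): audit and optionally clean
# the MSBlast indicators named above. Run from an administrator session.
param([switch]$Clean)

$findings = @()

# 1. Running process: Task Manager shows it as msblast.exe; Get-Process takes
#    the name without the extension.
$proc = Get-Process -Name 'msblast' -ErrorAction SilentlyContinue
if ($proc) { $findings += "process msblast.exe running (PID $($proc.Id -join ','))" }

# 2. Executable in system32. $env:SystemRoot is C:\WINNT on Windows 2000 and
#    C:\WINDOWS on XP, so the same path expression covers both (assumption:
#    the worm is at the default location the article gives).
$wormPath = Join-Path $env:SystemRoot 'system32\msblast.exe'
if (Test-Path -LiteralPath $wormPath) { $findings += "file present: $wormPath" }

# 3. Persistence value under the Run key, exactly as the article lists it.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
$autoUpdate = $run.'windows auto update'
if ($autoUpdate -and $autoUpdate -match 'msblast\.exe') {
    $findings += "Run value 'windows auto update' = $autoUpdate"
}

if ($findings.Count -eq 0) {
    Write-Output 'No MSBlast indicators found.'
    return
}
Write-Output 'MSBlast indicators found:'
$findings | ForEach-Object { Write-Output "  - $_" }

if (-not $Clean) {
    Write-Output 'Re-run with -Clean after patching (MS03-026) to remove them.'
    return
}

# Removal in the article's order: stop the process, delete the file
# (-Force also clears a read-only attribute), then drop the Run value.
if ($proc) { $proc | Stop-Process -Force }
if (Test-Path -LiteralPath $wormPath) { Remove-Item -LiteralPath $wormPath -Force }
if ($autoUpdate) { Remove-ItemProperty -Path $runKey -Name 'windows auto update' }
Write-Output 'Clean-up done; reboot the system.'
```

Patch the host before running with -Clean, since an unpatched machine is simply reinfected from the network.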

ZDNet Australia wishes to thank Hamish O'Dea and Jakub Kaminski from Computer Associates, Paul Ducklin from Sophos, and Grant Slender from Internet Security Systems for their assistance in preparing this guide.


Talkback

  • This is not true, as the MSBlast virus has also infected Windows 98 machines. In fact it has infected every computer on the campus network at the University of Leeds. The latest DAT file (4284.dat) from McAfee does not work. As soon as a clean computer connects to the network, it becomes contaminated with the virus. I hope I do not lose any of my research :(
    anonymous
  • Deleting the msblast.exe file from the System32 folder was not all that easy. After I got the patch from Microsoft (which rendered the worm ineffective) I went to the folder and when I tried to delete it I was told Access Denied. I also did as you suggested with the Processes tab, and MSBlast was not there.
    I had noted that Norton had found the virus when I rebooted after downloading all the security updates from MS and had quarantined it.
    After trying to manually delete the file a second and third time, the idea struck me that I should turn off Norton.
    Bingo! Problem solved! Apparently, because Norton had quarantined the file, I am assuming that for whatever reason my XP system "saw" the file as still in use or active.
    After I shut Norton down I did a system search for msblast and found nothing. It was gone.
    I then went to the Registry and deleted the line as per your instructions.
    I rebooted and did one final search for MSBlast and again found nothing. It is finally gone.
    I reactivated Norton and I am now good to go. Hope this helps.
    anonymous
  • Your system should be fine if you disconnect from your campus network, start your computer in 'safe' or 'diagnostic' mode, and then install the Microsoft patch from a CD. Just in case you don't know how to start in this mode: click Start, Run, and type "msconfig" into the box. Next select the 'General' tab and select the proper startup option under startup options. Sometimes this must be done quickly because the worm will shut down your system if you take too long. The patch that worked for me was called "WindowsXP-KB823980-x86-ENU.exe". A Google search on this should bring up the applicable download site at microsoft.com, so download it on an uninfected PC, copy it to portable storage media, and if all goes well you'll be just fine.
    anonymous
  • Has anyone ever looked at how many patches that are being posted to fix bugs and then fix bugs in the patches.

    Microsoft is known for releasing fixes that break more things than they fix. NT 4.0 is a perfect example of SPs gone bad. SP3 ok, SP4, SP5 bad. SP6, SP6 ok.

    Now in the age of Win2K, XP, Win3K, updating your OS on a daily / weekly basis is considered the norm.

    Anyone who has lived the Microsoft adventure knows that patching your online servers with all of the patches, and patches that fix the patches, is a crap shoot. Most live with the concept that it works now, screw the patches.

    Non-Microsoft firewalls appear to be the only safe guard to protect yourself from Microsoft.

    For the dial-up users, how does Microsoft expect these individuals to download upwards of 78MB of patches & upgrades to protect their systems? It's not going to happen.

    We recently acquired a new HP PC loaded with XP. Over 60MB of updates were required to bring a new "system" to the current patch level.

    Microsoft should be required to mail all registered users monthly CDs with all necessary updates to fix screwups in the Microsoft O/S.

    Only positive note is that Microsoft has created an entire sector in business who protect users from Microsoft (virus, firewalls, etc.)

    Unix is the only way.

    Duncan
    anonymous
  • Dear guy,

    Your solution is not very smart! You recommend to download the Windows update. The problem is that I simply do not have the time to do this, since at the middle of the download, I get System restart, because of the virus!!!!!!!!!!!!!!!!!
    I can never finish the download.

    What can I do???
    anonymous
  • Hi, I have been infected by this worm, and I have XP. As you have stated, I was one of the 20% where XP crashes every 60 seconds, so I was racing the clock at first until I realised there was no need. I just installed a firewall found on a magazine cover disc and denied the worm access to and from my PC. This seems to have stopped the crashes and makes removing the worm easier. Just thought this approach may be useful to someone else.
    anonymous
  • it has also affected windows ME too
    anonymous
  • PG,

    I hadn't bothered to check the numerous helpful sites on this lit'l bastard msblast.exe. But I seem to recall Dan Rather talking about it... but I digress.

    My Win2k system was hopelessly compromised, so I re-formatted and reinstalled Win2k. The virus re-appeared! Still working on the source of the re-infection. My RedHat system is squeaky clean, BTW.

    Norton's AV could not delete or quarantine the file. My brute force method was to boot with a windows 98 disk. Since my partition is FAT32, I manually deleted the file from c:/winnt/system32. Regedit for the rest of the clean up.

    Safe mode boot was not helpful on the new build, as the system seemed to lock up.

    It's always a good idea to check HKLM/Software/Microsoft/windows/run for ANY service(s) left over from an install (and subsequent removal) of a program.

    Thanks ZDNet!
    anonymous
  • Very helpful article and very precise. One comment: I use the internet via dial-up and such a download takes quite a while. While you may have just started downloading the patch, the worm strikes again and you end up getting booted out.
    Here is a solution. I had a free trial of a firewall software, fired it up and connected to the internet. msblast.exe was detected by the firewall software and I disabled msblast.exe from sending any info in or out. Now the download is going on fine. I will complete the download and try and follow these instructions.

    This was very useful. Thanks for the same.
    anonymous
  • The solution offered did not work, at least in my case. The better way to handle this once infected: reboot the machine, go to Services and right-click on Remote Procedure Call, go to Properties and then select the Recovery tab. Select Take No Action on first, second and subsequent failures. This will prevent the computer from crashing.

    Go to windows update, download and install the latest update. Then follow the steps outlined in your article to clean the instance of virus in the computer.

    Happy antivirusing !!
    anonymous
  • You can also set your clock back a few hours after boot; this will give you time to download and apply the patch.
    anonymous
  • Hi,
    I'm trying to clean up the MSBlast worm from my computer. But I'm unable to log on to the following web-site as suggested: http://windowsupdate.microsoft.com/
    I did delete the file MSBlast.exe from the Registry. But I'm unable to do an "End Process" from Task Manager.
    So, can you please advise as to how I can clean up this worm? Any help in this regard is greatly appreciated and admired. Thanks,
    Madhu
    309-287-3612
    anonymous
  • Monday, 7 pm.
    No football on TV, nothing to do, so off to the Internet we go. Suddenly, an attack! Every time we tried to go online, our computer would shut down and reboot. We had no idea why, so we called our ISP. They informed us about the msblaster worm and advised us to contact our PC's manufacturer for instructions on how to remove it.

    Tuesday, 1:00 am.
    Two hours on hold with Compaq "support". I give up! But we have Tuesday off, so we'll get up bright and early and have this thing fixed in time to enjoy the day.

    HAH!!! US$30 and six more hours of Yanni hold music later (interspersed with a dozen random disconnections) and a poor frazzled Tech suggested several options, none of which worked. My tension headache was approaching meltdown status.

    Tuesday, 10:00 pm.
    Grabbed a 3
    anonymous
  • I seem to have that msblast worm but I don't see msblast.exe in my task manager! Some strange things happen to my PC!!! I'm not sure if it is a worm, but the RPC in my services always automatically stops when I'm online and sometimes even when I'm not using the internet!
    anonymous
  • If you guys need time to stop it from restarting... go to Control Panel, then Administrative Tools, then click Services. In the window that pops up, scroll down till you find Remote Procedure Call (RPC). Right-click that and click Properties. Under the Recovery tab, there will be a pull-down menu that says First Failure; change it from Restart to Take No Action. This will stop your computer from restarting, giving you time to delete the virus.
    anonymous
  • Hats off to Zonealarm!

    Just want to say that my (free) version of zonealarm is doing a valiant job of repelling the repeated blaster attacks. At the moment we are getting one every three seconds. You can almost hear the 'thunk' as it bounces off!

    What order is best? Um I used

    Firewall (updated)
    Then Patch
    Then antivirus (updated)

    But maybe it's because I didn't get the shutdown problems. Have said byebye to my network though. Possibly permanently.
    anonymous
  • If you get the box that says you have a minute before it shuts down, you can go to the command prompt and type shutdown -a and the box will go away, and then you can simply go to Task Manager and delete msblast. To get to the command prompt you go to Start, Run, and type command or cmd and the black box will come up. Enjoy.
    anonymous
  • First of all, use LINUX!!
    Second: check how many times you have to reboot your system to have a simple thing done...
    Third: USE LINUX
    anonymous
  • Hey guys!

    If anyone is still having problems with the computer rebooting due to the virus, go to Start, Run, type in "COMMAND" and you will get a DOS prompt. Type "shutdown -a"; this will abort your shutdown. MsBlast.exe is also a write-protected file, so that's why it might not let you delete it. Just right-click, go to Properties and remove the read-only attribute. Another helpful hint: go to http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp and download the appropriate patch for 2k or XP; they are relatively small, enough to fit on a floppy. Good luck guys.
    anonymous
  • I've tried Gray's solution and the CMD one and the Remote Procedure Call property-changing one, but now I can't change the Remote Procedure Call properties back, nor can I even get to the Remote Procedure Call's properties, as it just won't open when I click Properties....
    I also don't know what patch to download from windowsupdate.com, nor can I access windowsupdate.com. Can someone help me?
    anonymous