How I survived MSBlast

The Blaster worm is affecting hundreds of thousands of Windows computers whose owners couldn't be bothered to patch them. But there's a very good reason why so many PCs are left insecure, as I found out first-hand

The other day, after I'd been online for a few minutes, my Windows 2000 PC started behaving oddly. Nothing serious -- it wouldn't let me disconnect my dial-up connection, and the cut-and-paste function stopped working -- but there had been enough front-page headlines about the MSBlast worm lately that I figured I'd better play it safe and protect myself.

That was the beginning of what turned out to be a mind-numbingly tedious and frustrating day, an experience which I fear has become all too common for Windows users as viruses become an increasing nuisance. One thing that came through loud and clear: the patching process is far too cumbersome for dial-up users -- who still account for most of the Internet population, after all -- and it's really no wonder there are so many insecure PCs out there.

MSBlast differs from the run-of-the-mill worms that spread by email: you don't have to open anything, or even be running any application, to be vulnerable. It attacks a service that Windows itself runs by default, so a machine is exposed from the moment it goes online. I've found you can protect yourself from some of the worst security problems simply by using an email program other than Outlook. But a study carried out as MSBlast began to gain momentum found that a computer had only to be connected to the Internet for a few seconds before it was attacked. The worm scans for computers with a known flaw in the Windows RPC service (the one listening on TCP port 135), exploits that flaw to run its own code on the machine, and then scans onward from the newly infected PC. A firewall that blocks that port keeps the exploit out, but the real protection is to install Microsoft's patch, which had been available for a month before the worm appeared.

I was working from home on a dial-up connection that day, and had thought to bring a copy of the Microsoft patch along on a disk, along with a MSBlast-removal program from Symantec. I executed the patch program. That was when I ran into my first problem of the day: I found I needed a service pack installed before I could use the patch -- Service Pack 2 or later.

No problem. I went to Microsoft's site, which had convenient links to the needed service pack -- I went for the most recent, Service Pack 4. Microsoft provides a handy Express Installation, the idea of which is to scan your system, find out which bits you already have, and then install only the bits you need, thus cutting down on how much you have to download. The downside is that you have to stay online throughout the installation process, instead of just downloading the service pack in one go and then installing it offline. I launched the Express Installation and attempted to get on with some work while it was (slowly) downloading in the background -- about 26MB, it informed me.

After a while, I noticed that something strange was happening with Express Installation: the connection was resetting every few minutes, so that it was stuck with about 19MB left to download. This was no good. I decided to have a look at the Network Installation method, where you download the whole Service Pack at once, and then install it offline. Unfortunately, this was out of the question -- the Network Installation version requires you to download 129MB. I might have been able to leave my PC overnight to download a file that size, but I needed to get some work done right away, and in its current state my PC was next to useless.

I should note that Microsoft also offers Service Packs on CD; they can be ordered from the company's Web site.

There's another, more immediate way to protect yourself against MSBlast that doesn't involve patches or Service Packs: if you have a firewall, you can set it to block the ports the worm uses (inbound TCP 135, which carries the exploit, plus TCP 4444, the command shell the worm opens on an infected PC, and UDP 69, the TFTP transfer it uses to fetch its own file), which should keep you safe in the short term. It does not remove an infection that is already present, and it does not close the hole. Windows XP and Mac OS X ship with firewalls built in, but Windows 2000 requires you to get the software from a third party. Microsoft's Web site lists a few companies that let you try out their firewalls for free. This, I figured, would be a short-term fix that would let me get on with the day's work -- although by this time the morning was already gone.
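To make the port-filtering idea concrete, here is an added example (not code from the original column, and not from any of the firewall products it mentions) written in Python: a minimal stateless filter policy for the worm's ports, and a triage pass over host-firewall log lines that picks out remote hosts showing the worm's full exploit, shell and TFTP sequence rather than a lone probe of port 135. The log format, the addresses and the log lines are constructed for the example; the ports and their roles are taken from the public 2003 descriptions of the worm.

```python
"""Added example (not from the original column): a stateless host-firewall
policy for the Blaster worm's ports, plus a triage pass over firewall log
lines that picks out remote hosts showing the worm's full sequence.

Assumptions, from public 2003 descriptions of the worm:
  - the exploit is delivered to TCP/135 (Windows RPC endpoint mapper)
  - the attacker then connects to a command shell on victim TCP/4444
  - the victim fetches msblast.exe from the attacker by TFTP (UDP/69)
The log format and all addresses below are constructed for this example.
"""
from collections import defaultdict

# Policy for a stand-alone dial-up PC. A LAN host would need RPC/DCOM on
# 135 open to its peers, so this is deliberately the strict home-user
# version. Direction is relative to the protected PC.
BLOCK_RULES = {
    ("in", "tcp", 135),    # exploit delivery
    ("in", "tcp", 4444),   # the worm's command shell
    ("out", "udp", 69),    # TFTP fetch of the worm body
    ("out", "tcp", 135),   # an already-infected PC scanning others
}


def allowed(direction, proto, dport):
    """Stateless check: True if the packet passes the filter."""
    return (direction, proto, dport) not in BLOCK_RULES


def parse(line):
    """Constructed log format: '<in|out> <tcp|udp> <src>:<sport> -> <dst>:<dport>'."""
    direction, proto, src, _, dst = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return direction, proto, src_ip, int(sport), dst_ip, int(dport)


def blocked_lines(lines):
    """Return the log lines the policy would have dropped."""
    dropped = []
    for line in lines:
        direction, proto, _, _, _, dport = parse(line)
        if not allowed(direction, proto, dport):
            dropped.append(line)
    return dropped


def blaster_suspects(lines):
    """Return remote IPs seen doing exploit -> shell -> TFTP, in that order.

    A lone probe of port 135 is not enough: scanners and the worm's own
    failed attempts look the same. The full ordered chain is what marks a
    successful infection attempt from that remote host.
    """
    first_seen = defaultdict(dict)  # remote ip -> {stage: index of first line}
    for idx, line in enumerate(lines):
        direction, proto, src_ip, _, dst_ip, dport = parse(line)
        if direction == "in" and proto == "tcp" and dport == 135:
            first_seen[src_ip].setdefault("rpc", idx)
        elif direction == "in" and proto == "tcp" and dport == 4444:
            first_seen[src_ip].setdefault("shell", idx)
        elif direction == "out" and proto == "udp" and dport == 69:
            first_seen[dst_ip].setdefault("tftp", idx)
    suspects = set()
    for ip, stages in first_seen.items():
        if all(s in stages for s in ("rpc", "shell", "tftp")):
            if stages["rpc"] < stages["shell"] < stages["tftp"]:
                suspects.add(ip)
    return suspects


# Constructed sample: one remote host runs the full chain, one only probes
# port 135, and the rest is ordinary traffic from the PC itself.
SAMPLE_LOG = [
    "out tcp 192.0.2.10:1045 -> 198.51.100.20:80",
    "in  tcp 203.0.113.7:3344 -> 192.0.2.10:135",
    "in  tcp 203.0.113.7:3345 -> 192.0.2.10:4444",
    "out udp 192.0.2.10:1046 -> 203.0.113.7:69",
    "in  tcp 198.51.100.99:2100 -> 192.0.2.10:135",
    "out tcp 192.0.2.10:1047 -> 198.51.100.21:110",
]

if __name__ == "__main__":
    for line in blocked_lines(SAMPLE_LOG):
        print("DROP", line)
    print("suspects:", sorted(blaster_suspects(SAMPLE_LOG)))
```

Two design points. The filter is stateless and blocks by destination port only, which is all a personal firewall of the period had to do for this worm; blocking outbound TCP 135 as well means a PC that is already infected at least cannot scan others. The triage requires the three stages in order because a single inbound connection to port 135 proves nothing on a network where the worm is scanning everywhere; only the shell connection followed by the outbound TFTP fetch indicates the exploit actually landed, and that is the host you would want to check and clean.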

I found a likely looking candidate, with a download size of only a few megabytes: Armor2Net Personal Firewall, which took only about half an hour to download. To my chagrin, it didn't seem to have a port-filtering option. Another three-quarters of an hour wasted. Next candidate, Norton Personal Firewall. It seemed very small as well, although I discovered when I launched it that this was only the installer -- it needed to download a bit more to finish the installation. Actually, it needed to download another 26MB, meaning it would be finished around bedtime. Not an option.

Another firewall had a promising name: Tiny Personal Firewall ("Turn your PC into the fortress!"). It did seem moderately tiny (6.7MB or so), and only took another forty-five minutes or so to download and set up. Tiny's site even has instructions on how to filter the ports used by MSBlast, although these turned out to be inordinately complicated. And although the user interface was friendly-looking, alert boxes kept popping up declaring that unknown system processes needed to be "enrolled" or added to mysterious security groups. I did observe, however, that a process called MSBlast was being dealt with, which set my mind at ease.

The next step was to run the Symantec MSBlast remover, so that, theoretically, I could get back to work. The program took a long time, apparently scanning every file on my hard drive, and finally, at the end, informed me that there was no MSBlast infection on my computer. Really? I restarted in Safe Mode and ran the remover program again, with the same result. Was the infection all in my head after all?

Apparently not. If the worm had been destroyed, it had left behind plenty of evidence of its passing. Certain programs were corrupted, the most important of which was Microsoft Office, which was now unusable, though all the program files were still on the hard drive. I didn't have the install CD to hand, which meant I was now deprived of Outlook, Word and other useful Microsoft products. What's more, after all my efforts, I was still without my Service Pack and still unpatched. I had begun working on my PC at about 8:30 a.m., and it was now 3:00 p.m.

Fortunately, there was another immediate solution readily available. I had a Power Mac packed away somewhere; I switched the PC off, plugged in the Mac, and connected to the corporate intranet without incident or worm attack, managing to get a couple of hours' work done in the end.

People may not bother writing hardware drivers or games for the less-popular Mac platform, but they also don't bother writing worms to attack it.