Cleaning up after the MSBlast worm
Published: 12 Aug 2003 14:59 BST
The MSBlast worm has caused widespread infection on the Internet. This ZDNet Australia analysis contains infection information, detection strategies, and clean up instructions.
Infection
The worm exploits the widely publicised "DCOM" RPC vulnerability (Microsoft Security Bulletin MS03-026) found in several versions of Microsoft Windows. While the vulnerability affects Windows NT4, Windows 2000, Windows XP and Windows Server 2003, the worm's exploit code only targets Windows 2000 and XP.
The exploit needs a different return address on Windows 2000 than on Windows XP, and the worm guesses which one to use: it tries the Windows XP address about 80 percent of the time and the Windows 2000 address the remaining 20 percent. When it guesses wrong, the RPC service (which runs inside svchost.exe) crashes instead of executing the worm's code, which is why there have been numerous confirmed reports of the worm "crashing" systems. On Windows XP a crash of the RPC service also triggers an automatic restart with a one-minute countdown, so a machine that keeps rebooting may be under attack without actually being infected.
It is worth noting that an updated version of the worm could target the other vulnerable versions of Windows, so all systems should be patched against the DCOM vulnerability whether or not the current worm can infect them.
Detection
The worm is easy to detect by hand.
Press Ctrl-Alt-Delete and click "Task Manager" (Ctrl-Shift-Esc opens Task Manager directly), then select the "Processes" tab to list the processes running on the machine. Clicking the "Image Name" column header sorts the processes alphabetically. If a process named "msblast.exe" is running, the system has been infected by the worm. Task Manager only confirms a running copy of the worm: a machine that merely crashes or reboots when its RPC service is attacked may not be infected, but it still needs the patch.
Clean up
The worm is relatively easy to clean up after detection.
Step one is to patch the infected system against the vulnerability that let the worm in. This requires administrator-level access to the system, and it comes before removing the worm because an unpatched machine can simply be reinfected by the next infected host that scans it.
Log in with an administrator account, start Internet Explorer and go to windowsupdate.microsoft.com. The site prompts with a few pop-up windows and then leads through a fairly straightforward process to install the critical update for the DCOM vulnerability. If the system keeps rebooting before the download finishes, block inbound TCP port 135, the port the worm attacks, using Windows XP's built-in Internet Connection Firewall or a router, and try again.
The next step is to reboot the system.
After the reboot the worm's executable file, msblast.exe, must be deleted. The patched system is still running the worm, because the registry entry described below restarts it at every boot, and Windows will not delete the file of a running process, so the process must be stopped first.
Log back in with administrator rights and open Task Manager again as described above. Under the "Processes" tab, click the "Image Name" column header, click once on the "msblast.exe" process and press "End Process" to stop it.
The worm's executable is in the system32 directory, a subdirectory of the Windows system directory: by default "winnt" on Windows 2000 machines and "windows" on Windows XP installations.
Use Windows Explorer to navigate to the system32 directory, locate the msblast.exe file and delete it. Reboot your system. Done!
The final step, removing the registry value created by the worm, is optional. The value only makes the worm start each time the system boots, so once the worm's file has been deleted it points at nothing; removing it simply keeps the startup list clean.
This is done manually with the registry editor. Making incorrect changes to the registry can have catastrophic consequences, so change only the value named below.
Open the registry editor by clicking the Start button, choosing "Run...", typing "regedit" and pressing Enter, then navigate to the following "key":
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
In the right hand section of the registry editor, the following value will be found:
"windows auto update"="msblast.exe"
Delete it.
Reboot. Done!
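The detection and clean-up steps above, collected into one script. This is an added example and not part of the ZDNet Australia guide: it uses Windows PowerShell, which the Windows 2000 and XP machines of 2003 did not ship with, so it is a modern way of checking the same three indicators (the msblast.exe process, the file in system32, the "windows auto update" Run value) rather than a tool those users could have run at the time. The function and variable names are the example's own. It also checks for hotfix KB823980, the MS03-026 update that Windows Update installed for this vulnerability, and warns if it is missing.

```powershell
# Added example, not code from the ZDNet Australia guide. Checks the three
# indicators the article describes and removes them in the order the article gives.
# Assumptions: run from an elevated (administrator) PowerShell session on the
# affected machine; all names below are this example's own.

$WormImage = 'msblast'                                           # process name as Task Manager shows it, minus .exe
$WormPath  = Join-Path $env:SystemRoot "System32\$WormImage.exe" # \winnt\system32 on 2000, \windows\system32 on XP
$RunKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue  = 'windows auto update'                               # value the worm adds so it restarts at boot
$PatchId   = 'KB823980'                                          # MS03-026, the DCOM/RPC fix Windows Update installs

function Test-MsBlast {
    # Returns one object with a boolean per indicator; any $true (other than PatchInstalled) needs action.
    $runEntry = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProcessRunning = [bool](Get-Process -Name $WormImage -ErrorAction SilentlyContinue)
        FilePresent    = Test-Path -LiteralPath $WormPath
        RunValueSet    = ($null -ne $runEntry) -and ($runEntry.$RunValue -like "*$WormImage.exe*")
        # Only meaningful on Windows 2000/XP/2003-era systems; later releases include the fix and report nothing here.
        PatchInstalled = [bool](Get-HotFix -Id $PatchId -ErrorAction SilentlyContinue)
    }
}

function Remove-MsBlast {
    $before = Test-MsBlast
    if (-not $before.PatchInstalled) {
        Write-Warning 'DCOM patch not detected: patch via Windows Update first, or the machine will simply be reinfected.'
    }
    # 1. Stop the process: Windows refuses to delete the image file of a running process.
    if ($before.ProcessRunning) {
        Stop-Process -Name $WormImage -Force
        Start-Sleep -Seconds 1
    }
    # 2. Delete the dropped executable from system32.
    if ($before.FilePresent) {
        Remove-Item -LiteralPath $WormPath -Force
    }
    # 3. Remove the autostart value (optional per the article; harmless once the file is gone).
    if ($before.RunValueSet) {
        Remove-ItemProperty -Path $RunKey -Name $RunValue
    }
    # Report the state after clean-up; every indicator except PatchInstalled should now be $false.
    Test-MsBlast
}

Remove-MsBlast | Format-List
```

The script mirrors the article's ordering on purpose: it warns when the patch is absent before touching anything, stops the process before deleting the file (the deletion fails otherwise), and treats the registry value as the last, optional step. Run Test-MsBlast on its own to check a machine without changing it.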
ZDNet Australia wishes to thank Hamish O'Dea and Jakub Kaminski from Computer Associates, Paul Ducklin from Sophos, and Grant Slender from Internet Security Systems for their assistance in preparing this guide.