Tuesday, August 12, 2003

Beware MSBLASTER Worm

Well, it's finally here: a worm that takes advantage of the security hole in the Microsoft RPC (Remote Procedure Call) interface. The worm is called MSBLASTER.EXE (W32/Blaster). Several different security professionals have been prophesying the coming of this event for weeks.

Now, I have said it before, and I will say it again: if you use Windows NT 4.0, 2000, XP, or 2003 and have not installed the Microsoft patch MS03-026, do it now!

This worm has already hit my mother and knocked her computer off the Internet. From what I have read about the problems she is experiencing, it failed to install itself on her computer. The problem is that it corrupts her ability to get online.

To protect yourself, try following these suggestions:

1. Install a firewall at the perimeter of your network.
2. Update your anti-virus signatures.
3. Update your application and OS patches.

Inside MSBLASTER:
The way this worm works is that it tries to force an unprotected computer to download and execute a copy of a file called 'MSBLAST.EXE' from another compromised computer. When the application gets executed on the newly compromised host computer, it then begins scanning for other vulnerable systems to infect. One of the interesting features of this worm is that it is supposed to include the ability to launch a Denial-of-Service (DoS) attack against WindowsUpdate.com using the infected computers.

Coming Clean...
If your computer does become infected by the MSBLASTER Worm, then follow the steps below to remove it.

1. Open RegEdit by typing "REGEDIT" at the Run... command.
2. Locate the following registry key: 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' and delete the following value: 'windows auto update'
3. From the Run... menu, type the following command to delete the worm: "del %Windir%\system32\msblast.exe"
4. Open Task Manager by right-clicking the taskbar, then open the Process tab. Find the 'msblast.exe' process, right-click it and select 'End Process'.
5. Patch your system with MS03-026.

Or, download one of the following removal tools:

- Symantec Removal Tool
- Trend Micro Removal Tool
- F-Secure Removal Tool
- Computer Associates Removal Tool
- McAfee/NAI Removal Tool
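
The three indicators named in the manual removal steps (the 'windows auto update' Run value, the msblast.exe file, and the msblast.exe process) can also be checked from a script. This is an added PowerShell example, not part of the original post; it assumes an elevated PowerShell prompt, and the function name `Get-BlasterIndicators` and the `-Remove` switch are hypothetical names chosen for illustration.

```powershell
# Added example: report (and optionally clean) the Blaster indicators from the steps above.
param([switch]$Remove)   # hypothetical switch; without it the script only reports

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'windows auto update'
$wormFile  = Join-Path $env:windir 'system32\msblast.exe'
$procName  = 'msblast'

function Get-BlasterIndicators {
    # Autostart value under the Run key (step 2)
    $item     = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
    $runValue = if ($item) { $item.$valueName } else { $null }

    # Running worm process (step 4); @() gives an empty array when nothing matches
    $procs = @(Get-Process -Name $procName -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        RunValuePresent = $null -ne $runValue
        RunValueData    = $runValue
        FilePresent     = Test-Path -LiteralPath $wormFile   # file from step 3
        ProcessIds      = @($procs | ForEach-Object { $_.Id })
    }
}

$found = Get-BlasterIndicators
$found | Format-List

if ($Remove) {
    # Windows locks the image of a running process, so stop it before deleting the file.
    if ($found.ProcessIds.Count -gt 0) {
        Stop-Process -Id $found.ProcessIds -Force
    }
    if ($found.RunValuePresent) {
        Remove-ItemProperty -Path $runKey -Name $valueName
    }
    if ($found.FilePresent) {
        Remove-Item -LiteralPath $wormFile -Force
    }
    # Report the state after cleanup; every field should now be empty or False.
    Get-BlasterIndicators | Format-List
}
```

A clean report only means these three indicators are absent; the system still needs the MS03-026 patch from step 5.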
