The Active Network

  MSBlast Patches and Fixes
Time: 15:48 EST/20:48 GMT | News Source: ActiveWin.com | Posted By: Alex Harris

Here is information about the worm, along with the fixes and the removal tools for it:

PSS Security Response Team Alert - New Worm: W32.Blaster.worm [Microsoft]

WHAT IS IT?

The Microsoft Product Support Services Security Team is issuing this alert to inform customers about a new worm named W32.Blaster.Worm which is spreading in the wild. This virus is also known as: W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trend Micro), Win32.Posa.Worm (Computer Associates). Best practices, such as applying security patch MS03-026, should prevent infection from this worm. Customers that have previously applied the security patch MS03-026 before today are protected and no further action is required.

TECHNICAL DETAILS:

This worm scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability patched by MS03-026. Once the exploit code is sent to a system, it downloads and executes the file MSBLAST.EXE from a remote system via TFTP. Once run, the worm creates the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill
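The network behaviour described above (a sweep of TCP port 135 followed by a TFTP download on the victim) can be looked for in flow or firewall logs. The following is an added example, not part of the Microsoft alert; the log format, the thresholds and the sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records for illustration: time src dst proto dst_port
SAMPLE_FLOWS = """\
2003-08-12T15:00:01 10.0.5.23 10.0.7.1 tcp 135
2003-08-12T15:00:01 10.0.5.23 10.0.7.2 tcp 135
2003-08-12T15:00:02 10.0.5.23 10.0.7.3 tcp 135
2003-08-12T15:00:02 10.0.5.23 10.0.7.4 tcp 135
2003-08-12T15:00:03 10.0.5.23 10.0.7.5 tcp 135
2003-08-12T15:00:09 10.0.7.4 10.0.5.23 udp 69
2003-08-12T15:02:00 10.0.9.9 10.0.7.2 tcp 135
2003-08-12T15:30:00 10.0.8.8 10.0.1.1 udp 69
"""

def parse_flows(text):
    """Turn whitespace-separated records into time-ordered tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, proto, int(port)))
    return sorted(flows)

def find_scanners(flows, min_targets=5):
    """Sources that tried TCP 135 on at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for _, src, dst, proto, port in flows:
        if (proto, port) == ("tcp", 135):
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= min_targets}

def find_probable_infections(flows, window=timedelta(minutes=5)):
    """Hosts that opened TFTP (UDP 69) soon after being contacted on TCP 135."""
    last_rpc = {}  # host -> time it was last contacted on TCP 135
    hits = set()
    for ts, src, dst, proto, port in flows:
        if (proto, port) == ("tcp", 135):
            last_rpc[dst] = ts
        elif (proto, port) == ("udp", 69):
            seen = last_rpc.get(src)
            if seen is not None and ts - seen <= window:
                hits.add(src)
    return hits

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("scanning sources:", sorted(find_scanners(flows)))
    print("probable infections:", sorted(find_probable_infections(flows)))
```

A single TCP 135 connection (normal RPC use) or a TFTP transfer with no preceding port 135 contact is deliberately not flagged.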

Symptoms of the virus: Some customers may not notice any symptoms at all. A typical symptom is that the system reboots every few minutes without user input. Customers may also see:

  • Presence of unusual TFTP* files
  • Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory

To detect this virus, search for msblast.exe in the WINDOWS SYSTEM32 directory or download the latest anti-virus software signature from your anti-virus vendor and scan your machine.
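The host indicators named in the alert (the msblast.exe file, TFTP* files and the "windows auto update" Run value) can be checked in one pass. This is an added example, not a Microsoft or Symantec tool; the function names are hypothetical, and looking for TFTP* files in the same directory while ignoring the stock tftp.exe client are assumptions.

```python
import os

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def read_run_values():
    """Read HKLM Run values on a live Windows host (winreg is Windows-only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _type = winreg.EnumValue(key, i)
            values[name] = str(data)
    return values

def blaster_indicators(system32_dir, run_values):
    """Return a list of findings matching the indicators listed in the alert."""
    findings = []
    for name, data in run_values.items():
        # Match on either the value name or the program it launches.
        if name.lower() == "windows auto update" or "msblast.exe" in data.lower():
            findings.append(f"Run value: {name} = {data}")
    for entry in sorted(os.listdir(system32_dir)):
        lower = entry.lower()
        if lower == "msblast.exe":
            findings.append(f"worm file: {entry}")
        # Assumption: tftp.exe is the legitimate Windows client, so skip it.
        elif lower.startswith("tftp") and lower != "tftp.exe":
            findings.append(f"unusual TFTP file: {entry}")
    return findings

if __name__ == "__main__" and os.name == "nt":
    system32 = os.path.join(os.environ["SystemRoot"], "System32")
    for finding in blaster_indicators(system32, read_run_values()):
        print(finding)
```

An empty result only means these specific indicators are absent; the alert's advice to scan with current anti-virus signatures still applies.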

Here are links to the patches to stop this worm attacking again:

Windows XP

Windows 2000

If you already have the worm on your PC and need to remove it, here is the information and links to the Symantec site:

W32.Blaster.Worm Removal Tool [Symantec]

Symantec Security Response has developed a removal tool to clean the W32.Blaster.Worm infections.

What the tool does:

  • Terminates the W32.Blaster.Worm viral processes.
  • Deletes the W32.Blaster.Worm files.
  • Deletes the dropped files.
  • Deletes the registry values that the worm added.

You can download the removal tool from here.

Obtaining and running the tool

  • Download the FixBlast.exe file from: http://securityresponse.symantec.com/avcenter/FixBlast.exe
  • Save the file to a convenient location, such as your downloads folder or the Windows Desktop (or removable media that is known to be uninfected, if possible).
  • To check the authenticity of the digital signature, refer to the section, "Digital signature."
  • Close all the running programs before running the tool.
  • If you are running Windows XP, then disable System Restore. Refer to the section, "System Restore option in Windows Me/XP," for additional details.
  • CAUTION: If you are running Windows XP, we strongly recommend that you do not skip this step. The removal procedure may be unsuccessful if Windows XP System Restore is not disabled, because Windows prevents outside programs from modifying System Restore.
  • Double-click the FixBlast.exe file to start the removal tool. Click Start to begin the process, and then allow the tool to run.
  • NOTE: If, when running the tool, you see a message that the tool was not able to remove one or more files, run the tool in Safe mode. Shut down the computer, turn off the power, and wait 30 seconds. Restart the computer in Safe mode and run the tool again. All the Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions, read the document "How to start the computer in Safe Mode."
  • Restart the computer.
  • Run the removal tool again to ensure that the system is clean.
  • If you are running Windows XP, then re-enable System Restore.
  • Run LiveUpdate to make sure that you are using the most current virus definitions.

I know this is a very long post, but from work today at PC World in the UK we created discs with the removal tool and patch on it and had at least 30 people throughout the day come in saying they had this, so it is very widespread. Please note if you have already installed the patch MS03-06 then you are already protected.
