Old 08-11-2003, 05:40 PM   #1 (permalink)
Registered User
 
Join Date: Oct 2001
Location: SoCal.
Posts: 1,856
FalcomPSX is on a distinguished road
MSBlast Worm Removal Instructions and Information

There is a new virus running around as of 8/16/03. This virus is described here: http://www.trendmicro.com/vinfo/viru...WORM_MSBLAST.A

**edit** NEW INFO
There is an auto fix available that works very well: http://securityresponse.symantec.com...r/FixBlast.exe
1. Click the link above and download that file.
2. Download the patch for the specific version of Windows you are running: http://www.microsoft.com/technet/tre...n/MS03-026.asp
3. Go to safe mode (hit F8 when starting, before Windows loads).
4. Disable System Restore if running WinXP (in Control Panel -> System).
5. Run the fixblast.exe file.
6. Run the Microsoft patch file you downloaded in step 2.
7. Re-enable System Restore if you wish to use it (XP only).

Removal is very easy and can be done with no data loss. Just follow the instructions, update your virus scanner to the latest definitions, and do a full scan after removing the active virus on your system (using the method described in the link).

Manual Removal Instructions (original variant only):

Win2k/XP
1. Right-click on the taskbar.
2. Click Task Manager.
3. Look for msblast.exe in the Processes tab.
4. Select it and choose End Process.
5. Start -> Run -> "regedit" (no quotes)
6. hkey_localmachine\software\microsoft\windows\currentversion\run
6b. Also try checking this location for the same key mentioned below: hkey_localmachine\software\microsoft\windows\currentversion\run
7. Look for "auto windows update" with the value "msblast.exe".
8. Delete this key.
9. Update your virus scanner and run a full scan and you will be cleaned!

To prevent getting this virus, run a firewall (XP has one built in, a router works well, or Norton Internet Security, ZoneAlarm, etc.) and be sure you get all your critical updates for Windows.

The specific vulnerability is discussed here: http://www.microsoft.com/technet/sec...n/MS03-026.asp

*edit fixed step six...sorry!*

__________________
- FalcomPSX

Last edited by FalcomPSX; 08-16-2003 at 06:36 PM.
FalcomPSX is offline   Reply With Quote
Old 08-11-2003, 06:22 PM   #2 (permalink)
Registered User
 
Join Date: May 2003
Location: san jose, CA
Posts: 220
operative x is on a distinguished road
I am OK until I hit step 6. I can't find currentversion\run
operative x is offline   Reply With Quote
Old 08-11-2003, 06:26 PM   #3 (permalink)
Registered User
 
Join Date: Feb 2003
Location: Indiana
Posts: 1,197
Buzioid is on a distinguished road
Firewall is a MUST.
If no firewall is on, you WILL get this virus again, unless you have the Microsoft patch for this virus.
Buzioid is offline   Reply With Quote
Old 08-11-2003, 06:31 PM   #4 (permalink)
Registered User
 
Join Date: Oct 2001
Location: Michigan, USA
Posts: 716
CERuppel is on a distinguished road
He missed the "Windows" step in the registry path.

HKEY_LocalMachine\software\microsoft\WINDOWS\currentversion\run

Also check [...\runonce ] while you are there.

Another good spot to keep tabs on is

HKEY_CurrentUser\software\microsoft\windows\currentversion\run

and

HKEY_CurrentUser\software\microsoft\windows\currentversion\runonce

Many of the "free" software packages hide other spyware and such here, only barely mentioning it in the EULA. They also rarely remove it when you uninstall the program it came with.
CERuppel is offline   Reply With Quote
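
Added example, not part of the original thread: a Python sketch that checks a registry export for the four Run/RunOnce keys listed in the posts above and flags entries that start msblast.exe, the file name from the manual removal steps. The function names (`scan_export`, `exe_name`) and the sample export are constructed for illustration.

```python
import ntpath
import re

# Autostart keys named in the thread, lower-cased for comparison.
_CV = r"\software\microsoft\windows\currentversion"
RUN_KEYS = {hive + _CV + sub
            for hive in ("hkey_local_machine", "hkey_current_user")
            for sub in (r"\run", r"\runonce")}
KNOWN_BAD = {"msblast.exe"}  # file name from the manual removal steps

# Constructed sample in .reg export format (not from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"auto windows update"="msblast.exe"
"ExampleTray"="\"C:\\Program Files\\Example\\tray.exe\" /startup"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Example\\updater.exe -quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Unrelated"="msblast.exe"
'''

# "name"="string data"; both sides may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def exe_name(command):
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:  # unquoted: assume the path itself contains no spaces
        path = command.split(" ", 1)[0]
    return ntpath.basename(path).lower()

def scan_export(text):
    """Return (key, value name, exe, is_known_bad) for each Run/RunOnce entry."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and key.lower() in RUN_KEYS and (m := VALUE_RE.match(line)):
            exe = exe_name(unescape(m.group(2)))
            findings.append((key, unescape(m.group(1)), exe, exe in KNOWN_BAD))
    return findings
```

Files exported by regedit in the "Version 5.00" format are UTF-16, so read them with `encoding="utf-16"` before passing the text to `scan_export`. Entries that are not flagged are still worth reviewing by hand, as the posts above suggest.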
Old 08-11-2003, 06:54 PM   #5 (permalink)
Registered User
 
Join Date: Oct 2001
Location: SoCal
Posts: 5,119
thekingofpain is on a distinguished road
Tryin to assist an infected neighbor---I was gonna burn to CD Trend's system cleaner (for non-subscribers) with the latest pattern file, along with the MS patch, rather than digging into the registry on their semi mission critical machine---sound like an easy fix?

Also----->Update virus defs and run, and inform about a firewall...

Quote:
I found it and deleted it. Now when I try to use my Norton, the screen that displays the drives is gone
They freak when someone sits NEAR the machine, I need to avoid THIS scenario...

Last edited by thekingofpain; 08-11-2003 at 07:28 PM.
thekingofpain is offline   Reply With Quote
Old 08-11-2003, 07:12 PM   #6 (permalink)
Registered User
 
Join Date: May 2003
Location: san jose, CA
Posts: 220
operative x is on a distinguished road
CERuppel, THANKS a lot! I found it and deleted it. Now when I try to use my Norton, the screen that displays the drives is gone. Also, I am a little unsure of this other one in the \run; it is called dcomx.exe. Should I be worried about this?
operative x is offline   Reply With Quote
Old 08-11-2003, 07:17 PM   #7 (permalink)
Registered User
 
Join Date: Oct 2001
Location: SoCal.
Posts: 1,856
FalcomPSX is on a distinguished road
I fixed step six now. It shows correct info. The other spots CERuppel mentioned are very good to check.

I think this should be sticky until this virus gets under control!
__________________
- FalcomPSX
FalcomPSX is offline   Reply With Quote
Old 08-11-2003, 07:22 PM   #8 (permalink)
Registered User
 
Join Date: May 2003
Location: san jose, CA
Posts: 220
operative x is on a distinguished road
Quote:
Originally posted by Buzioid
Firewall is a MUST.
If no firewall is on, you WILL get this virus again, unless you have the Microsoft patch for this virus.
I downloaded the patch but it asks if my XP is 32-bit or 64-bit. How can I tell? I got this PC from Compaq. Is there somewhere I can go on my PC to check? Also, I don't know anything about firewalls. How can I 'activate' this on my PC?
operative x is offline   Reply With Quote
Old 08-11-2003, 07:23 PM   #9 (permalink)
Registered User
 
Join Date: Oct 2001
Location: Georgia
Posts: 2,712
Xeroid is on a distinguished road
I'm reporting this thread to a mod. I think it should be a sticky also! I just checked and I have 3 infected machines at home (haven't had time to check my work laptop yet). I updated my virus defs Saturday. 2 are running Norton 2003 and one AVG. I still got it anyways.
Xeroid is offline   Reply With Quote
Old 08-11-2003, 07:24 PM   #10 (permalink)
Registered User
 
Join Date: Oct 2001
Location: SoCal.
Posts: 1,856
FalcomPSX is on a distinguished road
operative x, you have the 32-bit version unless you are running an Itanium CPU (which I highly doubt). If you have a P4, or Athlon, or Duron, or Celeron, or anything earlier than that, it's definitely the 32-bit version.
__________________
- FalcomPSX
FalcomPSX is offline   Reply With Quote