Friday, June 27, 2008

MSBLAST.A worm

The MSBLAST.A worm infects machines via network connections. The worm
targets only Windows 2000 and Windows XP machines. It exploits the DCOM
RPC vulnerability that is described in Microsoft Security Bulletin
MS03-026. This worm attempts to download the msblast.exe file to the
%WinDir%\system32 directory and then execute it. The worm also attempts
to perform a Denial of Service (DoS) on the Microsoft Windows Update
Web server (windowsupdate.com). This is an attempt to prevent you from
applying a patch on your computer against the DCOM RPC vulnerability.

Some customers whose computers have been infected may not notice the
presence of the worm at all, while others who are not infected may
experience problems because the worm is attempting to attack their
computer. Typical symptoms may include Windows XP and Windows Server
2003 systems rebooting every few minutes without user input, or Windows
NT 4.0 and Windows 2000 systems becoming unresponsive.


How to Remove MsBlast.A?

Follow these steps to remove the MsBlast.A worm.

1. Download and install the patch first, using the links below. In many
cases, you will need to do this before continuing with the removal
instructions:

Windows XP: DCOM/RPC Exploit patch
Windows 2000: DCOM/RPC Exploit patch

2. Disconnect your computer from the local area network or Internet
3. End the running program
- Open the Windows Task Manager by pressing CTRL+ALT+DEL and then
selecting the Processes tab, or, on WinNT/2000/XP machines, by selecting
Task Manager and then the Processes tab.
- Locate one of the following programs (depending on the variant), click
on it, and then click End Task or End Process

MSBLAST.EXE
PENIS32.EXE
TEEKIDS.EXE
MSPATCH.EXE
MSLAUGH.EXE
ENBIEI.EXE

4. Block access to TCP port 4444 at the firewall level, and then block
the following ports if you do not use the applications listed:
- TCP Port 135, "DCOM RPC"
- UDP Port 69, "TFTP"

5. Remove the Registry entries
- Click Start | Run, type "Regedit" and click OK. The Registry Editor
opens.
- In the left panel go to
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
- In the right panel, right-click and delete the following entry
"windows auto update" = MSBLAST.EXE (variant A)
"windows auto update" = PENIS32.EXE (variant B)
"Microsoft Inet xp.." = TEEKIDS.EXE (variant C)
"Nonton Antivirus"=MSPATCH.EXE (variant E)
"Windows Automation" = "mslaugh.exe" (variant F)
"www.hidro.4t.com"="enbiei.exe" (variant G)
- Exit the Registry Editor

6. Delete the infected files (for Windows ME and XP, remember to turn
off System Restore before searching for and deleting these files, so
that infected backed-up files are removed as well)
- Click Start, point to Find or Search, and then click Files or
Folders.
- Search for msblast*.* files in the C:\WINDOWS directory.
- Delete the files displayed in the search results.
- Empty the Recycle Bin. The worm can reinfect even if the files are in
the Recycle Bin.

7. Reboot the computer, reconnect to the network, update your
antivirus software, and run a thorough virus scan using your favorite
antivirus program.
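
The Run-key check in step 5 can also be scripted when many machines need triage. The Python below is an added example, not part of the original post: it parses saved `reg query` output for the Run key and flags any value that launches one of the executables listed above, noting whether the value name also matches the variant. The function name `scan_run_key` and the sample output are constructed for illustration.

```python
import re

# (Run-key value name, executable, variant) exactly as listed in step 5.
KNOWN = [
    ("windows auto update", "msblast.exe", "A"),
    ("windows auto update", "penis32.exe", "B"),
    ("microsoft inet xp..", "teekids.exe", "C"),
    ("nonton antivirus", "mspatch.exe", "E"),
    ("windows automation", "mslaugh.exe", "F"),
    ("www.hidro.4t.com", "enbiei.exe", "G"),
]
BY_EXE = {exe: (name, variant) for name, exe, variant in KNOWN}

# A value line is indented: <name> <REG_type> <data>, separated by spaces or tabs.
LINE = re.compile(r"^\s+(?P<name>.+?)\s+REG_\w+\s+(?P<data>.*)$")
# First executable file name in the data, with any directory path ignored.
EXE = re.compile(r'[^\\/"\s]+\.exe', re.IGNORECASE)

def scan_run_key(reg_query_output):
    """Return one finding per Run-key value that launches a listed binary."""
    findings = []
    for line in reg_query_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # key header or blank line
        exes = EXE.findall(m.group("data"))
        if not exes or exes[0].lower() not in BY_EXE:
            continue
        exe = exes[0].lower()
        expected_name, variant = BY_EXE[exe]
        findings.append({
            "value": m.group("name"),
            "exe": exe,
            "variant": variant,
            # False means the binary is listed but sits under a different name.
            "name_matches": m.group("name").lower() == expected_name,
        })
    return findings

# Constructed sample of `reg query` output (not captured from a real machine).
SAMPLE = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    windows auto update    REG_SZ    msblast.exe\n"
    '    SoundMan    REG_SZ    "C:\\Program Files\\Audio\\soundman.exe" /tray\n'
    "    Updater\tREG_SZ\tC:\\WINDOWS\\system32\\TEEKIDS.EXE\n"
)

if __name__ == "__main__":
    for finding in scan_run_key(SAMPLE):
        print(finding)
```
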
