Virus - Spyware - Spam - Scam - VACM Alerts from Automated PC Solutions
  Automated PC Solutions
      VACM - Virus Alerts for the Common Man

Blaster, MSBLAST, MSBLAST.EXE infecting PCs like wildfire! (fix available)



Greetings from The VACM Team,

In This Issue:
----------------------
- Blaster, MSBLAST, MSBLAST.EXE infecting PCs like wildfire! (fix available)

 You are free to forward this critical information to anyone
 you wish as long as it is not modified in any way.

 People wishing to subscribe to the VACM Alerts may do so at:
     http://apcsnh.com/vacmsign.htm


***************************************************
* The Bottom Line...
***************************************************

The "Blaster" worm...

Have you been getting error messages that have the word
"RPC" in them?  

Does your system shutdown/reboot every few minutes?

Is it acting abnormal in general, too?

You very likely have been infected with
the "Blaster" worm virus.

Now a new variant has sprung forth, threatening to double the
infection rates. Such worms cause an Internet jam we all have
to contend with. Be a good neighbor and follow the steps outlined
in today's VACM article to make sure your system is safe.

MSBLAST can cause widespread system instability including
but not limited to Windows Blue screens, out of memory
errors, changes to Control Panel, inability to use
functions in browser, and many more oddities.

This Monday, machines without the patch started getting infected
thanks to the fast-spreading nature of the Blaster worm.

Microsoft published a hot fix that fixed one thing and
opened up a huge vulnerability in the process.  (Sound
familiar?)  So, in mid-July, Microsoft published patches for the
previous patch to the DCOM Remote Procedure Call (RPC) module.  The
gaping hole they had opened up was one where the system
would allow a worm to download and subsequently run any program.
Affected Systems are:
Windows NT4, 2000, XP, and Windows Server 2003.

BTW-
Blaster is set to launch a Distributed Denial of Service (DDoS)
attack on windowsupdate.microsoft.com this Saturday, August 16th,
among its other "tasks".  This will make it very difficult to
download the needed patches to fix this Blaster virus.

Because of this situation, The VACM Team has made the patches
available on our own servers as well as the removal tool
created by Symantec (see below).


***************************************************
* What You Should Do
***************************************************

If your system is one of tens of thousands already infected by
Blaster, you may not be able to install the patch, or do much of
anything on your PC.  On most machines, Blaster triggers a
Windows shut down sequence with a 60-second warning, leaving
no time for downloading or much of anything.  Your first step
is to abort the shutdown by clicking Start, then Run and
then entering the command:

"shutdown /a" (no quotes) or "shutdown -a"

in the Start menu's Run dialog.  Then click OK or hit Enter.
This may work, but in most cases the system may be too
unstable to recover and may need to be rebooted anyway.

With the countdown halted, you can then try the free removal tool
from Symantec or you can remove Blaster manually.

The Steps You will do:
1. First remove Blaster from your system, then

2. install the correct Microsoft patches for your
   system (as you will see below).

3. ABSOLUTELY DO NOT FORGET, empty your recycle bin !!

So, choose the manual or automatic method below and simply
follow the instructions given.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Automatic: Remove Blaster with Symantec's removal tool
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Follow these steps to remove Blaster automatically.

1) First, turn off the worm (terminate the program).  To do this,

For Windows 2000 and XP users, open the Windows Task Manager
by pressing CTRL+SHIFT+ESC.  Click on the "Processes" tab.
Locate the MSBLAST.EXE program, click once on it to highlight
it and then click the "End Task" button.

For other Windows Versions, press CTRL+ALT+DEL.  A window
will come up containing a list of all running tasks and a
number of buttons on it.  Click on the MSBLAST.EXE task to
highlight it, then click the "End Task" button.  You may or
may not get another window asking you to confirm that you
want to end the task.  If you do, click "End Task" again.

When this has been done, you can close the Task Manager or
Task List window.

2) Download the Blaster Removal Tool (courtesy of Symantec)
from our VACM servers at:

  http://apcsnh.com/vacm/tools/blasttool/fixblast.exe

Save this file to your desktop.  When the download completes,
double-click on the FIXBLAST.EXE file you downloaded and click
on "Start" to let the tool begin to scan and remove all Blaster
components from your system.

If, while FIXBLAST.EXE is running, it gives any messages saying
that it cannot delete something, you will need to run it in
Safe Mode.  Reboot your computer in Safe Mode.  Instructions
for booting in Safe Mode are at the end of this message.

3) Next, you need to install the patches for this DCOM RPC
Exploit.  You can download the patches from the links below.
So, first, you need to reestablish your internet connections,
then download the file and select "Open" or "Run from current
location", then you can disconnect from the internet again.

Patches available.  Get the right one for the system you have!
(Some email software will cause the links to wrap on to two lines.
In this case, you may need to copy and paste the two
parts into your browser's Address field.)

Windows NT 4.0 Server
http://apcsnh.com/vacm/tools/blasttool/for-nt4sp6a-srv/q823980i.exe

Windows 2000
http://apcsnh.com/vacm/tools/blasttool/for-win2k/win2k-kb823980.exe

Windows XP 32 bit Edition
http://apcsnh.com/vacm/tools/blasttool/for-winxp32/winxp-kb823980.exe

Windows XP 64 bit Edition
http://apcsnh.com/vacm/tools/blasttool/for-winxp64/winxp-kb823980.exe

Windows Server 2003 32 bit Edition
http://apcsnh.com/vacm/tools/blasttool/w2k3srv32/winsrv2k3-kb823980.exe

Windows Server 2003 64 bit Edition
http://apcsnh.com/vacm/tools/blasttool/w2k3srv64/winsrv2k3-kb823980.exe


4) Next, if you have a firewall capable of blocking specific ports,
you should configure it to block access to TCP port 4444 at the
firewall level, and then block the following ports if you are able to
get by without the applications that use them:

TCP Port 135, "DCOM RPC"

UDP Port 69, "TFTP"

And that's it for the automatic removal process, you are done.
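
To confirm that the port blocks from step 4 are actually in effect, the following added example (not part of the original alert) scans a firewall log for traffic that was still allowed on TCP 4444, TCP 135 and UDP 69. The log format, the addresses and the ALLOW/DROP action names are constructed for illustration.

```python
from collections import defaultdict

# Ports the alert says to block, with the labels it gives them.
WATCHED = {
    ("TCP", 4444): "TCP 4444",
    ("TCP", 135): "TCP 135 (DCOM RPC)",
    ("UDP", 69): "UDP 69 (TFTP)",
}

# Constructed sample log: date time action proto src dst sport dport
SAMPLE_LOG = """\
2003-08-12 10:01:22 ALLOW TCP 192.168.1.23 192.168.1.40 1034 135
2003-08-12 10:01:23 ALLOW TCP 192.168.1.23 192.168.1.40 1035 4444
2003-08-12 10:01:25 ALLOW UDP 192.168.1.40 192.168.1.23 1036 69
2003-08-12 10:02:00 DROP TCP 192.168.1.23 192.168.1.41 1040 135
2003-08-12 10:02:10 ALLOW TCP 192.168.1.50 10.0.0.8 1100 80
this line is truncated
"""

def unblocked_traffic(log_text):
    """Return {source address: sorted port labels} for traffic the
    firewall still ALLOWed on one of the watched ports."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 8 or not fields[7].isdigit():
            continue  # skip malformed or truncated lines
        _date, _time, action, proto, src, _dst, _sport, dport = fields
        label = WATCHED.get((proto.upper(), int(dport)))
        if label and action.upper() == "ALLOW":
            hits[src].add(label)
    return {src: sorted(labels) for src, labels in hits.items()}

if __name__ == "__main__":
    for src, labels in sorted(unblocked_traffic(SAMPLE_LOG).items()):
        print(f"{src}: still allowed on {', '.join(labels)}")
```

An empty result means the block rules are catching everything on those three ports; any address that is listed belongs to a machine worth checking against the removal steps.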


++++++++++++++++++++++++++++++++++++++++++++++++
+ Manual:
+ Remove Blaster manually... (if you are not
+ comfortable with editing the Registry, do NOT
+ attempt this procedure. Use Symantec's removal
+ tool, or get a qualified computer technician
+ to follow the procedure shown below.
++++++++++++++++++++++++++++++++++++++++++++++++

Follow these steps to remove the MSBLAST or MSBLASTER worm.

1) Disconnect your computer from your local area network
   (if you have one) and disconnect from the Internet (unplug
   the network cable from your cable modem, or make sure
   you are not dialed into your ISP and online).

2) Terminate the running MSBLAST.EXE program

For Windows 2000 and XP users, open the Windows Task Manager
by pressing CTRL+SHIFT+ESC.  Click on the "Processes" tab.
Locate the MSBLAST.EXE program, click once on it to highlight
it and then click the "End Task" button.

For other Windows Versions, press CTRL+ALT+DEL.  A window
will come up containing a list of all running tasks and a
number of buttons on it.  Click on the MSBLAST.EXE task to
highlight it, then click the "End Task" button.  You may or
may not get another window asking you to confirm that you
want to end the task.  If you do, click "End Task" again.

When this has been done, you can close the Task Manager or
Task List window.

3) Next, you need to install the patches for this DCOM RPC
Exploit.  You can download the patches from the links below.
So, first, you need to reestablish your internet connections,
then download the file and select "Open" or "Run from current
location", then you can disconnect from the internet again.

Patches available.  Get the right one for the system you have!
(Some email software will cause the links to wrap on to two lines.
In this case, you may need to copy and paste the two
parts into your browser's Address field.)

Windows NT 4.0 Server
http://apcsnh.com/vacm/tools/blasttool/for-nt4sp6a-srv/q823980i.exe

Windows 2000
http://apcsnh.com/vacm/tools/blasttool/for-win2000/win2k-kb823980.exe

Windows XP 32 bit Edition
http://apcsnh.com/vacm/tools/blasttool/for-winxp32/winxp-kb823980.exe

Windows XP 64 bit Edition
http://apcsnh.com/vacm/tools/blasttool/for-winxp64/winxp-kb823980.exe

Windows Server 2003 32 bit Edition
http://apcsnh.com/vacm/tools/blasttool/w2k3srv32/winsrv2k3-kb823980.exe

Windows Server 2003 64 bit Edition
http://apcsnh.com/vacm/tools/blasttool/w2k3srv64/winsrv2k3-kb823980.exe


4) Next, if you have a firewall capable of blocking specific ports,
you should configure it to block access to TCP port 4444 at the
firewall level, and then block the following ports if you are able to
get by without the applications that use them:

TCP Port 135, "DCOM RPC"

UDP Port 69, "TFTP"


5) Next we simply remove the entries that Blaster created in the
system's registry.  It would be a very good idea to make a backup of
your registry before doing these next steps.  Accidentally making the
wrong changes in the registry can lead to a system that will not run.
So, once you have backed up your registry, to remove the Blaster
Registry entries:

Click on Start, Run, type REGEDIT and press Enter to start the registry
editor.

In the left panel, navigate to the key
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
Make sure the run key is highlighted (click on it once to select it).

In the right panel, if you see an entry called "Windows Auto Update",
right-click the entry and delete it.

Next, in the left panel, scroll all the way to the top of the list and
click once on the top most list item.  Now press CTRL+F to do a Find
and type (without the quotes)  "msblast.exe" into the "Find What"
field.  You can then press Enter or click the "Find Next" button.

Delete any entry that is found to contain "msblast.exe".  CAUTION: do
not delete the entire key (in the left panel), just delete the value
in the right panel that contains "msblast.exe".

Once deleted, press F3 to continue searching for more occurrences of
"msblast.exe".  If more are found, delete them as we did above and just
repeat the process: press F3 to find next, and delete any values that are found.

Once you have removed all references to "msblast.exe" from your system's
registry, you may then close the Registry Editor.


6) Next we need to delete all infected files.  If you are running
Windows ME or XP, remember to turn off System Restore BEFORE searching
for and deleting these files (including backups of these files), and
turn System Restore back on when you are done.

To find infected files, click Start, point to Find or Search, and
then click Files or Folders.

Make sure that "Look in" is set to (C:\WINDOWS).

In the "Named" or "Search for..." box, type the following (without the
quotes):

   "msblast*.*"

Then simply click Find Now or Search Now.

Delete all files found that have msblast in the filename and then
REMEMBER to Empty your Recycle bin, because the worm can reinfect
even if the files are in the recycle bin.


7) Next, reboot the computer, reconnect the network and/or internet,
update your antivirus software, and do a full virus scan on all your
hard drives.

8) Optional:  Check for the worm again by repeating step 2.  If it has
returned, complete all above steps once more making doubly sure that
you have not missed anything.  Do this until the virus is completely
gone.

9) So, now that you have the Microsoft patch installed, the virus
will not be able to infect the system again.

10) If you have not yet done so, harden your system further by
  referring to the VACM "HowTo" articles at:

     http://www.apcsnh.com/vacm/

  Antivirus software alone is not 100% protection against malware.
  Our HowTo articles will help fill in the "holes" that all
  antivirus software has.
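
As a read-only double check of steps 5 and 6 of the manual procedure, the following added example (not part of the original alert) lists any registry values and files that the steps say should be gone. It works on a text export of the registry and on a folder you name; the sample export, the ExampleAV and ExampleVendor entries and the function names are constructed for illustration.

```python
import fnmatch
import os
import re

# Key from step 5, lower-cased for a case-insensitive comparison.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # a "name"=data line

# Constructed sample in the text format regedit exports (decode the real
# file first; newer regedit versions write it as UTF-16).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Auto Update"="msblast.exe"
"ExampleAV"="C:\\Program Files\\ExampleAV\\av.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Recent]
"LastRun"="C:\\WINDOWS\\MSBLAST.EXE"
"""

def registry_leftovers(reg_text):
    """Return (key, value name, data) for every value step 5 says to delete."""
    found, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]            # start of a new key section
            continue
        match = VALUE_RE.match(line)
        if key is None or not match:
            continue                    # header, blank or continuation line
        name, data = match.groups()
        named_entry = key.lower() == RUN_KEY and name.lower() == "windows auto update"
        if named_entry or "msblast.exe" in data.lower():
            found.append((key, name, data))
    return found

def leftover_files(root):
    """Return files under root whose name starts with msblast (step 6).

    Windows' own search treats "*.*" as "any name", so match on the prefix.
    """
    hits = []
    for folder, _dirs, files in os.walk(root):
        hits += [os.path.join(folder, f) for f in files
                 if fnmatch.fnmatchcase(f.lower(), "msblast*")]
    return sorted(hits)
```

Both functions only report; deleting the values and files is still done by hand as described in steps 5 and 6, so that whole keys are never removed by accident.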




Best Regards,
Marc Deschenes, VACM Editor
The VACM Project at
Automated PC Solutions

 

*** Be sure to check out the appendix at the end of this alert
if you are having trouble booting your computer into "Safe Mode".
The process is all spelled out for you there.


******** APPENDIX - Handy How-To Tips **********


  * How To Boot into Safe Mode

Shut the computer down so that the power is off.

Turn the computer on, wait 1 second and begin pressing the F8 key
on the keyboard, once every second repeatedly. Do this until
the Windows Startup Menu appears. If you get a keyboard
error, press F1 to resume and then continue pressing the
F8 key once every second, or your PC may tell you to press another key for BIOS setup.

Select Safe Mode from the Windows Startup Menu, then press
the Enter key on the keyboard.

Windows will then boot into Safe Mode.
NOTE: This may take longer than a normal boot.

At the end of the boot process a dialog box will appear
informing you that Windows is in Safe Mode. Click OK on this dialog box.

Windows is now in Safe Mode.

If you miss hitting the F8 at the right time, Windows will boot
normally and you will not see the "Safe Mode" message.  In this
case, start from the top of these instructions until you get the
boot menu screen where you can choose "Safe Mode".  This can be
a little tricky the first time you do it.
