This Critical Virus alert has been sent by the Interactive Gaming Security Network (IGSN).
Alias: msblast.exe, tftp, W32.Blaster.Worm (Symantec), Win32.Poza (CA), WORM_MSBLAST.A (Trend)
Affected Systems: Windows 2000, Windows XP
Non Affected Systems: Linux, Macintosh, OS/2, UNIX, Windows 95, Windows 98, Windows Me
CVE Identification: CAN-2003-0352
The worm initiates a Denial of Service attack against windowsupdate.com.
The worm is able to execute without any action by the user; it does this by exploiting an unplugged hole in Windows. The worm allows an attacker to remotely access and run arbitrary commands on the infected system.
This worm spreads by exploiting a recent vulnerability in Microsoft Windows. The worm scans random ranges of IP addresses on port 135. Discovered systems are targeted. Exploit code is sent to those systems, instructing them to download and execute the file MSBLAST.EXE from a remote system via TFTP.
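The scan-then-TFTP pattern described above can be looked for in connection logs. The following Python example is added here and is not part of the original alert; the log format, the sample lines and the threshold are constructed, and it assumes the TFTP request (UDP port 69) goes back to the host that made the port 135 connection.

```python
import re
from collections import defaultdict

# Constructed sample log (format is an assumption): time src dst proto dport
SAMPLE_LOG = """\
12:00:01 10.0.0.5 10.0.1.1 tcp 135
12:00:01 10.0.0.5 10.0.1.2 tcp 135
12:00:02 10.0.0.5 10.0.1.3 tcp 135
12:00:02 10.0.0.5 10.0.1.4 tcp 135
12:00:03 10.0.1.3 10.0.0.5 udp 69
12:00:04 10.0.0.9 10.0.1.1 tcp 135
12:00:05 10.0.0.9 10.0.2.7 tcp 80
12:00:06 10.0.1.2 10.0.0.77 udp 69
malformed line
"""

LINE = re.compile(r"^(\S+) (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3}) (tcp|udp) (\d+)$")

def parse(log):
    """Yield (src, dst, proto, dport) for each well-formed line; skip the rest."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.group(2), m.group(3), m.group(4), int(m.group(5))

def analyze(log, scan_threshold=3):
    """Return (scanners, tftp_callbacks).

    scanners: sources that contacted TCP/135 on >= scan_threshold distinct hosts.
    tftp_callbacks: (host, server) pairs where host sent UDP/69 to a machine
    that had earlier connected to it on TCP/135.
    """
    probed = defaultdict(set)  # src -> destinations contacted on TCP/135
    callbacks = []
    for src, dst, proto, dport in parse(log):
        if proto == "tcp" and dport == 135:
            probed[src].add(dst)
        elif proto == "udp" and dport == 69 and src in probed.get(dst, ()):
            callbacks.append((src, dst))
    scanners = sorted(s for s, d in probed.items() if len(d) >= scan_threshold)
    return scanners, callbacks

if __name__ == "__main__":
    scanners, callbacks = analyze(SAMPLE_LOG)
    print("port-135 scanners:", scanners)
    print("TFTP requests back to a prober:", callbacks)
```

A host listed as a scanner is a candidate for the removal steps below; a host in a callback pair should be checked for msblast.exe.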
Due to the nature of the worm, it may be difficult to connect to the Internet to obtain the patch, definitions, or removal tool before the worm shuts down the computer. Here are a couple suggestions:
- If you run Windows XP, try activating the Windows XP firewall. To do this:
Step 1: Unplug the network connection
Step 2: Reboot
Step 3: Log in to your computer
Step 4: Click the Start button and select Control Panel. Double-click the Network Connections icon
Step 5: On the Advanced tab, under Internet Connection Firewall, select the following:
'Protect my computer and network by limiting or preventing access to this computer from the Internet' check box
*** For additional help, please see: http://www.microsoft.com/windowsxp/pro/using/howto/networking/icf.asp
- For both Windows 2000 and XP, changing the settings for the Remote Procedure Call (RPC) service may allow you to connect to the Internet without the computer shutting down. Follow these steps:
Step 1:
Windows 2000 users, right-click the My Computer icon on the Windows desktop and then click Manage. The Computer Management window opens.
Windows XP users, click the Start button, right-click the My Computer icon, click Manage. The Computer Management window opens.
Step 2: In the left pane, double-click Services and Applications and then select Services. A list of services appears.
Step 3: In the right pane, locate the Remote Procedure Call (RPC) service.
Step 4: Right-click the Remote Procedure Call (RPC) service and click Properties. Click the Recovery tab.
Step 5: Using the drop-down lists, change First failure, Second failure, and Subsequent failures to 'Restart the Service.'
Step 6: Click Apply and then OK
Symantec has provided a removal tool that can be found here:
Manual Removal Instructions:
To remove this virus manually, follow these steps:
1) Apply the MS03-026 patch located here:
2) Terminate the process msblast.exe. Instructions can be found here:
3) Delete the msblast.exe file from your WINDOWS SYSTEM32 directory
(typically c:\windows\system32 or c:\winnt\system32)
4) Edit the registry. Help can be found here:
5) Delete the 'windows auto update' value from:
Additional Windows ME/XP removal considerations can be found here:
*** For an alternate in-depth method, please see the following link:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html (under Removal Instructions)
1) McAfee: http://us.mcafee.com/virusInfo/default.asp?id=lovsan#indications
2) Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
3) Microsoft: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp