Recovery Advice for MSBlast.exe

From: Christopher Haun (a-chaun_at_NOSPAMmicrosoft.com)
Date: 01/12/04


Date: Sun, 11 Jan 2004 23:56:36 GMT


When that shutdown warning occurs, you can type in START > RUN > Shutdown -a
to abort the shutdown.

You should visit windowsupdate.microsoft.com to get all critical patches.
Specifically you'll need at least one of these patches (preferably the more
recent one) to protect against the worm:
824146 MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs
823980 MS03-026: Buffer overrun in RPC may allow code execution

Also please consider using this tool:
http://support.microsoft.com/default.aspx?scid=kb;en-us;833330
Windows Blaster Worm Removal Tool (KB833330)

If you were considering reloading your operating system and programs, it
may be a good idea to do that now. There is no way to guarantee that your
security hasn't been compromised further than mere worm infection. Some
would say this is good advice and others would say this is extreme. The
choice is yours.

There's also some more insight and other good (if somewhat dated) advice
below...

Hope that helps.

[Standard disclaimer: These suggestions given without warranty, guarantee,
and/or the conveyance of any rights.]

-------------------------------------------------------------------------------------------

4-Step process to deal with the blaster worm:

OVERVIEW:

Get the computer to stop rebooting
Install the MS03-026 Patch
Run the Symantec “Fixblast.exe” tool
Return RPC service recovery responses to normal

DETAILS:

1. To prevent the machine from rebooting we have three options:

   A. BEST OPTION
      Click the START button > select RUN > Open: Services.msc [ENTER].
      This will open the list of services.
      Locate the Remote Procedure Call service (not the Remote Procedure
      Call Locator) and double-click it.
      Select the Recovery tab and change all three failure responses from
      “Restart the computer” to “Take no action.” This will prevent the
      computer from rebooting.

   B. SIMPLEST OPTION
      When warned that shutdown will occur in sixty seconds, immediately
      click the START button, select RUN, and in the Open box enter this
      command: shutdown -a
      This tells the computer to abort the shutdown. You may end up having
      to do this every two or three minutes.

   C. TEMPORARY OPTION
      Right-click the taskbar, select Task Manager from the menu, select the
      Processes tab, and look for MSBlast.exe. Right-click MSBlast.exe and
      select “End Process.” This will take the worm out of memory but will
      not remove it entirely from your system. This should be enough to
      prevent the computer from rebooting unless another Blaster worm finds
      your computer while it is on the Internet. (If that happens, use the
      “shutdown -a” command discussed above to abort the shutdown.)


2. Download and install the Microsoft MS03-026 patch by clicking this link:
   http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe
   Save it to your desktop and, once it is fully downloaded, install it by
   double-clicking it.
   When it is done it will reboot your computer.
   Once the computer is rebooted, you are no longer vulnerable to any future
   intrusions of any of the Blaster worms.
   When it is finished, you are successfully patched.

3. Run the Symantec “Fixblast.exe” tool
   http://securityresponse.symantec.com/avcenter/FixBlast.exe
   Please save it to your desktop and rename it from “Fixblast.ex” to
   “Fixblast.exe”.
   Double-click Fixblast.exe and click its Start button.
   This tool may take 10-15 minutes to scan your system for all signs of
   the worm.
   This tool will remove the worm and repair the damage it has done.
   When it is finished, your system is successfully “fixed.”

4. Run the Symantec “FixWelch.exe” tool
   info: http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html
   tool: http://symantec.com/avcenter/FixWelch.exe

5. Return the RPC service to its original state
   [This is only for those that chose option A in step number 1]
   Click START button > RUN > Open: Services.msc [ENTER]
   Locate the Remote Procedure Call service (not the Remote Procedure Call
   Locator) and double-click it.
   Select the Recovery tab.
   Change all three failure responses from “Take no action” to “Restart the
   Computer.”


For more information about the Blaster worm and the Microsoft patch:
http://www.microsoft.com/security/incident/blast.asp
http://www.microsoft.com/security/security_bulletins/ms03-026.asp
http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en

For further critical updates I highly recommend running Windows Update
every week (or scheduling it for automatic updates):
http://windowsupdate.microsoft.com


For further information about the Fixblast tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html


For more information about protecting your system with a Firewall:
http://www.microsoft.com/security/protect/firewall.asp
http://www.microsoft.com/security/protect/default.asp
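The steps above are all manual clicks in Services.msc, Task Manager and the Run box. The script below is an added example written for this page, not a Microsoft or Symantec tool, that audits and scripts the same three things from an elevated PowerShell prompt: whether msblast.exe is in memory (step 1C), whether the Remote Procedure Call service (RpcSs) is still set to reboot on failure (steps 1A and 5), and whether the MS03-026 (KB823980) or MS03-039 (KB824146) hotfix is present (step 2). Two things are my assumptions rather than anything the post states: that sc.exe accepts an empty "" action as "Take no action" in the `actions=` list, and that the pre-worm default was three "reboot after 60000 ms" responses. The `-Mode Audit` run never changes anything, and `Get-HotFix` needs a PowerShell newer than the XP-era machines the post was written for.

```powershell
<#
  Blaster-recovery helper: an added example for this page, not a Microsoft or Symantec tool.
  Scripts the state the recovery steps above describe: the msblast.exe process, the RPC
  service's recovery (failure) actions, and the MS03-026 / MS03-039 hotfixes.
  Assumptions (mine, not from the original post):
    - sc.exe accepts "" as a "Take no action" failure action; the Services.msc route in
      step 1A is the documented way to set this, so re-check with "sc qfailure" afterwards.
    - the Restore values (reboot after 60000 ms, three times) match the pre-worm defaults.
  Usage (elevated prompt):  .\Blaster-Recovery.ps1 -Mode Audit | Harden | Restore
#>
param(
    [ValidateSet('Audit', 'Harden', 'Restore')]
    [string]$Mode = 'Audit'
)

$RpcService = 'RpcSs'                     # "Remote Procedure Call", not the RPC Locator
$Hotfixes   = @('KB823980', 'KB824146')   # MS03-026 and MS03-039, as listed in the post

function Get-RpcFailureActions {
    # Parse "sc qfailure" output into the three configured failure actions.
    # Lines that carry no action (the "Take no action" case) are reported as NONE.
    $text  = (& sc.exe qfailure $RpcService) -join "`n"
    $found = @([regex]::Matches($text, '(REBOOT|RESTART|RUN PROCESS|RUN)\s+--') |
              ForEach-Object { $_.Groups[1].Value })
    while ($found.Count -lt 3) { $found += 'NONE' }
    return $found
}

function Get-BlasterStatus {
    # One object summarising everything steps 1, 2 and 5 care about.
    $worm      = Get-Process -Name 'msblast' -ErrorAction SilentlyContinue
    $installed = @($Hotfixes | Where-Object { Get-HotFix -Id $_ -ErrorAction SilentlyContinue })
    $actions   = Get-RpcFailureActions
    [pscustomobject]@{
        WormProcessRunning  = [bool]$worm
        RpcFailureActions   = ($actions -join ', ')
        RpcRebootsOnFailure = ($actions -contains 'REBOOT')
        InstalledHotfixes   = ($installed -join ', ')
        Patched             = ($installed.Count -ge 1)   # the post: at least one of the two
    }
}

function Invoke-BlasterHarden {
    # Step 1 options B, C and A in that order: abort a pending shutdown, take the worm
    # out of memory, then stop RpcSs failures from rebooting the machine.
    & shutdown.exe -a 2>$null                    # harmless if no shutdown is pending
    Get-Process -Name 'msblast' -ErrorAction SilentlyContinue | Stop-Process -Force
    # --% passes the rest of the line to sc.exe exactly as cmd.exe would (assumed "" = no action).
    sc.exe --% failure RpcSs reset= 0 actions= ""/0/""/0/""/0
}

function Invoke-BlasterRestore {
    # Step 5: put the three failure responses back to "Restart the computer" (assumed
    # 60-second delay, the Services.msc default for that option).
    sc.exe --% failure RpcSs reset= 0 actions= reboot/60000/reboot/60000/reboot/60000
}

switch ($Mode) {
    'Harden'  { Invoke-BlasterHarden }
    'Restore' { Invoke-BlasterRestore }
}
# Always finish with the audit so the effect of Harden/Restore is visible immediately.
Get-BlasterStatus | Format-List
```

Run it in Audit mode first; `RpcRebootsOnFailure = True` together with `Patched = False` is the state the post's step 1 is written for, and after step 2's reboot the same audit should show `Patched = True`, at which point `-Mode Restore` does what step 5 describes.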