RE: worm is on home computer

From: Curtis Koenig [MSFT] (ckoenig_at_online.microsoft.com)
Date: 08/13/03


Date: Wed, 13 Aug 2003 16:58:03 GMT


Hi Carri,

You can use the following instructions to remove the worm:

1. Remove the infected computer from the network and reboot into Safe Mode.

2. Locate the files below, plus the value "windows auto update" under the
Run registry key, and delete them all:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
MSBLAST.EXE under the "C:\Windows\system32" folder

MSBLAST.EXE-1c3a3376.PIF under the "C:\Windows\prefetch" folder
 
2a. If you are running Windows XP (any version) it is also recommended that
the Internet Connection Firewall be enabled to prevent re-infection when
connecting to the internet.

3. Contact your antivirus provider for assistance in using any removal tools
they are providing, or you can use one that Symantec is providing.
Symantec's Removal tool
<http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html>.

4. If the OS continues to shut down when trying to connect to
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp, with the
dialog box stating the OS will be shutting down in 30 seconds, set the RPC
Service to "Take No Action" and reboot; this should allow you to download
the patch and install it.

Disclaimer:
While this may remove the worm in the short term, it is advisable to back up
any data and then format and reinstall the computer. Once infected by a
virus, worm or other malicious program it is not possible to verify that
another program that could compromise the system has not been left by the
original infection.

Third party products mentioned in this posting are the sole responsibility
of the vendor providing them and in no way should this be considered an
endorsement by Microsoft.

--
Curtis Koenig
Support Professional
Microsoft Clustering Technologies Support
MCSA, MCSAS, MCSE, MCSES
This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit.  Thanks!
--------------------
>Sender: "Carri" <crice@porterbrandenburg.com>
>Subject: worm is on home computer
>Date: Wed, 13 Aug 2003 07:00:42 -0700
>
>I have the worm on my home computer.  If I'm not able to
>get onto the internet or even stay booted up (my computer
>keeps shutting down), how can I fix the problem?
>
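
The check in step 2 of the reply above, written as a script that reports the listed artifacts before anything is deleted. This is an added example, not part of the original thread; it assumes PowerShell 2.0 or later in an elevated prompt, uses `$env:SystemRoot` where the post writes C:\Windows, and the `-Remove` switch is this example's own name.

```powershell
# Added example: report (and optionally delete) the artifacts named in step 2.
# Default is read-only. Pass -Remove to delete what is found, ideally from
# Safe Mode with the machine off the network, as step 1 describes.
param([switch]$Remove)

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'windows auto update'   # Run value named in the post
$files = @(
    (Join-Path $env:SystemRoot 'system32\MSBLAST.EXE'),
    (Join-Path $env:SystemRoot 'prefetch\MSBLAST.EXE-1c3a3376.PIF')  # file name as given in the post
)

$findings = @()

# Registry: look up the single named value instead of dumping the whole key.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $prop = $run.PSObject.Properties[$valueName]
    if ($prop) {
        $findings += New-Object PSObject -Property @{
            Type = 'RunValue'; Item = $valueName; Detail = $prop.Value }
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name $valueName }
    }
}

# Files: -Force so hidden or system attributes do not mask a hit.
foreach ($path in $files) {
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings += New-Object PSObject -Property @{
            Type = 'File'; Item = $item.FullName; Detail = $item.LastWriteTime }
        if ($Remove) { Remove-Item -LiteralPath $path -Force }
    }
}

if ($findings.Count -eq 0) {
    'None of the artifacts listed in the post were found.'
} else {
    $findings | Format-Table Type, Item, Detail -AutoSize
    if ($Remove) { 'Listed items were deleted. Install the MS03-026 patch before reconnecting.' }
}
```

A clean result only means these specific names are absent; it does not change the reply's advice to back up data and reinstall.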

