How to beat the webworm
Step-by-step guide to removing the MS Blast worm from your PC.
"This system is being shut down in 60 seconds by NT Authority/System due to an interrupted Remote Procedure Call (RPC)," says your PC.
Congratulations: you have picked up the latest worm on the net, commonly known as MS Blast, Blaster, or LovSan. (We don't know who San is, but the worm's writer says he loves her.) It exploits a long-standing "buffer overrun" flaw in Microsoft's RPC (Remote Procedure Call) code.
The solution is to go to Microsoft's website and download a patch that was posted on July 16. Microsoft Security Bulletin MS03-026 has patches for the seven "new technology" versions of Windows affected, from the antique NT4 via Windows XP to the latest 64-bit server software. All you have to do is install the update and you're almost done.
The catch, of course, is that your PC may close down or reboot before you have time to do it. The solution is to go to the Start menu, select Run, type the command
shutdown -a
in the box and click OK. This aborts the shutdown process. Then you can download the patch and restart your PC.
There are some more complicated alternatives. One is to get a friend with an unaffected version of Windows, such as Windows Me, to download the patch to a floppy disk for you. Another is to disable the RPC feature by turning off its life support, as described in Microsoft Knowledge Base Article 825750.
Once you have the patch installed, you can remove the worm code. This is a three-step process.
First, press Ctrl-Alt-Del and click on the button to select the Task Manager. Look through the list of Processes for msblast.exe and click End Process to stop it running.
Second, use Windows Explorer to search for a file called msblast.exe and delete it. It should be in the Windows system directory. In fact, do a search even if you don't think you have MS Blast.
Third, go back to Start|Run and type regedit in the box to run the Registry Editor. Go to the HKEY_LOCAL_MACHINE section, open SOFTWARE, and keep going until you get to the entry for Microsoft|Windows|CurrentVersion|Run|windows auto update.
Delete that entry.
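The same three checks can be scripted. The following is an added example, not part of the original article or any vendor's removal tool: it assumes a Windows system with PowerShell available and an administrator session, and it only reports what it finds unless the -Remove switch is given.

```powershell
# Added example: look for the three MS Blast artifacts named in the article.
# Report-only by default; run with -Remove (elevated, after installing the
# MS03-026 patch) to clean them up in the same order as the manual steps.
param([switch]$Remove)

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'windows auto update'   # Run value name given in the article
$findings  = @()

# Step 1: is msblast.exe running? Stop it first so the file is not locked.
$procs = @(Get-Process -Name 'msblast' -ErrorAction SilentlyContinue)
foreach ($p in $procs) {
    $findings += "process  msblast.exe (PID $($p.Id))"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# Step 2: search the Windows directory tree for the file, even if no
# process was found (the article advises searching regardless).
$files = @(Get-ChildItem -Path $env:SystemRoot -Filter 'msblast.exe' `
               -Recurse -Force -ErrorAction SilentlyContinue)
foreach ($f in $files) {
    $findings += "file     $($f.FullName)"
    if ($Remove) { Remove-Item -LiteralPath $f.FullName -Force }
}

# Step 3: the autostart value under HKLM ...\CurrentVersion\Run.
$run = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($run) {
    $findings += "registry Run\'$valueName' = $($run.$valueName)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $valueName }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "FOUND  $_" }
} else {
    Write-Output 'No MS Blast artifacts found.'
}
```

Run it once without -Remove to see what is present; a machine that is still unpatched can be reinfected after cleanup, so install the patch first.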
In this case there are some simpler alternatives. If you use an anti-virus checker, update the virus signatures and it should be able to find and remove the worm for you. Or - and perhaps even easier - you could use one of the special tools that anti-virus companies have made available to delete the worm.
F-Secure has posted one on its site. (I have F-Secure to thank for the "shutdown -a" command. I did not know it either. . . .)
Now, how did you get caught by MS Blast? You could have avoided it by downloading and installing the patch earlier, by using Windows XP's "auto update" feature to install the patch for you, by updating your anti-virus program earlier, or by using a firewall that stopped the worm from entering one of your PC's unguarded internet ports.
If you don't have an anti-virus checker, you can download AVG, free for home users, from Grisoft. There are also several places where you can run a virus check online.
Examples include HouseCall and the Symantec Security Check.
If you have Windows XP, turn on its built-in firewall. Or, better still, download either the free Sygate Personal Firewall or Zone Alarm or something similar.
The sad thing is that this whole saga has been all too predictable. On July 29, for example, I posted a note to the Onlineblog headed Windows world due for devastating attack.
What made it inevitable was not the flaw in Windows, which has been around for ages (Windows NT4 was launched in 1996) but the fact that samples of "exploit code" became available. If any idiot can use that to write a worm, it is a safe bet that some idiots will.
But looking on the bright side, perhaps we should be grateful to our humorous, San-loving author. He has released an "exploit" that will make sure most people patch their vulnerable versions of Windows - something that is clearly beyond Microsoft, anti-virus companies and the press - and he hasn't done anything really nasty to their hard drives.
If you fell victim to MS Blast, consider yourself lucky. A really malicious worm-writer could have done something much worse.
