Removal of blaster worm

Status
Not open for further replies.

taliesin

Beta member
Messages
3
Blaster, also known as LovSan, began spreading early Monday afternoon Eastern time and quickly gained momentum. The worm exploits the RPC DCOM (Distributed Component Object Model) vulnerability in all of the current versions of Windows, except ME. The worm scans the Internet and attempts to connect to TCP port 135. After establishing a connection, Blaster spawns a remote shell on port 4444 and then uses TFTP (Trivial File Transfer Protocol) to download the actual binary containing the worm. The worm is self-extracting and immediately begins scanning for other machines to infect.

For users who cannot free up enough bandwidth to download the patch from Microsoft Corp., CERT recommends an alternative remedy. Users should physically disconnect the infected machine from the Internet or network. Then, kill the running copy of "msblast.exe" in the Task Manager utility. Users should then disable DCOM and reconnect to the Internet and download the patch.
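A defender-side sketch of the network sequence described in the post above (probes to TCP port 135, a connection to port 4444, then a TFTP transfer), correlated over a constructed connection log. This is an added example, not part of the original thread; the log format, the thresholds, and the assumption that the TFTP transfer shows up as UDP port 69 traffic from the newly infected host back to the sender are assumptions.

```python
from collections import defaultdict

# Constructed sample log, one connection per line: "epoch src dst proto dport"
SAMPLE_LOG = """\
1000 10.0.0.5 10.0.0.20 tcp 135
1001 10.0.0.5 10.0.0.21 tcp 135
1002 10.0.0.5 10.0.0.22 tcp 135
1004 10.0.0.5 10.0.0.22 tcp 4444
1005 10.0.0.22 10.0.0.5 udp 69
1006 10.0.0.9 10.0.0.30 tcp 135
1200 10.0.0.7 10.0.0.40 tcp 4444
garbage line
"""

SCAN_THRESHOLD = 3  # distinct TCP/135 targets inside WINDOW (assumed tuning value)
WINDOW = 60         # seconds (assumed tuning value)

def parse(log):
    """Yield (ts, src, dst, proto, dport), skipping malformed lines."""
    for line in log.splitlines():
        p = line.split()
        if len(p) == 5 and p[0].isdigit() and p[4].isdigit():
            yield int(p[0]), p[1], p[2], p[3].lower(), int(p[4])

def find_blaster_activity(log):
    probes = defaultdict(list)        # src -> [(ts, dst)] on TCP/135
    shells, tftp = [], set()          # TCP/4444 connects; UDP/69 requests
    for ts, src, dst, proto, dport in parse(log):
        if (proto, dport) == ("tcp", 135):
            probes[src].append((ts, dst))
        elif (proto, dport) == ("tcp", 4444):
            shells.append((ts, src, dst))
        elif (proto, dport) == ("udp", 69):
            tftp.add((ts, src, dst))
    scanners = set()
    for src, hits in probes.items():
        for t0, _ in hits:            # any WINDOW with enough distinct targets
            if len({d for t, d in hits if t0 <= t <= t0 + WINDOW}) >= SCAN_THRESHOLD:
                scanners.add(src)
                break
    infected = set()
    for ts, src, dst in shells:
        probed = any(d == dst and ts - WINDOW <= t <= ts for t, d in probes[src])
        # Assumption: the newly infected host fetches the binary from the sender via TFTP
        fetched = any(s == dst and d == src and ts <= t <= ts + WINDOW for t, s, d in tftp)
        if probed and fetched:
            infected.add((src, dst))
    return {"scanners": sorted(scanners), "infected": sorted(infected)}
```

A lone port 135 or port 4444 connection is not reported; only the probe, shell and TFTP steps in order between the same pair of hosts mark a host as infected.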
 
I have removed the worm from my system, but now my system fails to respond to shutdown or restart. Does anyone else have this problem, and how can I fix it without using the system recovery?
 
Does this help?

Disable System Restore (just turn it off) in System Properties (Windows key & Pause/Break together).

Then go:

Start > Run > type "services.msc" into the Run box and enter > double-click on "Remote Procedure Call (RPC)" > right-click / Properties / Recovery / choose "Take no action" from all the combo boxes > OK > close the window

hth
 