In this section

• Home
• Support
• Virus disinfection

• Global support information
• Contact support
• Knowledgebase
• Virus disinfection
• Downloads and updates
• Documentation
• Software lifecycle
• Send a sample

• Global Support Services
• Technical Support
• Professional Services
• Technical Training

W32/Blaster-A disinfection instructions and FAQ

At the time of writing, W32/Blaster-A (also known as: W32/Lovsan.worm, W32.Blaster.Worm, WORM_MSBLAST.A) is spreading in the wild. W32/Blaster-A is a worm that scans networks looking for computers vulnerable to Microsoft's DCOM RPC security exploit. On finding a suitable victim the worm causes the remote machine to acquire a copy of the worm using TFTP, which is saved as msblast.exe in the Windows system folder.

1. How do I prevent W32/Blaster-A spreading on my network?
2. How do I remove W32/Blaster-A automatically?
3. How do I remove W32/Blaster-A manually?
4. Which systems are affected?
5. How did my computer become infected?
6. My computer is continuously rebooting, how can I download RESOLVE?
7. Why am I getting errors associated with SVCHOST.EXE even if my computer is not infected with W32/Blaster-A?
8. Why is InterCheck preventing RESOLVE from running?
9. I am having trouble finding the Microsoft patch. Is there any way of making this easier?

1. How do I prevent W32/Blaster-A spreading on my network?

Network administrators are strongly advised to perform the following operations to limit the impact of the worm:

• Download and deploy Microsoft patch MS03-039
  W32/Blaster-A exploits a vulnerability that can be patched. To read more about the vulnerability and download the patch for deployment, view Microsoft Security Bulletin MS03-039. On standalone computers, update with all relevant security patches from Windows update.
  Administrators are advised to deploy the patch to internet enabled workstations and internal company networks, paying particular attention to proxy/gateway computers.
• Rename tftp.exe
  The worm utilises tftp.exe, a Windows native program. If tftp.exe exists on your network, and you have no business need for it, rename it (e.g. to tftp-exe.old). You should not delete it as future legitimate software may require it.
• Block traffic to certain ports on your firewall
  Administrators should block incoming traffic on the following ports:
  • tcp/69 (used by the TFTP process)
  • tcp/135 (used by RPC remote access)
  • tcp/4444 (used by this worm to connect)
  This should primarily be implemented on your internet firewall. Where appropriate, you should also block access to these ports to prevent access from potentially infected non-trusted networks.

2. How do I remove W32/Blaster-A automatically?

Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.

W32/Blaster-A can be removed from Windows 95/98/Me and Windows NT/2000/XP/2003 computers automatically with the following Resolve tools.

Note: When disinfecting variants not listed above, use the recovery instructions in the appropriate virus analysis.

Windows disinfector

BLASTGUI is a disinfector for standalone Windows computers

• open BLASTGUI
• run it
• then click GO.

If you are disinfecting several computers, download it, save it to floppy disk and run it from there.

After removing the worm you should install the patch mentioned above.

Command line disinfector

BLASTSFX is a self-extracting archive containing BLASTCLI, a Resolve command line disinfector for use on Windows networks. Read the notes enclosed in the self-extractor for details on running this program.

After removing the worm you should install the patch mentioned above.

Other platforms

To remove W32/Blaster-A on other platforms please follow the instructions for removing worms.

3. How do I remove W32/Blaster-A manually?

To remove W32/Blaster-A manually on Windows 95/98/Me and Windows NT/2000/XP:

• ensure you have installed Microsoft patch MS03-039 and implemented as many of the steps mentioned above as is feasible.
• press Ctrl+Alt+Del
• in Windows NT/2000/XP click Task Manager and select the Processes tab
• look for a process named msblast.exe in the list
• click the process to highlight it
• click the 'End Process' (in Windows 95/98/Me 'End Task') button
• close Task Manager.

Search for the file msblast.exe in the Windows system folder (usually a subfolder of Windows or WINNT) and delete it.

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

• At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
• Before you edit the registry, you should make a backup. If in doubt, contact your network administrator. Incorrect editing of the Windows Registry can cause system failure.
• Locate the HKEY_LOCAL_MACHINE entry:

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run

  in the righthand pane select

  windows auto update = msblast.exe

  and delete it if it exists.
• Close the registry editor.

You should reboot your computer and repeat the above process to ensure all traces of the worm have been removed from your system.

If you have any problems removing W32/Blaster-A after following these instructions, please contact technical support.

To remove W32/Blaster-A on other platforms please follow the instructions for removing worms.

4. Which systems are affected?

• Windows NT/2000/XP computers are vulnerable.
• Windows 95/98/Me computers can become infected if a W32/Blaster-A file is run manually.
• Apple-based workstations, Unix and other platforms (including PDAs and games consoles) cannot be infected with W32/Blaster-A.

If a W32/Blaster-A file is found on a computer, it has been dropped there by an infected computer, or it has been executed locally.

5. How did my computer become infected?

W32/Blaster-A scans the internet and local networks looking for computers vulnerable to Microsoft's DCOM RPC security exploit. When it finds one it causes the remote computer to use TFTP to download a copy of the worm. This is saved as msblast.exe in the Windows system folder and the registry on that computer is changed so that the worm will be run when the computer restarts.

6. My computer is continuously rebooting, how can I download RESOLVE?

Often when a computer is infected with W32/Blaster-A it restarts every few minutes, usually with a message similar to "Windows must now restart because the Remote Procedure Call (RPC) Terminated Unexpectedly". This prevents the required patches and files from being downloaded.

To stop this on Windows XP, select Start|Run, then type:

shutdown -a

to abort the shutdown. You will then be able to disinfect automatically or manually as described above.

Where possible, download the RESOLVE W32/Blaster-A self-extractor on another computer. Save it to floppy disk and run the self-extractor on the affected computer.

If you cannot download on another computer, disable Distributed COM to prevent this rebooting.

Windows XP

• Select Start|Run and type

  dcomcnfg.exe.

• Select Console Root|Component services.
• Open the Computers subfolder.
• Right-click on My Computer|Properties.
• Click the Default Properties tab.
• Deselect 'Enable distributed COM', click Apply then click OK.
• Restart the computer.

Set the options back to normal after applying relevant patches and IDEs.

Windows NT/2000

• Select Start|Run and type

  dcomcnfg.exe.

• Select the Default Properties tab.
• Deselect 'Enable distributed COM on this computer', click Apply then click OK.
• Restart the computer.

Set the options back to normal after applying relevant patches and IDEs.

Windows 95/98/Me

Clean boot or go into DOS Mode (Windows 95/98) and use SWEEP with the W32/Blaster-A IDE to disinfect.

Use a firewall or disable 'File and print sharing' to protect the computer from further infection.

7. Why am I getting errors associated with SVCHOST.EXE even if my computer is not infected with W32/Blaster-A?

If a vulnerable computer is probed by W32/Blaster-A, even if infection is not successful, the svchost service will fail. This will cause a variety of problems with other software.

To recover from these problems install the patch at Microsoft Security Bulletin MS03-039 and restart the svchost service.

8. Why is InterCheck preventing RESOLVE from running?

The InterCheck client will prevent the RESOLVE disinfector from accessing worm files if the W32/Blaster-A IDE has been installed.

On Windows NT/2000/XP:

• log in as local administrator
• at the taskbar, select Start|Programs|Sophos Anti-Virus
• select the IC Client tabbed page
• click STOP
• run RESOLVE
• after you have removed the worm, in the IC Client tabbed page click GO.

On Windows 95/98/Me:

• rename the W32/Blaster-A IDE (BLASTERA.IDE) to BLASTERA.TXT
• reboot the computer locally (press Escape if asked to log in)
• run RESOLVE
• after removing the worm, change the IDE name back to BLASTERA.IDE and reboot again.

9. I am having trouble finding the Microsoft patch. Is there any way of making this easier?

Provided you have administrator status on your computer you can download patches from Windows Update instead.

Windows Update will query your computer and will tell you which patches it considers you should use. Those marked Critical Update are the most important. The reference number of the patch for the vulnerability exploited by W32/Blaster-A is 823980.

If you are using an old version of Internet Explorer, the recommended download may be huge. If your internet link is slow, you may find it easier to upgrade Internet Explorer from a computer magazine CD first, and then use Windows Update.

Note: Windows Update only works in conjunction with Internet Explorer 5 and higher.