Sophos

W32/Blaster-E

Aliases
  • Worm.Win32.Lovesan
  • W32.Blaster.Worm
  • WORM_MSBLAST.GEN

Summary

Included in our products from October 2003 (3.74)
Protection available since 28 September 2003 09:47:14 (GMT)
Detected by All Sophos products

Action

Windows 95/98/Me and Windows NT/2000/XP/2003

Perform as many of the following steps as is feasible before disinfection.

  • Install Microsoft patch MS03-026.
  • The Windows program tftp.exe is used by the worm. If tftp.exe is on your network, and you have no business need for it, rename it. Do not delete it as future legitimate software may require it.
  • Network administrators should block incoming traffic on the following ports:
    • tcp/69 (used by the TFTP process)
    • tcp/135 (used by RPC remote access)
    • tcp/4444 (used by this worm to connect)
    Implement this primarily on your internet firewall. Where appropriate, you should also block outgoing traffic from potentially infected non-trusted networks to those ports.
To start disinfection
  • press Ctrl+Alt+Del
  • in Windows NT/2000/XP/2003 click Task Manager and select the Processes tab
  • look for a process named mslaugh.exe in the list
  • click the process to highlight it
  • click the 'End Process' (in Windows 95/98/Me 'End Task') button
  • close Task Manager.
Search for the file mslaugh.exe in the Windows system folder (usually a subfolder of Windows or WINNT) and delete it.

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

  • At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
  • Before you edit the registry, you should make a backup. If in doubt, contact your network administrator. Incorrect editing of the Windows Registry can cause system failure.
  • Locate the HKEY_LOCAL_MACHINE entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run. In the right-hand pane, select the value 'windows auto update = mslaugh.exe' and delete it if it exists.
  • Close the registry editor.
Reboot your computer and repeat the above process to ensure all traces of the worm have been removed from your system.
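As an added example that is not part of the Sophos page, the following PowerShell script audits a host for the indicators named in the steps above (the mslaugh.exe process, the dropped file in the Windows system folder, and the Run registry value under either name the page gives) and, with -Remediate, performs the same cleanup. It assumes a modern Windows host with PowerShell 5 or later, run from an elevated prompt; the registry value names and file name are taken from this page.

```powershell
# Added example (not Sophos code): audit for W32/Blaster-E indicators and,
# with -Remediate, kill the process, delete the file and remove persistence.
[CmdletBinding()]
param([switch]$Remediate)

$processName = 'mslaugh'                       # process shown as mslaugh.exe
$fileName    = 'mslaugh.exe'
$runKey      = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
# Both value names this page gives for the worm's Run entry
$valueNames  = @('windows auto update', 'Windows Automation')
$systemDir   = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32

$findings = @()

# 1. Running worm process
$procs = Get-Process -Name $processName -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $findings += "Process $($p.ProcessName).exe (PID $($p.Id)) is running"
    if ($Remediate) { Stop-Process -Id $p.Id -Force }
}

# 2. Dropped file in the system folder
$filePath = Join-Path $systemDir $fileName
if (Test-Path $filePath) {
    $findings += "File present: $filePath"
    if ($Remediate) { Remove-Item -Path $filePath -Force }
}

# 3. Persistence via the Run key (value data points at mslaugh.exe)
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($name in $valueNames) {
        $val = $run.PSObject.Properties[$name]
        if ($val -and $val.Value -match 'mslaugh') {
            $findings += "Run value '$name' = '$($val.Value)'"
            if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $name }
        }
    }
}

# 4. tftp.exe present: the page advises renaming it if there is no need for it
if (Test-Path (Join-Path $systemDir 'tftp.exe')) {
    $findings += "tftp.exe is present in $systemDir (rename if not needed)"
}

if ($findings.Count -eq 0) { 'No W32/Blaster-E indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it once without -Remediate to review the findings, then with -Remediate, and reboot and re-run as the page instructs to confirm nothing returns.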

If you have any problems removing W32/Blaster-E after following these instructions, please contact technical support.

Other platforms

To remove W32/Blaster-E on other platforms please follow the instructions for removing worms.

More Information

W32/Blaster-E is functionally equivalent to W32/Blaster-A, except for the following changes:

  • The registry entry used has been changed to HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Automation
  • The target for the Distributed Denial-of-Service attack has been changed to kimble.org
  • The internal message has been changed to "I dedicate this particular strain to me ANG3L - hope yer enjoying yerself and dont forget the promise for me B/DAY !!!!."
