Follow these steps to remove the MSBLAST or MSBLASTER worm.
1) Disconnect your computer from the local area network or Internet
2) Terminate the running program
- Open the Windows Task Manager: press CTRL+ALT+DEL and select the Processes tab, or on WinNT/2000/XP machines press CTRL+ALT+DEL, select Task Manager and then the Processes tab.
- Locate one of the following programs (depending on variation), click on it and End Task or End Process
MSBLAST.EXE
PENIS32.EXE
TEEKIDS.EXE
MSPATCH.EXE
MSLAUGH.EXE
ENBIEI.EXE
3) Install the patches for the DCOM RPC exploit; download them from the links below before disconnecting from the network.
Windows XP Pro/Home Edition
Windows 2000
Windows NT Server 4.0 and Windows NT Workstation 4.0
Windows NT Server 4.0, Terminal Server Edition
Windows XP (64 bit) (server edition)
Windows 2003 (32 bit)
Windows 2003 (64 bit)
If you receive a “cryptographic service” error when you try to apply the patch, please read the following excellent article on how to fix this error:
http://www.updatexp.com/cryptographic-service.html
4) Block access to TCP port 4444 at the firewall level, and then also block the following ports if the applications listed are not in use:
- TCP Port 135, “DCOM RPC”
- UDP Port 69, “TFTP”
5) Remove the Registry entries
- Click on Start, Run, Regedit
- In the left panel go to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- In the right panel, right-click and delete the following entry
"windows auto update" = "MSBLAST.EXE" (variant A)
"windows auto update" = "PENIS32.EXE" (variant B)
"Microsoft Inet xp.." = "TEEKIDS.EXE" (variant C)
"Nonton Antivirus" = "MSPATCH.EXE" (variant E)
"Windows Automation" = "mslaugh.exe" (variant F)
"www.hidro.4t.com" = "enbiei.exe" (variant G)
- Close the Registry Editor
6) Delete the infected files (for Windows ME and XP remember to turn off System Restore before searching for and deleting these files to remove infected backed up files as well)
- Click Start, point to Find or Search, and then click Files or Folders.
- Make sure that “Look in” is set to (C:\WINDOWS).
- In the “Named” or “Search for…” box, type, or copy and paste, the file names:
msblast*.* (or other filenames listed above)
- Click Find Now or Search Now.
- Delete the displayed files.
- Empty the Recycle Bin; the worm can reinfect the machine even while its files sit in the Recycle Bin.
7) Reboot the computer, reconnect the network, update your antivirus software, and run a thorough virus scan with your preferred antivirus program.
8) Now check for the worm again; if it returns, repeat these steps until the worm is gone. With the patch in place the worm can no longer exploit the system, but removing its files for good can take more than one pass.
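The checks in steps 2, 4, 5 and 6 can be scripted so that you can see every indicator on a machine before touching anything. The following PowerShell script is an added example, not part of the original guide or of any vendor's removal tool. It assumes a modern PowerShell host run from an elevated prompt (the firewall part also assumes the NetSecurity module that provides New-NetFirewallRule); the file names, Run-key value names and port numbers are the ones listed in this guide. The script name Find-MsBlast.ps1 is a placeholder.

```powershell
# Added example (not from the original guide): audit a Windows host for the
# MSBLAST indicators listed above (steps 2, 4, 5 and 6) and, only when asked,
# carry out the matching removal actions. Run from an elevated PowerShell prompt.
# Assumption: a modern PowerShell host; -BlockPorts needs the NetSecurity module.
[CmdletBinding()]
param(
    [switch]$Remediate,   # stop worm processes, delete Run values and files
    [switch]$BlockPorts   # add inbound block rules for TCP 4444, TCP 135, UDP 69
)

# Indicator lists taken from the guide above.
$WormFiles     = @('MSBLAST.EXE', 'PENIS32.EXE', 'TEEKIDS.EXE', 'MSPATCH.EXE', 'MSLAUGH.EXE', 'ENBIEI.EXE')
$RunValueNames = @('windows auto update', 'Microsoft Inet xp..', 'Nonton Antivirus', 'Windows Automation', 'www.hidro.4t.com')
$RunKey        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$Findings      = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Detail, [string]$Action) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail; Action = $Action })
}

# Step 2: running worm processes (process names are the file names without ".exe";
# -contains compares case-insensitively).
$procNames = $WormFiles | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    if ($procNames -contains $p.ProcessName) {
        if ($Remediate) { Stop-Process -Id $p.Id -Force; $act = 'stopped' } else { $act = 'found' }
        Add-Finding 'Process' "$($p.ProcessName) (PID $($p.Id))" $act
    }
}

# Step 5: Run-key persistence. A value is flagged if its name is one the guide
# lists, or if its data mentions one of the worm executables (catches renamed values).
if (Test-Path $RunKey) {
    $run = Get-ItemProperty -Path $RunKey
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip the provider's own metadata properties
        $data   = [string]$prop.Value
        $byName = $RunValueNames -contains $prop.Name
        $byData = @($WormFiles | Where-Object { $data -match [regex]::Escape($_) }).Count -gt 0
        if ($byName -or $byData) {
            if ($Remediate) { Remove-ItemProperty -Path $RunKey -Name $prop.Name; $act = 'deleted' } else { $act = 'found' }
            Add-Finding 'RunValue' "`"$($prop.Name)`" = $data" $act
        }
    }
}

# Step 6: worm files anywhere under the Windows directory. Exact names are used
# rather than a msblast*.* style wildcard so that unrelated files sharing a
# prefix are never matched or deleted.
foreach ($name in $WormFiles) {
    $hits = Get-ChildItem -Path $env:WINDIR -Filter $name -File -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($file in $hits) {
        if ($Remediate) { Remove-Item -LiteralPath $file.FullName -Force; $act = 'deleted' } else { $act = 'found' }
        Add-Finding 'File' $file.FullName $act
    }
}

# Step 4: inbound block rules. TCP 135 carries DCOM RPC and UDP 69 carries TFTP;
# per the guide, block those two only on hosts that do not rely on them.
if ($BlockPorts) {
    $rules = @(
        @{ Label = 'Blaster';             Protocol = 'TCP'; Port = 4444 },
        @{ Label = 'DCOM RPC (if unused)'; Protocol = 'TCP'; Port = 135 },
        @{ Label = 'TFTP (if unused)';     Protocol = 'UDP'; Port = 69 }
    )
    foreach ($r in $rules) {
        $null = New-NetFirewallRule -DisplayName "Block $($r.Label) $($r.Protocol)/$($r.Port)" `
                    -Direction Inbound -Protocol $r.Protocol -LocalPort $r.Port -Action Block
        Add-Finding 'Firewall' "$($r.Protocol)/$($r.Port)" 'blocked'
    }
}

if ($Findings.Count -eq 0) { Write-Output 'No MSBLAST indicators found.' }
else { $Findings | Format-Table -AutoSize }
```

Run `.\Find-MsBlast.ps1` first to get a read-only listing of processes, Run values and files that match; once the machine is off the network and the patch is installed, `.\Find-MsBlast.ps1 -Remediate` performs the stop/delete actions from steps 2, 5 and 6, and `-BlockPorts` adds the firewall rules from step 4. Run the audit again after the reboot in step 7, as step 8 asks, to confirm nothing came back.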
For automatic removal of MSBLAST, download the Symantec removal tool. You will still need to download and install the patches above; the removal tool stops the MSBLAST program from running, removes the Registry entries, and deletes the infected files.
You can find more information about this worm by visiting Symantec’s or TrendMicro’s pages on this worm
Microsoft’s Page on What You Should Know About the Blaster worm