How to kick a worm's ass

MSBlast picks on vulnerable computers. Don't fall prey!

Vidya Srinivasa Rao | August 13, 2003 15:43 IST

An Internet worm that exploits a security flaw in Microsoft Windows operating systems is quickly spreading to computers throughout the world.

Dubbed MSBlast, or 'blaster worm', the malicious code is crashing computers and causing a serious slowdown of Internet traffic.

Are you at risk?

Yes, you are, if your computer connects to the Internet. However, MSBlast only infects computers running Windows XP, Windows 2000, Microsoft Server 2003 and Windows NT 4.0.

Don't panic, Rediff Guide to the Net brings you this quick set of instructions to prevent, detect or remove the worm.


How does MSBlast work?

Unlike most Internet worms, MSBlast does not require user action for the infection to happen. The worm does not spread via email. It scans the Internet for vulnerable computers and, when it finds one, downloads a file called msblast.exe onto that computer.

Moreover, the worm makes changes to PC settings such that it gets loaded each time you restart your machine. More specifically, MSBlast updates the system registry with the following line so as to run whenever the machine is rebooted:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! Bill

The culprit is a commonly open 'port' in Windows. Microsoft identified this serious flaw on July 16 and issued a security patch to stop malicious computer hackers exploiting the problem.

The worm is also preparing to launch a denial-of-service, or DoS, attack on August 16 against Microsoft's Windows Update site, where you can download software patches that address Windows vulnerabilities.

Are you infected?

Right click on the 'task bar' and select 'Task Manager'. Click on the 'Processes' tab. If you can find a process called msblast.exe, then your system is infected.
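
The two signs of infection named in this article, the msblast.exe process and the "windows auto update" entry under the Run key, can be checked together from a script. The following is an added example, not part of the original article; it assumes Windows PowerShell is available on the machine, and the function name Test-MSBlastIndicators is made up for illustration. It only reads and reports.

```powershell
# Added example: read-only check for the two MSBlast indicators named in the article.
# Test-MSBlastIndicators is a hypothetical name; nothing is deleted or changed.

$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'windows auto update'   # Run value name quoted in the article
$FileName  = 'msblast.exe'           # file the worm drops, per the article

function Test-MSBlastIndicators {
    $findings = @()

    # Indicator 1: a running process called msblast.exe.
    # Get-Process expects the name without the .exe extension.
    $procName = [System.IO.Path]::GetFileNameWithoutExtension($FileName)
    $procs = @(Get-Process -Name $procName -ErrorAction SilentlyContinue)
    foreach ($p in $procs) {
        $findings += "Process: $FileName is running (PID $($p.Id))"
    }

    # Indicator 2: a Run entry that starts the worm at every boot.
    # Match on the value name or on any value whose data mentions the file,
    # so a renamed entry pointing at msblast.exe is still reported.
    $metadata = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($prop in $run.PSObject.Properties) {
            if ($metadata -contains $prop.Name) { continue }   # skip provider metadata
            $data = [string]$prop.Value
            if ($prop.Name -eq $ValueName -or $data -like "*$FileName*") {
                $findings += "Registry: Run value '$($prop.Name)' = '$data'"
            }
        }
    }
    return $findings
}

$result = @(Test-MSBlastIndicators)
if ($result.Count -eq 0) {
    Write-Output 'No MSBlast indicators found (process list and Run key checked).'
} else {
    Write-Output 'Possible MSBlast infection:'
    $result | ForEach-Object { Write-Output "  $_" }
}
```

A clean result covers only these two indicators; an unpatched machine can still be infected later, so the patch described under "Prevent it" is needed either way.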

Squish it!

The worm is relatively easy to remove. This simple article from ZDNet gives detailed instructions.

If you use anti-virus software, look up the relevant site for updated signature files to include this worm. This will stop the infection upon contact. In some cases this will also remove the infection.

For more information check out these pages from F-Secure, McAfee and Symantec.

Prevent it

If your machine has not been affected yet, it's best you quickly take the proper steps to ensure safety. The best prevention is to install a patch from the Microsoft site. Users who have not yet patched their Windows 2000, NT, and XP systems should download the security patches immediately.

Links to security patches:

Windows NT 4.0 Server
Windows NT 4.0 Terminal Server Edition
Windows 2000
Windows XP 32-bit Edition
Windows XP 64-bit Edition
Windows Server 2003 32-bit Edition
Windows Server 2003 64-bit Edition

Advice on prevention and cleaning the MSBlast worm
Blaster worm updates

Number of User Comments: 16

Sub: Rediff needs to be congratulated for this article.

Not only is the article informative about the jantoo, but it also leads the reader to the relevant police station to get a cop to ...

Posted by chanakya

Sub: Windows networking

I'm guessing that corporate boxes behind a firewall are not going to be hit too hard, as the firewalls usually block NetBIOS ports. The real ...

Posted by rieka

Sub: me too

My situation is exactly like yours any help would save me.

Posted by duane

Sub: Linux???

Come on Linux isn't the most secure thing ever, the main reason you hear more about Microsoft, is that the vast majority of desktops run ...

Posted by chris

Sub: Thank you

Thank you for your article :D

Posted by wefiu98

