السلام عليكم ورحمة الله بوركاته
How to Remove MSBLAST.exe worm virus
(updated to include information on Variants A-G)
Read about the Welchia or MSBLAST.D worm
What is the MSBLAST.EXE worm aka Blaster.A, LoveSan or Msblast.A?
The MSBLAST.A worm infects machines via network connections. It can attack entire networks of computers or one single computer connected to the Internet. The worm exploits a known windows vulnerability that is easily patched, however few systems seem to have this patch installed. It attacks Windows 2000 and Windows XP machines and exploits the DCOM RPC Vulnerablity. Depending on the system date it will start a Denial of Service attack against windowsupdate.com, this makes it difficult to download the needed patches and allow the worm to infect as many machines as it can before being disabled. However, as of August 15th, Microsoft decided to kill the windowsupdate.com domain to lessen the impact from this denial of service attack. MSBLAST can also cause widespread system instability including but not limited to Windows Blue screens, out of memory errors, changes to Control Panel, inability to use functions in browser, and many more oddities.
Download the Windows patches for this vulnerability by clicking on the links below:
Windows XP: DCOM/RPC Exploit patch
Windows 2000: DCOM/RPC Exploit patch
These Windows vulnerabilities are patched by using Windows Update to download all the critical updates for your system. However in some cases, people have reported getting an error 0x800A138F when trying to download updates. If you are receiving an error similar to this, read Marc Liron's excellent article about solving this at his updatexp.com website.
What is the DCOM Vulnerability?
The DCOM vulnerability in Windows 2000 and XP can allow an attacker to remotely compromise a computer running Microsoft® Windows® and gain complete control over it. The worm causes a buffer overrun in the Remote Procedure Call (RPC) service. When this service is terminated the virus infects the machine and then tries to infect other machines.
What are the Symptoms of the MSBLAST worm?
You'll see a screen similar to the one below when you are infected, this will countdown to zero and literally shut down the system completely. The warning will state "This shutdown was initiated by NT AUTHORITY\SYSTEM". The message will read
Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly.
