Tuesday, August 12, 2003
More about Blaster
After the initial update, I spent a couple of hours helping people clean their systems at work. Here is a quick list of things you can do to diagnose and protect yourself.
Worm Info - This link provides a ton of information about the worm
Worm Cleanup - provides a link to patches to protect your system from the worm
The worm is pretty smart - it infects your machine by exploiting a vulnerability in Windows 2000, XP and Server 2003; all three OS versions are susceptible to the attack. The worm has also targeted the Microsoft site providing the patch, so download times for the patch might be high. If you have trouble downloading the patches, send me email and I'll email the fix to you.
Lines of Defence:
1. Your first line of defence should be to look for any suspicious exe running on your system by inspecting the list of processes in Task Manager. 2 likely candidates are:
This also installs an entry into the registry under HKLM\Software\Microsoft\Windows\CurrentVersion\Run - Windows Auto Update - msblast.
You can access and delete this value by following these steps:
1. You need to open the registry: Start -> Run -> regedit.exe -> Ok
2. The registry is organized like a tree - Find HKEY_LOCAL_MACHINE (HKLM) - Click on the plus to the left of HKLM
3. Now, like you would in Windows Explorer - navigate the tree under HKLM to find the path Software\Microsoft\Windows\CurrentVersion\Run
4. When you've found Run, click/highlight Run - you should see a list of names, the first being Default
5. Find the entry for msblast.exe - Select it and press Delete - Confirm the deletion by clicking "Yes" in the dialog that pops up after you've decided to delete the value
Monfiles.exe resides in its program files folder under %programfiles%\monfiles - and has an uninstall exe - use it to first uninstall and then delete the entire folder by hand
2. Download and install the patch on your system - this takes approximately 10-15 minutes. Then update your computer through Windows Update.
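The checks from step 1 can also be scripted. The following PowerShell is an added example, not part of the original post: it reports the two process names mentioned above, lists any Run-key value whose name or data mentions msblast, and deletes those values only when run with `-Remove` from an elevated prompt. Matching on the substring "msblast" and the `-Remove` switch are assumptions of this example.

```powershell
# Added example: audit the items named in step 1 and optionally remove the Run entry.
# Assumption: any Run value whose name or data contains "msblast" belongs to the worm.
param([switch]$Remove)   # hypothetical switch; without it the script only reports

$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$pattern = 'msblast'

# 1. Processes with the names mentioned in the post (report only).
$procs = @(Get-Process -Name 'msblast', 'monfiles' -ErrorAction SilentlyContinue)
foreach ($p in $procs) {
    Write-Output ("Running process: {0} (PID {1})" -f $p.ProcessName, $p.Id)
}

# 2. Run-key values that start msblast at boot.
$key  = Get-Item -Path $runKey
$hits = @(foreach ($name in $key.GetValueNames()) {
    $data = [string]$key.GetValue($name)
    if ($name -match $pattern -or $data -match $pattern) {
        New-Object psobject -Property @{ Name = $name; Data = $data }
    }
})
foreach ($h in $hits) {
    Write-Output ("Run entry: '{0}' = '{1}'" -f $h.Name, $h.Data)
}

# 3. The monfiles folder; its own uninstaller should be run before deleting it by hand.
$monDir = Join-Path $env:ProgramFiles 'monfiles'
if (Test-Path -Path $monDir) {
    Write-Output ("Folder present: {0} (run its uninstaller first)" -f $monDir)
}

# 4. Delete the matching Run values only on request (needs administrator rights).
if ($Remove) {
    foreach ($h in $hits) {
        Remove-ItemProperty -Path $runKey -Name $h.Name
        Write-Output ("Removed Run entry: '{0}'" -f $h.Name)
    }
}

if ($procs.Count -eq 0 -and $hits.Count -eq 0 -and -not (Test-Path -Path $monDir)) {
    Write-Output 'Nothing from step 1 was found on this machine.'
}
```

Removing the Run entry only stops the worm from starting at boot; the patch in step 2 is still what closes the vulnerability.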
The irony is this vulnerability was patched on the 17th of July 2003, but the worm is spreading like wildfire. Update your systems and save at least 1 hour of your time...