Fight the Blaster Worm

By: Andrea Plautz

The LovSan worm, also known as Blaster, is making its way to computers across the world. The worm attacks computers with Microsoft Windows NT4, 2000, XP, and Windows Server 2003, causing the infected computer to issue error warnings, shut down, and then mysteriously start up again.

Antivirus software will not prevent infection from this worm because the worm travels directly from the Internet into the operating system, never triggering a virus scan.

If your computer has been infected, follow these steps to disable the worm:

1. Physically disconnect the system from the network.

2. Kill off the MSBLAST.EXE process by pressing Ctrl+Alt+Del to bring up the Task Manager.

3. Click the Processes tab, highlight MSBLAST.EXE in the list, and click the End Process button.

4. Launch REGEDIT from the Start menu's Run dialog and navigate to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
In the right-hand pane you should see a value whose name is "windows auto update" and whose data is MSBLAST.EXE. Delete this value. If you were not able to kill off the MSBLAST.EXE process in the preceding step, restart your computer.

5. Use Search from the Start menu to locate all instances of files named MSBLAST.EXE and delete them.

6. Disable DCOM temporarily.

7. Launch DCOMCNFG.EXE from the Start menu's Run dialog. Those running Windows XP or Windows Server 2003 will now need to navigate to Console Root\Component Services\Computers\My Computer, then right-click My Computer and choose Properties. Click the Default Properties tab, un-check "Enable Distributed COM on this computer" and click OK.

8. Now you can reconnect the computer to the network. Even if Blaster were to attack your system again, it can't function with DCOM disabled.

9. Download and install a personal firewall. Once the firewall is up and running, you can re-enable DCOM.

10. Install the Microsoft patch that blocks the vulnerability exploited by Blaster.
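
To confirm the cleanup before reconnecting in step 8, the following added example (not part of the original article) parses saved `tasklist /FO CSV /NH` and `reg query` output and lists which steps are still outstanding. The sample output is constructed, `<AUTORUN_KEY>` is a placeholder for the key named in step 4, and the use of the `EnableDCOM` value under `HKEY_LOCAL_MACHINE\Software\Microsoft\Ole` to read the DCOM setting is an assumption not stated in the article.

```python
import csv, io, re

WORM_IMAGE = "msblast.exe"          # file/process name given in the article
WORM_VALUE = "windows auto update"  # autorun value name given in the article
REG_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")

# Constructed sample output, not captured from a real host.
# <AUTORUN_KEY> is a placeholder for the registry key named in step 4.
SAMPLE_TASKLIST = (
    '"explorer.exe","1412","Console","0","18,204 K"\n'
    '"MSBLAST.EXE","1788","Console","0","4,112 K"\n')
SAMPLE_AUTORUN = "<AUTORUN_KEY>\n    windows auto update\tREG_SZ\tMSBLAST.EXE\n"
SAMPLE_OLE = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole\n    EnableDCOM\tREG_SZ\tY\n"

def worm_pids(tasklist_csv):
    """PIDs whose image name is MSBLAST.EXE (input: `tasklist /FO CSV /NH`)."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return [int(r[1]) for r in rows if len(r) > 1 and r[0].lower() == WORM_IMAGE]

def reg_values(reg_text):
    """Map lower-cased value name -> data from `reg query` text."""
    found = {}
    for line in reg_text.splitlines():
        m = REG_LINE.match(line)  # value names may contain spaces
        if m:
            found[m.group(1).lower()] = m.group(3).strip()
    return found

def is_worm_entry(name, data):
    """True if the value name or the program it launches matches the worm."""
    image = data.lower().strip('"').split("\\")[-1]
    return name == WORM_VALUE or image == WORM_IMAGE

def remaining_steps(tasklist_csv, autorun_text, ole_text):
    """Return the article's steps that the collected output shows are not done."""
    todo = []
    if worm_pids(tasklist_csv):
        todo.append("end the MSBLAST.EXE process (steps 2-3)")
    if any(is_worm_entry(n, d) for n, d in reg_values(autorun_text).items()):
        todo.append("delete the autorun value (step 4)")
    # Assumption: EnableDCOM ("Y"/"N") mirrors the DCOMCNFG checkbox from step 7;
    # a missing value is treated as DCOM still enabled.
    if reg_values(ole_text).get("enabledcom", "Y").upper() != "N":
        todo.append("disable DCOM before reconnecting (steps 6-8)")
    return todo

if __name__ == "__main__":
    print(remaining_steps(SAMPLE_TASKLIST, SAMPLE_AUTORUN, SAMPLE_OLE))
```

An empty list means the process, the autorun value and DCOM all look as the steps intend; the file search in step 5 and the patch in step 10 are not checked here.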