Secure Most Provide you most reliable security utilities!
Home Articles File Center Privacy Contact us Links
Now Position: Home>Tech Articles>Free Invasion from Worms
How to Detect and Remove MSBLAST.EXE Worm?
What is the MSBLAST.EXE?

Also known as: aka Blaster.A, LoveSan, Msblast.A or MSBlaster

The MSBLAST.A worm infects machines via network connections. It can attack entire networks of computers or one single computer connected to the Internet. The worm exploits a known windows vulnerability that is easily patched, however few systems seem to have this patch installed. It attacks Windows 2000 and Windows XP machines and exploits the DCOM RPC Vulnerablity. MSBLAST can also cause widespread system instability including but not limited to Windows Blue screens, out of memory errors, changes to Control Panel, inability to use functions in browser, and many more oddities.

Download the Windows patches for this vulnerability by clicking on the links below:

Windows XP: DCOM/RPC Exploit patch
Windows 2000: DCOM/RPC Exploit patch

These Windows vulnerabilities are patched by using Windows Update to download all the critical updates for your system. 

What is the DCOM Vulnerability?

The DCOM vulnerability in Windows 2000 and XP can allow an attacker to remotely compromise a computer running Microsoft® Windows® and gain complete control over it. The worm causes a buffer overrun in the Remote Procedure Call (RPC) service. When this service is terminated the virus infects the machine and then tries to infect other machines.

What are the Symptoms of the MSBLAST worm?

You'll see a screen similar to the one below when you are infected, this will countdown to zero and literally shut down the system completely. The warning will state "This shutdown was initiated by NT AUTHORITY\SYSTEM". The message will read

Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly.

systemshutdown.jpg (7899 bytes)

You can disable this shutdown by following the steps below during the countdown

  1. Click on Start, Run
  2. Type in CMD and press ENTER
  3. Type in the following command and press Enter

    SHUTDOWN -A

This will terminate the shutdown, however in most cases the system may be to unstable to try to recover and may need to be rebooted anyway.

How Does MSBLAST Infect My Computer?
  1. The worm creates a Mutex named "BILLY." If the mutex exists, the worm will exit.
  2. Adds the value:

    "windows auto update" = MSBLAST.EXE (variant A)
    "windows auto update" = PENIS32.EXE (variant B)
    "Microsoft Inet xp.." = TEEKIDS.EXE (variant C)
    "Nonton Antivirus=mspatch.exe" (variant E)
    "Windows Automation" = "mslaugh.exe" (variant F)
    "www.hidro.4t.com"="enbiei.exe" (variant G)

    to the registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    so that the worm runs when you start Windows.
  3. Calculates the IP address, based on the following algorithm, 40% of the time:

    Host IP: A.B.C.D
    sets D equal to 0.
    if C > 20, will subtract a random value less than 20.
    Once calculated, the worm will start attempting to exploit the computer based on A.B.C.0, and then count up.
    This means the Local Area Network will be infected almost immediately and become become saturated with port 135 requests prior to exiting the local subnet.

  4. Calculates the IP address, based on many random numbers, 60% of the time:

    A.B.C.D
    set D equal to 0.
    sets A, B, and C to random values between 0 and 255.

  5. Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability to allow the following actions to occur on the vulnerable computer:

    Create a hidden Cmd.exe remote shell that will listen on TCP port 4444.

    NOTE: Due to the random nature of how the worm constructs the exploit data, it may cause computers to crash if it sends incorrect data. This can cause blue screens, out of memory errors, etc.

  6. Listens on UDP port 69. When the worm receives a request, it will return the Msblast.exe binary.
  7. Sends the commands to the remote computer to reconnect to the infected host and to download and run Msblast.exe.

  8. If the current month is after August, or if the current date is after the 15th, the worm will perform a DoS on "windowsupdate.com."

    With the current logic, the worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.

The worm contains the following text, which is never displayed:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

Windows 2000 Machines

On Windows 2000 machines, I have seen the Control Panel icons switch to the left pane, functions like FIND in the browser stop working, and many other oddities.

How to Remove the MSBLAST worm?

Kaspersky Internet Security Can Prevent You From Virus and Intrusion. If Kaspersky detects MSBLAST during the scan, it will AUTOMATICALLY offer you the option of deleting it. Do this by following the program's instructions.

Follow these steps in removing the MSBLAST or MSBLASTER worm.

1) Disconnect your computer from the local area network or Internet

2) Terminate the running program

  • Open the Windows Task Manager by either pressing CTRL+ALT+DEL, selecting the Processes tab or selecting Task Manager and then the process tab on WinNT/2000/XP machines.
  • Locate one of the following programs (depending on variation), click on it and End Task or End Process

MSBLAST.EXE
PENIS32.EXE
TEEKIDS.EXE
MSPATCH.EXE
MSLAUGH.EXE
ENBIEI.EXE

  • Close Task Manager

3) Install the patches for the DCOM RPC Exploit, you can download the patches from the links below before disconnecting

Windows XP Pro/Home Edition
Windows 2000
Windows NT Server 4.0 and Windows NT Workstation 4.0
Windows NT Server 4.0, Terminal Server Edition 
Windows XP (64 bit) (server edition)
Windows 2003 (32 bit)
Windows 2003 (64 bit)

If you receive a "cryptographic service" error when you try to apply the patch, please read the following excellent article on how to fix this error:
http://www.updatexp.com/cryptographic-service.html

4) Block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the applications listed:

  • TCP Port 135, "DCOM RPC"
  • UDP Port 69, "TFTP"

5) Remove the Registry entries

  • Click on Start, Run, Regedit
  • In the left panel go to

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>Current Version>Run

  • In the right panel, right-click and delete the following entry

"windows auto update" = MSBLAST.EXE (variant A)
"windows auto update" = PENIS32.EXE (variant B)
"Microsoft Inet xp.." = TEEKIDS.EXE (variant C)
"Nonton Antivirus"=MSPATCH.EXE (variant E)
"Windows Automation" = "mslaugh.exe" (variant F)
"www.hidro.4t.com"="enbiei.exe" (variant G)

  • Close the Registry Editor

6) Delete the infected files (for Windows ME and XP remember to turn off System Restore before searching for and deleting these files to remove infected backed up files as well)

  • Click Start, point to Find or Search, and then click Files or Folders.
  • Make sure that "Look in" is set to (C:\WINDOWS).
  • In the "Named" or "Search for..." box, type, or copy and paste, the file names:
    msblast*.* (or other filenames listed above)
  • Click Find Now or Search Now.
  • Delete the displayed files.
  • Empty the Recycle bin, the worm can reinfect even if the files are in the recycle bin.

7) Reboot the computer and run a thorough virus scan using your favorite antivirus program. If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.

  1. Start your Kaspersky Internet Security and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected as infected with MyDoom.B, click Delete.
How to Disinfect My Computer from Worms?

In order to keep your computer protected, bear the following tips in mind:

  1. If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file and delete it, making sure that you also delete it from the Deleted Items folder.
  2. Install a good antivirus in your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
  3. Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
  4. Keep your permanent antivirus protection enabled at all times.
Detect and Removal Instruction for Other Worms - 'M':
More Detection and Removal Instructions for Worms
Sign up for free up-to-date messages about your PC's security & privacy:
              Email
Confirm email
     Your Name    
 Anti-Keylogger  Password Pecovery
 Anti-Spam  PC Monitoring
 Anti-Spyware  Personal Firewall
 Anti-Virus  System Tools
 Online Privacy    
PQ DVD to iPod Video Suite
PQ DVD to iPod Video Suite (PQ DVD to iPod + iPod Video Converter) is a One-Click, All-In-One solution to convert DVD, Tivo, DivX, MPEG, WMV, AVI, RealMedia and many more to iPod Video ...
Kaspersky Internet Security
Internet Security processes all incoming and outgoing data on your computer, including email, Internet traffic and network interaction, without the need for additional security applications ...
Cucusoft MPEG/AVI to DVD/VCD/SVCD Converter Pro
It enables you to convert and burn any video file directly to VCD, DVD, SVCD, MPEG1 and MPEG2 format. Pro version included all the features of the lite version ...
FREE Spyware Scan! SpyNoMore
SpyNoMore scans, cleans and blocks spyware as well as any other good anti-spyware product, but with one big advantage, Custom Fix (patent pending). Spyware programs are growing more sophisticated by the day ...
Copyright ©2003-2009 SecureMost.com. All other trademarks are the sole property of their respective owners.