This security advisory applies only to Windows XP, 2000, and NT 4.0. Users with other systems can disregard this notice.
Sep 12, 2003: A new patch has been released. Even if you have installed the previous patch 823980, you must install the new patch 824146 below to protect your computer.
A security vulnerability was recently discovered in Windows XP, Windows 2000, and Windows NT 4.0 that allows a remote computer to take control of a computer running one of these operating systems. Since Monday, a worm called Microsoft Blaster that takes advantage of this vulnerability has been spreading rapidly throughout the Internet. It often causes computers to shut down while on the Internet with an error mentioning RPC/Remote Procedure Call.
The following details the procedure for removing the MSBLAST worm from your computer.
Open the Windows Task Manager by pressing CTRL+SHIFT+ESC (i.e., hold down both the Ctrl and Shift keys on the keyboard, then press the Esc key once, then release Ctrl and Shift). In the Task Manager, click on the Processes tab at the top. Look in the list of processes for one named msblast. Click once on this to select it, then press the End Process button. Then press Yes to end the process. If you do not see msblast in the process list, your computer is probably not infected.
Note that this has only deactivated the worm; your computer is still infected.
If you have a virus scanner, connect to the Internet and use it to download the latest virus database, and then to scan and clean your computer. The exact steps for this depend on the software.
If you do not have a virus scanner, search your hard drive for a file named msblast.exe and delete it.
Go to the Microsoft web site and download patch 824146. Run the downloaded file to install the patch, then reboot your computer.