Experts recommend Blaster fix

Shawna McAlearney, Online Editor, Information Security magazine

A surge in Blaster worm infections prompted the Computer Emergency Response Team and other experts to recommend the following remediation steps for infected machines:


--Physically disconnect from the network.

--If you can't stop your system from rebooting, use the shutdown timer: click Start, Run and type shutdown -a.

--Kill the "msblast.exe" process in the Task Manager: press "CTRL-ALT-DELETE," click the "Task Manager" button, select the "Processes" tab, highlight "msblast.exe," and click the "End Process" button (CERT notes that this will bring up a Warning dialog box, which the user needs to answer "Yes").

--Delete "HKey_Local_Machine\software\microsoft\windows\currentversion\run\windowsautoupdate."

--Search the machine for any files named msblast.exe, p-e-n-i-s32.exe (without hyphens), teekids.exe and root32.exe. For each match, right-click and select delete.

--Disable DCOM on all affected machines, but not until all effects have been fully tested. (http://microsoft.com/technet/security/bulletin/MS03-026.asp).

--Reboot the machine and reconnect to the network.

--Install the patch from Windows Update or MS03-026 (http://microsoft.com/technet/security/bulletin/MS03-026.asp).
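
The checks in the steps above can be gathered into one read-only pass before anything is deleted. The PowerShell script below is an added example, not part of the article or of CERT's guidance. It assumes the Run value name as printed above (matched with spaces ignored) and, to keep the scan short, searches only the system drive.

```powershell
# Added example: read-only check for the Blaster artifacts named in the steps above.
# Nothing is killed or deleted; findings are listed so the manual steps can be applied.

# File names from the article; one is printed there with hyphens, so strip them.
$names = @('msblast.exe', ('p-e-n-i-s32.exe' -replace '-', ''), 'teekids.exe', 'root32.exe')

# Run key and value name from the article. Assumption: the value name is compared
# with whitespace removed, so a spaced spelling of the same name also matches.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'windowsautoupdate'

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Running processes whose image name matches one of the listed files.
$procNames = $names | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $procNames -contains $_.ProcessName } |
    ForEach-Object { Add-Finding 'Process' "$($_.ProcessName) (PID $($_.Id))" }

# 2. Autostart value under the Run key.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { ($_.Name -replace '\s', '') -ieq $runValue } |
        ForEach-Object { Add-Finding 'RunValue' "$($_.Name) = $($_.Value)" }
}

# 3. Files on disk. Assumption: only the system drive is searched here;
#    the article says to search the whole machine.
$root = Join-Path $env:SystemDrive '\'
Get-ChildItem -Path $root -Recurse -File -Include $names -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'File' $_.FullName }

if ($findings.Count -eq 0) { 'No artifacts from the list were found.' }
else { $findings | Format-Table -AutoSize }
```

An empty result covers only the indicators listed in the article; the MS03-026 patch is still required.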
