Member
Join Date: May 2007
Posts: 40
W32/Blaster Recovery Tips
(Accompanying CERT Advisory CA-2003-20)

Steps to recover from W32/Blaster

These instructions are designed for Windows XP. Under some circumstances, these instructions may not completely disable the worm or protect the system from re-infection.

1.
2. Physically disconnect the computer from the network (remove phone/network cable, wireless card).
3. Kill the worm process using Task Manager. Known variants of this worm may show up as "msblast.exe", "teekids.exe", or "penis32.exe".
   1. Press Ctrl-Alt-Delete key combination.
   2. Click "Task Manager" button.
   3. Select "Processes" tab.
   4. Highlight "msblast.exe".
   5. Click "End Process" button, answer "Yes" to warning dialog.
   6. Repeat previous two steps for "teekids.exe" and "penis32.exe".
4. Delete any files named "msblast.exe", "teekids.exe", or "penis32.exe" on the computer.
   1. Click "Start", "Search", and select "All files and folders".
   2. Search for "msblast.exe".
   3. Right-click each file and delete it.
   4. Repeat previous two steps for "teekids.exe" and "penis32.exe".
5. Enable Internet Connection Firewall (ICF). From Microsoft Knowledge Base Article 283673:
   1. In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
   2. Right-click the connection on which you would like to enable ICF, and then click Properties.
   3. On the Advanced tab, click the box to select the option to Protect my computer or network.
   4. If you want to enable the use of some applications and services through the firewall, you need to enable them by clicking the Settings button, and then selecting the programs, protocols, and services to be enabled for the ICF configuration.
6. (Optional) Disable DCOM. From MS03-026:
   1. Run Dcomcnfg.exe. If you are running Windows XP or Windows Server 2003 perform these additional steps:
      * Click on the Component Services node under Console Root.
      * Open the Computers sub-folder.
      * For the local computer, right click on My Computer and choose Properties.
      * For a remote computer, right click on the Computers folder and choose New then Computer. Enter the computer name. Right click on that computer name and choose Properties.
   2. Choose the Default Properties tab.
   3. Select (or clear) the Enable Distributed COM on this Computer check box.
   4. If you will be setting more properties for the machine, click the Apply button to enable (or disable) DCOM. Otherwise, click OK to apply the changes and exit Dcomcnfg.exe.
7. Reboot your computer and reconnect to the network.
8. Install the patch from Windows Update or MS03-026.
   1. Using Internet Explorer, go to Windows Update and follow the instructions there to install any available patches.
   2. After installing the patch, reboot your computer.
9. Read and apply the clean up measures outlined in MS03-026.
   1. If you disabled DCOM in step 5, you will probably want to re-enable it.
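A scripted check that steps 3 and 4 above left nothing behind, as an added example that is not part of the original post or the CERT text. It assumes a Python 3 interpreter and the `tasklist` command are available on the machine; the function names and the sample process list are constructed for illustration.

```python
"""Post-cleanup check for steps 3 and 4: no worm process, no worm file left."""
import csv
import io
import os
import sys

# File names the recovery steps list for known variants of the worm.
WORM_NAMES = {"msblast.exe", "teekids.exe", "penis32.exe"}


def worm_processes(tasklist_csv):
    """Return (image name, PID) pairs from `tasklist /FO CSV /NH` output
    whose image name is a worm name (Windows names are case-insensitive)."""
    hits = []
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if len(row) >= 2 and row[0].strip().lower() in WORM_NAMES:
            hits.append((row[0], row[1]))
    return hits


def worm_files(root):
    """Walk `root` and return the full paths of files named like the worm."""
    hits = []
    # Unreadable folders are skipped instead of aborting the whole scan.
    for folder, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            if name.lower() in WORM_NAMES:
                hits.append(os.path.join(folder, name))
    return sorted(hits)


def cleanup_complete(tasklist_csv, root):
    """True only when neither a worm process nor a worm file remains."""
    return not worm_processes(tasklist_csv) and not worm_files(root)


# Constructed sample of tasklist CSV output (not captured from a real host).
SAMPLE_TASKLIST = (
    '"System Idle Process","0","Console","0","16 K"\n'
    '"svchost.exe","812","Console","0","3,420 K"\n'
    '"MSBLAST.EXE","1472","Console","0","1,104 K"\n'
)

if __name__ == "__main__":
    # Usage: tasklist /FO CSV /NH | python check_blaster.py C:\
    listing = sys.stdin.read()
    root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    print("processes:", worm_processes(listing))
    print("files:", worm_files(root))
    print("clean:", cleanup_complete(listing, root))
```

A clean result only confirms that the named files and processes are gone; the firewall and patch steps are still what prevent re-infection.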