David M. Blocker wrote:

The Norton site on this stinks - it gives highly technical steps to follow
to block the invasion (e.g. "Block these ports") without any specific
directions on how to do it.




David,

This is from CERT, a federally-funded organization attached to CMU -
your tax dollars at work! It's a bit clearer than SARC's offering, I think.




W32/Blaster Recovery Tips


(Accompanying CERT advisory CA-2003-20
<http://www.cert.org/advisories/CA-2003-20.html>)


Steps to recover from W32/Blaster


These instructions are designed for Windows XP. Under some
circumstances, these instructions may not completely disable the worm
or protect the system from re-infection. See Notes
<http://www.cert.org/tech_tips/w32_blaster.html#notes>.

   1. Physically disconnect the machine from the network (remove
      phone/network cable, wireless card).
   2. Kill the "msblast.exe" process using Task Manager.
         1. Press Ctrl-Alt-Delete key combination
         2. Click "Task Manager" button
         3. Select "Processes" tab
         4. Highlight "msblast.exe"
         5. Click "End Process" button, answer "Yes" to warning dialog
   3. Delete any files named "msblast.exe" on the machine.
         1. Start -> Search -> Find Files or Folders
         2. Search for "msblast.exe"
         3. Right-click each file and delete it
   4. (Optional) Disable DCOM
      From MS03-026
      <http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp>:

         1. Run Dcomcnfg.exe.
            If you are running Windows XP or Windows Server 2003
            perform these additional steps:
                * Click on the Component Services node under Console Root.
                * Open the Computers sub-folder.
                * For the local computer, right click on My Computer
                  and choose Properties.
                * For a remote computer, right click on the Computers
                  folder and choose New then Computer. Enter the
                  computer name. Right click on that computer name and
                  choose Properties.
         2. Choose the Default Properties tab.
         3. Select (or clear) the Enable Distributed COM on this
            Computer check box.
         4. If you will be setting more properties for the machine,
            click the Apply button to enable (or disable) DCOM.
            Otherwise, click OK to apply the changes and exit
            Dcomcnfg.exe.


The rest below refers to the built-in XP firewall. If you already have a hardware firewall (and you should), the ports described should normally be closed anyway and a hardware firewall in your gateway/router plus a software firewall on your PC should normally suffice. If you're not running XP, ZoneAlarm, downloadable at http://www.zonelabs.com as freeware (look hard) and a regular product, enables you to monitor apps trying to call home on the internet and send e-mail as well as scan e-mail for viruses/scripts.

   5. Enable Internet Connection Firewall (ICF)
      From Microsoft Knowledge Base Article 283673
      <http://support.microsoft.com/default.aspx?scid=kb;en-us;283673>:

         1. In Control Panel, double-click Networking and Internet
            Connections, and then click Network Connections.
         2. Right-click the connection on which you would like to
            enable ICF, and then click Properties.
         3. On the Advanced tab, click the box to select the option to
            Protect my computer or network.
         4. If you want to enable the use of some applications and
            services through the firewall, you need to enable them by
            clicking the Settings button, and then selecting the
            programs, protocols, and services to be enabled for the ICF
            configuration.
   6. Reboot the machine and reconnect to the network.
   7. Install the patch from Windows Update
      <http://windowsupdate.microsoft.com/>, or MS03-026
      <http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp>.
         1. Using Internet Explorer, go to Windows Update
            <http://windowsupdate.microsoft.com/> and follow the
            instructions there to install any available patches.
   8. Read and apply the clean up measures outlined in MS03-026
      <http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp>.



Notes

    * The worm may exist as processes and files with names other than
      "msblast.exe."
    * It has been reported that AOL network connections do not display
      an option to use ICF.
    * Disabling DCOM may break things and may be unnecessary (assuming
      that the worm is completely disabled and ICF is enabled).
    * Another type of host-based or network firewall can be used to
      block 135/tcp.
    * Save yourself the trouble next time by blocking 135, 137, 138,
      139, and 445 tcp and udp inbound and outbound. This will block
      most MS networking traffic. Leaving ICF enabled will stop
      unsolicited inbound network traffic. Unless it breaks something,
      leave ICF enabled.


More Information


<http://www.cert.org/advisories/CA-2003-20.html>
<http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A>


If you want to know how open your computer and/or network is, one free
site is Steve Gibson's "Shields UP!" at https://grc.com/x/ne.dll?bh0bkyd2

Nicky


