W32.Blaster.Worm Removal

It is assumed that you are running Windows XP or Windows 2000.

1. Print this document
2. Click Start, Run.  Type "cmd" in the box and hit enter.  If you get the warning that your computer is about to shutdown, go back to this window and type "shutdown /a" and hit enter. "shutdown /a" aborts a shutdown.
3. Download the following files:
   For Windows XP:
   • WindowsXP-KB823980-x86-ENU.exe
   • FixBlast.exe
   For Windows 2000:
   • Windows2000-KB823980-x86-ENU.exe
   • FixBlast.exe
   For other operating systems, go to Microsoft's security bulletin, scroll down to "Patch availability" and download the appropriate patch.
4. Unplug the internet cable from the back of the computer as soon as you have the files.
5. Run the first program you downloaded, "WindowsXP-KB823980-x86-ENU.exe" if you use Windows XP, or "Windows2000-KB823980-x86-ENU.exe" if you use Windows 2000. This patches your system to remove the security hole.  Now you need to remove the worm that was installed.
6. If you are running Windows XP, you'll need to disable "System Restore". System Restore is a feature that backs up your system's configuration. It will prevent FixBlast.exe from removing the worm and may reinstall it if you restore an infected backup. To do this you'll need to logon as Administrator.  If you aren't already logged on as administrator, click Start, Log Off, and logon again as Administrator. Now do the following to turn on "System Restore".

   To turn off Windows XP System Restore:

   1. Click Start.
   2. Right-click My Computer, and then click Properties.
   3. Click the System Restore tab.
   4. Select "Turn off System Restore" or "Turn off System Restore on all drives" check box
   5. Click Apply.  A message appears.
   6. As noted in the message, this will delete all existing restore points. Click Yes to do this.
   7. Click OK.
   8. Restart your computer.
7. Close any programs that are running.
8. Run the second program you downloaded, "FixBlast.exe"
9. Click "Start" on the window that pops up.
10. Restart the computer.
11. Run "FixBlast.exe" again to ensure that your system is clean.
12. Make sure that you are logged on as Administrator. Now reenable "System Restore" by doing the following:

    To turn on Windows XP System Restore:

    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. Click the System Restore tab.
    4. Clear the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
    5. Click Apply, and then click OK.
13. If you have virus scanning software, update to the most current virus definitions, and run a full scan.  You may have secondary or tertiary virii or worms.
14. To be extra secure, you should disable DCOM. DCOM allows COM objects on your computer to talk to COM objects on other computers. I personally don't know how often DCOM is used or why it is used. Disabling it might cause some interesting problems. If so, simply reenable it. This is not necessary. The choice is yours.

    To disable DCOM

    1. Click Start, Run, type "dcomcnfg.exe", and hit enter.
    2. If you are running Windows XP, do the following:
    1. Click on the Component Services node under Console Root.
    2. Open the Computers sub-folder.
    3. Right click on My Computer and choose Properties.
    3. Choose the Default Properties tab.
    4. Clear the Enable Distributed COM on this Computer check box.
    5. Click "Ok"
15. Now, you should probably turn on a firewall, if you haven't already. I believe WinXP and Win2000 include firewalling software. If not, install Linux, and be done with it. I'm not sure how to use Windows firewalls. Google knows. Microsoft's security bulletin listed in the bibliography contains a list of the ports you should block.

Bibliography:

• Microsoft's security bulletin
• Symantec's security bulletin

Copyright © 2003-2005 Adam Tomjack