MSBlast (alias Lovsan, Blaster, and Posa) is an Internet worm that takes advantage of the Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface buffer overflow flaw. Although Microsoft issued a patch on July 17, 2003, many people have yet to patch their systems.

Ironically, the worm threatens to shut down the windowsupdate.com site, the source of Microsoft security patches.

While the DCOM vulnerability affects Windows NT4, Windows 2000, Windows XP and Windows Server 2003, the worm only infects Windows 2000 and XP.

Because the method by which the vulnerability is exploited varies between the two operating systems, there have been numerous confirmed reports of the worm "crashing" systems. This happens when a worm uses a Windows 2000 exploitation technique on an XP machine and vice versa. The worm will use the Windows XP method 80 percent of the time, and the remaining attempts are directed at Windows 2000.

It is worth noting that an updated version of the worm could affect other Microsoft operating systems, so it is recommended that all of our readers patch their systems against the DCOM vulnerability.

How it works
MSBlast does not spread via e-mail. Instead, it scans the Internet on port 135 looking for vulnerable computers. When it finds one, it attempts to exploit the DCOM RPC buffer overflow, create a remote root shell on TCP port 4444, then use FTP to download a file called msblast.exe onto the infected computer.

MSBlast contains a denial-of-service (DoS) attack aimed at Microsoft's windowsupdate.com. The attack will start on August 15 and continues throughout the end of the year. MSBlast updates the system Registry with the following line so that it will run each time the computer is rebooted.

Hkey_local_machine\software\Microsoft\Windows\CurrentVersion\ Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! Bill

Detection
The worm is very easily detected by users. Pressing control-alt-delete, then clicking on "Task Manager" and selecting the "Processes" tab will bring up a list of processes running on the machine. Clicking on "Image Name" will sort the processes alphabetically. If there is a process named "msblast.exe" running on the system, then it has been infected by the worm. Prevention
The best prevention is to install the patch from Microsoft. Users who have not yet patched their Windows 2000, NT, and XP systems should do so.

• Windows NT 4.0 Server
  
• Windows NT 4.0 Terminal Server Edition
  
• Windows 2000
  
• Windows XP 32-bit Edition
  
• Windows XP 64-bit Edition
  
• Windows Server 2003 32-bit Edition
  
• Windows Server 2003 64-bit Edition
  

Removal
The worm is relatively easy to clean up after detection.

Step one is to patch the infected system against the vulnerability that allowed the worm to "get in" in the first place. This process requires the user of the computer to have administrator level access to the system.

Once the user is logged in again with administrator rights, what they need to do is load up Internet Explorer, and direct the browser to windowsupdate.microsoft.com. The user will be prompted by some pop up windows, directed through a fairly easy to understand and intuitive process.

The next step is to reboot the system.

After the system has rebooted it will be necessary to delete the worm's executable file, msblast.exe. However, its process must be stopped before it can be deleted.

Once the user logs back in with administrator rights, they should load up the "Task manager" again as described above. Click on the "Image Name" field under the "Processes" tab and click once on the "msblast.exe" process. Press "End Process" to stop it from running.

The worm's executable file will be found in the system32 directory, which is a subdirectory of (by default) the "winnt" directory in Windows 2000 machines, and the "windows" directory in Windows XP installations.

Use Windows Explorer to navigate to the system32 directory, locate the mblast.exe file and delete it. Reboot your system. Done!

The final step, removing the registry key created by the worm, is optional. It isn't really that important -- the key simply causes the worm to start every time the system is re-booted, but once the worm file itself is deleted it's redundant anyway.

This is done manually by using the registry editor. It is important to note that making incorrect changes to the registry can have catastrophic consequences.

Load the registry editor by clicking on the start button, navigating to "Run..." and typing in "regedit". Run regedit and navigate to the following "key".

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right hand section of the registry editor, the following value will be found:

"windows auto update"="msblast.exe"

Delete it.

Reboot. Done!

A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, McAfee, Symantec, and Trend Micro.

ZDNet Australia wishes to thank Hamish O'Dea and Jakub Kaminski from Computer Associates, Paul Ducklin from Sophos, and Grant Slender from Internet Security Systems for their assistance in preparing this guide.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.