Win32.Msblast.A

HIGH
LOW
Size: 6176 bytes (packed with UPX)
Aliases: W32.Blaster.Worm (NAV), W32/Blaster-A (Sophos)

Symptoms

  • The file MSBlast.exe is present in the %SYSTEM% folder (e.g. C:\Windows\System32\MSBlast.exe);
  • The value "windows auto update" exists under HKLM\Software\Microsoft\Windows\CurrentVersion\Run and points to that file;
  • A mutex named BILLY exists while the worm is running;
  • The machine makes many outgoing connection attempts to TCP port 135 (RPC endpoint mapper) of other hosts while the worm searches for new victims.

Removal instructions:

There are two ways to remove Win32.Msblast.A:

  • Using BitDefender Professional/Standard Edition v7.x
    1. Download and install the patch released by Microsoft for the Windows DCOM RPC vulnerability (security bulletin MS03-026; use the 32-bit version). Do this first: an unpatched machine is reinfected as soon as it is reachable on TCP port 135 again;
    2. If you have not installed BitDefender yet, download an evaluation version;
    3. Make sure that you have the latest updates using BitDefender Live!;
    4. Make the following change in the Windows registry:
      Note: Please make sure to modify only the specified value. It is also recommended to back up the Windows registry before proceeding with this change. For more information on backing up the registry please read the FAQ.

        a. Select Run... from Start, then type regedit and press Enter;
        b. Delete the value "windows auto update" in the registry key:
        HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    5. Reboot the computer (with the Run value gone, the worm is no longer loaded into memory after the restart, so its file can be deleted);
    6. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Msblast.A (this removes the %SYSTEM%\MSBlast.exe file).

    Your computer is now clean of Win32.Msblast.A.

  • Alternatively, you can use the second removal procedure: the free removal tool for this particular virus released by the BitDefender Virus Analysis Team.

    Important: You will have to close all applications before running the tool (including the antivirus shields) and restart the computer afterwards. Additionally, you will have to manually delete infected files located in archives and infected messages from your mail client.

    The BitDefender Antimsblast-EN.exe tool does the following:
    - detects all known Win32.Msblast versions;
    - kills the worm process in memory;
    - deletes the files infected with Win32.Msblast;
    - repairs the Windows registry.

    Your computer is now clean of Win32.Msblast.
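The manual steps above (remove the Run value, stop the worm, delete %SYSTEM%\MSBlast.exe) are the same checks an incident responder would script across a fleet. The Python below is an added example, not BitDefender's removal tool and not code from this page: `find_msblast_indicators` works on a snapshot of the host state so the logic can be exercised anywhere, `collect_windows_snapshot` fills that snapshot on a live Windows machine, and `remediate` applies the steps in the safe order (process first, then registry, then file). The snapshot layout, function names and the constructed example host are my own; the `reg` and `taskkill` commands are the standard Windows tools. Run it as Administrator; the default is a dry run that only lists the actions.

```python
"""Host check and cleanup for the Win32.Msblast.A indicators named on this page."""
import os
import subprocess
from dataclasses import dataclass

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "windows auto update"   # persistence value the worm creates
WORM_FILE = "msblast.exe"           # dropped into %SYSTEM%, e.g. C:\Windows\System32


@dataclass
class HostSnapshot:
    run_values: dict     # value name -> value data, from HKLM\...\Run
    system_dir: str      # e.g. C:\Windows\System32
    system_files: set    # lower-cased file names present in system_dir
    processes: set       # lower-cased image names of running processes


@dataclass
class Finding:
    kind: str    # "registry", "file" or "process"
    detail: str


def find_msblast_indicators(snap: HostSnapshot) -> list:
    """Return the Blaster indicators present in a host snapshot."""
    findings = []
    for name, data in snap.run_values.items():
        # The worm registers exactly this value name; also catch any Run entry
        # whose command is the worm binary, in case the name was edited.
        cmd = str(data).strip('"').lower().replace("\\", "/")
        if name.lower() == RUN_VALUE or os.path.basename(cmd) == WORM_FILE:
            findings.append(Finding("registry", name))
    if WORM_FILE in snap.system_files:
        findings.append(Finding("file", os.path.join(snap.system_dir, "MSBlast.exe")))
    if WORM_FILE in snap.processes:
        findings.append(Finding("process", WORM_FILE))
    return findings


def collect_windows_snapshot() -> HostSnapshot:
    """Read the live state on Windows (winreg only exists there)."""
    import winreg
    run_values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            run_values[name] = data
            i += 1
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    files = {f.lower() for f in os.listdir(system_dir)}
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True).stdout
    procs = {line.split('","')[0].strip('"').lower() for line in out.splitlines() if line}
    return HostSnapshot(run_values, system_dir, files, procs)


def remediate(findings: list, dry_run: bool = True) -> list:
    """Mirror the manual steps: kill the process, delete the Run value, delete the file.
    Returns the planned actions; with dry_run=False they are executed in that order."""
    order = {"process": 0, "registry": 1, "file": 2}
    actions = []
    for f in sorted(findings, key=lambda f: order[f.kind]):
        if f.kind == "process":
            actions.append(["taskkill", "/F", "/IM", WORM_FILE])
        elif f.kind == "registry":
            actions.append(["reg", "delete", "HKLM\\" + RUN_KEY, "/v", f.detail, "/f"])
        else:
            actions.append(["del", f.detail])
    if not dry_run:
        for cmd in actions:
            if cmd[0] == "del":
                os.remove(cmd[1])
            else:
                subprocess.run(cmd, check=False)
    return actions


# Constructed example host (not a real system) showing what an infected snapshot looks like.
EXAMPLE_INFECTED = HostSnapshot(
    run_values={"windows auto update": "msblast.exe", "Backup": "C:\\Tools\\backup.exe"},
    system_dir=r"C:\Windows\System32",
    system_files={"kernel32.dll", "msblast.exe"},
    processes={"explorer.exe", "msblast.exe"},
)

if __name__ == "__main__":
    snap = collect_windows_snapshot() if os.name == "nt" else EXAMPLE_INFECTED
    found = find_msblast_indicators(snap)
    for action in remediate(found, dry_run=True):
        print("would run:", " ".join(action))
```

Deleting the Run value before rebooting, as the manual procedure does, matters because the worm is memory-resident: once it no longer starts at boot, the file delete in step 6 cannot race a running copy.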

Analyzed By

Mircea Ciubotariu, BitDefender Virus Researcher

Technical Description:

Once run, the worm creates a mutex named BILLY to mark its presence on the system (a second copy that finds the mutex already present exits), copies itself to %SYSTEM%\MSBlast.exe (e.g. C:\Windows\System32\MSBlast.exe) and creates a new value in the registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

The value is named windows auto update and points to the copied file, so the worm is started again, and stays resident in memory, each time the computer is restarted.

It spreads by exploiting the Microsoft Windows DCOM RPC vulnerability (MS03-026), reached through the RPC endpoint mapper on TCP port 135. When it finds a vulnerable system, the exploit gives it a command shell on the victim, through which it issues a TFTP command that makes the victim fetch a copy of the worm from the attacking machine (the worm runs its own TFTP server for this purpose); the copy is then executed.
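The propagation sequence has a network signature that does not depend on the exploit bytes: an inbound RPC connection (TCP/135) followed, within seconds, by the same victim pulling a file from the attacker over TFTP (UDP/69), after which the victim itself starts hitting TCP/135 on many hosts. The Python below is an added detection example, not part of the original entry: it runs that logic over a constructed connection log in a simplified `timestamp src dst proto dport` format. The log lines, the 60-second fetch window, the scan threshold and the function names are my own assumptions; the TCP/4444 line is the shell port Blaster is known to use, included in the sample for realism but not required by the rule since the page does not mention it.

```python
"""Detect Blaster-style propagation (RPC/135 hit, then TFTP fetch by the victim) in a connection log."""
from collections import defaultdict
from datetime import datetime, timedelta

RPC_PORT, TFTP_PORT = 135, 69
TFTP_WINDOW = timedelta(seconds=60)    # assumed: how soon after the RPC hit the fetch must follow
SCAN_THRESHOLD = 20                    # assumed: distinct tcp/135 targets per source in SCAN_WINDOW
SCAN_WINDOW = timedelta(seconds=30)


def parse_line(line: str):
    """'<ISO timestamp> <src> <dst> <proto> <dport>' -> tuple."""
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport)


def detect_blaster_propagation(lines) -> list:
    """Return alerts of the form (kind, actor, target, timestamp)."""
    events = sorted(parse_line(l) for l in lines if l.strip())

    # Index TFTP requests by (client, server) so each RPC hit can be matched quickly.
    tftp = defaultdict(list)
    for ts, src, dst, proto, dport in events:
        if proto == "udp" and dport == TFTP_PORT:
            tftp[(src, dst)].append(ts)

    alerts = []
    rpc_hits = defaultdict(list)   # source -> [(ts, destination)] for tcp/135
    for ts, src, dst, proto, dport in events:
        if proto != "tcp" or dport != RPC_PORT:
            continue
        rpc_hits[src].append((ts, dst))
        # The victim (dst) pulling a file from the attacker (src) right after the RPC hit
        # is the worm's own download step, not normal DCOM usage.
        if any(ts <= t <= ts + TFTP_WINDOW for t in tftp.get((dst, src), [])):
            alerts.append(("exploit+tftp", src, dst, ts))

    # A freshly infected host shows up as a source hammering tcp/135 on many hosts.
    for source, hits in rpc_hits.items():
        for i, (t0, _) in enumerate(hits):
            targets = {v for t, v in hits[i:] if t - t0 <= SCAN_WINDOW}
            if len(targets) >= SCAN_THRESHOLD:
                alerts.append(("rpc135-scan", source, f"{len(targets)} hosts", t0))
                break
    return alerts


# Constructed sample log (not a real capture): 192.0.2.10 is the infected source,
# 198.51.100.7 the new victim, 10.0.0.4 a host doing ordinary RPC traffic.
SAMPLE_LOG = [
    "2003-08-11T12:00:00 192.0.2.10 198.51.100.7 tcp 135",    # exploit attempt
    "2003-08-11T12:00:01 198.51.100.7 192.0.2.10 tcp 4444",   # shell; known Blaster port, not used by the rule
    "2003-08-11T12:00:02 198.51.100.7 192.0.2.10 udp 69",     # victim fetches msblast.exe over TFTP
    "2003-08-11T12:00:03 10.0.0.4 10.0.0.20 tcp 135",         # benign RPC, no TFTP follows
] + [
    f"2003-08-11T12:00:{5 + i:02d} 198.51.100.7 198.51.100.{20 + i} tcp 135"   # victim starts scanning
    for i in range(26)
]

if __name__ == "__main__":
    for alert in detect_blaster_propagation(SAMPLE_LOG):
        print(alert)
```

Matching on the direction of the TFTP request (victim to attacker) is what keeps ordinary DCOM traffic quiet: a legitimate RPC client has no reason to make its server download a file from it a second later.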

As payload the worm launches a denial of service (DoS) attack against windowsupdate.com (a SYN flood of its TCP port 80) after the 15th of August 2003.

Its body contains two strings that are never displayed:
I just want to say LOVE YOU SAN!!
and
billy gates why do you make this possible ? Stop making money and fix your software!!

The worm was written in C and compiled with LCC-Win32.