
Remove Worm.MsBlast.A


About MsBlast.A

The MSBLAST.A worm infects machines via network connections. The worm targets only Windows 2000 and Windows XP machines. It exploits the DCOM RPC vulnerability that is described in Microsoft Security Bulletin MS03-026. The worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and then execute it. It also attempts to perform a Denial of Service (DoS) attack on the Microsoft Windows Update Web server (windowsupdate.com), in an attempt to prevent you from applying the patch for the DCOM RPC vulnerability on your computer.

Some customers whose computers have been infected may not notice the presence of the worm at all, while others who are not infected may experience problems because the worm is attempting to attack their computer. Typical symptoms may include Windows XP and Windows Server 2003 systems rebooting every few minutes without user input, or Windows NT 4.0 and Windows 2000 systems becoming unresponsive.

How to Remove MsBlast.A? 

Follow these steps to remove the MsBlast.A worm.

1. You must first download and install the patch. In many cases, you will need to do this before continuing with the removal instructions. Download and install the patch using the links below:


Windows XP: DCOM/RPC Exploit patch
Windows 2000: DCOM/RPC Exploit patch


2. Disconnect your computer from the local area network or Internet.

3. End the running program
- Open the Windows Task Manager by pressing CTRL+ALT+DEL and then selecting the Processes tab (on WinNT/2000/XP machines, select Task Manager first and then the Processes tab).
- Locate one of the following programs (depending on the variant), click it, and then click End Task or End Process:

MSBLAST.EXE
PENIS32.EXE
TEEKIDS.EXE
MSPATCH.EXE
MSLAUGH.EXE
ENBIEI.EXE

4. Block access to TCP port 4444 at the firewall level, and then block the following ports if you do not use the applications listed:

- TCP Port 135, "DCOM RPC"
- UDP Port 69, "TFTP"

5. Remove the Registry entries
- Click Start | Run, type "Regedit" and click OK. The Registry Editor opens.
- In the left panel, go to
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
- In the right panel, right-click and delete whichever of the following entries is present:
"windows auto update" = MSBLAST.EXE (variant A)
"windows auto update" = PENIS32.EXE (variant B)
"Microsoft Inet xp.." = TEEKIDS.EXE (variant C)
"Nonton Antivirus" = MSPATCH.EXE (variant E)
"Windows Automation" = "mslaugh.exe" (variant F)
"www.hidro.4t.com" = "enbiei.exe" (variant G)

- Exit the Registry Editor


6. Delete the infected files (on Windows ME and XP, remember to turn off System Restore before searching for and deleting these files, so that infected backup copies are removed as well)
- Click Start, point to Find or Search, and then click Files or Folders.
- Search for files matching msblast*.* in the C:\WINDOWS directory.
- Delete the files displayed in the search results.
- Empty the Recycle Bin. The worm can reinfect even if the files are in the Recycle Bin.


7. Reboot the computer, reconnect the network, update your antivirus software, and run a thorough virus scan using your favorite antivirus program.
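
The checks from steps 3 and 5 can be scripted. The following Python script is an added example, not part of the original article: it scans saved output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and `tasklist /FO CSV /NH` for the file names listed above. The sample outputs are constructed, and the function names are chosen for this example.

```python
import csv
import io
import ntpath
import re

# File names listed in steps 3 and 5 of the article (variants A, B, C, E, F, G).
WORM_FILES = {"msblast.exe", "penis32.exe", "teekids.exe",
              "mspatch.exe", "mslaugh.exe", "enbiei.exe"}
# One value line of `reg query` output: name, type and data, 4 spaces apart.
REG_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# Constructed sample of `reg query` output for the Run key (not real data).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    windows auto update    REG_SZ    msblast.exe
    Updater    REG_SZ    "C:\Program Files\Updater\upd.exe" /background
"""
# Constructed sample of `tasklist /FO CSV /NH` output (not real data).
SAMPLE_TASKS = '''"System","4","Console","0","216 K"
"explorer.exe","1480","Console","0","18,204 K"
"MSBLAST.EXE","1904","Console","0","1,236 K"
'''

def image_name(command):
    """Return the lower-case executable name from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):        # quoted path, possibly with arguments
        exe = command[1:].split('"', 1)[0]
    else:                              # bare file name or unquoted path
        exe = command.split(" ", 1)[0]
    return ntpath.basename(exe).lower()

def scan_run_key(reg_output):
    """Return (value name, data) pairs whose command launches a listed file."""
    hits = []
    for line in reg_output.splitlines():
        m = REG_LINE.match(line)
        if m and image_name(m.group("data")) in WORM_FILES:
            hits.append((m.group("name"), m.group("data")))
    return hits

def scan_processes(tasklist_csv):
    """Return (image name, PID) pairs for running processes with a listed name."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return [(r[0], int(r[1])) for r in rows
            if len(r) >= 2 and r[0].lower() in WORM_FILES]

if __name__ == "__main__":
    print("Run key entries to delete:", scan_run_key(SAMPLE_REG))
    print("Processes to end:", scan_processes(SAMPLE_TASKS))
```

Matching is done on the file name rather than the Run value name, so a variant that registers under a different value name is still flagged.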

© 2003 SpyAny.com
All other trademarks are the sole property of their respective owners.