The Blaster worm
Use these links for brief descriptions of the three major worms, links to more detailed descriptions, and instructions on patches to fix these issues. Although we are making every effort to combat the effect of these worms, we need to ask for your help. We need you to patch your machines to reduce and hopefully eliminate the effects of these worms.
W32.Blaster.Worm
W32.Blaster.Worm is a worm that exploits in vulnerability Windows 2000 and Windows XP operating systems, and to some extend Windows NT operating system. This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and then execute it. W32.Blaster.Worm does not have a mass-mailing functionality. Details available here:
- What You Should Know About Microsoft Security Bulletin MS03-026: A security issue that could allow an attacker to compromise a computer running Microsoft® Windows® and gain control over it. You can help protect your computer by installing this update from Microsoft.
- If you are printing this page for reference: this is the "url" of the link in the above bullet: http://www.microsoft.com/security/security_bulletins/ms03-026.asp
The worm also attempts to perform a Denial of Service on the Microsoft Windows Update Web server (windowsupdate.com). This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability. Symantec Security Response has developed a removal tool to clean the infections of W32.Blaster.Worm. Available here.
- W32.Blaster.Worm Removal Tool: Symantec Security Response has developed a removal tool to clean the W32.Blaster.Worm, W32.Blaster.B.Worm, and W32.Blaster.C.Worm infections.
- If you are printing this page for reference: this is the "url" of the link in the above bullet: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
We strongly urge you to download and use the Removal Tool. It's a good idea to be prepared to print out the instructions from the Symantec site and read them thoroughly before you begin the process.
The W32.Blaster.Worm Removal Tool does the following:
- Terminates the W32.Blaster.Worm, W32.Blaster.B.Worm, and W32.Blaster.C.Worm viral processes.
- Deletes the W32.Blaster.Worm, W32.Blaster.B.Worm, and W32.Blaster.C.Worm files.
- Deletes the dropped files.
- Deletes the registry values that have been added.
For COMMAND LINE instructions, go to the Removal Tool page and scroll down the page.
W32.Blaster.Worm Variants
W32.Blaster.B.Worm variation attempts to download the penis32.exe file to the %WinDir%\System32 folder, and then execute it. This worm does not have any mass-mailing functionality. It is also known as WORM_MSBLAST.B, Win32.Poza.C, W32/Lovsan.worm.c, Worm.Win32.Lovesan and affects Windows 2000 operating systems, Windows XP operating systems. For more detailed information about the W32.Blaster.B.Worm Variant, go to the Symantec Security Response page.
W32.Blaster.C.Worm variation attempts to download the Teekids.exe file to the %WinDir%\System32 folder, and then execute it. This worm does not have any mass-mailing functionality. W32.Blaster.C.Worm may have been distributed in a package that also contained a Backdoor Trojan. It also attempts to perform a Denial of Service on the Microsoft Windows Update Web server that attempts to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.
| 
