
Virus Alert: Important Information About the "MSBlast" Worm.
- Document ID: 98080777
- Posted Date: 2003-08-12
- Last Updated: 2003-08-12
- Distribution: View Public Website
- Applicable Models
Satellite (All), Portege (All), Tecra (All), Satellite Pro (All), M-Series (All)
- Issue
Microsoft has stated that a worm, dubbed "Blaster," will attack computers running Windows 2000, Windows XP, Windows NT, and Windows Server 2003 operating systems. This worm is also known as "LoveSan" or "MSBlaster."
Your computer is at risk if you have not installed security patch MS03-026 from Microsoft.
- Resolution
Below is a summary of the actions required to eliminate the effects of the virus. When the actions are complete, you should be able to access Microsoft Windows Update for the fix and prevention updates. You should also be sure your anti-virus software is up to date.
The best way to ensure a complete removal of the virus and elimination of all residual effects is a complete reimage of the system. Reinstalling from the system CD will leave you vulnerable to reinfection even if you had previously run the Microsoft update. If you choose to do a complete reinstall, follow the steps for enabling the Internet Connection Firewall after the reimage and before any connection to an ISP or LAN is established.
Steps to eliminate effects of the virus (below we have provided specific instructions for the following actions):
- Remove all connections to outside access (this includes IP as well as LAN)
- Boot the system into safe mode
- Delete the Windows Registry Value that launches the "MSBlast.exe" worm
- Reboot the system normally (do not reconnect to external access prior to this step)
- Enable the Internet Connection Firewall
- Reconnect to external access, phone or LAN
- Access Microsoft and install the latest available update for your OS
- Use tools available through links from Microsoft to clean the infected files from your computer
- Update your anti-virus software and run a complete scan
Detailed instructions:
- Turn the computer off.
- Unplug your modem cable or network cable from the computer. If you use a Wireless connection, turn off the wireless antenna or unplug the card if using a PCMCIA Wireless card.
- Start the computer in Safe Mode:
Shut the computer down, then power on the computer and press the [F8] key while you see the red Toshiba label.
This should bring up the Windows Boot Menu.
Choose "Safe Mode" from the menu, then press [Enter].
Choose the "Administrator" account to log in.
The computer will start up in Safe Mode, and notify you that it has done so. Click "Yes" to clear the notification dialog box.
- Delete the Windows registry value that launches the MSBLAST.EXE virus file:
WARNING: Using the Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Toshiba cannot guarantee that problems resulting from the incorrect use of the Registry Editor can be solved. Use the Registry Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it.
From the Start menu, click Run
In the Run dialog box, type: Regedit. Click OK
In the Registry Editor window, locate the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Delete the following entry, if present: "Windows Auto Update" = "msblast.exe"
Click to select the registry name "Windows Auto Update"
From the Edit menu, click "Delete"
In the Confirm Value Delete dialog box, click "Yes"
In the Registry Editor window, from the File menu, click Exit
Note: in variants of the MSBlast worm that are now showing up, the "Windows Auto Update" entry may point to a different file. Delete this entry.
Some other variations of this may be:
"Microsoft Inet Xp.."="teekids.exe"
- Use Start/Shutdown to restart the computer.
Let the computer start normally and log into an account that has Administrator privileges.
If you only have one account, log in as you normally do.
Click on Start/Control Panel
Click on Network and Internet Connections, or Network Connections if your Control Panel is set to the Classic view setting
Click on Network Connections
You should have a view of the connections that your computer is set up to use.
If you use a modem to connect to the internet, right click on the dial up icon and choose "Properties"
Click on the "Advanced" tab in the window that pops up.
Click on the selection box in the "Internet Connection Firewall" section to enable the firewall.
Click "OK" to exit the properties window.
If you use a network cable connection to connect to the internet, right click on the Local Area Connection and choose "Properties"
Click on the "Advanced" tab in the window that pops up.
Click on the selection box in the "Internet Connection Firewall" section to enable the firewall.
Click "OK" to exit the properties window.
If you use a wireless connection (WiFi or 802.11) to connect to the internet, right click on the Wireless Network Connection and choose "Properties"
Click on the "Advanced" tab in the window that pops up.
Click on the selection box in the "Internet Connection Firewall" section to enable the firewall.
Click "OK" to exit the properties window.
- Connect your network or modem cable or turn on the wireless.
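The registry check from the detailed instructions above can also be run against the backup export made before editing. This is an added example, not part of the original bulletin. It assumes a Regedit export already decoded to text, the function names are illustrative, and the sample export is constructed.

```python
import re

# Run key named in the bulletin; indicators below come only from its text.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_VALUE_NAME = "windows auto update"
FILE_RE = re.compile(r'(?:^|[\\/"\s])(msblast\.exe|teekids\.exe)(?=$|["\s])', re.I)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg exports escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def run_entries(reg_text):
    """Yield (name, data) for string values under the HKLM Run key only."""
    in_run = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
        elif in_run:
            m = VALUE_RE.match(line)
            if m:
                yield unescape(m.group(1)), unescape(m.group(2))

def find_worm_entries(reg_text):
    """Return (name, data, reason) for each Run value the bulletin says to delete."""
    hits = []
    for name, data in run_entries(reg_text):
        if name.lower() == WORM_VALUE_NAME:
            # Variants reuse the name with another file, so the name alone counts.
            hits.append((name, data, "value name"))
        elif FILE_RE.search(data):
            hits.append((name, data, "file name"))
    return hits

# Constructed sample export (decoded to text), not taken from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"Windows Auto Update"="msblast.exe"
"Example Name"="C:\\WINDOWS\\system32\\teekids.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ExampleSetup"="msblast.exe"
'''

if __name__ == "__main__":
    for name, data, reason in find_worm_entries(SAMPLE):
        print(f"DELETE {name!r} = {data!r} (matched on {reason})")
```

Only the Run key named in the bulletin is inspected, so the RunOnce value in the sample is not reported.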
Patching Windows to prevent similar attacks and Cleaning the virus:
Microsoft has detailed instructions on how you can patch your system and remove the infection.
Please go online to:
And follow the indicated links.
Or go directly to:
http://microsoft.com/security/incident/blast.asp
Follow the steps indicated to clean up the infection and prevent reinfection.
------------------
Many people who have been hit by the msblast.exe worm have subsequently had an error message regarding the cryptographic service when trying to apply the Microsoft patch 823980.
If this is happening on your computer, please try the following steps:
First check that the Cryptographic Services is actually running on your machine.
To do this:
Click Start, then Control panel.
Start the Administrative Tools utility in Control Panel.
If you cannot see the Administrative Tools, click on the link on the left side of the control panel to enable "Classic View"
Double-click Services.
Right-click Cryptographic Services, and then click Properties.
Click Automatic for Startup type, and then click Start.
You can now try to reinstall security patch 823980.
If it FAILS again...
Click Start menu, and then click the Run icon.
In the small box that opens, type the three letters: cmd then click the OK button.
In the command prompt window that just opened, type the following commands, pressing the ENTER key on your keyboard after each line:
net stop cryptsvc
ren %systemroot%\system32\catroot2 oldcatroot2
net start cryptsvc
Now type exit to close the command prompt window, and then try to install security patch 823980 again. It should now work. In some rare instances you may have to reboot your machine again first, so give this a try if it fails again.
If it failed again, please take the following additional steps.
Click Start menu, and then click the Run icon.
In the small box that opens, type the three letters: cmd then click the OK button.
In the command prompt window that just opened, type the following commands, pressing the ENTER key on your keyboard after each line:
net start cryptsvc
regsvr32 softpub.dll
regsvr32 wintrust.dll
regsvr32 initpki.dll
regsvr32 dssenh.dll
regsvr32 rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
regsvr32 cryptdlg.dll
Now type the word: exit and the window will close.
Now reboot and try to apply the Microsoft patch again.