Net Xpress: Newest Windows worm has wreaked havoc locally, across the country

August 17, 2003|Sheila J. Clark

Well, it looks like the analysts were right last month when they predicted that someone would wreak havoc using the RPC flaw in Windows. The havoc goes by the name of MSBlast, Blaster or LoveSan. It is the latest worm that is spreading with a great frenzy throughout the Internet.

The RPC flaw was detected in mid-July and it affects all versions of Windows. The worm, however, only affects users of Windows XP and Windows 2000.

The main intent of this worm was not to do end users harm, but rather its target is to cause a calculated denial of service attack on Microsoft's Windows Update site. An attack of this nature could cause Microsoft's computer to crash and ultimately cause access to it for updating your system nearly impossible. The attack was scheduled to begin on Aug. 16 and then reoccur on the 16th of each month for the rest of the year.


Locally, the worm has found its way into some of our manufacturing plants and businesses. Our local computer repair shops also are staying quite busy with an increase of customers needing to rid their systems of MSBlast infections as well.

The worm is getting a lot of media attention, as major networks such as CNN, TechTV and others are airing information on how computer users can protect themselves. This worm operates slightly different from other worms because it doesn't rely on spreading via e-mail. It looks for unpatched systems and either crashes them or infects them.

How can you tell if you've been infected by MSBlast? A couple of signs to look for include your system crashing, spontaneously rebooting or finding a file or process running on your system named msblast.exe or teekids.exe.

For a manual cleanup of the worm, follow the following instruction:

To stop your computer from spontaneous reboots, click on "Start," select "Run" and type in "cmd" (without quotes). At the Command Prompt, type "shutdown -a" (type without quotes and with a space between shutdown and -a). This will tell your system to abort the shutdown process.

To find files, simply click on "Start," select "Search" and then select "All Files and Folders." Next, type in the file name you are looking for - in this case, msblast.exe - and then click on the "Search" button. If you find the file, right-click on the filename and select delete to remove it.

To find processes, do a ctrl-alt-del combination keystroke and then click on the "Task Manager" button. Select the "Processes" tab and look for msblast.exe or teekids.exe. If you find an instance of either file, select it and click "End Process," then click "Yes."

After this, I recommend that you immediately go online to Windows Update at and install the RPC patch. Next, get the latest virus definitions for your virus protection software. Also, consider installing a free firewall, such as ZoneAlarm. Visit for more details.

Windows users, please remember this simple rule of the thumb, whenever you hear of Microsoft releasing a patch for their software. Do yourself a favor and patch your system right away.

For more details on the MSBlast worm, visit Cert at

Net buzzz

* has launched a new LindowsOS Consultants program to aid organizations that are considering deploying products. Learn more at At the beginning of the month, the company launched KooBox, an all-in-one box computer system that included a LCD flat monitor, full system and speaker for under $450. Learn more at

E-mail me at; fax me at (859) 236-9566; or write me snail-mail at The Advocate-Messenger, P.O. Box 149, Danville, KY 40423-0149.

Central Kentucky News Articles