Computer viruses are always a threat. What makes them even more annoying is that they keep evolving and changing, and new ones are created every day. The W32 Blaster Worm is a virus that connects to the Internet from your computer, downloads a file named “msblast.exe” from a vulnerable host and performs DDoS attacks on Microsoft’s “windowsupdate.com” website. You might not even know you have it, so if your antivirus software missed it, here is how you can remove it from your computer manually.
Who is Vulnerable?
The W32 Blaster Worm has several variants, but the original virus affects older Windows computers; Windows 2000 and Windows XP are the main targets. Older Windows operating systems lack a built-in firewall and current virus definitions. Most people do not update their definition files, so they are not protected from newer viruses. This means that even if you have antivirus installed (whether Windows’ own or a third-party product), you are not protected against the latest virus attacks. New viruses are written every day, so if your antivirus cannot detect one, you are not protected even with the best antivirus software.
Older operating systems that Microsoft no longer supports are the most vulnerable: the W32 Blaster Worm has to connect to the Internet, and newer operating systems ship with a built-in firewall that can stop it. If you have a firewall installed, it should detect the attempt to connect to the Internet and download the malicious file.
Removing the Virus
The virus needs access to the Internet, and on slower Internet connections its traffic affects your speed and performance online. It also needs specific ports open: 135, 139, 445 or 593. If you have a firewall application running, you should get an alert and the firewall blocks the connection automatically. However, you still want to remove the virus, or it will keep trying to connect to the Internet, and if you disable the firewall at any point for any reason, it could succeed and download the malicious file.
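A defender’s check for the point above: the script below is an added example written for this article, not code from the article or from any vendor tool. It parses the output of the Windows “netstat -an” command and flags outbound TCP connections to the ports listed above that go to hosts outside the local network, which is the activity a firewall alert for this worm corresponds to. The sample netstat lines, the address ranges treated as “local”, and the choice to look only at SYN_SENT and ESTABLISHED entries (and IPv4 addresses) are assumptions of the example.

```python
import ipaddress
from collections import Counter

# Ports the article says the worm needs; any outbound TCP connection to one of
# these remote ports on a non-LAN host is worth a look (assumption of this example)
WORM_PORTS = {135, 139, 445, 593}

# Address ranges treated as "inside the LAN": RFC 1918, loopback, link-local (assumption)
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample in the layout of Windows "netstat -an" output; not a real capture
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.22:3211      ESTABLISHED
  TCP    192.168.1.10:1043      203.0.113.7:135        SYN_SENT
  TCP    192.168.1.10:1044      203.0.113.8:135        SYN_SENT
  TCP    192.168.1.10:1052      198.51.100.9:80        ESTABLISHED
  TCP    192.168.1.10:1060      203.0.113.9:445        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""


def split_endpoint(endpoint):
    """Turn 'ip:port' into (ip, port); port is None for '*' or anything non-numeric."""
    ip, _, port = endpoint.rpartition(":")
    return ip, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse netstat -an style lines into dicts; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lip, lport = split_endpoint(parts[1])
        fip, fport = split_endpoint(parts[2])
        conns.append({"proto": parts[0], "local_ip": lip, "local_port": lport,
                      "foreign_ip": fip, "foreign_port": fport,
                      "state": parts[3] if len(parts) > 3 else ""})
    return conns


def is_local(ip):
    """True for LAN/loopback addresses and for placeholders such as '*'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in LOCAL_NETS)


def suspicious_outbound(text):
    """Outbound TCP connections (new or established) to a worm port on a non-LAN host."""
    return [c for c in parse_netstat(text)
            if c["proto"] == "TCP"
            and c["state"] in ("SYN_SENT", "ESTABLISHED")
            and c["foreign_port"] in WORM_PORTS
            and not is_local(c["foreign_ip"])]


def syn_sent_by_port(text):
    """Count half-open (SYN_SENT) attempts per remote worm port: a worm hunting for
    new victims shows up as many SYN_SENT entries to the same port."""
    return Counter(c["foreign_port"] for c in parse_netstat(text)
                   if c["state"] == "SYN_SENT" and c["foreign_port"] in WORM_PORTS)


if __name__ == "__main__":
    for c in suspicious_outbound(SAMPLE_NETSTAT):
        print(f'{c["local_ip"]}:{c["local_port"]} -> {c["foreign_ip"]}:{c["foreign_port"]} {c["state"]}')
    print("SYN_SENT per port:", dict(syn_sent_by_port(SAMPLE_NETSTAT)))
```

On a machine you suspect, save the real output with “netstat -an > netstat.txt” and feed that file’s contents to suspicious_outbound instead of the constructed sample. The inbound LAN connection on port 139 in the sample is deliberately not flagged: the port check is on the foreign (remote) side, because the worm initiates connections outward.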
The initial problem is in the Windows registry. The Windows registry contains two keys named “Run” and “RunOnce”, buried in the operating system’s saved settings. Software listed under these keys runs when your computer boots. The keys are meant for programs you want to start in the background every time you turn on the computer, such as configuration utilities; however, virus writers also use them to launch malicious software.
The W32 Blaster Worm uses the Run key. The following registry value is affected:
To open the Windows registry, click the “Start” button and type “regedit” in the text box. Navigate to the Run key to view the stored values. Look for any suspicious entries, in particular values pointing to “mspatch.exe” or “mslaugh.exe.” These two are the most common, but the virus also sometimes uses “teekids.exe” or “enbiei.exe.”
When these values are present in the registry, the virus runs the next time you boot your computer and attempts to connect to the Internet. You can delete these values manually. Delete only values that you know belong to the virus or that you are sure you don’t need, and double-check that you are editing the Run key described above. Deleting the wrong registry entries can leave your computer unable to boot, and you would need to reinstall the operating system before you can use it again.
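Rather than eyeballing the Run and RunOnce keys in regedit, you can check them from an export (File > Export in regedit, or “regedit /e file.reg”). The script below is an added example, not code from the article or from Microsoft: it parses .reg export syntax, flags Run/RunOnce values whose command launches one of the file names listed above, and writes a .reg fragment that deletes only those values (the “name”=- form is standard .reg syntax for deleting a value). The sample export, its value names and the benign “VendorTool” entry are constructed; only the executable names come from the article. Real exports are UTF-16 encoded, so read them with open(path, encoding="utf-16").

```python
import re

# Executable names the article associates with the worm and its variants
WORM_FILENAMES = {"msblast.exe", "mspatch.exe", "mslaugh.exe",
                  "teekids.exe", "enbiei.exe"}

# Only the autorun keys the article describes are inspected
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
# "name"=data  (the name may contain escaped quotes)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample in regedit export (.reg) syntax; value names and the
# "VendorTool" entry are made up, only the worm file names come from the article
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTool"="\"C:\\Program Files\\Vendor\\tool.exe\" /quiet"
"autoupdate"="msblast.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"inet"="C:\\WINDOWS\\system32\\teekids.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"mslaugh.exe"="a value name outside the autorun keys is not flagged"
'''


def unescape(s):
    # Undo .reg string escaping: doubled backslashes and backslash-escaped quotes
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return (key_path, value_name, string_data) for every REG_SZ value in a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None:
            continue
        if line.startswith("@="):
            name, data = "(Default)", line[2:]
        else:
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, data = unescape(m.group(1)), m.group(2)
        # Only quoted (REG_SZ) data matters for autorun commands; hex:/dword: values are skipped
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            entries.append((key, name, unescape(data[1:-1])))
    return entries


def executable_name(command):
    """Bare file name of the program an autorun command line launches."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        path = cmd.split(maxsplit=1)[0] if cmd else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_autoruns(text):
    """Run/RunOnce values whose command launches one of the worm file names."""
    return [(key, name, data) for key, name, data in parse_reg_export(text)
            if RUN_KEY_RE.search(key) and executable_name(data) in WORM_FILENAMES]


def make_removal_reg(hits):
    """Build a .reg file that deletes only the flagged values ("name"=- removes a value)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted({k for k, _, _ in hits}):
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for k, name, _ in hits if k == key)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_suspicious_autoruns(SAMPLE_REG)
    for key, name, data in hits:
        print(f"{key}\n    {name} = {data}")
    print(make_removal_reg(hits))
```

The match is on the executable’s bare file name, so a value that launches the worm from a full path such as C:\WINDOWS\system32 is caught as well as a bare “msblast.exe”. Read the generated removal file before importing it with regedit: it touches nothing but the listed values, which keeps you clear of the boot-breaking mistakes the paragraph above warns about.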
You can also download software that will clean up the virus for you. For instance, Symantec offers a file download that will clean up the virus.
Another issue to note is the flood of traffic that comes from the infected PC. The worm exploits a buffer overflow specific to the Windows operating system. Microsoft acknowledged this vulnerability and released a patch for the operating system.
What is a DoS?
Denial of service attacks are not new. The concept takes advantage of specific outgoing TCP ports on your computer. TCP (Transmission Control Protocol) is one of the core protocols that govern data transmission across the Internet.
While Internet web servers can handle a lot of traffic, they do have limits. Current technology makes a DoS harder to pull off, but older servers couldn’t handle too much web traffic. After all, a web server is only as good as its CPU, memory and network card. These are the three most important resources when managing a web server (the hard drive matters too, but mostly as storage on very large servers).
With a few hundred requests at one time, your web server is fine. However, if it receives thousands of requests within a few minutes, the load can exhaust the server’s resources and crash it. This is the main idea behind a DoS. With the Blaster Worm, your computer becomes part of a DoS without your knowing it: the worm sends request after request to the Microsoft server in an attempt to crash it. The attacker needs more than just your computer, though; he needs many machines, which is why he created the virus. The virus infects thousands of computers, and all of them send requests to Microsoft’s servers. Serving those requests takes more resources than the server has, and it crashes.
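To make those numbers concrete from the server’s side, the added example below (written for this article, not code from it) builds a constructed web access log in Common Log Format, one quiet minute followed by one minute in which 60 hosts each send 40 requests, and flags any minute whose request total exceeds an assumed server capacity. The output shows what distinguishes a distributed flood from a single noisy client: many sources, each over the per-client limit. The log lines, the 500-requests-per-minute capacity and the 20-requests-per-client limit are assumptions of the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def make_sample_log():
    """Constructed access log: one quiet minute (30 visitors, one request each),
    then one minute in which 60 hosts each send 40 requests, modelling worm traffic."""
    fmt = ('{ip} - - [01/Jan/2020:10:{minute:02d}:{second:02d} +0000] '
           '"GET /update HTTP/1.1" 200 512')
    lines = [fmt.format(ip=f"198.51.100.{i + 1}", minute=0, second=i) for i in range(30)]
    for host in range(60):
        for k in range(40):
            lines.append(fmt.format(ip=f"203.0.113.{host + 1}", minute=1, second=k))
    return lines


def parse_clf(line):
    """Return (client_ip, timestamp) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts = m.group(1), m.group(2)
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def requests_per_minute(lines):
    """Map each minute to a Counter of requests per client address."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_clf(line)
        if parsed is None:
            continue
        ip, t = parsed
        buckets[t.replace(second=0)][ip] += 1
    return buckets


def detect_flood(lines, capacity_per_minute=500, per_source_limit=20):
    """Flag minutes whose total exceeds what the server can serve (assumed
    capacity) and report how many clients were individually over the limit."""
    findings = []
    for minute, counter in sorted(requests_per_minute(lines).items()):
        total = sum(counter.values())
        if total <= capacity_per_minute:
            continue
        ranked = sorted(counter.items(), key=lambda kv: kv[1], reverse=True)
        findings.append({
            "minute": minute.strftime("%Y-%m-%d %H:%M"),
            "requests": total,
            "sources": len(counter),
            "heavy_sources": sum(1 for _, n in ranked if n > per_source_limit),
            "top_source": ranked[0][0],
        })
    return findings


if __name__ == "__main__":
    for finding in detect_flood(make_sample_log()):
        print(finding)
```

A single client exceeding the per-source limit is easy to block at the firewall; the flooded minute here has 60 such clients, which is the whole point of infecting many computers and why blocking one source does nothing against it.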
Microsoft knows about the worm and has taken precautions against the attacks; the remaining impact is that your own network and computers suffer performance issues. The Windows firewall blocks these TCP ports by default, so typical installations of the operating system aren’t harmed beyond the worm running on the infected computer. Some network administrators open these ports, and then the flood of traffic degrades network performance both for the infected computer and for other users on the network, even if they aren’t infected.
Download the software needed to clean up the virus and make sure you update the operating system. Also, update your virus definition files regularly to stop these attacks.