MSBlast (LovSan) Virus Attacks - Steps to Prevent and Kill the Virus

From the AP Wires- A “webworm” virus that was the subject of urgent US government and industry warnings has spread rapidly across the internet, causing computers to mysteriously restart and coordinating an electronic attack against the Microsoft organisation. Security experts said the infection, which exploits a flaw in Windows software, was not yet seriously disrupting internet traffic but was expected to continue spreading quickly.

Researchers discovered it at about 3pm on Monday and reported tens of thousands of infected computers in universities, businesses and homes.

Infected computers were programmed to automatically launch an attack on a website operated by Microsoft. The site, windowsupdate.com, is used to deliver repairing software patches to Microsoft customers to prevent these types of infections.

Microsoft offers a free patch on the website to protect Windows users.

The infection was quickly dubbed “LovSan” because of a love note left behind on vulnerable computers: “I just want to say LOVE YOU SAN!” Researchers discovered another message hidden inside the infection that appeared to taunt the Microsoft chairman, Bill Gates: “Billy Gates why do you make this possible? Stop making money and fix your software!”

Steps to Disinfect LovSan/MSBlast Virus from your system

Physically disconnect the machine from the Internet.

Since LovSan spreads automatically, this step should help minimize the risk of infecting other computers online.

Kill the “msblast.exe” process in the Task Manager.

Simultaneously press the “CTRL,” “ALT,” and “DELETE” keys on your keyboard.
Click the “Task Manager” button.
Select the “Processes” tab.
Highlight “msblast.exe.”
Click “End Process” button (note that this will bring up a Warning dialog box, to which a user needs to answer “Yes”).
Delete any files named “msblast.exe” on the machine.
Click “Start” on the Windows Taskbar, then “Search,” then “Find Files or Folders.”
Search for “msblast.exe.”
For each match, right-click on the item, then select “delete.”
Disable DCOM on all affected machines.
Run Dcomcnfg.exe.

If you are running Windows XP or Windows Server 2003, perform these additional steps:
*Click on the Component Services node under Console Root.
*Open the Computers sub-folder.
*For the local computer, right click on My Computer and choose Properties.
*For a remote computer, right click on the Computers folder and choose New then Computer. Enter the computer name. Right click on that computer name and choose Properties.
Choose the Default Properties tab.
Select (or clear) the Enable Distributed COM on this Computer check box.
If you will be setting more properties for the machine, click the Apply button to enable (or disable) DCOM. Otherwise, click OK to apply the changes and exit Dcomcnfg.exe. Enable ICF:
From http://support.microsoft.com/default.aspx?scid=kb;en-us;283673
In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
Right-click the connection on which you would like to enable ICF, and then click Properties.
On the Advanced tab, click the box to select the option to Protect my computer or network.
If you want to enable the use of some applications and services through the firewall, you need to enable them by clicking the Settings button, and then selecting the programs, protocols, and services to be enabled for the ICF configuration.
Reboot the machine and reconnect to the network.
Install the patch from Windows Update, or MS03-026.

You can do this from either this link:

http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

Or, using Internet Explorer, go to:

http://www.windowsupdate.com

WebAdvantage.net, a full-service emarketing agency, specializing in Online Media Buying & Planning, Search Engine Optimization Services, Pay Per Click Management Services and E-Mail Marketing Strategy.

 back to top