Avoiding worms
in your computer is essential if you intend to remain productive or
even enjoy games on your computer. Keeping worms out requires a good
antivirus program that is maintained with regular updates and patches.
Without them your computer will be down often and you will place your
friends and coworkers at risk of viruses.
On this page I will describe how to get rid of the msblast worm and how
to avoid the new SoBig worm that is so prevalent now. Fortunately,
msblast is a malicious worm and not destructive. It seems that msblast
is a shot at Microsoft for selling applications with insecure code.
This worm may embarrass Microsoft but the real injury is being suffered
by the thousands of people that have been inconvenienced.
Before listing the steps for getting rid of msblast, let me caution
users that the process involves working in DOS mode and editing the
Registry. Both of these have the potential to damage your computer
seriously. Unlike Windows, which tends to protect you from yourself,
DOS will allow you to take destructive actions that could affect the
operation of your computer. Editing the Registry can also cause serious
problems. At the outset, let me suggest two things. First, if
you don't feel comfortable working in DOS or editing the
Registry, don't do it. Hire the services of a technician. Second, if you
decide to proceed, follow the instructions to the letter to avoid
damage to your computer.
Here are the steps to follow:
Create a restore point on XP.
I realize that some of you will be saying that you don't want a
restore point with the worm included. However, this will ensure that if
something goes wrong you can get back to this point and start the
process again. In addition, if you have recently downloaded and
installed a service pack and your last restore point is before the
service pack, you will not be able to use it without damaging your
computer.
Start your computer and terminate the msblast.exe process.
This is essential to keep your computer running while you are removing
the worm. To do this, press Ctrl, Alt and Del at the same time to open
the Task Manager. You will find several tabs. Click the Processes tab
and select the msblast.exe process from the list. Click on Terminate
and you will see a warning about terminating processes. Click OK and
the process will be stopped and it will not be able to stop your
computer while you are working.
Go to the http://www.microsoft.com web site and download and install
the msblast patch, known as the MS03-026 patch. I suggest that you simply
open the file and allow it to handle the entire process from the web
site.
Now you must delete the msblast.exe file from the computer. The file is
found in the WINDOWS SYSTEM32 directory. This is typically
c:\windows\system32 or c:\winnt\system32. To delete the file you should
use the DOS or command line mode. You get there either by selecting the
Command Prompt from Start, Programs, Accessories or by clicking Start,
Run and then typing CMD and pressing Enter. At the command prompt, type
(exactly) cd\windows\system32. This will take you to the correct
directory. At the c:\windows\system32 prompt, type (exactly) attrib
msblast.exe -r. This will remove the read-only status from the
msblast.exe file. The worm sets this status to make removal more
difficult.
Now type (exactly) del msblast.exe and press Enter and the
c:\windows\system32 prompt will return. Now type cd\ and press Enter and
then finish by typing exit to get out of DOS mode. Now the worm has been
removed but you still have to edit the Registry to make certain that it
will not return.
Editing the Registry is tricky and can cause serious problems for your
computer. Getting rid of the auto update feature of this worm is very
tricky because you have to drill down deep into the Registry to find
and delete the value. To get to the Registry Editor, click Start, Run
and type in regedit and then press Enter. The Registry Editor opens and
you will see a list of six main Registry Keys. The only key you need to
be concerned with is HKEY_LOCAL_MACHINE. Please don't explore the
Registry out of curiosity. One mistake and serious problems can result.
Now you have to drill down to the correct folder in this key. Start by
clicking the plus sign next to the key in the left window and then
click the Software plus sign and then the Microsoft plus sign followed
by the Windows plus sign and finally the CurrentVersion plus sign. Now
scroll down to the Run folder and click on the folder instead of the
plus sign. In the right window you will see a list of values. One of
those values will be windows auto update on the left column and
msblast.exe on the right column. Right click on this value so it
becomes highlighted and then click Delete. Finally, close the Registry
Editor and you have completely removed the msblast worm from your
computer.
One final caution: notice in the Registry instructions that it is
unnecessary to save your changes. The Registry is totally unforgiving.
If you make changes it assumes that you know what you are doing, and the
changes take effect as soon as you make them, before you close the Registry
Editor. There is no warning or second chance if you do make inappropriate changes.
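The removal steps above collected into one script, added here as an example that is not part of the original article; it uses PowerShell, which did not exist when the article was written, and assumes only the file name and Run value name given above.

```powershell
# Added example, not from the original article: the manual msblast removal steps
# scripted with the same checks a technician would make by hand.
# Run it from an elevated (Administrator) PowerShell prompt.
$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'windows auto update'                           # Run value the worm adds
$WormFile  = Join-Path $env:SystemRoot 'system32\msblast.exe'

# Step 1: restore point, so a mistake can be undone (silently skipped where unsupported)
Checkpoint-Computer -Description 'Before msblast cleanup' -ErrorAction SilentlyContinue

# Step 2: stop the running worm first so it cannot reboot the machine mid-cleanup
Get-Process -Name 'msblast' -ErrorAction SilentlyContinue | Stop-Process -Force

# Step 4: clear the read-only bit the worm sets (the article's attrib -r), then delete
if (Test-Path -LiteralPath $WormFile) {
    (Get-Item -LiteralPath $WormFile -Force).IsReadOnly = $false
    Remove-Item -LiteralPath $WormFile -Force
    Write-Host "Deleted $WormFile"
}

# Step 5: delete the Run value only if its data really points at msblast.exe,
# so a mistyped name can never remove an unrelated startup entry
$entry = Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
if ($entry -and ($entry.$ValueName -match 'msblast\.exe')) {
    Remove-ItemProperty -Path $RunKey -Name $ValueName
    Write-Host "Removed Run value '$ValueName'"
}

# Verify before declaring the machine clean; Step 3 (the MS03-026 patch) must still be applied
$fileLeft  = Test-Path -LiteralPath $WormFile
$valueLeft = $null -ne (Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue)
if ($fileLeft -or $valueLeft) {
    Write-Warning 'msblast remnants remain; repeat the manual steps in the article'
} else {
    Write-Host 'msblast process, file and Run value removed; now install the MS03-026 patch'
}
```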
As if msblast were not enough, now we are facing the SoBig worm that
has already crippled many computer systems. It is a difficult worm to
keep out but a high degree of caution will keep you safe. At work we
use McAfee Virus Scan with ePO that automatically updates our
workstations and allows me to check regularly to make certain every
workstation has been updated. McAfee does an excellent job and the
following information about the SoBig worm from their website is very
concise and complete.
Here is information directly from the McAfee website:
A new variant of W32/Sobig, W32/Sobig.f@MM is a High Risk mass-mailing
worm. It arrives as an email attachment with a .pif or .scr extension.
When run, it infects the host computer, then emails itself (using its
own SMTP engine) to harvested email addresses from the victim's
machine. In addition, when it propagates, the worm "spoofs" the "from:
field", using one of the harvested email addresses.
Note: The worm copies itself onto the infected machine as: C:\WINNT\WINPPR32.EXE
Caution: An infected email can come from addresses you recognize and
may contain the following information:
WHAT TO LOOK FOR:
Subject: [content varies]
- Your details
- Thank you!
- Re: Thank you
- Re: Details
- Re: Re: My details
- Re: Approved
- Re: Your application
- Re: Wicked screensaver
- Re: That movie
Body: [content varies]
- See the attached file for details
- Please see the attached file for details
Attachment: [content varies]
- your_document.pif
- document_all.pif
- thank_you.pif
- your_details.pif
- details.pif
- document_9446.pif
- application.pif
- wicked_scr.scr
- movie0045.pif
Notice that this worm will email itself to everyone in your address
book. It will change the FROM line so your friends will believe that it
came from you. So, if you let it into your computer, you could be
infecting all your friends.
To avoid it, make certain that your computer has the latest virus
definitions and set it to check for updates automatically when you are
online. As added insurance, run a virus scan at least once a week. Do not
open emails with the subjects listed above. Never open an email with
RE: in the subject line unless you recently sent that person an email
and are expecting a reply. Never open attachments unless you are
expecting them. If an attachment arrives unexpectedly, contact the
sender to make certain that they sent it. If not, delete it
immediately. Do not open it or it could get past your virus scan
software and infect your computer.
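The McAfee indicator lists above turned into a mail-header check, added here as an example and not taken from the article or the McAfee site; the subject and attachment lists are copied from above, and the two sample messages are constructed for this example.

```powershell
# Added example (not from the article or McAfee); the two messages below are constructed.
$SobigSubjects = @('Your details', 'Thank you!', 'Re: Thank you', 'Re: Details',
    'Re: Re: My details', 'Re: Approved', 'Re: Your application',
    'Re: Wicked screensaver', 'Re: That movie')
$SobigAttachments = @('your_document.pif', 'document_all.pif', 'thank_you.pif',
    'your_details.pif', 'details.pif', 'document_9446.pif', 'application.pif',
    'wicked_scr.scr', 'movie0045.pif')

function Test-SobigMessage {
    param([Parameter(Mandatory)][string]$RawMessage)
    $reasons = @()
    # First Subject header; -contains compares case-insensitively
    $subject = [regex]::Match($RawMessage, '(?im)^Subject:[ \t]*(.*)$').Groups[1].Value.Trim()
    if ($SobigSubjects -contains $subject) { $reasons += "subject '$subject' is on the Sobig.F list" }
    # Every attachment filename declared in a Content-Disposition header
    foreach ($m in [regex]::Matches($RawMessage, '(?i)filename="?([^";\r\n]+)"?')) {
        $name = $m.Groups[1].Value.Trim()
        if ($SobigAttachments -contains $name) { $reasons += "attachment '$name' is on the Sobig.F list" }
        elseif ($name -match '\.(pif|scr)$')    { $reasons += "attachment '$name' is a .pif/.scr executable" }
    }
    [pscustomobject]@{ Subject = $subject; Flagged = ($reasons.Count -gt 0); Reasons = $reasons }
}

# Constructed sample 1: matches both the worm's subject and attachment name
$suspect = @"
Subject: Re: That movie
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="movie0045.pif"
Content-Disposition: attachment; filename="movie0045.pif"

(binary body omitted)
--b1--
"@
# Constructed sample 2: an ordinary reply with a spreadsheet attached
$benign = @"
Subject: Re: Q3 budget
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Disposition: attachment; filename="budget.xls"

(binary body omitted)
--b2--
"@
Test-SobigMessage $suspect | Format-List
Test-SobigMessage $benign  | Format-List
```

The first message is flagged with two reasons and the second is not; a message carrying an unlisted .pif or .scr attachment is still flagged by the extension rule.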
Please remember that it is useless to maintain virus scan software that
is not up to date. Carelessness in this effort will not only affect
your computer adversely but could also affect all of your friends and
business associates.