A tool is available to remove Blaster worm and Nachi worm infections from
computers that are running Windows 2000 or Windows XP
Notice
This tool is no longer available. It has been replaced by the Microsoft
Windows Malicious Software Removal Tool.
SYMPTOMS
After you install the 823980 security update or the 824146 security update
on a computer that is infected with the Blaster worm or the Nachi worm,
the computer may continue to generate network traffic on the affected
Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports, and
over Internet Control Message Protocol (ICMP), in an attempt to spread the
virus infection to other vulnerable computers.
For additional information about the Blaster worm and the Nachi worm,
click the following article numbers to view the articles in the Microsoft
Knowledge Base:
826955 Virus alert about the Blaster worm and
its variants
826234 Virus alert about the Nachi worm
For additional information about the 823980 security update and the 824146
security update, click the following article numbers to view the articles
in the Microsoft Knowledge Base:
824146 MS03-039: A buffer overrun in RPCSS could
allow an attacker to run malicious programs
823980 MS03-026: Buffer overrun in RPC may allow
code execution
CAUSE
This behavior occurs because your computer remains infected with the
Blaster worm or the Nachi worm. In addition to using a firewall and to
installing the 823980 security update or the 824146 security update, you
must also remove the Blaster worm and the Nachi worm from any infected
computers. A firewall, the 823980 security update, and the 824146 security
update prevent these worms from infecting your computer, but you must also
take steps to remove any infection that existed before you implemented
these preventive measures.
RESOLUTION
Microsoft has released the Microsoft Windows Blaster Worm Removal Tool
(KB833330), a tool that removes the Blaster worm and the Nachi worm from a
computer that is running any one of the products that are listed in the "Applies
to" section of this article.
Note Many antivirus companies also provide tools to remove these
worms, and most up-to-date antivirus programs also remove these worms.
Download and setup information
To run the Windows Blaster Worm Removal Tool, visit the following Microsoft
Web site, and then install the KB833330 critical update if it is
available:
http://windowsupdate.microsoft.com/
Release Date: January 13, 2004
Note
If you use Automatic Updates, this update will be automatically installed
if it is needed. You do not have to take any additional action. For
additional information, click the following article number to view the
article in the Microsoft Knowledge Base:
294871 Description of the Automatic Updates
feature in Windows
This tool can also be deployed by using Microsoft Software Update Services
(SUS), Microsoft Systems Management Server (SMS), and other systems
management software. For additional information about how to deploy
software update packages by using Microsoft SUS or Microsoft SMS, visit
the following Microsoft Web sites:
Software Update Services
Deployment White Paper
http://www.microsoft.com/windowsserversystem/sus/susdeployment.mspx
Patch Management Using
Microsoft Systems Management Server 2003 Introduction
http://www.microsoft.com/technet/itsolutions/MSM/swdist/pmsms/2003/pmsms031.asp
Important
When you use Microsoft SMS or other systems management software to deploy
this update, it is a good idea to test the installation and the removal of
the update on several test computers before you extend the deployment to
your whole organization. In particular, Microsoft recommends that you
verify that the %WINDIR%\$NTUNINSTALLKB833330$\Blastcln folder is created
with the appropriate permissions. Domain administrators must have full
control of the %WINDIR%\$NTUNINSTALLKB833330$\Blastcln folder. If
necessary, assign these permissions by using your deployment script after
the KB833330 critical update package is installed. For example, use the
Xcacls.exe command-line tool to modify the NTFS file system permissions
for the %WINDIR%\$NTUNINSTALLKB833330$\Blastcln folder. For additional
information, click the following article number to view the article in the
Microsoft Knowledge Base:
318754 How to use Xcacls.exe to modify NTFS
permissions
Network administrators can download this tool from the Microsoft Download
Center or from the Microsoft Windows Update Catalog to deploy to multiple
Microsoft Windows XP-based computers or to multiple Microsoft Windows
2000-based computers. If you want to install this tool later on one or
more computers, search for article ID number 323166 by using the Advanced
Search Options feature in the Windows Update Catalog. For additional
information, click the following article number to view the article in the
Microsoft Knowledge Base:
323166 How to download Windows updates and
drivers from the Windows Update Catalog
For additional information about the command-line switches that network
administrators can use to install this tool, click the following article
number to view the article in the Microsoft Knowledge Base:
262841 Command-line switches for Windows
software update packages
Prerequisites
KB833330.exe requires the following:
• You must be running Windows 2000 Service Pack 2 (SP2) or later or a
  32-bit version of Windows XP. For additional information, click the
  following article number to view the article in the Microsoft
  Knowledge Base:
  827218 How to determine whether your computer is running a 32-bit
  version or 64-bit version of Windows XP
• You must log on as a Computer Administrator or as a member of the
  administrators group.
• You must have the 823980 security update or the 824146 security update
  installed. During the installation of KB833330.exe, Setup verifies that
  one of these security updates is installed by checking the version of
  the Rpcss.dll file on your computer. If the version of this file on
  your computer is earlier than the version that is documented in
  Microsoft Knowledge Base article 823980, the installation does not
  succeed.
If any one of these prerequisites is not met, the installation does not
succeed, and you will receive an appropriate error message. For additional
information about the failure, check the %windir%\KB833330.log log file.
Note On some 64-bit operating systems, the installation may not
succeed, and you may receive an inaccurate error message. For example, the
message may indicate that you must install the 823980 security update even
if it is already installed.
Usage information
During the installation of KB833330.exe, Setup checks your computer for
the necessary prerequisites. If the prerequisites are met, Setup
automatically copies Blastcln.exe to the
%WINDIR%\$NtUninstallKB833330$\Blastcln folder and then runs Blastcln.exe
to check for the Blaster infection and for the Nachi infection. If
infection is present, Blastcln.exe disables these worms and removes them.
When Blastcln.exe runs, it performs the following tasks without displaying
any dialog boxes or other user interface:
1. Blastcln.exe checks for evidence of a Blaster infection and a Nachi
   infection in memory. If it finds an infection, it either ends the worm
   process, or it stops and deletes the service, or both.
2. Blastcln.exe checks for known Blaster files and for known Nachi files
   on the disk, and it checks for entries in the Run keys in the
   registry. If it finds them, it deletes the worm files, and it removes
   the registry entries. It is possible for other tools (or worms) to
   delete the worm files on disk without deleting the registry values. In
   this situation, where a Blaster registry value no longer points to a
   file on the disk (and is, therefore, essentially harmless),
   Blastcln.exe does not remove the "orphaned" registry value.
Note
Because KB833330.exe Setup automatically runs Blastcln.exe if the
prerequisites are met, you do not have to run Blastcln.exe manually.
However, you can run Blastcln.exe manually from the
%WINDIR%\$NtUninstallKB833330$\Blastcln folder. Use the -v switch
to output the log information to the console. For example, type
blastcln -v at the command prompt.
Blastcln.exe will only run on computers that meet the prerequisites.
Blastcln.exe creates a log file that is named Blastcln.log in the
%WINDIR%\Debug folder. If no infection is found, Blastcln.exe logs the
following line to Blastcln.log:
No Blaster/Nachi infection found.
If an infection is found, Blastcln.exe logs the following line to
Blastcln.log:
Worm_Name found and removed.
Restart requirement
You do not have to restart your computer after you install this tool.
Removal information
To remove this tool, use the Add or Remove Programs tool in Control Panel to
remove the Windows Blaster Worm Removal Tool (KB833330).
System administrators can use the Spuninst.exe utility to remove this tool.
The Spuninst.exe utility is located in the
%Windir%\$NTUninstallKB833330$\Spuninst folder. Spuninst.exe supports the
following Setup switches:
• /? Show the list of installation switches.
• /u Use Unattended mode.
• /f Force other programs to quit when the computer shuts down.
• /z Do not restart when the installation is complete.
• /q Use Quiet mode (no user interaction).
MORE INFORMATION
Blastcln.exe can only remove the Blaster worm and the Nachi worm. Other
known worms that generate remote procedure call (RPC)/DCOM exploit traffic
are not removed. Additionally, Blastcln.exe cannot remove future RPC/DCOM
exploits or multiple-exploit worms that generate RPC/DCOM exploit traffic.
To prevent infection by other known worms that generate RPC/DCOM exploit
traffic, by future RPC/DCOM exploits, or by multiple-exploit worms that
generate RPC/DCOM exploit traffic, use a firewall and an up-to-date
antivirus program, and keep your Windows-based computer up to date with the
latest security updates.
Frequently asked questions
Q1: Does this tool provide my computer with protection against a Blaster
virus infection?
A1: No. This tool removes an infection from a computer that has the
823980 security update or the 824146 security update installed. To prevent
an infection, you must install the 824146 security update. For additional
information about the 823980 security update and about the 824146 security
update, click the following article numbers to view the articles in the
Microsoft Knowledge Base:
824146 MS03-039: A buffer overrun in RPCSS could
allow an attacker to run malicious programs
823980 MS03-026: Buffer overrun in RPC may allow
code execution
Q2: What variants of the Blaster virus does this tool remove?
A2: This tool removes Blaster variants A-F and Nachi/Welchia.
Q3: How does this tool work?
A3: This tool is provided in a standard Microsoft Windows software
update package (KB833330.exe). When you run KB833330.exe, it extracts the
Blastcln.exe file to the %WINDIR%\$NtUninstallKB833330$ folder and then
runs it. Blastcln.exe removes any copies of the Blaster virus or the Nachi
virus on your computer, if they exist. If your computer is not infected,
Blastcln.exe takes no action. When Blastcln.exe has performed these
actions, the software update package installation closes. Blastcln.exe and
the associated files remain on your computer in the same way as any
Windows software update.
Q4: May I redistribute KB833330.exe?
A4: No. All customers must download KB833330.exe from the Microsoft
Web site.
Q5: May I redistribute Blastcln.exe?
A5: No. Redistribution of Blastcln.exe is not supported.
Q6: After I install KB833330.exe and after Blastcln.exe runs, can I run
Blastcln.exe again?
A6: The removal tool was not designed to run repeatedly on a single
computer. However, you can run Blastcln.exe from the
%WINDIR%\$NtUninstallKB833330$\Blastcln folder if the installation fails
(see below) or if you are asked to do so by a support professional.
Q7: Why did Microsoft not distribute a stand-alone version of
Blastcln.exe that does not use the Windows software update package
installer?
A7: When you use the Windows software update package installer, you
can easily keep an inventory of installed items on your computer.
Q8: Is the tool digitally signed by Microsoft?
A8: Yes. Both the Windows software update package and Blastcln.exe
are digitally signed.
Q9: Do I need this tool if I already have the 824146 security update
installed?
A9: Yes. Your computer may have been infected before you installed
the 824146 security update. In this case, your computer remains infected
after you install the 824146 security update. Blastcln.exe is designed to
detect and remove the infection from computers that already have the
824146 security update installed.
Q10: Does this tool make any changes to my computer's configuration?
A10: No. This tool removes the Blaster virus (if present) and
copies Blastcln.exe and the associated files to your hard disk. No other
changes are made to your computer's configuration.
Q11: How do I install this tool?
A11: See the "Download
and setup information" section of this article.
Q12: Can this tool be removed (uninstalled)?
A12: Yes. See the "Removal
information" section of this article.
Q13: I am running Windows 2000 Service Pack 1 (SP1). Can I install this
tool?
A13: No. The 823980 security update or the 824146 security update
for the RPC vulnerability that Blaster exploits requires Windows 2000
Service Pack 2 (SP2), and this tool requires that the 823980 security
update or that the 824146 security update is installed.
Q14: I am running Microsoft Windows Server 2003. Do I need to install
this tool?
A14: No. The current versions of Blaster and Nachi do not directly
infect Windows Server 2003-based computers.
Q15: I am running a 64-bit version of Windows XP. Can I install this
tool?
A15: No. This tool currently only supports 32-bit operating
systems.
Q16: I am running Microsoft Windows NT 4.0. Do I need to install
this tool?
A16: No. The current versions of Blaster and Nachi do not directly
infect Windows NT 4.0-based computers.
Q17: Is there a Windows Installer package for this tool?
A17: No, this tool uses the standard Windows software update
package installer (Update.exe).
Q18: I ran the Blaster removal tool from my antivirus vendor. Do I need
to install KB833330.exe also?
A18: Generally, no. Removal tools that are provided by antivirus
vendors should remove any Blaster infections. However, installing
KB833330.exe on an uninfected computer should have no negative effects.
Q19: Does this tool gather information from my computer and send it to
Microsoft?
A19: No information is sent back to Microsoft when you install or
run this tool.
Q20: I ran this tool and later found Msblast.exe running on my system.
Why did this tool not remove the Msblast.exe file?
A20: This tool removes known, prevalent Blaster variants. There may
be some worm instances that this tool will not remove.
Q21: If this tool does not remove the Blaster virus from my computer,
what must I do?
A21: Run an up-to-date antivirus program on your computer.
Q22: Does this tool display any messages to let me know whether an
infection was found or was removed?
A22: No.
Q23: Does this tool create a log file to let me know whether an
infection was found or was removed? If so, what is the name of the log
file? Where is the log file located?
A23: For information about the log file, see the "Usage
information" section of this article.
Q24: How do I know when this tool is finished running on my computer?
A24: When the KB833330 Setup wizard is completed, Blastcln.exe has
finished running. Blastcln.exe runs silently (without any user interface).
You can verify the results of running Blastcln.exe by reviewing the
Blastcln.log log file. See the "Usage
information" section of this article for
additional information.
Q25: I receive a fatal error during installation of this tool. What
does that mean?
A25: For information about errors, review the Blastcln.log log
file. For additional information about Blastcln.log, see the "Usage
information" section of this article. Some
common fatal errors include:
• Out of memory when trying to allocate or when creating a small internal
  journal for the log
• Failure of file deletion and failure to set the attribute to delete the
  file on the next restart
• Failure to enumerate processes
Q26: Can I run this tool instead of installing the 823980 security update
or the 824146 security update?
A26: No. This tool requires that the 823980 security update or that
the 824146 security update is installed.
Q27: Can I run this tool on a remote computer on my network?
A27: No.
Q28: What command-line switches can I use with Blastcln.exe?
A28: For information about switches, see the "Usage
information" section of this article.
Q29: Is this tool a replacement for an antivirus product?
A29: No. Install and use an up-to-date antivirus program.
Q30: How do I know if this tool removed Blaster or Nachi?
A30: Review the Blastcln.log log file for these entries:
• "No Blaster/Nachi infection found" indicates that no infection was
  found.
• "Virus_Name found and removed" indicates that Virus_Name was found and
  removed.
• "Virus_Name found and will be removed at next reboot" indicates that
  Virus_Name was found and will be removed when you restart your
  computer.
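The log entries listed above and in the "Usage information" section can be checked across many computers after a deployment. The following Python sketch is an added example, not part of the original article or of any Microsoft tool; the host names, the worm-name strings, and the assumption that each entry sits on its own line with nothing before the worm name are constructed for illustration.

```python
import re

# Entries this article documents for %WINDIR%\Debug\Blastcln.log.
CLEAN = re.compile(r"No Blaster/Nachi infection found", re.I)
PENDING = re.compile(r"(\S.*?)\s+found and will be removed at next reboot", re.I)
REMOVED = re.compile(r"(\S.*?)\s+found and removed", re.I)

# Follow-up for each status, taken from the guidance in this article.
NEXT_STEP = {
    "clean": "none",
    "removed": "none; avoid System Restore points from before the cleanup",
    "pending_reboot": "restart the computer to finish removal",
    "needs_review": "read the log for errors, then run an up-to-date antivirus scan",
    "no_log": r"Blastcln.exe has not run; check %windir%\KB833330.log for a failed prerequisite",
}


def classify_log(text):
    """Return (status, sorted worm names) for the contents of one Blastcln.log."""
    pending, removed, clean = set(), set(), False
    for line in text.splitlines():
        line = line.strip().strip('"')
        if (m := PENDING.search(line)):
            pending.add(m.group(1))
        elif (m := REMOVED.search(line)):
            removed.add(m.group(1))
        elif CLEAN.search(line):
            clean = True
    # The most urgent finding in the log decides the status.
    if pending:
        return "pending_reboot", sorted(pending | removed)
    if removed:
        return "removed", sorted(removed)
    # A log with none of the documented entries (for example a fatal error)
    # needs a person to read it.
    return ("clean" if clean else "needs_review"), []


def triage(logs):
    """Map host -> (status, worms, next step).

    `logs` maps host -> log text, or None when no Blastcln.log could be
    collected from that host.
    """
    report = {}
    for host, text in logs.items():
        status, worms = ("no_log", []) if text is None else classify_log(text)
        report[host] = (status, worms, NEXT_STEP[status])
    return report


# Constructed sample logs; host names and worm-name strings are made up.
SAMPLE_LOGS = {
    "ws-01": "No Blaster/Nachi infection found.\n",
    "ws-02": "Blaster.A found and removed.\n",
    "ws-03": "Nachi found and will be removed at next reboot.\n"
             "Blaster.A found and removed.\n",
    "ws-04": "Failure to enumerate processes\n",
    "ws-05": None,
}

if __name__ == "__main__":
    for host, (status, worms, step) in sorted(triage(SAMPLE_LOGS).items()):
        print(f"{host}: {status} {worms} -> {step}")
```

A host reported as "removed" was infected before the tool ran, so it is worth confirming that the host has stopped generating the worm traffic described in the "SYMPTOMS" section.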
Q31: Will my antivirus program interfere with this tool?
A31: If your antivirus program is running on an infected computer
when Blastcln.exe runs, the antivirus program may detect the Blaster virus
or the Nachi virus and may prevent Blastcln.exe from removing it. In this
case, you can use your antivirus program to remove Blaster or Nachi.
Blastcln.exe does not contain a virus and should not, by itself, trigger
your antivirus program. However, if the Blaster worm or the Nachi worm
infected your computer before an up-to-date antivirus program was
installed and if scheduled (or background) virus scanning is disabled,
your antivirus program may not be made "aware" of the worm until
Blastcln.exe tries to remove it. Other than this scenario, this tool
should not conflict with or interfere with your antivirus program. You do
not have to disable or to remove your antivirus program when you install
this tool.
Q32: How does this tool work with the System Restore feature in Windows
XP?
A32: Like most other Windows software updates, KB833330.exe creates
a restore point when you install it. If this tool removes a virus
infection, your computer can be reinfected if you use this (or a previous)
restore point. Keep this in mind if you use System Restore after you
install this tool.
Q33: Can I use the Microsoft Baseline Security Analyzer (MBSA) to
identify computers that need this tool?
A33: No. You can use MBSA to help determine whether computers have
the 823980 security update or the 824146 security update installed.
However, MBSA cannot identify computers that are infected with the Blaster
virus or the Nachi virus.
Q34: Can I use the KB 824146 Scanning Tool that is documented in
Microsoft Knowledge Base article 827363 to help identify computers that
need this tool?
A34: No. You can use the KB 824146 Scanning Tool to identify
computers that do not have the 823980 (MS03-026) security update or the
824146 (MS03-039) security update installed. However, the KB 824146
Scanning Tool does not identify computers that are infected with the
Blaster virus or the Nachi virus.
Q35: What user rights and other prerequisites are required to run this
tool?
A35: For information about prerequisites, see the "Prerequisites"
section of this article.
Q36: The KB833330 critical update was not installed on my computer by
Automatic Updates. Additionally, when I visit Windows Update and scan for
updates, the KB833330 critical update is not available for me to install.
Why?
A36: For the KB833330 critical update to be available on Windows
Update and through Automatic Updates, your computer must meet the
requirements that are described in the "Prerequisites"
section of this article. Additionally, the KB833330 critical update will
not be available to install from Windows Update or through Automatic
Updates if the KB833330 critical update is already installed or if your
computer does not appear to be infected with the Blaster virus or the
Nachi virus.
Q37: When I try to remove the KB833330 critical update by using Add or
Remove Programs, I receive an "access denied" error. How do I remove the
KB833330 critical update?
A37: To remove the KB833330 critical update in this case, log on
with the same user account that was used to install the tool, and then
remove it by using Add or Remove Programs.
Q38: I downloaded the KB833330 critical update from the Microsoft
Download Center. When I try to install it, I receive an error that
indicates that the Blastcln.exe file is in use. How do I install the tool?
A38: This problem may occur if the KB833330 critical update was
already installed by a different user on your computer. You do not have to
reinstall the KB833330 critical update in this case.
Q39: Will this tool be included with Windows XP Service Pack 2 (SP2)?
A39: Yes, the KB833330 critical update will be run as part of the
Windows XP SP2 installation. However, the KB833330 critical update is not
included with Windows XP SP2 Beta. Additionally, the KB833330 critical
update cannot be installed on Windows XP SP2 Beta.
APPLIES TO
• Microsoft Windows XP Home Edition
• Microsoft Windows XP Professional
• Microsoft Windows XP Tablet PC Edition
• Microsoft Windows XP Media Center Edition 2002
• Microsoft Windows XP Home Edition SP1
• Microsoft Windows XP Professional SP1
• Microsoft Windows 2000 Advanced Server SP2
• Microsoft Windows 2000 Advanced Server SP3
• Microsoft Windows 2000 Advanced Server SP4
• Microsoft Windows 2000 Service Pack 2
• Microsoft Windows 2000 Service Pack 3
• Microsoft Windows 2000 Datacenter Server SP4
• Microsoft Windows 2000 Service Pack 2
• Microsoft Windows 2000 Service Pack 3
• Microsoft Windows 2000 Professional SP4
• Microsoft Windows 2000 Service Pack 2
• Microsoft Windows 2000 Service Pack 3
• Microsoft Windows 2000 Server SP4