Tips on Removing the LovSan Net Bug
Aug. 12, 2003 -- Security experts are warning that the latest online threat, dubbed MSBlaster or LovSan, is rapidly infecting thousands of computers around the globe.
Like earlier Internet worms such as Code Red and Slammer, LovSan needs no help from its victim: nobody has to open an e-mail attachment or run a file for it to spread.
Instead, it spreads by exploiting a vulnerability in the remote procedure call (RPC) service found in Microsoft's Windows XP, Windows 2000, Windows NT 4.0 and Windows Server 2003. RPC lets one computer ask another to perform a task on its behalf, such as sharing files or using a printer.
The flaw, disclosed by Microsoft last month in security bulletin MS03-026, is a buffer overrun in the DCOM interface of the RPC service, which listens on TCP port 135. A single specially crafted request to that port overflows the buffer and lets the sender run code with Local System privileges, which amounts to complete control of the computer. No flooding is involved; one malformed request is enough.
Once LovSan is in, it copies itself to the Windows System32 folder as msblast.exe and adds a value named "windows auto update" to the Run key in the registry so that it starts again after every reboot. It then scans the Internet for other unpatched computers with TCP port 135 open, exploits them the same way, and instructs each new victim to fetch its own copy of msblast.exe over TFTP (UDP port 69).
To stop the worm's spread, security experts advise users to make sure they have the latest updates to their Windows operating system by running Windows Update. Users can also go straight to the fix, or patch, for this flaw on Microsoft's Web site:
http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
Commercial antivirus vendors have also updated their products to detect the LovSan worm. Users should visit their vendor's Web site and download the latest definitions. Note that antivirus software removes the worm's file but does not close the hole it came through; only the MS03-026 patch does that, so an unpatched machine can be reinfected within minutes of reconnecting.
De-worming Your PC
If you suspect your computer is infected by the LovSan worm, the CERT Coordination Center at Carnegie Mellon University in Pittsburgh recommends users follow these steps:
Physically disconnect the machine from the Internet. Since LovSan spreads automatically, this keeps the infected machine from attacking other computers while you clean it, and keeps it from being reinfected before it is patched.
Kill the "msblast.exe" process in the Task Manager. To do so:
Simultaneously press the "CTRL," "ALT," and "DELETE" keys on your keyboard. If the Windows Security dialog appears, click the "Task Manager" button (on some Windows XP setups Task Manager opens directly). Select the "Processes" tab. Highlight "msblast.exe." Click the "End Process" button and answer "Yes" to the warning dialog that appears.
Delete any files named "msblast.exe" on the machine.
Click "Start" on the Windows Taskbar, then "Search," then "For Files or Folders." Search for "msblast.exe" (the worm normally places it in the Windows System32 folder, for example C:\Windows\System32\msblast.exe on Windows XP or C:\WINNT\system32\msblast.exe on Windows 2000). For each match, right-click on the item, then select "Delete." Also open Regedit and delete the value named "windows auto update" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; it is what restarts the worm at boot.
Disable DCOM on all affected machines.
Click "Start," then click "Run" and type "Dcomcnfg.exe" (without the quotes) in the field that appears.
Click "OK."
On Windows 2000, Dcomcnfg.exe opens the Distributed COM Configuration Properties dialog directly; skip ahead to the Default Properties tab step below. If you are running Windows XP or Windows Server 2003, Dcomcnfg.exe opens the Component Services console instead, so perform these additional steps:
Click on the Component Services node under Console Root.
Open the Computers sub-folder.
For the local computer, right click on My Computer and choose Properties.
For a remote computer, right click on the Computers folder and choose New then Computer. Enter the computer name. Right click on that computer name and choose Properties.
Choose the Default Properties tab.
Clear the Enable Distributed COM on this Computer check box (this is the setting that turns DCOM off; select it again only after the patch is installed). The change takes effect after a reboot.
If you will be setting more properties for the machine, click the Apply button to enable (or disable) DCOM. Otherwise, click OK to apply the changes and exit Dcomcnfg.exe.
Enable ICF, the Internet Connection Firewall built into Windows XP, following http://support.microsoft.com/default.aspx?scid=kb;en-us;283673. With ICF on, unsolicited inbound connections, including the TCP port 135 requests the worm uses, are dropped. Windows 2000 and NT 4.0 have no built-in firewall; on those systems use a third-party personal firewall or a router that blocks inbound TCP port 135 (and TCP 4444, the port on which the worm opens a command shell) and UDP port 69.
In Control Panel, double-click Network and Internet Connections, and then click Network Connections.
Right-click the connection on which you would like to enable ICF, and then click Properties.
On the Advanced tab, select the check box labelled Protect my computer and network by limiting or preventing access to this computer from the Internet.
If you want to enable the use of some applications and services through the firewall, you need to enable them by clicking the Settings button, and then selecting the programs, protocols, and services to be enabled for the ICF configuration.
Reboot the machine and reconnect to the network. With DCOM disabled and ICF enabled, the machine can safely stay connected long enough to fetch the patch; do not re-enable DCOM until the patch is installed.
Install the MS03-026 patch. You can download it from the bulletin page:
http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
Or, using Internet Explorer, go to:
http://www.windowsupdate.com
and follow the instructions there to install any available patches.
Read and apply the clean up measures outlined in MS03-026.
http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
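The CERT steps above, automated for the local machine as a PowerShell script. This is an added example and not code from CERT, Microsoft or this article. It assumes an elevated prompt, PowerShell 2.0 or later on the affected host, that the worm's artifacts are the ones named above (msblast.exe plus the "windows auto update" Run value), that MS03-026 shows up in the hotfix list under its knowledge base number KB823980, and that Blaster's command shell on TCP port 4444 is a usable sign of a copy still running. The ICF step is left to the GUI procedure above, because the original Windows XP firewall has no command-line interface.

```powershell
# Added example: automates the CERT clean-up steps from this article on the
# local machine. Not code from CERT, Microsoft or the article; assumptions are
# noted inline. Run from an elevated PowerShell prompt, then reboot.

$wormExe  = 'msblast.exe'                                  # dropper named in the article
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'windows auto update'                          # autostart value Blaster adds (data: msblast.exe)
$oleKey   = 'HKLM:\SOFTWARE\Microsoft\Ole'                 # EnableDCOM lives here; Dcomcnfg edits the same value
$patchKb  = 'KB823980'                                     # assumed: MS03-026's knowledge base number

# Registry and System32 writes need Administrator rights.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell prompt.'
}

# Step 1: kill every running copy of the worm (Task Manager "End Process").
$name  = [IO.Path]::GetFileNameWithoutExtension($wormExe)
$procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
if ($procs.Count -gt 0) {
    $procs | Stop-Process -Force
    Write-Host "Stopped $($procs.Count) $wormExe process(es)."
} else {
    Write-Host "No running $wormExe process found."
}

# Step 2: remove the autostart value so a missed copy cannot restart at boot.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$runValue]) {
    Write-Host "Run value '$runValue' = $($run.$runValue); removing."
    Remove-ItemProperty -Path $runKey -Name $runValue
}

# Step 3: delete the dropper. Blaster writes %SystemRoot%\system32\msblast.exe,
# but search the whole system drive in case it was copied elsewhere.
$copies = @(Get-ChildItem -Path "$env:SystemDrive\" -Filter $wormExe -Recurse -Force -ErrorAction SilentlyContinue)
foreach ($f in $copies) {
    Remove-Item -LiteralPath $f.FullName -Force
    Write-Host "Deleted $($f.FullName) ($($f.Length) bytes)"
}
if ($copies.Count -eq 0) { Write-Host "No $wormExe file found on $env:SystemDrive." }

# Step 4: disable DCOM (same effect as clearing the Dcomcnfg check box).
# Takes effect after the reboot; set it back to 'Y' once MS03-026 is installed.
Set-ItemProperty -Path $oleKey -Name 'EnableDCOM' -Value 'N' -Type String
Write-Host "EnableDCOM is now '$((Get-ItemProperty -Path $oleKey).EnableDCOM)'."

# Step 5: is the MS03-026 hotfix present? On hosts that already run a later
# service pack the fix is rolled in and will not appear as a separate hotfix,
# so the OS version is printed for the reader to judge.
Write-Host "OS: $([Environment]::OSVersion.VersionString)"
if (Get-HotFix -Id $patchKb -ErrorAction SilentlyContinue) {
    Write-Host "$patchKb (MS03-026) is installed."
} else {
    Write-Warning "$patchKb (MS03-026) not found: install it from Windows Update before re-enabling DCOM."
}

# Step 6: Blaster listens for a command shell on TCP port 4444; anything still
# bound there after the steps above means the clean-up is not finished.
$shell = @(netstat -an -p tcp | Select-String -Pattern ':4444\s+\S+\s+LISTENING')
if ($shell.Count -gt 0) {
    Write-Warning ("Something is still listening on TCP 4444: " + (($shell | ForEach-Object { $_.Line.Trim() }) -join '; '))
} else {
    Write-Host 'Nothing listening on TCP 4444.'
}

Write-Host 'Now enable ICF as described above, reboot (Restart-Computer), reconnect and install MS03-026.'
```

The script stops at reporting rather than re-enabling DCOM or reconnecting, because both of those are only safe once the patch is confirmed. After the patch is on, set EnableDCOM back to 'Y' (or re-check the box in Dcomcnfg.exe) if anything on the machine relies on DCOM.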
Antivirus vendors also offer free automatic removal tools on the Web; running one after the manual steps above is a useful check that nothing was missed:
F-Secure:
ftp://ftp.f-secure.com/anti-virus/tools/f-lovsan.zip
Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
Trend Micro:
http://www.trendmicro.com/download/tsc.asp