2003-08-11
Killing The RPC-DCOM worm:
- If you're on a LAN, disconnect the machine from the network before you boot up, to prevent other infected machines from rebooting you again.
- Right-click on My Computer, select Manage, then under the Services and Applications branch pick Services.
- Right-click on Remote Procedure Call (RPC) in the list on the right, and select Properties. On the Recovery tab, change the 3 combo boxes from "Restart the computer" to "Take no action". Click OK to close the dialog.
- You're still vulnerable but your machine won't reboot, giving you time to go online and get the patch. Reconnect your network cable, or establish your normal dial-up connection. Go to http://support.microsoft.com/?kbid=823980 to grab the patch for your machine. As soon as you've got it, disconnect your network connection/cable, and run the patch. BUT don't reboot when prompted!
- Open RegEdit and browse to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the "windows auto update" value, which starts the worm when Windows starts. Now restart Windows and you should be free of the worm.
- To finish the cleaning process, delete C:\WINDOWS\SYSTEM32\MSBLAST.EXE