RE: Purging Blaster.worm

We've had a crush of systems coming in the last 2 days in our small store/shop, and yes, the Symantec removal tool works great. I think the key is booting the system up in safe mode, running the removal tool, then rebooting and connecting directly to http://symantec.com and following the link there on the left side of the page to http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm .html. That will have a link directly to Microsoft's patch for this worm,
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur ity/bulletin/MS03-026.asp. Download the patch, install it, and the system is back out the door. I've personally done about 15-20 of these repairs over the last 2 days. Hasn't left much time for motherboard replacements, OS reloads, etc, but it's been easy money :-)

I've seen some speculation here about possible reinfection between the short time you're connected to the web after running the removal tool but before the patch is installed. That hasn't been my experience here at all, but the fact that we're running a broadband connection behind a pretty good firewall has probably mitigated that possibility considerably. This infection doesn't seem to be able to get past a properly configured firewall, with ports 4400 and 135 locked down, which could be why it's been so widespread, eh? ;-) What does that tell us?

Regards,
Bob

-----Original Message-----

From: Jose Guevarra [mailto:jose@iquest.ucsb.edu] Sent: Tuesday, August 12, 2003 7:07 PM
To: security-basics@securityfocus.com
Subject: Purging Blaster.worm

Hi,

 Has anyone successfully purged the MSBlaster worm. There is a tool out there that can do it but is it reliable?

thanx,