View Full Version : Beware on fresh installs

10-28-2003, 11:17 AM
We got talking about installing Windows XP and it came up about the MSBlast worm that is plague-ing the internet since mid-July. This also applies to installing Windows 2000 - ALL versions, Windows NT, and 2003 Server (but not 98 or ME).

Please note : when either installing a fresh copy of your OS or simply doing a repair installation, Windows is vulnerable to infection by the Blaster Worm simply by being connected to the internet!

A repair install wipes out all the updates you might have applied, and of course a new copy doesn't have any patches yet either.
According to TrendMicro here : http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A , The risk for infection and also damaged caused by this malicious infection is rated at the highest category of danger.

I am aware of quite a few people who have gotten this bug before even firing up their browsers, in fact - as soon as windows became functional - and we are talking seconds here.
You must plan ahead!! Make sure you have a copy of the patch on a seperate partition or on a CD-R/RW before installing your OS. You can find the links to all versions of the patch from this Microsoft TechNet page, ( exactly half way down ) http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-026.asp .

Make sure to burn a copy, for as far as I know, the patch is 1.47 MB in size (for XP anyways) and will not fit on a floppy disc. Then make sure that you disconnect your computer from the internet BEFORE running the installation procedure. When windows boots up - and of course floods you with requests to "Take a Tour of Windows!" - then install the patch and reboot. Then you can safely (99.9% sure) hook up to the net (and get flooded with request to sign up for a .NET passport through Messenger etc etc) and do your updates. I always install my anti-virus first thing, even before doing updates.

I have had to talk to people on the phone to debug their computers from this one, and it is not fun. It is very aggressive and causes your computer to shut down and reboot before you can remove it from the registry.
Okay, here is an easier way - download the removal tool here (Symantec) http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html .

(I am very tired now and must go lay down - it has taken me 45 minutes to type this!)

I have a copy of the first patch that is 1.23MB and will fit on a floppy, so feel free to contact me and we will arrange an e-mail transfer or such, if you can't burn a copy of the 1.47MB one.
(Whew!)(You can also phone me collect (number on my contact page) if you need help, I might want a link one day though! (o: LOL )


10-28-2003, 12:41 PM
Disabling RPC ports in XP built-in "firewall" also works to block this worm enough to connect to the Internet and download the patch.

10-29-2003, 11:43 AM
Great info! Thanks...

10-29-2003, 11:48 AM

I've been informed that downloaded verstions of XP are infected.

Make sure you use only a legal version.

10-29-2003, 02:43 PM
Hi mikmik,
We just loaded XP to two of our computers last week.
How can I tell if I have it and what should I down load to keep from getting it if I do not.

10-29-2003, 03:06 PM
I would do all the windows updates. Also using a firewall to block those ports would be smart.

10-29-2003, 04:51 PM
The easiest way is to get hold of the specific critical update which plugs the security hole. You can apply this offline.

Also install a firewall (or make sure the XP one is running).

Then go online to Windows Update and do as redcircle says.

You can get the standalone download here:


It is also worth downloading Stinger from McAfee (or the two Symantec standalones) to remove the worms should they be on the system.

If you can avoid it, don't go online unless you are certain the critical patch has been applied.

If you can't avoid that (though that link I gave has the critical patch that you can burn to CD), go online and install all the patches. Then get hold of stinger or whatever and make sure no worms installed themselves.

I reconnected a system this evening for a client and it went troublefree by virtue of having patched it before going online.