Don't ignore this Windows worm warning

IF YOU RUN Windows 2000 or XP and you've been ignoring those messages that tell you Microsoft has an Windows Update available, it's time to pay attention.

A nasty worm is making its way around the Internet, creating traffic jams as it tries to find other vulnerable computers, often crashing the PCs it infects. Unlike many viruses, trojan horses and worms, it doesn't require you to do anything stupid, such as opening an unfamiliar e-mail attachment or downloading a program from a Web site.


Instead, it spreads stealthily by using lower-level Internet protocols to find a friendly host, thanks to an obscure flaw in the Windows operating system.

Microsoft knows about the problem and posted a fix on its Web site July 16. Many PCs automatically check the site for updates when they connect to the Internet and ask users if they want to download the latest patches. But some PCs don't check without clicking Windows Update from the Start Menu.


Worse yet, too many customers - including IT departments at large corporations - ignore or put off installing the latest updates even when they've been notified. And they're not entirely unjustified. One reason is that "critical" update warnings are so frequent that Microsoft often sounds like the Boy Who Cried Wolf. I've had a half-dozen notices this summer. Sometimes the updates correct flaws so obscure that they're unlikely to affect average users. Finally, the updates themselves sometimes contain bugs that cause foul-ups. This is a nightmare for corporate support teams.

But many recent fixes involve serious threats - like this one. If you haven't updated your version of Windows recently, do it now at http://windowsupdate-

Now the gory details. The new worm is known variously as MSBlast, Lovsan, W32/Blaster and Win32.Poza. (That's a confusing thing about viruses - each antivirus company gives a bug its own name.) It can infect computers running Windows XP, Windows 2000, Windows NT and Windows Server 2003. It won't infect computers running Windows 95, 98 or ME.

The number of computers infected so far ranges from 180,000 to several million, depending on who's counting. It's hard to tell because dialup Internet users are frequently assigned a different Internet Protocol (IP) address every time they log on. So, one infected machine may show up repeatedly in the trackers' databases.

The worm infects business and home users. In Maryland, notably, it got into the Motor Vehicle Administration's internal system and shut it down for a day.

MSBlast spreads when an infected machine sends out queries to random IP addresses, probing for computers with open "ports." (In network lingo, ports aren't physical things, but communication channels that programs such as Web servers and e-mail clients monitor for contacts from other computers.)

If it finds a vulnerable computer, MSBlast takes advantage of a flaw in a Windows feature known as Remote Procedure Call (RPC), which allows one computer to remotely execute a program on a remote system. By sending an unprotected computer a maliciously coded RPC message, an attacking PC can take control of another machine. That means it can install programs, delete files and contact other machines to spread itself.

MSBlast installs itself on a vulnerable computer and immediately sets to work scanning the Internet or local network, finding other vulnerable computers and installing itself on them. Luckily, experts say, MSBlast wasn't coded very well, so it hasn't spread as fast as it might have. But better-constructed worms using the same techniques are already appearing.


Because the bug is relatively unsophisticated, it may crash an infected computer, generate a series of RPC error messages, or put an infected machine into an endless loop of shutdowns and restarts.

It also contains code that instructs infected PCs to generate a "denial-of-service" (DOS) attack on Microsoft's Windows Update Web site on the 16th of every month. That means flooding the site with bogus connection requests. When multiplied by thousands or even millions of infected PCs, a DOS attack can cripple a Web site. This feature makes MSBlast even more dangerous than most worms, because Microsoft uses that site to distribute fixes. However, Microsoft has had plenty of warning about this attack and has promised to keep its site running.

You can tell if your computer's infected if it slows to a crawl when you connect to the Internet, if it generates error message boxes that contain the term "RPC" or "Remote Procedure Call," or if it starts to reboot constantly.

If you aren't infected, the best thing to do is visit Microsoft's Web site now and download a patch (http://windowsupdate- or www-

In addition, make sure that any home computer connected to the Internet has a firewall program, which would block most unused ports.

Windows XP includes a basic firewall, but you have to turn it on (use Windows Help and search for "firewall"). You also can install a commercial firewall, such as Zone Alarm ( or Norton Internet Security (www.syman- Both do a good job.


If your PC is infected but you can get to the Web on your PC or someone else's, you'll find tips for removing MSBlast at the Web site operated by the Computer Emergency Response Team ( or any of the major antivirus companies (most have specific removal tools posted by now).

If you're completely stuck in an endless reboot cycle, here's a set of Windows XP instructions that will probably work (although it's hard to know for certain in every case because so many hardware and software variations exist):

1. Disconnect the network cable from the back of your PC or unplug the phone cord if you're using a dialup connection.

2. Hit CTRL-ALT-DEL to bring up the Task Manager and select the Processes tab. Find the line labeled msblast.exe, highlight it and click on the End Task button. This will stop the program that's causing the problem.

3. Click on the Start Menu, choose Search, then Files and Folders. Type MSBlast.exe into the top box and click the Search button.

4. If the search finds one or more msblast.exe files, delete them all and then empty the Recycle Bin.


5. Reconnect to your network or ISP and download Microsoft's patch from http://windosupdate-

6. Go to the blackboard and write 500 times, "I will keep my software updated."