STEP 1: Physically Disconnect from the Internet
This simple step will stop the error from recurring. Shutdown your computer. While the system is shut down, disconnect any network cable (such as local network, cable modem, DSL, broadband) from the back of the system. Turn on your computer. If using a dial-up (i.e., modem) connection, do not connect to the Internet.
STEP 2: Disable RPC Notification
To disable RPC Notification for your computer, follow the steps below:
Click the Start button, and then click Run.
In the Open box, type: Services.msc
Click the OK button. In the list of services scroll halfway to the bottom and double-click the first Remote Procedure entry.
Click the Recovery tab.
For all the failure dropdowns, click to select Take No Action.
Click the OK button to apply the changes.
Exit the services window by clicking the X in the upper right corner of the window.
NOTE: The RPC Service Notification can be re-enabled after the recommended patches are installed to test for this vulnerability. This step does not remove the virus nor patch the system.
STEP 3: Download Removal Tool and Microsoft Critical Update
Reconnect to the Internet You will need to reconnect to the Internet to download the files listed below.
NOTE: Both the removal tool and patch downloads should be installed after you have disconnected your system from the Internet a second time.
Free stand-alone virus/worm removal programs are available from Anti-Virus software providers such as Sophos, Symantec and McAfee. Click one of the links listed below and save it to your Windows Desktop:
After either of these programs is downloaded, it is necessary to download the Critical Update as outlined below.
Download the Critical Update from Microsoft® Click the file for your OS listed below; and save it to your Windows Desktop:
For Microsoft® Windows® XP: WindowsXP-KB823980-x86-ENU.exe
For Microsoft® Windows® 2000: Windows2000-KB823980-x86-ENU.exe
After both updates have been downloaded, repeat the steps outlined in Physically Disconnect from the Internet above: Disconnect any network cable (such as local network, cable modem, DSL, broadband) from the back of the system. If using a dial-up (modem) connection, do not connect to the Internet.
Once disconnected, you are ready to install the downloaded files.
STEP 4: Install Removal Tools and Critical Update
The final steps in this process involve removing the virus and then patching the system to prevent this specific threat.
Disable System Restore
Before removing the virus, System Restore must be turned off:
Click the Start button, right-click My Computer, and then left-click Properties from the menu.
The System Properties window appears.
Click the System Restore tab.
Click to check Turn Off System Restore.
Click the OK button.
A System Restore window appears.
Click Yes to disable System Restore.
NOTE: After you have removed the virus and applied the patch, repeat these steps to re-enable System Restore. Having this feature enabled allows the system to return to a previous state with little effort.
Run Virus-Cleaning Tool
Find the downloaded file named either: blastsfx.exe, stinger.exe or fixblast.exe
Double-click the file to begin the removal of the virus.
NOTICE: Do not reboot the system or reconnect to the Internet until the Critical Update is installed. Click to deselect Reboot my Computer if that option is presented.
Install the Critical Update
On your desktop, double-click WindowsXP-KB823980-x86-ENU.exe to expand and execute the patch.
For Windows 2000 use Windows2000-KB823980-x86-ENU.exe
Follow the directions in the wizard to complete the installation.
Close all open programs including Internet Explorer.
The security patch should be applied when you restart Windows. After the system has rebooted, you may reconnect to the Internet.
How do I prevent W32/Blaster-A spreading on my network?
Network administrators are strongly advised to perform the following operations to limit the impact of the worm:
Update your anti-virus software with the latest virus definitions
Download and deploy Microsoft patch MS03-026
W32/Blaster-A exploits a vulnerability that can be patched. To read more about the vulnerability and download the patch for deployment, view Microsoft Security Bulletin MS03-026. On standalone computers, update with all relevant security patches from Windows update.
Administrators are advised to deploy the patch to internet enabled workstations and internal company networks, paying particular attention to proxy/gateway computers.
The worm utilises tftp.exe, a Windows native program. If tftp.exe exists on your network, and you have no business need for it, rename it (e.g. to tftp-exe.old). You should not delete it as future legitimate software may require it.
Block traffic to certain ports on your firewall
Administrators should block incoming traffic on the following ports:
tcp/69 (used by the TFTP process)
tcp/135 (used by RPC remote access)
tcp/4444 (used by this worm to connect)
This should primarily be implemented on your internet firewall. Where appropriate, you should also block access to these ports to prevent access from potentially infected non-trusted networks.