Article ID: 833330
Article Last Modified on 9/5/2007
APPLIES TO
- Microsoft Windows XP Home Edition
- Microsoft Windows XP Professional
- Microsoft Windows XP Tablet PC Edition
- Microsoft Windows XP Media Center Edition 2002
- Microsoft Windows XP Home Edition
- Microsoft Windows XP Professional
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Service Pack 2
- Microsoft Windows 2000 Service Pack 3
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Service Pack 2
- Microsoft Windows 2000 Service Pack 3
- Microsoft Windows 2000 Professional Edition
- Microsoft Windows 2000 Service Pack 2
- Microsoft Windows 2000 Service Pack 3
- Microsoft Windows 2000 Service Pack 4
Notice
This tool is no longer available. It has been replaced by the Microsoft Windows Malicious Software Removal Tool. For additional information about the Malicious Software Removal Tool, click the following article number to view the article in the Microsoft Knowledge Base:
890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Server 2003, Windows XP, or Windows 2000
SYMPTOMS
After you install the 823980 security update or the 824146 security update on a computer that is infected with the Blaster worm or the Nachi worm, the computer may continue to generate network traffic on the affected Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports, and over Internet Control Message Protocol (ICMP), in an attempt to spread the virus infection to other vulnerable computers.
For additional information about the Blaster worm and the Nachi worm, click the following article numbers to view the articles in the Microsoft Knowledge Base:
826955 Virus alert about the Blaster worm and its variants
826234 Virus alert about the Nachi worm
For additional information about the 823980 security update and the 824146 security update, click the following article numbers to view the articles in the Microsoft Knowledge Base:
824146 MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs
823980 MS03-026: Buffer overrun in RPC may allow code execution
CAUSE
This behavior occurs because your computer remains infected with the Blaster worm or the Nachi worm. In addition to using a firewall and to installing the 823980 security update or the 824146 security update, you must also remove the Blaster worm and the Nachi worm from any infected computers. A firewall, the 823980 security update, and the 824146 security update prevent these worms from infecting your computer, but you must also take steps to remove any infection that existed before you implemented these preventive measures.
RESOLUTION
Microsoft has released the Microsoft Windows Blaster Worm Removal Tool (KB833330), a tool that removes the Blaster worm and the Nachi worm from a computer that is running any one of the products that are listed in the "Applies to" section of this article.
Note Many antivirus companies also provide tools to remove these worms, and most up-to-date antivirus programs also remove these worms.
Download and setup information
To run the Windows Blaster Worm Removal Tool, visit the following Microsoft Web site, and then install the KB833330 critical update if it is available:
http://windowsupdate.microsoft.com Release Date: January 13, 2004
Note If you use Automatic Updates, this update will be automatically installed if it is needed. You do not have to take any additional action. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
294871 Description of the Automatic Updates feature in Windows
This tool can also be deployed by using Microsoft Software Update Services (SUS), Microsoft Systems Management Server (SMS), and other systems management software. For additional information about how to deploy software update packages by using Microsoft SUS or Microsoft SMS, visit the following Microsoft Web sites:
Software Update Services Deployment White Paper
http://www.microsoft.com/windowsserversystem/sus/susdeployment.mspx
Patch Management Using Microsoft Systems Management Server 2003 Introduction
http://www.microsoft.com/technet/solutionaccelerators/cits/mo/swdist/pmsms/2003/pusmscg1.mspx
Important When you use Microsoft SMS or other systems management software to deploy this update, it is a good idea to test the installation and the removal of the update on several test computers before you extend the deployment to your whole organization. In particular, Microsoft recommends that you verify that the %WINDIR%\$NTUNINSTALLKB833330\Blastcln folder is created with the appropriate permissions. Domain administrators must have full control of the %WINDIR%\$NTUNINSTALLKB833330\Blastcln folder. If necessary, assign these permissions by using your deployment script after the KB833330 critical update package is installed. For example, use the Xcacls.exe command-line tool to modify the NTFS file system permissions for the %WINDIR%\$NTUNINSTALLKB833330\Blastcln folder. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
318754 How to use Xcacls.exe to modify NTFS permissions
Network administrators can download this tool from the Microsoft Download Center or from the Microsoft Windows Update Catalog to deploy to multiple Microsoft Windows XP-based computers or to multiple Microsoft Windows 2000-based computers. If you want to install this tool later on one or more computers, search for article ID number 323166 by using the Advanced Search Options feature in the Windows Update Catalog. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
323166 How to download Windows updates and drivers from the Windows Update Catalog
For additional information about the command-line switches that network administrators can use to install this tool, click the following article number to view the article in the Microsoft Knowledge Base:
262841 Command-line switches for Windows software update packages
Prerequisites
KB833330.exe requires the following:
- You must be running Windows 2000 Service Pack 2 (SP2) or later or a 32-bit version of Windows XP. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
827218 How to determine whether your computer is running a 32-bit version or a 64-bit version of the Windows operating system
- You must log on as a Computer Administrator or as a member of the administrators group.
- You must have the 823980 security update or the 824146 security update installed. During the installation of KB833330.exe, Setup verifies that one of these security updates is installed by checking the version of the Rpcss.dll file on your computer. If the version of this file on your computer is earlier than the version that is documented in Microsoft Knowledge Base article 823980, the installation does not succeed.
If any one of these prerequisites is not met, the installation does not succeed, and you will receive an appropriate error message. For additional information about the failure, check the %windir%\KB833330.log log file.
Note On some 64-bit operating systems, the installation may not succeed, and you may receive an inaccurate error message. For example, the message may indicate that you must install the 823980 security update even if it is already installed.
Usage information
During the installation of KB833330.exe, Setup checks your computer for the necessary prerequisites. If the prerequisites are met, Setup automatically copies Blastcln.exe to the %WINDIR%\$NtUninstallKB833330$\Blastcln folder and then runs Blastcln.exe to check for the Blaster infection and for the Nachi infection. If infection is present, Blastcln.exe disables these worms and removes them. When Blastcln.exe runs, it performs the following tasks without displaying any dialog boxes or other user interface:
- Blastcln.exe checks for evidence of a Blaster infection and a Nachi infection in memory. If it finds an infection, it either ends the worm process, or it stops and deletes the service, or both.
- Blastcln.exe checks for known Blaster files and for known Nachi files on the disk, and it checks for entries in the Run keys in the registry. If it finds them, it deletes the worm files, and it removes the registry entries. It is possible for other tools (or worms) to delete the worm files on disk without deleting the registry values. In this situation, where a Blaster registry value no longer points to a file on the disk (and is, therefore, essentially harmless), Blastcln.exe does not remove the "orphaned" registry value.
Note Because KB833330.exe Setup automatically runs Blastcln.exe if the prerequisites are met, you do not have to run Blastcln.exe manually. However, you can run Blastcln.exe manually from the %WINDIR%\$NtUninstallKB833330$\Blastcln folder. Use the -v switch to output the log information to the console. For example, type blastcln -v at the command prompt.
Blastcln.exe will only run on computers that meet the prerequisites. For additional information, see the "Prerequisites" section of this article.
Blastcln.exe creates a log file that is named Blastcln.log in the %WINDIR%\Debug folder. If no infection is found, Blastcln.exe logs the following line to Blastcln.log:
If an infection is found, Blastcln.exe logs the following line to Blastcln.log:
Restart requirement
You do not have to restart your computer after you install this tool.
Removal information
To remove this tool, use the Add or Remove Programs tool in Control Panel to remove the Windows Blaster Worm Removal Tool (KB833330). System administrators can use the Spunist.exe utility to remove this tool. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB833330$\Spuninst folder. Spuninst.exe supports the following Setup switches:
- /? Show the list of installation switches.
- /u Use Unattended mode.
- /f Force other programs to quit when the computer shuts down.
- /z Do not restart when the installation is complete.
- /q Use Quiet mode (no user interaction).
MORE INFORMATION
Blastcln.exe can only remove the Blaster worm and the Nachi worm. Other known worms that generate remote procedure call (RPC)/DCOM exploit traffic are not removed. Additionally, Blastcln.exe cannot remove future RPC/DCOM exploits or multiple-exploit worms that generate RPC/DCOM exploit traffic. To prevent other known worms that generate RPC/DCOM exploit traffic, future RPC/DCOM exploits, or multiple-exploit worms that generate RPC/DCOM exploit traffic, use a firewall and an up-to-date antivirus program, and keep your Windows-based computer up to date with the latest security updates. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
129972 Computer viruses: description, prevention, and recovery
Frequently asked questions
Q1: Does this tool provide my computer with protection against a Blaster virus infection?
A1: No. This tool removes an infection from a computer that has the 823980 security update or the 824146 security update installed. To prevent an infection, you must install the 824146 security update. For additional information about the 823980 security update and about the 824146 security update, click the following article numbers to view the articles in the Microsoft Knowledge Base:
824146 MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs
823980 MS03-026: Buffer overrun in RPC may allow code execution
Q2: What variants of the Blaster virus does this tool remove?
A2: This tool removes Blaster variants A-F and Nachi/Welchia.
Q3: How does this tool work?
A3: This tool is provided in a standard Microsoft Windows software update package (KB833330.exe). When you run KB833330.exe, it extracts the Blastcln.exe file to the %WINDIR%\$NtUninstallKB833330$ folder and then runs it. Blastcln.exe removes any copies of the Blaster virus or the Nachi virus on your computer, if they exist. If your computer is not infected, Blastcln.exe takes no action. When Blastcln.exe has performed these actions, the software update package installation closes. Blastcln.exe and the associated files remain on your computer in the same way as any Windows software update.
Q4: May I redistribute KB833330.exe?
A4: No. All customers must download KB833330.exe from the Microsoft Web site.
Q5: May I redistribute Blastcln.exe?
A5: No. Redistribution of Blastcln.exe is not supported.
Q6: After I install KB833330.exe and after Blastcln.exe runs, can I run Blastcln.exe again?
A6: The removal tool was not designed to run repeatedly on a single computer. However, you can run Blastcln.exe from the %WINDIR%\$NtUninstallKB833330$\Blastcln folder if the installation fails (see below) or if you are asked to do so by a support professional.
Q7: Why did Microsoft not distribute a stand-alone version of Blastcln.exe that does not use the Windows software update package installer?
A7: When you use the Windows software update package installer, you can easily keep an inventory of installed items on your computer.
Q8: Is the tool digitally signed by Microsoft?
A8: Yes. Both the Windows software update package and Blastcln.exe are digitally signed.
Q9: Do I need this tool if I already have the 824146 security update installed?
A9: Yes. Your computer may have been infected before you installed the 824146 security update. In this case, your computer remains infected after you install the 824146 security update. Blastcln.exe is designed to detect and remove the infection from computers that already have the 824146 security update installed.
Q10: Does this tool make any changes to my computer's configuration?
A10: No. This tool removes the Blaster virus (if present) and copies Blastcln.exe and the associated files to your hard disk. No other changes are made to your computer's configuration.
Q11: How do I install this tool?
A11: See the "Download and setup information" section of this article.
Q12: Can this tool be removed (uninstalled)?
A12: Yes. See the "Removal information" section of this article.
Q13: I am running Windows 2000 Service Pack 1 (SP1). Can I install this tool?
A13: No. The 823980 security update or the 824146 security update for the RPC vulnerability that Blaster exploits requires Windows 2000 Service Pack 2 (SP2), and this tool requires that the 823980 security update or that the 824146 security update is installed.
Q14: I am running Microsoft Windows Server 2003. Do I need to install this tool?
A14: No. The current versions of Blaster and Nachi do not directly infect Windows Server 2003-based computers.
Q15: I am running a 64-bit version of Windows XP. Can I install this tool?
A15: No. This tool currently only supports 32-bit operating systems.
Q16: I am running Microsoft Windows NT 4.0. Do I need to install this tool?
A16: No. The current versions of Blaster and Nachi do not directly infect Windows NT 4.0-based computers.
Q17: Is there a Windows Installer package for this tool?
A17: No, this tool uses the standard Windows software update package installer (Update.exe).
Q18: I ran the Blaster removal tool from my antivirus vendor. Do I need to install KB833330.exe also?
A18: Generally, no. Removal tools that are provided by antivirus vendors should remove any Blaster infections. However, installing KB833330.exe on an uninfected computer should have no negative effects.
Q19: Does this tool gather information from my computer and send it to Microsoft?
A19: No information is sent back to Microsoft when you install or run this tool.
Q20: I ran this tool and later found Msblast.exe running on my system. Why did this tool not remove the Msblast.exe file?
A20: This tool removes known, prevalent Blaster variants. There may be some worm instances that this tool will not remove.
Q21: If this tool does not remove the Blaster virus from my computer, what must I do?
A21: Run an up-to-date antivirus program on your computer.
Q22: Does this tool display any messages to let me know whether an infection was found or was removed?
A22: No.
Q23: Does this tool create a log file to let me know whether an infection was found or was removed? If so, what is the name of the log file? Where is the log file located?
A23: For information about the log file, see the "Usage information" section of this article.
Q24: How do I know when this tool is finished running on my computer?
A24: When the KB833330 Setup wizard is completed, Blastcln.exe has finished running. Blastcln.exe runs silently (without any user interface). You can verify the results of running Blastcln.exe by reviewing the Blastcln.log log file. See the "Usage information" section of this article for additional information.
Q25: I receive a fatal error during installation of this tool. What does that mean?
A25: For information about errors, review the Blastcln.log log file. For additional information about Blastcln.log, see the "Usage information" section of this article. Some common fatal errors include:
- Out of memory when trying to allocate or when creating a small internal journal for the log
- Failure of file deletion and failure to set the attribute to delete the file on the next restart
- Failure to enumerate processes
Q26: Can I run this tool instead of installing the 823980 security update or the 824146 security update?
A26: No. This tool requires that the 823980 security update or that the 824146 security update is installed.
Q27: Can I run this tool on a remote computer on my network?
A27: No.
Q28: What command-line switches can I use with Blastcln.exe?
A28: For information about switches, see the "Usage information" section of this article.
Q29: Is this tool a replacement for an antivirus product?
A29: No. Install and use an up-to-date antivirus program.
Q30: How do I know if this tool removed Blaster or Nachi?
A30: Review the Blastcln.log log file for these entries:
- "No Blaster/Nachi infection found" indicates that no infection was found.
- "
Virus_Namefound and removed" indicates thatVirus_Namewas found and removed. - "
Virus_Namefound and will be removed at next reboot" indicates thatVirus_Namewas found and will be removed when you restart your computer.
Q31: Will my antivirus program interfere with this tool?
A31: If your antivirus program is running on an infected computer when Blastcln.exe runs, the antivirus program may detect the Blaster virus or the Nachi virus and may prevent Blastcln.exe from removing it. In this case, you can use your antivirus program to remove Blaster or Nachi. Blastcln.exe does not contain a virus and should not, by itself, trigger your antivirus program. However, if the Blaster worm or the Nachi worm infected your computer before an up-to-date antivirus program was installed and if scheduled (or background) virus scanning is disabled, your antivirus program may not be made "aware" of the worm until Blastcln.exe tries to remove it. Other than this scenario, this tool should not conflict with or interfere with your antivirus program. You do not have to disable or to remove your antivirus program when you install this tool.
Q32: How does this tool work with the System Restore feature in Windows XP?
A32: Like most other Windows software updates, KB833330.exe creates a restore point when you install it. If this tool removes a virus infection, your computer can be reinfected if you use this (or a previous) restore point. Keep this in mind if you use System Restore after you install this tool.
Q33: Can I use the Microsoft Baseline Security Analyzer (MBSA) to identify computers that need this tool?
A33: No. You can use MBSA to help determine whether computers have the 823980 security update or the 824146 security update installed. However, MBSA cannot identify computers that are infected with the Blaster virus or the Nachi virus.
Q34: Can I use the KB 824146 Scanning Tool that is documented in Microsoft Knowledge Base article 827363 to help identify computers that need this tool?
A34: No. You can use the KB 824146 Scanning Tool to identify computers that do not have the 823980 (MS03-026) security update or the 824146 (MS03-039) security update installed. However, the KB 824146 Scanning Tool does not identify computers that are infected with the Blaster virus or the Nachi virus.
Q35: What user rights and other prerequisites are required to run this tool?
A35: For information about prerequisites, see the "Prerequisites" section of this article.
Q36: The KB833330 critical update was not installed on my computer by Automatic Updates. Additionally, when I visit Windows Update and scan for updates, the KB833330 critical update is not available for me to install. Why?
A36: For the KB833330 critical update to be available on Windows Update and through Automatic Updates, your computer must meet the requirements that are described in the "Prerequisites" section of this article. Additionally, the KB833330 critical update will not be available to install from Windows Update or through Automatic Updates if the KB833330 critical update is already installed or if your computer does not appear to be infected with the Blaster virus or the Nachi virus.
Q37: When I try to remove the KB833330 critical update by using Add or Remove Programs, I receive an "access denied" error. How do I remove the KB833330 critical update?
A37: To remove the KB833330 critical update in this case, log on with the same user account that was used to install the tool, and then remove it by using Add or Remove Programs.
Q38: I downloaded the KB833330 critical update from the Microsoft Download Center. When I try to install it, I receive an error that indicates that the Blastcln.exe file is in use. How do I install the tool?
A38: This problem may occur if the KB833330 critical update was already installed by a different user on your computer. You do not have to reinstall the KB833330 critical update in this case.
Q39: Will this tool be included with Windows XP Service Pack 2 (SP2)?
A39: Yes, the KB833330 critical update will be run as part of the Windows XP SP2 installation. However, the KB833330 critical update is not included with Windows XP SP2 Beta. Additionally, the KB833330 critical update cannot be installed on Windows XP SP2 Beta.
Additional query words: MS03-039-based malware uninstaller Windows Blaster Worm Removal Tool (KB833330)
Keywords: atdownload kbvirus kbinfo KB833330
