Heal Your Church WebSite


Teaching, rebuking, correcting & training in righteous web design.

Linux-based approach to fixing MSBlaster Worm infection

I was watching the news the other night … amused a bit by technically-impaired broadcasters who were suggesting that to fix your infected machine, you had to find a friend with the patch, or hire some geek gurus to come fix it for you … because you can’t get online nor keep your machine from rebooting.

I think Mike Wendland summed up the paradoxical problem with this virus best when he wrote: “The thing with MSBlaster that drives users nuts is the computer keeps restarting. How can you fix it if it keeps shutting down?” As always, Mike has some other good technical advice on how to solve the problem manually.

To me, the solution is simple. Make sure you have a copy of Knoppix handy. Of course, if you can’t get to the Internet, this advice won’t help … but for those of you who read and then heeded my July 18th advice entitled “Knoppix – Delightfully Distracting” … by downloading and then burninating a CD … you’re all set.

In other words, when I tell you about a Linux solution that can boot from the CD, it means you should keep a copy nearby so when your Windows machine crashes or locks you out, you have a means of circumventing the problem and effecting a solution. Or in plain English, you should keep a copy of Knoppix duct-taped to the side of your PC as an emergency boot disk.

This is because Knoppix contains all sorts of applications, including several useful Internet applications for dialing-up an ISP, connecting via PPPoE, connecting via your router, sniffing your network, and a few other gems. In other words, you have on this CD the tools you need to:

  1. boot-up your machine from the Knoppix CD
    • right click on icon for Floppy Disk
    • select properties
    • select permissions tab
    • enable write permission for group
  2. connect to the Internet
  3. download the Symantec fix (preferably to a floppy … e.g. “/mnt/floppy/FixBlast.exe”)
  4. download the Microsoft Patch – to a non-NTFS disk (floppy, zip, FAT partition)
  5. reboot machine in Windows safe mode
  6. run Symantec fix (please read all documentation FIRST)
  7. reboot machine
  8. install Windows patch
  9. reboot machine
  10. pray it doesn’t happen again …
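As an added example that is not part of the original post, here is a small POSIX shell helper for steps 3 and 4 above (and for the NTFS caveat in UPDATE 2 below), meant to be run from a Knoppix root shell: it refuses to save a download to anything but a read-write FAT volume, so the files never land on an NTFS partition, and it checks that a given patch size fits on one 1.44 MB floppy. It assumes a Linux /proc/mounts, wget on the Knoppix CD, and that you supply the URL and mount point yourself (the script carries no URLs).

```shell
#!/bin/sh
# Constructed helper for the Knoppix recovery steps (not from the original post).
# Assumes: /proc/mounts lines of the form "dev mountpoint fstype opts 0 0",
# wget available, and the user supplies URL and mount point on the command line.

FLOPPY_KB=1440   # usable capacity of a standard 3.5" floppy, in KB

# fs_type_of MOUNTPOINT MOUNTS_TEXT -> prints the filesystem type at MOUNTPOINT,
# or "unknown" if nothing is mounted there
fs_type_of() {
    printf '%s\n' "$2" | awk -v mp="$1" \
        '$2 == mp { print $3; found = 1 } END { if (!found) print "unknown" }'
}

# mount_opts_of MOUNTPOINT MOUNTS_TEXT -> prints the mount options (rw,ro,...)
mount_opts_of() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { print $4 }'
}

# safe_download_target MOUNTPOINT MOUNTS_TEXT -> 0 only for a FAT volume that is
# mounted read-write. NTFS (and anything unrecognised) is rejected, matching the
# post's advice never to write to NTFS from Linux.
safe_download_target() {
    t=$(fs_type_of "$1" "$2")
    o=$(mount_opts_of "$1" "$2")
    case "$t" in
        vfat|msdos|fat) ;;          # FAT floppy / FAT partition: acceptable
        *) return 1 ;;              # ntfs, unknown, anything else: refuse
    esac
    case ",$o," in
        *,rw,*) return 0 ;;         # mounted read-write
        *) return 1 ;;              # still read-only: remount first
    esac
}

# fits_on_floppy SIZE_KB -> 0 if a file of SIZE_KB fits on a single floppy
fits_on_floppy() {
    [ "$1" -le "$FLOPPY_KB" ]
}

# fetch URL MOUNTPOINT -> runs the checks against the live /proc/mounts, then wget
fetch() {
    mounts=$(cat /proc/mounts)
    if ! safe_download_target "$2" "$mounts"; then
        echo "refusing: $2 is not a writable FAT volume" >&2
        return 1
    fi
    wget -P "$2" "$1"
}

# Usage (only when explicitly invoked): ./recover.sh run URL /mnt/floppy
if [ "${1:-}" = "run" ]; then fetch "$2" "$3"; fi
```

If the floppy shows up read-only, `mount -o remount,rw /mnt/floppy` is the command-line equivalent of the "enable write permission" sub-steps above.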

Of course, again, this advice is useless if you don’t have a Knoppix CD handy. Nor is it going to help if you haven’t practiced and documented this contingency at least once before you needed to. In other words, regardless of whether you boot from Knoppix and use Mozilla, or boot into safe mode and use wget … you need written documentation on how to connect to your ISP, and you need to know how to use it via your alternative methods so you’re not fumbling around during an actual emergency.

Sorta like having and then PRACTICING how you’re going to get out of your house during a fire.

UPDATE – btw, here is a most excellent article I found after writing this post entitled “Computer First Aid Using Knoppix” … or what I like to call, “everything you wanted to know about fixing your Windows system using Knoppix, but were afraid to try …” It includes, among other good things, tutorials on how to dial up and connect to the Internet and how to get around your Windows file systems. I would suggest printing it out and somehow affixing the 11 pages alongside the Knoppix CD you should already have duct-taped to the side of your PC. I might also write on the back of the printout any ISP information (other than passwords) you need to get connected.

UPDATE 2 – I’m flattered to see my site linked up at NewsForge! Thanks, Chuck! I’m also glad to see that someone brought up the subject of NTFS, both there and here. Here is the bottom line. The systems affected by the MSBlaster worm are generally NTFS. While I did find documentation on how to mount an NTFS partition for a regular user … I also found stern warnings NOT TO WRITE TO AN NTFS partition in a discussion on fixing one’s boot record, a post that starts with the sage advice of backing up your data. That backup can be done if you merely mount the NTFS partition for read-only access … on my system, my NTFS hard drive is read-only accessible merely by double clicking on the drive icon … your mileage may vary.

UPDATE 3 – One more quick note in response to some comments and emails:

  • The Windows NT, Windows 2000 and Windows XP patches from Microsoft are indeed small enough to copy to a floppy (807kb, 898kb and 1,261kb respectively).
  • For Windows 2003, you’re going to have to use some other medium as the patch file is 1,454kb in size.
  • The Symantec fix is a mere 140kb in size so you only need one floppy, though I always prefer a suspenders/belt combo.
  • As for why not just run Linux all the time? Or why not have a dual boot system? Well, because some of us have situations at work where we are not allowed to install a second O/S.
  • Why not use a Windows Emergency Boot disk? You can, but I prefer to have a complete operating system with all the trimmings and software I need available when the need arises.
  • Complicated? A bit, but again, it’s good to have a complete operating system available when the need arises.
  • How can I install the Windows patch under Linux? You can’t, but you can download the fixes and patches with Mozilla, then reboot into Windows safe mode.

As always, understand that your mileage may vary … which is why earlier I stated, you should always plan, practice and document contingencies before needing them.

9 Comments

  1. Of course you have the issue of file-system… blaster/lovesan affects win2k, xp. These are 2 Microsoft OS’s that default to NTFS. So that would mean that you’d either need a fat/fat32 partition available to download to (of course remount r/w), or a floppy diskette available… yuck. Of course that’s assuming that the symantec fix and microsoft patch fit on floppies. It probably does, but when was the last time you had a floppy?

  2. If knoppix was your OS (25min install) you wouldn’t need to duct tape the CD to your PC.

  3. This morning I just went through a process which would have eliminated the MSblaster worm … although I went through it for entirely different reasons (no worm on my computer!). I just happen to have a hot spare for my HD (can’t have it fail in field work) which was initially created via dd and with the data files kept up-to-date via other Linux tools. Windows went screwy thanks to bad software (not necessarily MS) so I just wiped the winnt directory and re-installed off my hot spare. I had a fully functional Windows2000 in under 10 minutes…

  4. I don’t know what the problem is. You go directly to Windows XP/2000, start taskmanager, kill msblast.exe among processes, download & upgrade what you need. I managed to do that more than once in the past few days.

    I like and use Linux, but are you getting a little bit complicated?

  5. Great post. Simple and correct. I did that, and I don’t have problem anymore. Thanks. Bye.

  6. I wonder whether you could set up Wine to run from your Windows partition, then run windows update from IE in Wine. Of course if you’re on a system with NTFS, this isn’t so good since it’d write to the disk. And it is probably risky. It’d be neat to try on a system that you didn’t care at all about.

  7. SD, MMC, Sony Memory Stick, Anything small gearless usb and on the go. Why why why do we insist on the beast we call windows machines?
    Easy, lite, portable, pretty. Virri, Trojans, and Wurms frighten End Users, poor network admins so alone with no friends.
    Linux never receiving due respect. Solaris, HP-UX, SCO, BSD, and Solaris aggravate my condition. Missing the days of VMS, ashamed of minix finding refuge in GNU.
    So simple were the days when all I had was an fpu. Poking memory with basic on my Atari 400, while reading mad magazine. It is hard to believe I am only 23.
    Linux is my friend, even when my teachers told me OS2 was the end for MS and IBM ruled. Pre 95 slackware on my rig, god bless that wretched machine.
    Peace brothers and sisters, some of us out there understand and share your pain.

    A mental Patient
    Paul R. Jones

    FYI
    I am 24
    and gave up IT
    no place for
    us mental cripples
    with love
    Paul

  8. Think of this the next time you have to re-install Windows. Now pay attention. Do you remember the headaches? Do you remember where one of your previous versions of Windows is at right now? You’ll need it if your current version is an upgrade. Did you store the “key” with the disk? You’ll need that too. Know your ISP’s URL right off the top of your head? How about your mail server information? Do you remember every single program you installed with Windows? How long will it take to download/install all of the critical updates? Now start thinking about where you will find all of the programs you use that DIDN’T come with Windows. This is exactly why virus scanning software sells so well.

    For years my favorite program was FORMAT with the /C: switch. I’ve found a better one. “GHOST”.

    Starting with a clean hard-drive, I partition it with at least 2 partitions. Then I install and configure Windows and all of my necessary software. During setup I point the swapfile, e-mail, favorites and anything else I can get away with to the second partition. Post-Windows installations (that will work) also go on the second partition. The idea here is to keep the C: below 640Meg.

    When everything is working properly and known to be “virus free” I kill temp files and cookies and defrag. Next I boot to floppy and run “Ghost”. I create an image of the C: partition and place it on the second partition. Next I boot back to Windows and write a CD with the image file.

    Now I can install anything I want to without worrying about it overwriting a needed DLL with a crippled one. No more worries about virii. Test as many programs as I want without being stuck with parts of them forever. When (not if) something goes wrong I simply boot to the floppy and run Ghost. I flash the image back to the first partition and within 5-minutes I’ve installed and configured everything exactly the way it was the moment I made the image.

    Go buy “Ghost” and quit worrying about the next virus. I hear the current version even works on Linux.

  9. Pingback: JoeBlog