These instructions are designed for Windows XP. Under some circumstances, these instructions may not completely disable the worm or protect the system from re-infection. See Notes.
In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
Right-click the connection on which you would like to enable ICF, and then click Properties.
On the Advanced tab, click the box to select the option to Protect my computer or network.
If you want to enable the use of some applications and services through the firewall, you need to enable them by clicking the Settings button, and then selecting the programs, protocols, and services to be enabled for the ICF configuration.
Run Dcomcnfg.exe.
If you are running Windows XP or Windows Server 2003, perform these additional steps:
Click on the Component Services node under Console Root.
Open the Computers sub-folder.
For the local computer, right-click My Computer and choose Properties.
For a remote computer, right-click the Computers folder and choose New, then Computer. Enter the computer name. Right-click that computer name and choose Properties.
Choose the Default Properties tab.
Select (or clear) the Enable Distributed COM on this Computer check box.
If you will be setting more properties for the machine, click the Apply button to enable (or disable) DCOM. Otherwise, click OK to apply the changes and exit Dcomcnfg.exe.
If you are unable to run the Task Manager (step 2) or the Search function (step 3), type the following at a command prompt:
taskkill.exe /im msblast.exe
del %windir%\system32\msblast.exe
Replace "msblast.exe" with other process/file names as necessary.
You may not find the processes (step 2) and files (step 3) listed above, in which case your computer is not infected. If you are connected to the network, your computer may still be rebooting due to scan/attack traffic. If you do not find the processes and files, continue with step 4.
The worm may exist as processes and files with names other than "msblast.exe", "teekids.exe", or "penis32.exe".
It may be necessary to disable System Restore in order to successfully delete worm files.
Save yourself the trouble next time by blocking ports 135, 137, 138, 139, and 445 (TCP and UDP), inbound and outbound. This will block most MS networking traffic. Leaving ICF enabled will stop unsolicited inbound network traffic. Unless it breaks something, leave ICF enabled.
Another type of host-based or network firewall can be used to block 135/tcp.
Use anti-virus software and maintain updated signatures. Many anti-virus vendors have developed removal tools for this worm.
The worm is started by a registry value under the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key. The value is typically named "windows auto update" or "Microsoft Inet xp.." and has data of "msblast.exe", "teekids.exe", or "penis32.exe". If you are comfortable editing the registry, delete this value (not the Run key itself).
Disabling DCOM may break things and may be unnecessary (assuming that the worm is completely disabled and ICF is enabled).
It has been reported that AOL network connections do not display an option to use ICF.
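The checks described in these notes (running process, file in system32, and Run entry) can be done in one read-only pass from a command prompt. The batch file below is an added example, not part of the original instructions; it assumes reg.exe and tasklist.exe are available on the system (as taskkill.exe is above) and it only looks for the three file names listed on this page, so a clean result does not rule out a variant using another name.

```batch
@echo off
rem Added example: read-only check for the worm names listed on this page.
rem It deletes nothing and changes nothing; it only reports what it finds.
setlocal
set RUNKEY=HKLM\Software\Microsoft\Windows\CurrentVersion\Run
set FOUND=0

for %%N in (msblast.exe teekids.exe penis32.exe) do (
    rem 1. Is a process with this image name running?
    tasklist /fi "imagename eq %%N" 2>nul | findstr /i /c:"%%N" >nul && (
        echo [!] Process running: %%N
        set FOUND=1
    )
    rem 2. Is the file present in the system32 directory?
    if exist "%windir%\system32\%%N" (
        echo [!] File present: %windir%\system32\%%N
        set FOUND=1
    )
    rem 3. Does any value under the Run key launch this file?
    reg query "%RUNKEY%" 2>nul | findstr /i /c:"%%N" >nul && (
        echo [!] Run key entry references %%N
        set FOUND=1
    )
)

if "%FOUND%"=="0" echo No listed process, file, or Run entry was found.
endlocal
```

To see the matching Run entries by name before editing the registry, run the reg query command from the script on its own and read the value names in its output.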