W32.Blaster.Worm Removal Tool

Discovered on: August 11, 2003
Last Updated on: August 12, 2003 12:01:58 PM PDT

Symantec Security Response has developed a removal tool to clean the W32.Blaster.Worm infections.

Obtaining and running the tool locally at LDEO

What the tool does

The W32.Blaster.Worm Removal Tool does the following:

  1. Terminates the W32.Blaster.Worm viral processes.
  2. Deletes the W32.Blaster.Worm files.
  3. Deletes the dropped files.
  4. Deletes the registry values that the worm added.


Obtaining and running the tool

NOTE: You need administrative rights to run this tool on Windows 2000, or Windows XP.
  1. Download/Apply the OS Patches:

    Locally at LDEO:
    Windows 98 are not effected
    Windows2000 (service pack level 2 is required):     Windows2000-KB823980-x86-ENU.exe
    WindowsXP: WindowsXP-KB823980-x86-ENU.exe
    Windows NT 4.0: NT4Q823980i.EXE
  2. Download the FixBlast.exe file from:
    Locally at LDEO:FixBlast.exe

    From Symantec: http://securityresponse.symantec.com/avcenter/FixBlast.exe

  3. Save the file to a convenient location, such as your downloads folder or the Windows Desktop (or removable media that is known to be uninfected, if possible).

  4. Close all the running programs before running the tool.
  5. Double-click the just down loaded executable file to start the removal tool.
  6. Click Start to begin the process, and then allow the tool to run.

    NOTE: If, when running the tool, you see a message that the tool was not able to remove one or more files, run the tool in Safe mode. Shut down the computer, turn off the power, and wait 30 seconds. Restart the computer in Safe mode and run the tool again. All the Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions, read the document "How to start the computer in Safe Mode."

  7. Restart the computer.
  8. Run the removal tool again to ensure that the system is clean.
  9. If you are running Windows XP, then re-enable System Restore.
  10. Run LiveUpdate to make sure that you are using the most current virus definitions.

When the tool has finished running, you will see a message indicating whether W32.Blaster.Worm infected the computer. In the case of a worm removal, the program displays the following results:
  • Total number of the scanned files
  • Number of deleted files
  • Number of terminated viral processes
  • Number of fixed registry entries