Document Heading

If your computer is experiencing a nasty bout of “RPC terminated unexpectedly” errors initiated by NT AUTHORITYSYSTEM, then you computer might well be infected with the latest Microsoft targeted worm MSBlaster a.k.a. LoveSan. What’s unique about this worm is that it doesn’t spread through emails!

Symptoms include a warning issued by your computer that due to the Remote Procedure Call being terminated unexpectedly, you’ve got 1 minute to save your work and restart your computer.

I may not be a full-fledged sysop or security expert, but as far as I know… this worm is pretty fucked up. The ironic thing is, Micro$oft issued a patch in JULY but did many of us take heed? Hmm… I can reasonably expect a zero show of hands. I shall not bore you with the technicalities of the worm, as you can read all about it here at eWeek.

Right… now to solve the problem. As a temporary measure you might just want to input “shutdown -a” at the run (Start > Run) menu to disable the stupid countdown. If you are running XP, then get the patch here from Microsoft’s website. Do not be alarmed if you cannot use the traditional WindowsUpdate feature on your XP box to download the patch though. MSBlaster eats up bandwidth and amongst its primary targets is the WinUpdate website to incapacitate the ability for users to download the necessary patch.

[Edit: 14.08.03 @ 6:28am]

That’s not the end of it though. The next thing to do is to remove MSBlaster from your compie. Go to Start > Run > msconfig then go to the Startup tag. UNCHECK all entries with msblaster.exe on it then reboot.

After rebooting, do a system search Start > Find > Files or Folders for msblaster then delete them. Also remember to empty your rubbish bin. They will most likely be in your C:windowssystem32 and C:windowsprefetch folders (where I found mine).

We at td.com strongly recommend getting a firewall and/or a port monitor (to particularly shut down port 135) AND anti-virus software to ensure your compie stays clean. Ayooo… cheap what only RM5 hehehehe…