Wizcrafts Computer Services

Specializing in Computer Networking, Security and Troubleshooting

Computer Shutdowns or Rebooting from MS Blaster or Zotob Worm Infections

Identifying Windows 2000, XP, and Server 2003 RPC exploits causing shutdowns/rebooting after 1 minute

In August of 2003 the MS Blaster Worm was set loose on the mostly unprepared worldwide owners of Windows 2000 and XP computers. The Blaster Worm took advantage of a vulnerability in the Windows 2000 and XP Remote Procedure Call (RPC) subsystems, and spread entirely over TCP connections, the way computers interface with the Internet. The Blaster Worm and the similar exploits that followed it target Microsoft RPC and DCOM subsystem vulnerabilities that had actually been patched via Windows Updates over a month before the Blaster Worm was loosed. Earlier that summer, the people who had Automatic Windows Updates turned on, or who manually ran Windows Updates on the day the patches were released, were protected against the Blaster Worm. So were folks who had a firewall protecting their computers against unsolicited incoming TCP and UDP traffic.

Unbelievably, in 2006 the MS Blaster Worm and its later variants are still propagating across the Internet and are still infecting unpatched Windows 2000 and XP computers worldwide, which in turn send out a constant stream of TCP probes, looking for more unpatched machines to infect.

Infected machines may suffer from constant shutdowns or rebooting, within approximately one minute of booting into the Windows Desktop, as the RPC (Remote Procedure Call) system fails due to the hostile activity of this class of (Blaster type) Worms. In unpatched systems the default action for a failure in the RPC system is to try to instantly restart the service (possibly twice), but if that fails, to restart (reboot) the computer after 60 seconds.

If your computer is infected with this worm you may experience some or all of the following symptoms:

The computer may shut down, or may restart repeatedly, at random intervals. On a Windows XP-based or on a Windows Server 2003-based computer, a dialog box may appear that gives you the option to report the problem to Microsoft. If you are using Windows 2000 or Windows NT, you may receive a Stop error message.

You may find a file that is named Msblast.exe, Nstask32.exe, Penis32.exe, Teekids.exe, Winlogin.exe, Win32sockdrv.dll, or Yuetyutr.dll in the Windows\System32 folder.

You may find unusual TFTP* (Tiny FTP server) files on your computer.

Read what you should do to stop the constant shutdowns

These worms exploit critical security vulnerabilities in the Windows XP, 2000, and Server 2003 operating systems and can infect an unpatched computer that connects to the Internet within just a few seconds of being online. Since the discovery of the Blaster Worm in 2003, Microsoft has released many critical security patches and one major service pack update to address these and other Windows operating system vulnerabilities that have been, and continue to be, discovered.

New vulnerabilities targeting computers running Microsoft Windows and Internet Explorer are discovered all the time, since they represent the majority of the Operating Systems and browsers in common use around the World. There is very little lead time from the announcement of a major vulnerability until an outbreak exploiting it occurs. In fact, "Zero Day" exploits have been emerging since the fall of 2005, and into 2006, where the public announcement of a vulnerability and the release of exploit codes coincide.

To protect your computer from these constantly emerging sudden threats it is extremely important that home and small office PC users set their computers to download and install Windows Updates automatically, at a time when the PC is known to be powered on and is online (the default setting is 2 AM). This is the best way to obtain critical patches and updates (including Windows XP Service Pack 2 and any future security rollups), as they are released by Microsoft. Companies with Domain or Internet Servers still need to test patches before deploying them, as was discovered with the troublesome release of the MS05-051 HotFix on October 11, 2005.

If you cannot, or choose not to, enable Automatic Windows Updates, you can still get these critical patches and updates manually from the Microsoft Windows Update website, using an account running with Administrator Privileges (on Windows 2000, 2003, or XP). Be aware that you will have to validate your copy of Windows 2000 or XP once to obtain manual Windows Updates. If your copy does not validate, your only option is to use Automatic Updates. Users of the Windows XP operating system who have not already updated their system to the Service Pack 2 level should do so at the first opportunity. Windows XP SP-2 plugs many security holes and turns on the Windows Firewall by default (it was off by default in XP and XP-SP-1).

It is also a good practice for Internet Explorer users to place a check in the checkbox for the Internet Options setting (under the Advanced tab) to "Empty the Temporary Internet Files folder when browser is closed." This will flush out any potentially harmful files or hostile program installers that you may have unknowingly downloaded while browsing the Internet. These files are often downloaded silently ("Driveby Downloads") by Internet Explorer browsers, by visiting websites containing hostile scripts that exploit unpatched vulnerabilities in your browser, or through loose Internet Zone security settings related to ActiveX Controls and file downloads.

While not vulnerable to RPC type exploits, people who are still using computers running on Windows 98, Windows 98 Second Edition, and Windows Millennium Edition (Me) are still in danger from other online exploits and should routinely visit the Windows Update site, for as long as Microsoft continues to make patches available for you. Paid incident support for Windows 98, Windows 98 Second Edition, and Windows Millennium Edition (Me) is available through June 30, 2006. Critical security updates will be provided on the Windows Update site through June 30, 2006. After that date your operating system will receive no further support from Microsoft, according to this document.

What to do if you are already infected with a Blaster type RPC Worm:

Ms Blaster Worm Removal Tips

In the event your computer is already infected with W32.Blaster.Worm, you may not be able to use Windows Update, because the worm's activity may cause your computer to reboot every few minutes. A temporary workaround for Windows XP users is to quickly click the START button, then RUN, then type CMD.EXE into the RUN input field. A DOS Window will open. At the command prompt line type: "shutdown -a" (without the quotes), then press ENTER, to stop your computer from shutting down this time.

A more effective method of stopping the unwanted shutdowns, in both Windows XP and 2000, is to click on START > RUN, type "services.msc" (without quotes) in the RUN input box and press ENTER. A window titled "Services" will open, with the words "Services (local)" in the left panel and a long list of items running as services in the right panel. Scroll down the right list until you find "Remote Procedure Call (RPC)." You do not want the service that ends in Locator, just (RPC).

The dividers for each column are adjustable in width by dragging the vertical bars separating them, at the top of the right panel. It may help to drag the divider between the Name and Description columns to the right to allow the full names of the services to be displayed.

Right-click the Remote Procedure Call (RPC) service, and then click Properties. Click the Recovery tab. Using the drop-down lists, change First failure, Second failure, and Subsequent failures to either "Take no action" or "Restart the Service." Click Apply, and then OK.

Confirm if your computer is infected by the Blaster Worm by searching for the file msblast.exe, in the WINDOWS SYSTEM32 directory.

  1. Click on Start, then Search and click on Files or Folders
  2. Type msblast.exe into the "Search for files or folders named" field, then press the ENTER key.
  3. The msblast.exe results will appear in the right pane of the search window
  4. Leave the Search window open!
  5. Go to the next steps

Ending the MsBlaster/Lovesan Worm process:

  1. Press Ctrl+Alt+Delete once
  2. Click the Task Manager tab
  3. Click the Processes tab
  4. Click twice on the Image Name column header to alphabetically sort the processes
  5. Scroll through the list and look for Msblast.exe
  6. If you find the file, click it, and then click the End Process button
  7. Click OK on the popup warning box to terminate MsBlast.exe
  8. Exit the Task Manager
  9. Go back to the Search window and right-click on the msblast.exe file(s) listed in the right panel, then click Delete.
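The removal steps above, collected into a command-prompt batch file as an added example (not code from the original page). It assumes Windows XP Professional or Server 2003, run from an Administrator command prompt, where shutdown.exe, sc.exe, tasklist.exe and taskkill.exe are built in (Windows 2000 and XP Home lack some of these), and that any worm files sit in the System32 paths the page names.

```batch
@echo off
rem Added example, not from the original page: scripted version of the
rem Blaster triage steps (cancel the pending reboot, change the RPC
rem recovery action, end the worm process, delete the dropped files).
rem Assumes XP Pro / Server 2003 with sc, tasklist, taskkill and shutdown.

rem 1. Cancel the 60-second RPC-failure reboot that is already counting down.
shutdown -a

rem 2. Make RPC failures restart the service instead of rebooting the PC.
rem    The three action/delay pairs are First, Second and Subsequent failures;
rem    use "" in place of restart for "Take no action". Delays are in ms.
sc failure RpcSs reset= 86400 actions= restart/60000/restart/60000/restart/60000
sc qfailure RpcSs

rem 3. Show and end the worm process, if it is running.
tasklist /FI "IMAGENAME eq msblast.exe"
taskkill /F /IM msblast.exe

rem 4. Delete the files this page lists as Blaster indicators. The process
rem    must be ended first or the delete of msblast.exe fails (file in use).
for %%f in (msblast.exe nstask32.exe penis32.exe teekids.exe winlogin.exe win32sockdrv.dll yuetyutr.dll) do (
  if exist "%SystemRoot%\System32\%%f" (
    echo Found %SystemRoot%\System32\%%f
    del /F "%SystemRoot%\System32\%%f"
  )
)

rem 5. Next step is Windows Update for the MS03-026 / MS03-039 patches.
echo Now install the RPC Buffer Overrun patches before anything else.
```

Run it within the first minute after logon, or after the services.msc change described above has already stopped the reboots.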

If the change you made to the RPC Service has stopped your computer from shutting down and you have terminated the active process as described above, try to go to the Windows Update website (Start > Windows Update) and have it scan for updates. A list of security updates for your computer will appear on the right side of the page. Some of the critical patches or service packs must be installed apart from others. If you see any of these in the list of available updates you may want to remove them from the group to be downloaded, until you are able to install the RPC Buffer Overrun patches, MS03-026 and/or MS03-039, released on July 16 and Sept 10, 2003. Patch MS03-039 patches the original patch for three more flaws that could be exploited, and supersedes it. Remove as many updates from the list as is necessary to obtain the Buffer Overrun patches! Click the Install link, accept the license terms and get the patches installed before doing anything else. Reboot as instructed, then go back to Windows Update and get the rest of the updates, service packs and patches that are available for your computer.

If you are unable to access Windows Update and believe you are infected with the Blaster Worm, go to the Symantec Security Response page at - https://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html. There are instructions there for manually removing the Worm, as well as links to download the FixBlast removal tool from Symantec.

Learn how a firewall can protect your computers against this and similar attack vectors.


Your Windows 2000 computer keeps rebooting or locking up:

If this problem suddenly began occurring on or after August 14, 2005, you have probably been infected with the Zotob or Esbot worm, or a similar TCP-borne Worm, which exploits a vulnerability in Windows 2000 computers that have not had the critical patch listed in Microsoft Security Bulletin MS05-039 applied. This patch fixes a vulnerability in the Plug and Play subsystem on Windows 2000.

Zotob only targets Windows 2000. Customers who have upgraded to Windows XP—as well as customers who have applied the MS05-039 security update to Windows 2000—are not impacted by this attack. This vulnerability affects the Plug and Play sub-system, and once infected your computer will lock up or constantly reboot. The Worm is Network Aware, and seeks out all computers connected to a LAN.

Symantec Corp. has published an in-depth article on this vulnerability, and has made removal tools available from the Symantec Security Response website.

After Microsoft was informed about this vulnerability, on very short notice, they produced a patch that was made available through Windows Update on August 9, 2005. A hotfix was also made available from Microsoft for companies or individuals who choose not to use Windows Update for patches. Windows 2000 users who had Automatic Updates turned on, with the automatic download and install options selected, would have been patched against these exploits. The first Zotob attacks began a mere 5 days after the vulnerability and patch were released.

Microsoft has made a no-cost, software-based cleaner tool available that customers can use to automatically remove the Zotob worm and its variants from infected PCs after deploying the security update. The tool is available at: https://www.microsoft.com/malwareremove.
