Guys,
Pls see the following, sorry for large content, but very important!!
**Important Security Update: Actions for the Blaster
Worm**
For the most recent news about Blaster, it is very
important that you visit the Security page:
http://go.microsoft.com/?linkid=221246 You will also find tips for helping Friends, family,
and colleagues.
In This Newsletter:
- Who Is Affected
- Impact of Attack
- Actions to Take
- Technical Details
- Recovery
- Related Knowledge Base
- Related Microsoft Security Bulletins
- Tips for Helping Friends, Family, and Colleagues
At 11:34 A.M. Pacific Time on August 11, Microsoft
began investigating a worm reported by Microsoft
Product Support Services (PSS). Several antivirus
companies have responded and written tools to remove
the Blaster worm.
Who Is Affected?
Users of the following products are affected:
- Microsoft® Windows NT® 4.0
- Microsoft Windows® 2000
- Microsoft Windows XP
- Microsoft Windows ServerT 2003
The worm was discovered August 11. Customers who had
previously applied the security patch MS03-026 are
protected.
To determine if the worm is present on your machine,
see the technical details below.
Actions for Network Administrators
Managers of networked computers should read the
Microsoft Product Support Services (PSS) Security
Response Team alert for technical guidance:
http://go.microsoft.com/?linkid=221247 Technical Details:
This worm scans a random IP range to look for
vulnerable systems on TCP port 135. The worm attempts
to exploit the DCOM RPC vulnerability patched by
MS03-026:
http://go.microsoft.com/?linkid=221248Once the Exploit code is sent to a system, it downloads
and executes the file MSBLAST.EXE from a remote system
via TFTP. Once run, the worm creates the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe I just
want to say LOVE YOU SAN!! bill
Symptoms of the virus: Some customers may not notice
any symptoms at all. A typical symptom is the system
reboots every few minutes without user input. Customers
may also see:
- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS
SYSTEM32 directory
To detect this virus, search for msblast.exe in the
WINDOWS SYSTEM32 directory or download the latest
antivirus software signature from your antivirus vendor
and scan your machine.
For additional information on recovering from this
attack, please contact your preferred antivirus vendor.
Recovery:
Many Antivirus companies have written tools to remove
the known exploit associated with this particular worm.
To download the removal tool from your antivirus vendor
follow the procedures outlined below.
For Windows XP
1. If your computer reboots repeatedly, please unplug
your network cable from the wall.
2. First, enable Internet Connection Firewall (ICF) in
Windows XP:
http://go.microsoft.com/?linkid=221249--In Control Panel, double-click "Networking and
Internet Connections", and then click "Network
Connections".
--Right-click the connection on which you would like to
enable ICF, and then click "Properties".
--On the Advanced tab, click the box to select the
option to "Protect my computer or network".
3. Plug the network cable back into the wall to
re-connect your computer to the Internet
4. Download the MS03-026 security patch from Microsoft
and install it on your computer:
Windows XP (32 bit)
http://go.microsoft.com/?linkid=221250 Windows XP (64 bit)
http://go.microsoft.com/?linkid=221251 5.Install or update your antivirus signature software
and scan your computer
6.Download and run the worm removal tool from your
antivirus vendor.
For Windows 2000 systems, where Internet Connection
Firewall (ICF) is not available, the following steps
will help block the affected ports so that the system
can be patched. These steps are based on a modified
excerpt from the article; HOW TO: Configure TCP/IP
Filtering in Windows 2000.
http://go.microsoft.com/?linkid=221252 1. Configure TCP/IP security on Windows 2000:
--Select "Network and Dial-up Connections" in Control
Panel.
--Right-click the interface you use to access the
Internet, and then click "Properties".
--In the "Components checked are used by this
connection" box, click "Internet Protocol (TCP/IP)",
and then click "Properties".
--In the Internet Protocol (TCP/IP) Properties dialog
box, click "Advanced".
--Click the "Options" tab.
--Click "TCP/IP filtering", and then click
"Properties".
--Select the "Enable TCP/IP Filtering (All adapters)"
check box.
--There are three columns with the following labels:
TCP Ports
UDP Ports
IP Protocols
--In each column, you must select the "Permit Only"
option.
--Click OK.
2. Download the MS03-026 security patch for Windows
2000 from Microsoft and install it on your computer
from:
http://go.microsoft.com/?linkid=2212533. Install or update your antivirus signature software
and scan your computer
4. Then, download and run the worm removal tool from
your antivirus vendor.
For additional details on this worm from antivirus
software vendors participating in the Microsoft Virus
Information Alliance (VIA) please visit the following
links:
Network Associates:
http://go.microsoft.com/?linkid=221254 Trend Micro:
http://go.microsoft.com/?linkid=221255 Symantec:
http://go.microsoft.com/?linkid=221256Computer Associates:
http://go.microsoft.com/?linkid=221257 For more information on Microsoft's Virus Information
Alliance please visit this link:
http://go.microsoft.com/?linkid=221258 Please contact your antivirus vendor for additional
details on this virus.
Prevention:
1. Turn on Internet Connection Firewall (Windows XP or
Windows Server 2003) or use a third-party firewall to
block TCP ports 135, 139, 445 and 593; UDP port 135,
137,138;also UDP 69 (TFTP)and TCP 4444 for remote
command shell. To enable the Internet Connection
Firewall in Windows:
http://go.microsoft.com/?linkid=221259- In Control Panel, double-click "Networking and
Internet Connections", and then click "Network
Connections".
- Right-click the connection on which you would like to
enable ICF, and then click "Properties".
- On the Advanced tab, click the box to select the
option to "Protect my computer or network".
This worm utilizes a previously-announced vulnerability
as part of its infection method. Because of this,
customers must ensure that their computers are patched
for the vulnerability that is identified in Microsoft
Security Bulletin MS03-026.
http://go.microsoft.com/?linkid=2212602. Install the patch MS03-026 from Windows Update:
Windows NT 4 Server & Workstation
http://go.microsoft.com/?linkid=221261 Windows NT 4 Terminal Server Edition
http://go.microsoft.com/?linkid=221262 Windows 2000
http://go.microsoft.com/?linkid=221263 Windows XP (32 bit)
http://go.microsoft.com/?linkid=221264Windows XP (64 bit)
http://go.microsoft.com/?linkid=221265 Windows 2003 (32 bit)
http://go.microsoft.com/?linkid=221266 Windows 2003 (64 bit)
http://go.microsoft.com/?linkid=221267 3. As always, please make sure to use the latest
antivirus detection from your antivirus vendor to
detect new viruses and their variants.
Related Knowledge Base Articles:
http://go.microsoft.com/?linkid=221268 Related Microsoft Security Bulletins:
http://go.microsoft.com/?linkid=221269THIS DOCUMENT AND OTHER DOCUMENTS PROVIDED PURSUANT TO
THIS PROGRAM ARE FOR INFORMATIONAL PURPOSES ONLY. The
information type should not be interpreted to be a
commitment on the part of Microsoft and Microsoft
cannot guarantee the accuracy of any information
presented after the date of publication. INFORMATION
PROVIDED IN THIS DOCUMENT IS PROVIDED 'AS IS' WITHOUT
WARRANTY OF ANY KIND. The user assumes the entire risk
as to the accuracy and the use of this document.
microsoft.com newsletter e-mail may be copied and
distributed subject to the following conditions:
1. All text must be copied without modification and all
pages must be included
2. All copies must contain Microsoft's copyright notice
and any other notices provided therein
3. This document may not be distributed for profit
Company Details:
Microsoft Limited
Microsoft Campus, Thames Valley Park, Reading, RG6 1WG
2way@microsoft-contact.co.uk
