The information below was
compiled by David Stuart of collegebuys.org/schoolbuys.org from two security bulletins
e-mailed by Microsoft.
SUMMARY
On August 11, 2003,
Microsoft began investigating a report of a worm, known as W32.Blaster.Worm,
that exploits the vulnerability addressed by Microsoft Security Bulletin
MS03-026. Microsoft released this critical security bulletin and corresponding
patch for Windows operating systems on July 16, 2003. While some customers may
not notice the presence of the worm infection at all on their computer systems,
typical symptoms may include Windows XP and Windows Server 2003 systems
rebooting every few minutes without user input or Windows NT4 and Windows 2000
systems becoming unresponsive.
If you applied security
patch MS03-026 prior to the discovery of the Blaster worm, your system is
secure from the vulnerability that W32.Blaster is using. For the most current
information on determining if your systems are infected and how to recover from
the infection, please go to the following Web site and perform the prescribed
steps:
http://go.microsoft.com/?linkid=222109.
This site will be updated as more information regarding the W32.Blaster worm
becomes available.
Our goal is to provide
you with the information and tools you need to help run your company safely and
reliably. When we become aware of these types of vulnerabilities, it is our
goal to share protection and remediation information with you as quickly as is
possible. In order to help protect your computing environment from security
vulnerabilities, we encourage you to use the Windows Update service by going to
http://go.microsoft.com/?linkid=222110
and also subscribe to Microsoft's security notification service at
http://go.microsoft.com/?linkid=222111.
By using these two services you will automatically receive information on the
latest software updates and the latest security notifications, thereby
improving the likelihood that your computing environment will be safe from the
worms and viruses that occur.
DETAILED INFORMATION
Who Is Affected?
Users of the following
products are affected:
- Microsoft® Windows NT® 4.0
- Microsoft Windows® 2000
- Microsoft Windows XP
- Microsoft Windows Server™ 2003
The worm was discovered
August 11. Customers who had previously applied the security patch MS03-026 are
protected.
To determine if the worm
is present on your machine, see the technical details below.
Actions for Network
Administrators
Managers of networked
computers should read the Microsoft Product Support Services (PSS) Security
Response Team alert for technical guidance:
http://go.microsoft.com/?linkid=220822
Technical Details:
This worm scans a random
IP range to look for vulnerable systems on TCP port 135. The worm attempts to
exploit the DCOM RPC vulnerability patched by MS03-026:
http://go.microsoft.com/?linkid=220823
Once the exploit code is
sent to a system, it downloads and executes the file MSBLAST.EXE from a remote
system via TFTP. Once run, the worm creates the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update" = msblast.exe I just want to say LOVE YOU SAN!!
bill
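The network behaviour described above (scanning on TCP port 135, then a TFTP
download of MSBLAST.EXE) can be looked for in flow logs. The following is an
added example, not part of the Microsoft bulletins; the record format,
addresses, thresholds and function names are constructed for illustration, and
it assumes the TFTP request goes back to the host that made the port-135
connection.

```python
from collections import defaultdict

# Constructed flow records (not real traffic): "epoch_seconds src dst proto dport"
SAMPLE_FLOWS = """\
1000 10.0.0.5 10.0.1.1 tcp 135
1001 10.0.0.5 10.0.1.2 tcp 135
1002 10.0.0.5 10.0.1.3 tcp 135
1003 10.0.0.5 10.0.1.4 tcp 135
1004 10.0.0.5 10.0.1.3 tcp 4444
1005 10.0.1.3 10.0.0.5 udp 69
1006 10.0.0.9 10.0.1.1 tcp 135
1007 10.0.0.7 10.0.0.9 udp 69
"""

def parse_flows(text):
    """Yield (ts, src, dst, proto, dport) tuples from whitespace-separated lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed records
        ts, src, dst, proto, dport = parts
        yield int(ts), src, dst, proto.lower(), int(dport)

def detect_blaster(flows, fanout_threshold=4, window=300):
    """Return (scanners, victims).

    scanners: sources that contacted >= fanout_threshold hosts on TCP 135.
    victims:  hosts that sent a TFTP request (UDP 69) to a peer that had
              connected to them on TCP 135 at most `window` seconds earlier.
    """
    rpc_targets = defaultdict(set)  # src -> destinations probed on tcp/135
    rpc_seen = {}                   # (src, dst) -> time of last tcp/135 contact
    shell_seen = set()              # host pairs with tcp/4444 traffic so far
    victims = {}
    for ts, src, dst, proto, dport in sorted(flows):
        if proto == "tcp" and dport == 135:
            rpc_targets[src].add(dst)
            rpc_seen[(src, dst)] = ts
        elif proto == "tcp" and dport == 4444:
            shell_seen.add(frozenset((src, dst)))
        elif proto == "udp" and dport == 69:
            probed_at = rpc_seen.get((dst, src))  # earlier probe, reverse direction
            if probed_at is not None and ts - probed_at <= window:
                victims[src] = {"tftp_peer": dst,
                                "shell_4444_seen": frozenset((src, dst)) in shell_seen}
    scanners = {s for s, d in rpc_targets.items() if len(d) >= fanout_threshold}
    return scanners, victims

if __name__ == "__main__":
    print(detect_blaster(parse_flows(SAMPLE_FLOWS)))
```

On the sample records, 10.0.0.5 is reported as a scanner and 10.0.1.3 as a
likely infected host; the unrelated TFTP request from 10.0.0.7 is not flagged.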
Symptoms of the Virus:
Some customers may not
notice any symptoms at all. A typical symptom is the system reboots every few
minutes without user input. Customers may also see:
- Presence of unusual
TFTP* files
- Presence of the file
msblast.exe in the WINDOWS SYSTEM32 directory
To detect this virus,
search for msblast.exe in the WINDOWS SYSTEM32 directory or download the latest
antivirus software signature from your antivirus vendor and scan your machine.
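The registry value and file named above can be checked across many machines
from collected "reg query" output and directory listings. This is an added
example, not part of the Microsoft bulletins; the sample output, the
ExampleTray entry and the function names are constructed, and the "unexpected
data" case is a heuristic for possible variants.

```python
import re

# Constructed "reg query" output for the Run key (not from a real host).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    C:\Program Files\Example\tray.exe
    windows auto update    REG_SZ    msblast.exe
"""
# Constructed listing of the system32 folder (file names only).
SAMPLE_SYSTEM32 = ["kernel32.dll", "MSBLAST.EXE", "tftp.exe"]

# Value names may contain spaces, so anchor on the REG_* type column
# instead of splitting the line on whitespace.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

def parse_run_values(text):
    """Return {value name: data} for each value line in reg query output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group("name").strip()] = m.group("data").strip()
    return values

def blaster_indicators(reg_text, system32_files):
    """Return a sorted list of indicator labels found on one host."""
    found = set()
    for name, data in parse_run_values(reg_text).items():
        name_hit = name.lower() == "windows auto update"
        data_hit = "msblast.exe" in data.lower()
        if name_hit and data_hit:
            found.add("run-key:windows auto update=msblast.exe")
        elif name_hit:
            found.add("run-key:name match, unexpected data (heuristic)")
        elif data_hit:
            found.add("run-key:msblast.exe under another value name")
    # File names are compared case-insensitively, as on Windows file systems.
    if any(f.lower() == "msblast.exe" for f in system32_files):
        found.add("file:msblast.exe in system32")
    return sorted(found)

if __name__ == "__main__":
    for label in blaster_indicators(SAMPLE_REG_QUERY, SAMPLE_SYSTEM32):
        print(label)
```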
For additional
information on recovering from this attack, please contact your preferred
antivirus vendor.
Recovery:
Many antivirus companies
have written tools to remove the known exploit associated with this particular
worm. To download the removal tool from your antivirus vendor, follow the
procedures outlined below.
For Windows XP
1. If your computer
reboots repeatedly, please unplug your network cable from the wall.
2. First, enable Internet
Connection Firewall (ICF) in Windows XP:
http://go.microsoft.com/?linkid=220824
--In Control Panel, double-click "Networking and
Internet Connections", and then click "Network Connections".
--Right-click the connection on which you would like
to enable ICF, and then click "Properties".
--On the Advanced tab, click the box to select the
option to "Protect my computer or network".
3. Plug the network cable
back into the wall to reconnect your computer to the Internet.
4. Download the MS03-026
security patch from Microsoft and install it on your computer:
Windows XP (32 bit)
http://go.microsoft.com/?linkid=220825
Windows XP (64 bit)
http://go.microsoft.com/?linkid=220826
5. Install or update your
antivirus signature software and scan your computer.
6. Download and run the
worm removal tool from your antivirus vendor.
For Windows 2000 systems,
where Internet Connection Firewall (ICF) is not available, the following steps
will help block the affected ports so that the system can be patched. These
steps are based on a modified excerpt from the article HOW TO: Configure
TCP/IP Filtering in Windows 2000:
http://go.microsoft.com/?linkid=220827
1. Configure TCP/IP
security on Windows 2000:
--Select "Network and Dial-up Connections"
in Control Panel.
--Right-click the interface you use to access the
Internet, and then click "Properties".
--In the "Components checked are used by this
connection" box, click "Internet Protocol (TCP/IP)", and then
click "Properties".
--In the Internet Protocol (TCP/IP) Properties dialog
box, click "Advanced".
--Click the "Options" tab.
--Click "TCP/IP filtering", and then click
"Properties".
--Select the "Enable TCP/IP Filtering (All
adapters)" check box.
--There are three columns with the following labels:
TCP Ports
UDP Ports
IP Protocols
--In each column, you must select the "Permit
Only" option.
--Click OK.
2. Download the MS03-026
security patch for Windows 2000 from Microsoft and install it on your computer
from:
http://go.microsoft.com/?linkid=220828
3. Install or update your
antivirus signature software and scan your computer
4. Then, download and run
the worm removal tool from your antivirus vendor.
For additional details on
this worm from antivirus software vendors participating in the Microsoft Virus
Information Alliance (VIA), please visit the following links:
Network Associates:
http://go.microsoft.com/?linkid=220829
Trend Micro:
http://go.microsoft.com/?linkid=220830
Symantec:
http://go.microsoft.com/?linkid=220831
Computer Associates:
http://go.microsoft.com/?linkid=220832
For more information on
Microsoft's Virus Information Alliance, please visit this link:
http://go.microsoft.com/?linkid=220833
Please contact your
antivirus vendor for additional details on this virus.
Prevention:
1. Turn on Internet
Connection Firewall (Windows XP or Windows Server 2003) or use a third-party
firewall to block TCP ports 135, 139, 445 and 593; UDP ports 135, 137 and 138; also
UDP 69 (TFTP) and TCP 4444 for remote command shell. To enable the Internet
Connection Firewall in Windows:
http://go.microsoft.com/?linkid=220834
--In Control Panel, double-click "Networking and
Internet Connections", and then click "Network Connections".
--Right-click the connection on which you would like
to enable ICF, and then click "Properties".
--On the Advanced tab, click the box to select the
option to "Protect my computer or network".
This worm utilizes a
previously announced vulnerability as part of its infection method. Because of
this, customers must ensure that their computers are patched for the
vulnerability that is identified in Microsoft Security Bulletin MS03-026.
http://go.microsoft.com/?linkid=220835.
2. Install the patch
MS03-026 from the Microsoft Download Center:
Windows NT 4 Server &
Workstation
http://go.microsoft.com/?linkid=220836
Windows NT 4 Terminal
Server Edition
http://go.microsoft.com/?linkid=220837
Windows 2000
http://go.microsoft.com/?linkid=220838
Windows XP (32 bit)
http://go.microsoft.com/?linkid=220839
Windows XP (64 bit)
http://go.microsoft.com/?linkid=220840
Windows 2003 (32 bit)
http://go.microsoft.com/?linkid=220841
Windows 2003 (64 bit)
http://go.microsoft.com/?linkid=220842
3. As always, please make
sure to use the latest antivirus detection from your antivirus vendor to detect
new viruses and their variants.
Related Knowledge Base
Articles:
http://go.microsoft.com/?linkid=220843
Related Microsoft
Security Bulletins:
http://go.microsoft.com/?linkid=220844
If you have any questions
regarding this alert, please contact your Microsoft representative or
1-866-727-2338 (1-866-PCSafety) within the United States; outside of the United
States please contact your local Microsoft Subsidiary.
Microsoft Communities is
your launching pad for communicating online with peers and experts about
Microsoft products, technologies, and services:
http://go.microsoft.com/?linkid=220819
THIS DOCUMENT AND OTHER
DOCUMENTS PROVIDED PURSUANT TO THIS PROGRAM ARE FOR INFORMATIONAL PURPOSES
ONLY. The information type should not be interpreted to be a commitment on the
part of Microsoft and Microsoft cannot guarantee the accuracy of any
information presented after the date of publication. INFORMATION PROVIDED IN
THIS DOCUMENT IS PROVIDED 'AS IS' WITHOUT WARRANTY OF ANY KIND. The user
assumes the entire risk as to the accuracy and the use of this document.
microsoft.com newsletter
e-mail may be copied and distributed subject to the following conditions:
1. All text must be
copied without modification and all pages must be included
2. All copies must contain
Microsoft's copyright notice and any other notices provided therein
3. This document may not
be distributed for profit