A Windows XP help forum. PCbanter
How to Recover from Blaster virus [was Updated W32.Blaster.worm Alert]
#1
December 14th 03, 11:18 AM
Kent W. England [MVP]
How to Recover from Blaster virus [was Updated W32.Blaster.worm Alert]

This article wraps everything up quite nicely, including how to remove
the infection without wiping out your system. Good job.

The only thing I would add is that if you can't keep your system up long
enough to read and follow these directions, try killing the msblast.exe
process using Task Manager. This should give you sufficient time. If you
reboot before cleaning, kill it again.

--
Kent W. England, Microsoft MVP for Windows



"Jerry Bryant [MSFT]" wrote in message
...
PSS Security Response Team Alert - New Virus: W32.Blaster.worm Update

SEVERITY: CRITICAL
DATE: August 12, 2003
PRODUCTS AFFECTED: Windows XP, Windows 2000, Windows Server 2003, Windows NT 4.0, NT 4.0 Terminal Services Edition

Update: PSS Security has updated the recovery procedures in this bulletin.
Windows 9X operating systems are not affected by this virus.
**********************************************************************

WHAT IS IT?
The Microsoft Product Support Services Security Team is issuing this alert to inform customers about a new worm named W32.Blaster.Worm which is spreading in the wild. This virus is also known as: W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trend Micro), Win32.Posa.Worm (Computer Associates). Best practices, such as applying security patch MS03-026, should prevent infection from this worm.

Date discovered: August 11, 2003. Customers who had previously applied the security patch MS03-026 are protected. To determine if the virus is present on your machine see the technical details below.

IMPACT OF ATTACK:
Spread through open RPC ports. Customer's machine gets re-booted or the file "msblast.exe" exists on customer's system.

TECHNICAL DETAILS:
This worm scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability patched by MS03-026.

Once the exploit code is sent to a system, it downloads and executes the file MSBLAST.EXE from a remote system via TFTP. Once run, the worm creates the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill

Symptoms of the virus: Some customers may not notice any symptoms at all. A typical symptom is the system rebooting every few minutes without user input. Customers may also see:

- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory

To detect this virus, search for msblast.exe in the WINDOWS SYSTEM32 directory or download the latest anti-virus software signature from your anti-virus vendor and scan your machine.

For additional information on recovering from this attack please contact your preferred anti-virus vendor.

RECOVERY:
Security best practices suggest that previously compromised machines be wiped and rebuilt to eliminate any undiscovered exploits that can lead to a future compromise. See CERT Advisory:
Steps for Recovering from a UNIX or NT System Compromise.
http://www.cert.org/tech_tips/win-UN...ompromise.html

However, many Anti-Virus companies have written tools to remove the known exploit associated with this particular worm. To download the removal tool from your antivirus vendor follow the procedures outlined below.

For Windows XP
1. First, enable the built-in firewall such as Internet Connection Firewall (ICF) in Windows XP: http://support.microsoft.com/?id=283673
--In Control Panel, double-click "Networking and Internet Connections", and then click "Network Connections".
--Right-click the connection on which you would like to enable ICF, and then click "Properties".
--On the Advanced tab, click the box to select the option to "Protect my computer or network".

2. Second, download the MS03-026 security patch from Microsoft:

Windows XP (32 bit)
http://download.microsoft.com/downlo...80-x86-ENU.exe

Windows XP (64 bit)
http://download.microsoft.com/downlo...0-ia64-ENU.exe

3. Third, install or update your antivirus signature software.
4. Then, download the worm removal tool from your antivirus vendor.

For Windows 2000 systems, where Internet Connection Firewall (ICF) is not available, the following steps will help block the affected ports so that the system can be patched. These steps are based on a modified excerpt from the article HOW TO: Configure TCP/IP Filtering in Windows 2000.
http://support.microsoft.com/?id=309798

1. Configure TCP/IP security on Windows 2000:
--Select "Network and Dial-up Connections" in the control panel.
--Right-click the interface you use to access the Internet, and then click "Properties".
--In the "Components checked are used by this connection" box, click "Internet Protocol (TCP/IP)", and then click "Properties".
--In the Internet Protocol (TCP/IP) Properties dialog box, click "Advanced".
--Click the "Options" tab.
--Click "TCP/IP filtering", and then click "Properties".
--Select the "Enable TCP/IP Filtering (All adapters)" check box.
--There are three columns with the following labels:
   TCP Ports
   UDP Ports
   IP Protocols
--In each column, you must select the "Permit Only" option.
--Click OK.

2. Download the MS03-026 security patch for Windows 2000 from Microsoft at:
http://download.microsoft.com/downlo...80-x86-ENU.exe

3. Install or update your antivirus signature software.
4. Then, download the worm removal tool from your antivirus vendor.

For additional details on this worm from anti-virus software vendors participating in the Microsoft Virus Information Alliance (VIA) please visit the following links:

Network Associates:
http://us.mcafee.com/virusInfo/defau...virus_k=100547

Trend Micro:
http://www.trendmicro.com/vinfo/viru...WORM_MSBLAST.A

Symantec:
http://securityresponse.symantec.com...ster.worm.html

Computer Associates:
http://www3.ca.com/virusinfo/virus.aspx?ID=36265

For more information on Microsoft's Virus Information Alliance please visit this link:
http://www.microsoft.com/technet/security/virus/via.asp

As always, please make sure to use the latest Anti-Virus detection software signature from your Anti-Virus vendor to detect new viruses and their variants.

PREVENTION:
Turn on Internet Connection Firewall (Windows XP or Windows Server 2003) or use a third party firewall to block TCP ports 135, 139, 445 and 593; UDP ports 135, 137, 138; also UDP 69 (TFTP) and TCP 4444 for remote command shell.

To enable the Internet Connection Firewall in Windows:
http://support.microsoft.com/?id=283673

-In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
-Right-click the connection on which you would like to enable ICF, and then click Properties.
-On the Advanced tab, click the box to select the option to "Protect my computer or network".

This worm utilizes a previously-announced vulnerability as part of its infection method. Because of this, customers must ensure that their computers are patched for the vulnerability that is identified in Microsoft Security Bulletin MS03-026.
http://www.microsoft.com/technet/sec.../MS03-026.asp

Install the patch MS03-026 from Windows Update:

Windows NT 4 Server & Workstation
http://download.microsoft.com/downlo...a/Q823980i.EXE

Windows NT 4 Terminal Server Edition
http://download.microsoft.com/downlo...9/Q823980i.EXE

Windows 2000
http://download.microsoft.com/downlo...80-x86-ENU.exe

Windows XP (32 bit)
http://download.microsoft.com/downlo...80-x86-ENU.exe

Windows XP (64 bit)
http://download.microsoft.com/downlo...0-ia64-ENU.exe

Windows 2003 (32 bit)
http://download.microsoft.com/downlo...80-x86-ENU.exe

Windows 2003 (64 bit)
http://download.microsoft.com/downlo...0-ia64-ENU.exe

As always, please make sure to use the latest Anti-Virus detection from your Anti-Virus vendor to detect new viruses and their variants.

RELATED MICROSOFT SECURITY BULLETINS:
http://www.microsoft.com/technet/sec...n/MS03-026.asp

RELATED KB ARTICLES: http://support.microsoft.com/?kbid=826955
This article will be available within 24 hours.

RELATED LINKS: http://www.microsoft.com/security/incident/blast.asp

If you have any questions regarding this alert please contact your Technical Account Manager or Application Development Consultant.

PSS Security Response Team
If you have any questions regarding this alert please contact your Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the US; outside of the US please contact your local Microsoft Subsidiary. Support for virus related issues can also be obtained from the Microsoft Virus Support Newsgroup which can be located by clicking on the following link
news://msnews.microsoft.com/microsof...ecurity.virus.

PSS Security Response Team


--
Regards,

Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities

Get Secure! www.microsoft.com/security


This posting is provided "AS IS" with no warranties, and confers no rights.


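The alert above gives a responder three kinds of evidence to look for: host artefacts (the "windows auto update" Run value, msblast.exe in SYSTEM32, leftover TFTP* files, the running process), the worm's traffic pattern (random-range probing of TCP 135, then a TFTP fetch on UDP 69 and a command shell on TCP 4444), and a list of ports the perimeter should block. The following script is an added example written for this page; it is not code from the PCbanter thread, from Microsoft PSS or from any vendor. It runs the alert's indicators over constructed inputs: a Run-key export, a SYSTEM32 listing, a process list and a handful of firewall log lines in an assumed "<time> <action> <proto> <src>:<port> -> <dst>:<port>" format (adapt the regex to a real log source). The two extra executable names, teekids.exe and penis32.exe, are taken from the second reply in this thread.

```python
"""Triage helpers for the W32.Blaster indicators listed in the PSS alert above.

Added example; not code from the PCbanter thread, Microsoft PSS or any vendor.
Every input below is constructed: a Run-key export, a SYSTEM32 listing, a
process list and a few firewall log lines in an assumed
"<time> <action> <proto> <src>:<port> -> <dst>:<port>" format.
"""
import re
from collections import defaultdict

# Indicators from the alert (msblast.exe, the Run value name) plus the two
# variant file names given in the second reply of the thread.
WORM_EXES = {"msblast.exe", "teekids.exe", "penis32.exe"}
RUN_VALUE_NAME = "windows auto update"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Ports the alert's PREVENTION section says a perimeter firewall should block.
BLOCK_TCP = {135, 139, 445, 593, 4444}
BLOCK_UDP = {69, 135, 137, 138}


def host_indicators(run_values, system32_files, processes):
    """Return (kind, detail) pairs for the host artefacts the alert names:
    the Run value, the dropped executable, leftover TFTP files, the live process."""
    findings = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME or any(exe in data.lower() for exe in WORM_EXES):
            findings.append(("run_key", f"{RUN_KEY} value {name!r} = {data!r}"))
    for fname in system32_files:
        low = fname.lower()
        if low in WORM_EXES:
            findings.append(("dropped_file", fname))
        elif low.startswith("tftp") and low != "tftp.exe":
            # "Unusual TFTP* files"; tftp.exe is the client Windows ships (assumed benign).
            findings.append(("tftp_artifact", fname))
    for proc in processes:
        if proc.lower() in WORM_EXES:
            findings.append(("running_process", proc))
    return findings


def missing_port_blocks(blocked_tcp, blocked_udp):
    """Ports from the alert's block list that the current policy still leaves open."""
    return sorted(BLOCK_TCP - set(blocked_tcp)), sorted(BLOCK_UDP - set(blocked_udp))


# Assumed log line shape (constructed); adapt the regex to the real firewall.
LOG_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<action>\w+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def network_indicators(log_lines, scan_threshold=5):
    """Flag a source that probes TCP 135 on many distinct hosts (the worm's
    random-range scan) and any TCP 4444 / UDP 69 flow (command shell, TFTP fetch)."""
    probed = defaultdict(set)
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable lines are skipped, not treated as evidence
        proto, dport = m["proto"], int(m["dport"])
        if proto == "TCP" and dport == 135:
            probed[m["src"]].add(m["dst"])
        elif (proto, dport) in {("TCP", 4444), ("UDP", 69)}:
            findings.append(("payload_channel", f"{proto}/{dport} {m['src']} -> {m['dst']}"))
    for src, dsts in probed.items():
        if len(dsts) >= scan_threshold:
            findings.append(("rpc_scan", f"{src} probed {len(dsts)} hosts on TCP 135"))
    return findings


# Constructed sample data for a stand-alone run.
SAMPLE_RUN_VALUES = {
    "windows auto update": "msblast.exe I just want to say LOVE YOU SAN!! bill",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_SYSTEM32 = ["kernel32.dll", "msblast.exe", "tftp.exe", "TFTP2584", "svchost.exe"]
SAMPLE_PROCESSES = ["System", "svchost.exe", "msblast.exe", "explorer.exe"]
SAMPLE_LOG = [
    "12:00:01 DROP TCP 10.0.0.7:1031 -> 10.0.1.1:135",
    "12:00:01 DROP TCP 10.0.0.7:1032 -> 10.0.1.2:135",
    "12:00:01 DROP TCP 10.0.0.7:1033 -> 10.0.1.3:135",
    "12:00:02 DROP TCP 10.0.0.7:1034 -> 10.0.1.4:135",
    "12:00:02 DROP TCP 10.0.0.7:1035 -> 10.0.1.5:135",
    "12:00:03 ALLOW TCP 10.0.0.7:1040 -> 10.0.1.5:4444",
    "12:00:04 ALLOW UDP 10.0.1.5:1025 -> 10.0.0.7:69",
    "12:00:05 ALLOW TCP 10.0.0.9:2000 -> 10.0.1.1:80",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for kind, detail in host_indicators(SAMPLE_RUN_VALUES, SAMPLE_SYSTEM32, SAMPLE_PROCESSES):
        print(f"host    {kind:16} {detail}")
    for kind, detail in network_indicators(SAMPLE_LOG):
        print(f"network {kind:16} {detail}")
    print("still open:", missing_port_blocks({135, 139, 445}, {69}))
```

The scan threshold is deliberately a parameter: a single outbound connection to TCP 135 is ordinary DCOM traffic on a Windows network, while one source touching five or more distinct hosts on that port within a short log window is the behaviour the alert describes. The "unusual TFTP* files" rule excludes only tftp.exe itself; anything else starting with "tftp" in SYSTEM32 is reported for a human to look at rather than silently ignored.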

#2
December 14th 03, 11:39 AM
Larry Samuels MS-MVP XP (Shell/User)
How to Recover from Blaster virus [was Updated W32.Blaster.worm Alert]

If you are having trouble staying up:
When the shutdown prompt appears, go to start/run and type
shutdown -a to abort the shutdown process to allow you to stay up and
online.

http://www.kellys-korner-xp.com/xp_qr.htm#rpc

There are 2 more variants out now.
The exes for the variants are teekids.exe and penis32.exe
Kelly's script kills all 3 variants.


--
Larry Samuels MS-MVP (Windows-Shell/User)
Associate Expert
Unofficial FAQ for Windows Server 2003 at
http://home.earthlink.net/~larrysamuels/WS2003FAQ.htm
Expert Zone - www.microsoft.com/windowsxp/expertzon
"Kent W. England [MVP]" wrote in message
...
[snip]