Wednesday, April 16, 2008

Viruses, Blaster Worm

Here is the information to protect your computer from the Blaster Worm. You will know you have this virus if your computer keeps reporting errors with svchost.exe

You should also setup a firewall.

PSS Security Response Team Alert - New Worm: W32.Blaster.worm
SEVERITY: CRITICAL

DATE: Updated August 16, 2003 12:51 PDT

PRODUCTS AFFECTED: Windows XP, Windows 2000, Windows Server 2003, Windows NT 4.0 Server, Windows NT 4.0 Terminal Services Edition, Windows NT 4.0 Workstation

Update: Microsoft has released a tool that can be used to scan a network for the presence of systems which do not have the MS03-026 patch installed. More details on this tool are available in Microsoft Knowledge Base article 826369. This tool is designed for enterprise administrators who have had difficulties detecting systems in need of security patch MS03-026. To go directly to the download page click here - MS03-026 Scanning Tool

An additional tool has been published to help system administrators. Microsoft Knowledge Base article 827227 describes a sample Microsoft Visual Basic Scripting Edition script that is named Patchinstall.vbs. This script is an example of how a network administrator can use Windows Management Instrumentation (WMI) scripting to install the 823980 (MS03-026) security patch on remote host computers that do not have the patch installed in a Microsoft Windows NT, Microsoft Windows 2000, or Microsoft Windows Server 2003 domain environment. System administrators should read this Knowledge Base article to determine if the MS03-026 install tool can be appropriately leveraged in their environments.


WHAT IS IT?

The Microsoft Product Support Services Security Team is issuing this alert to inform customers about a new worm named W32.Blaster.Worm which is spreading in the wild. This virus is also known as: W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trendmicro), Win32.Posa.Worm (Computer Associates). Best practices, such as applying security patch MS03-026 should prevent infection from this worm.

Date discovered: August 11, 2003. Customers who had previously applied the security patch MS03-026 are protected. To determine if the virus is present on your machine see the technical details below.

IMPACT OF ATTACK:

Spread through open RPC ports. Customer's machine gets re-booted or the file "msblast.exe" exists on customer's system.

TECHNICAL DETAILS:

This worm scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability patched by MS03-026.

Once the Exploit code is sent to a system, it downloads and executes the file MSBLAST.EXE from a remote system via TFTP. Once run, the worm creates the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill

Symptoms of the virus: Some customers may not notice any symptoms at all. A typical symptom is the system is rebooting every few minutes without user input. Customers may also see:

- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory

To detect this virus, search for msblast.exe in the WINDOWS SYSTEM32 directory or download the latest anti-virus software signature from your anti-virus vendor and scan your machine.

For additional information on recovering from this attack please contact your preferred anti-virus vendor. Please note there are several variants of this worm, and the most up-to-date information on these variants can be found at your preferred anti-virus vendor's web site.

RECOVERY:

Many Antivirus companies have written tools to remove the known exploit associated with this particular worm. To download the removal tool from your antivirus vendor follow the procedures outlined below.

For Windows XP

1. Enable the built in firewall such as Internet Connection Firewall (ICF) in Windows XP: http://support.microsoft.com/?id=283673

--From your Windows Start menu, run the Control Panel. In the Control Panel, double-click "Networking and Internet Connections", and then click "Network Connections".

--Right-click the connection on which you would like to enable the firewall, and then click "Properties". The connection you choose should be the one that you use to get access to the Internet.

--On the Advanced tab, click the box to select the option to ?Protect my computer or network?. Now your Windows XP firewall is enabled. If you are running Windows 2000 or Windows NT 4.0, you should enable a 3rd Party firewall product.

2. Download the MS03-026 security patch from Microsoft:


Windows XP (32 bit) [NOTE:Most customers have this edition. If you are unsure, try this first.]

Windows XP (64 bit)


3. Install or update your anti-virus signature software. Look below for direct links to Microsoft Virus Information Alliance (VIA) partners or contact your own anti-virus vendor's web site. You will also find direct links to anti-virus removal tools for this worm.

For Windows 2000 systems, where Internet Connection Firewall (ICF) is not available, the following steps will help block the affected ports so that the system can be patched. These steps are based on a modified excerpt from the article; HOW TO: Configure TCP/IP Filtering in Windows 2000. http://support.microsoft.com/?id=309798

1. Configure TCP/IP security on Windows 2000:

--Select "Network and Dial-up Connections" in the control panel.

--Right-click the interface you use to access the Internet, and then click "Properties".

--In the "Components checked are used by this connection" box, click "Internet Protocol (TCP/IP)", and then click "Properties".

--In the Internet Protocol (TCP/IP) Properties dialog box, click "Advanced".

--Click the "Options" tab.

--Click "TCP/IP filtering", and then click "Properties".

--Select the "Enable TCP/IP Filtering (All adapters)" check box.

--There are three columns with the following labels:

TCP Ports

UDP Ports

IP Protocols

--In each column, you must select the "Permit Only" option. >

--Click OK.

2. Download the MS03-026 security patch for Windows 2000 from Microsoft at: http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe

3. Install or update your anti-virus signature software. Look below for direct links to Microsoft Virus Information Alliance (VIA) partners or contact your own anti-virus vendor's web site. You will also find direct links to anti-virus removal tools for this worm.

For additional details on this worm from anti-virus software vendors participating in the Microsoft Virus Information Alliance (VIA) please visit the following links:

Network Associates:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547

Trend Micro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A

Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Computer Associates:
http://www3.ca.com/virusinfo/virus.aspx?ID=36265

For more information on Microsoft?s Virus Information Alliance please visit this link:
http://www.microsoft.com/technet/security/virus/via.asp

For details on cleanup tools from anti-virus software vendors participating in the Microsoft Virus Information Alliance (VIA) please visit the following links:

Network Associates:
http://vil.nai.com/vil/stinger/

Trend Micro:
http://www.trendmicro.com/download/tsc.asp

Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

Computer Associates:
http://www3.ca.com/solutions/collateral.asp?CT=27081&CID=48952

If your anti-virus vendor is not a part of the Microsoft Virus Information Alliance(VIA), please visit their web site as most anti-virus vendors offer a cleanup tool for their customers.


Please contact your Antivirus Vendor for additional details on this virus.

PREVENTION:

Turn on Internet Connection Firewall (Windows XP or Windows Server 2003) or use a third party firewall to block TCP ports 135, 139, 445 and 593; UDP port 135, 137,138;also UDP 69 (TFTP) and TCP 4444 for remote command shell. To enable the Internet Connection Firewall in Windows: http://support.microsoft.com/?id=283673


In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
Right-click the connection on which you would like to enable ICF, and then click Properties.
On the Advanced tab, click the box to select the option to Protect my computer or network.
This worm utilizes a previously-announced vulnerability as part of its infection method. Because of this, customers must ensure that their computers are patched for the vulnerability that is identified in Microsoft Security MS03-026. In order to assist customers, Microsoft has released a tool which can be used to scan a network for the presence of systems which have not had the MS03-026 patch installed. More details on this tool are available in Microsoft Knowledge Base article 826369.


Install the patch MS03-026 from Windows Update:

Windows NT 4 Server & Workstation

Windows NT 4 Terminal Server Edition

Windows 2000

Windows XP (32 bit) [NOTE: Most customers have this edition. If you are unsure, try this first.]

Windows XP (64 bit)

Windows 2003 (32 bit) [NOTE: Most customers have this edition. If you are unsure, try this first.]

Windows 2003 (64 bit)

As always, please make sure to use the latest anti-virus detection from your anti-virus vendor to detect new viruses and their variants.

RELATED KB'S:
http://support.microsoft.com/?kbid=826955

RELATED MICROSOFT SECURITY BULLETINS:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

RELATED LINKS:
Frequently Asked Questions Regarding Blaster
http://www.microsoft.com/security/incident/blast.asp


If you have any questions regarding this alert please contact your Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the US, outside of the US please contact your local Microsoft Subsidiary.

PSS Security Response Team

http://www.microsoft.com/technet/security/virus/alerts/msblaster.asp?frame=true






Subscribe to "Internet Lifestyle"


0 comments: