PSS Critical Security Alert - New Worm: Nachi, Blaster-D, Welchia

Posted: 08-18-2003, 11:58 PM
PSS Security Response Team Alert - New Worm: Nachi, Blaster-D, Welchia

SEVERITY: CRITICAL
DATE: 08/18/2003
PRODUCTS AFFECTED: Windows 2000 and XP, Internet Information Services 5.0

**********************************************************************

WHAT IS IT?
A new worm is spreading in the wild. The Microsoft Product Support Services
Security Team is issuing this alert to advise customers to be on the alert
for this virus as it spreads in the wild. Customers are advised to review
the information and take the appropriate action for their environments.

IMPACT OF ATTACK: Network Propagation, Patch Installation

TECHNICAL DETAILS:
Similar to the earlier Blaster worm and its variants, this worm also
exploits the vulnerability patched by Microsoft Security Bulletin MS03-026,
and instructs target systems to download its copy from the affected system
using the TFTP program.

In addition to exploiting the RPC vulnerability patched by Microsoft
Security Bulletin MS03-026 this worm also uses a previously patched
vulnerability in Microsoft Security Bulletin MS03-007 directed at IIS 5.0
over port 80 to propagate to un-patched systems.

In addition upon successful infection this worm also patches systems with
the patch for Microsoft Security Bulletin MS03-026. It does this by first
determining the operating system and then downloading the associated patch
for that operating system.

For additional details on this worm from anti-virus software vendors
participating in the Microsoft Virus Information Alliance (VIA) please visit
the following links:

Network Associates:

http://vil.nai.com/vil/content/v_100559.htm

Trend Micro:

http://www.trendmicro.com/vinfo/viru...WORM_MSBLAST.D

Symantec

http://securityresponse.symantec.com...chia.worm.html

For more information on Microsoft's Virus Information Alliance please visit
this link: http://www.microsoft.com/technet/security/virus/via.asp

Please contact your Antivirus Vendor for additional details on this virus.

PREVENTION:
Turn on Internet Connection Firewall (Windows XP or Windows Server 2003) or
use a third party firewall to block incoming TCP ports 80, 135, 139, 445 and
593; UDP ports 135, 137, 38.

To enable the Internet Connection Firewall in Windows XP please see the
instructions below or visit this KnowledgeBase Article:
http://support.microsoft.com/?id=283673

- In Control Panel, double-click Networking and Internet Connections, and
  then click Network Connections.
- Right-click the connection on which you would like to enable ICF, and then
  click Properties.
- On the Advanced tab, click the box to select the option to Protect my
  computer or network.

This worm utilizes two previously-announced vulnerabilities as part of its
infection method. Because of this, customers must ensure that their
computers are patched for the vulnerabilities that are identified in the
following Microsoft Security Bulletins.

Microsoft Security Bulletin MS03-026
http://www.microsoft.com/technet/sec...n/MS03-026.asp
Microsoft Security Bulletin MS03-007
http://www.microsoft.com/technet/sec...n/MS03-007.asp

In order to assist customers with the installation of the patch for
Microsoft Security Bulletin MS03-026 Microsoft has released a tool which can
be used to scan a network for the presence of systems which have not had the
MS03-026 patch installed. More details on this tool are available in
Microsoft Knowledge Base article 826369.

RECOVERY:
If your computer has been infected with this virus, please contact your
preferred antivirus vendor or Product Support Services for assistance with
removing it.

RELATED KB ARTICLES:
http://support.microsoft.com/default...b;en-us;826234
This article will be available within 24 hours.

RELATED SECURITY BULLETINS:
Microsoft Security Bulletin MS03-026
http://www.microsoft.com/technet/sec...n/MS03-026.asp
Microsoft Security Bulletin MS03-007
http://www.microsoft.com/technet/sec...n/MS03-007.asp

VIRUS ALERT LINK:
http://www.microsoft.com/technet/sec...erts/nachi.asp

As always please make sure to use the latest Anti-Virus detection from your
Anti-Virus vendor to detect new viruses and their variants.

If you have any questions regarding this alert please contact your Microsoft
representative or 1-866-727-2338 (1-866-PCSafety) within the US, outside of
the US please contact your local Microsoft Subsidiary. Support for virus
related issues can also be obtained from the Microsoft Virus Support
Newsgroup which can be located by clicking on the following link
news://msnews.microsoft.com/microsof...security.virus.

PSS Security Response Team


--
Regards,

Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities

Get Secure! www.microsoft.com/security


This posting is provided "AS IS" with no warranties, and confers no rights.
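
The port list under PREVENTION can also serve as a detection filter. The following is an added example, not part of the original alert or thread: it reads an Internet Connection Firewall log and tallies, per source address, dropped packets aimed at the alert's ports and ICMP echo requests. The log field order, the DROP/OPEN action names, the thresholds and the sample lines are assumptions or constructed data.

```python
from collections import defaultdict

# Inbound ports the alert says to block; the UDP list is copied as posted.
ALERT_PORTS = {"TCP": {80, 135, 139, 445, 593}, "UDP": {135, 137, 38}}
ICMP_ECHO_REQUEST = "8"   # ICMP type of a ping; replies in the thread report ICMP flooding
MIN_PORT_HITS = 3         # hypothetical threshold, tune per network
MIN_ECHO_REQUESTS = 4     # hypothetical threshold, tune per network

# Constructed sample in the assumed pfirewall.log layout (documentation addresses only).
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2003-08-19 00:01:10 DROP ICMP 192.0.2.10 198.51.100.5 - - 92 - - - - 8 0 -
2003-08-19 00:01:11 DROP TCP 192.0.2.10 198.51.100.5 3345 135 48 S 1101 0 16384 - - -
2003-08-19 00:01:12 DROP TCP 192.0.2.10 198.51.100.5 3346 80 48 S 1102 0 16384 - - -
2003-08-19 00:01:13 DROP TCP 192.0.2.10 198.51.100.5 3347 135 48 S 1103 0 16384 - - -
2003-08-19 00:02:00 DROP ICMP 192.0.2.77 198.51.100.5 - - 92 - - - - 8 0 -
2003-08-19 00:02:01 DROP ICMP 192.0.2.77 198.51.100.5 - - 92 - - - - 8 0 -
2003-08-19 00:02:02 DROP ICMP 192.0.2.77 198.51.100.5 - - 92 - - - - 8 0 -
2003-08-19 00:02:03 DROP ICMP 192.0.2.77 198.51.100.5 - - 92 - - - - 8 0 -
2003-08-19 00:03:00 OPEN TCP 198.51.100.5 203.0.113.9 1040 80 - - - - - - - -
2003-08-19 00:03:05 DROP UDP 192.0.2.50 198.51.100.5 1027 137 78 - - - - - - -
2003-08-19 00:03:09 DROP TCP 192.0.2.50 198.51.100.5 4000 25 48 S 1200 0 16384 - - -
2003-08-19 00:04:00 DROP TCP 192.0.2.99
"""


def parse_records(text):
    """Yield a dict per data line, keyed by the #Fields header; None if malformed."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line or line.startswith("#"):
            continue
        else:
            values = line.split()
            ok = fields is not None and len(values) == len(fields)
            yield dict(zip(fields, values)) if ok else None


def classify(rec):
    """Return 'tcp/135'-style label, 'icmp-echo', or None for other traffic."""
    proto = rec.get("protocol", "").upper()
    if proto == "ICMP":
        return "icmp-echo" if rec.get("icmptype") == ICMP_ECHO_REQUEST else None
    port = rec.get("dst-port", "")
    if port.isdigit() and int(port) in ALERT_PORTS.get(proto, ()):
        return f"{proto.lower()}/{port}"
    return None


def summarize(text):
    """Tally dropped packets per source; returns (summary, malformed_line_count)."""
    sources = defaultdict(lambda: {"ports": defaultdict(int), "echo": 0})
    skipped = 0
    for rec in parse_records(text):
        if rec is None:
            skipped += 1
            continue
        if rec.get("action") != "DROP":   # OPEN/CLOSE lines are permitted sessions
            continue
        label = classify(rec)
        if label == "icmp-echo":
            sources[rec["src-ip"]]["echo"] += 1
        elif label:
            sources[rec["src-ip"]]["ports"][label] += 1
    summary = {ip: {"ports": dict(s["ports"]), "echo": s["echo"]}
               for ip, s in sources.items()}
    return summary, skipped


def flagged_sources(summary):
    """Sources whose alert-port hits or echo requests reach a threshold."""
    return sorted(
        ip for ip, s in summary.items()
        if sum(s["ports"].values()) >= MIN_PORT_HITS or s["echo"] >= MIN_ECHO_REQUESTS
    )


if __name__ == "__main__":
    summary, skipped = summarize(SAMPLE_LOG)
    for ip in flagged_sources(summary):
        print(ip, summary[ip])
    print("malformed lines skipped:", skipped)
```
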



Responses to "PSS Critical Security Alert - New Worm: Nachi, Blaster-D, Welchia"

Larry Samuels MS-MVP XP (Shell/User)
Re: PSS Critical Security Alert - New Worm: Nachi, Blaster-D, Welchia
Posted: 08-19-2003, 12:02 AM
Thanks Jerry!!

--
Larry Samuels MS-MVP (Windows-Shell/User)
Associate Expert
Unofficial FAQ for Windows Server 2003 at
http://home.earthlink.net/~larrysamuels/WS2003FAQ.htm
Expert Zone - www.microsoft.com/windowsxp/expertzone

Duncan McNutt [FTSE]
Re: PSS Critical Security Alert - New Worm: Nachi, Blaster-D, Welchia
Posted: 08-19-2003, 12:12 AM
yes but this is a good worm, but it's got an open port 707 - LOL

--

Duncan McNutt
Microsoft Product Deactivation Team
--

Larry Samuels MS-MVP XP (Shell/User)
Re: PSS Critical Security Alert - New Worm: Nachi, Blaster-D, Welchia
Posted: 08-19-2003, 12:17 AM
Not good if you have been seeing the reports of ICMP flooding.

--
Larry Samuels MS-MVP (Windows-Shell/User)
Associate Expert
Unofficial FAQ for Windows Server 2003 at
http://home.earthlink.net/~larrysamuels/WS2003FAQ.htm
Expert Zone - www.microsoft.com/windowsxp/expertzone

Larry Samuels MS-MVP XP (Shell/User)
Re: PSS Critical Security Alert - New Worm: Nachi, Blaster-D, Welchia
Posted: 08-19-2003, 12:33 AM
Shhh--don't give them any ideas!!

--
Larry Samuels MS-MVP (Windows-Shell/User)
Associate Expert
Unofficial FAQ for Windows Server 2003 at
http://home.earthlink.net/~larrysamuels/WS2003FAQ.htm
Expert Zone - www.microsoft.com/windowsxp/expertzone
" Duncan McNutt [FTSE]" <titmaster@127.0.0.706> wrote in message
news:%23283h%23dZDHA.1644@TK2MSFTNGP10.phx.gbl...
> I think they had the perfect opportunity to cause major annoyance, not
> target windows update but if they targeted the activation servers and on top
> of that, triggered all the XP rigs and 2003 servers out there by forcing a
> keychange to trigger WPA:
>
> Now that would have been news
>
> --
>
> Duncan McNutt
> Microsoft Product Deactivation Team
> --
David H. Lipman
Re: PSS Critical Security Alert - New Worm: Nachi, Blaster-D, Welchia
Posted: 08-19-2003, 12:35 AM
No, it's not a "good" worm. It causes a lot of ICMP traffic and exploits two vulnerabilities;
one is WebDAV.

There is nothing good about this or any other worm.

Dave

" Duncan McNutt [FTSE]" <titmaster@127.0.0.706> wrote in message
news:OAY0u1dZDHA.2572@TK2MSFTNGP12.phx.gbl...
| yes but this is a good worm, but it's got an open port 707 - LOL
|
| --
|
| Duncan McNutt
| Microsoft Product Deactivation Team
| --
|
|
| "Larry Samuels MS-MVP XP (Shell/User)" <larry@mvps.org> wrote in message
| news:#8dNbzdZDHA.2580@TK2MSFTNGP12.phx.gbl...
| > Thanks Jerry!!
| >
| > --
| > Larry Samuels MS-MVP (Windows-Shell/User)
| > Associate Expert
| > Unofficial FAQ for Windows Server 2003 at
| > http://home.earthlink.net/~larrysamuels/WS2003FAQ.htm
| > Expert Zone - www.microsoft.com/windowsxp/expertzone


Paul Lynch
Re: PSS Critical Security Alert - New Worm: Nachi, Blaster-D, Welschia
Posted: 08-19-2003, 01:18 AM
http://isc.sans.org/diary.html?date=2003-08-18
Regards,

Paul Lynch
MCSE