-- forwarded newsletter from Microsoft --



You are receiving this message because you are a Microsoft newsletter
subscriber. Please print this page for your reference.

For the most recent news about Blaster, it is very important that you visit
the Security page: http://www.microsoft.com/security/incident/blast.asp. You
will also find tips for helping Friends, family, and colleagues.

In This Newsletter:
-       Who Is Affected
-       Impact of Attack
-       Actions to Take
-       Technical Details
-       Recovery
-       Related Knowledge Base
-       Related Microsoft Security Bulletins
-       Tips for Helping Friends, Family, and Colleagues

At 11:34 A.M. Pacific Time on August 11, Microsoft began investigating a
worm reported by Microsoft Product Support Services (PSS).  Several
antivirus companies have responded and written tools to remove the Blaster
worm.

Who Is Affected?
Users of the following products are affected:
        - Microsoft(r) Windows NT(r) 4.0
        - Microsoft Windows(r) 2000
        - Microsoft Windows XP
        - Microsoft Windows ServerT 2003

The worm was discovered August 11. Customers who had previously applied the
security patch MS03-026 are protected.

To determine if the worm is present on your machine, see the technical
details below.

Actions for Network Administrators
Managers of networked computers should read the Microsoft Product Support
Services (PSS) Security Response Team alert for technical guidance:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
virus/alerts/msblaster.asp

Technical Details:
This worm scans a random IP range to look for vulnerable systems on TCP port
135. The worm attempts to exploit the DCOM RPC vulnerability patched by
MS03-026: http://www.microsoft.com/technet/security/bulletin/ms03-026.asp
Once the Exploit code is sent to a system, it downloads and executes the
file MSBLAST.EXE from a remote system via TFTP. Once run, the worm creates
the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows
auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill

Symptoms of the virus: Some customers may not notice any symptoms at all. A
typical symptom is the system reboots every few minutes without user input.
Customers may also see:
- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory

To detect this virus, search for msblast.exe in the WINDOWS SYSTEM32
directory or download the latest antivirus software signature from your
antivirus vendor and scan your machine.
For additional information on recovering from this attack, please contact
your preferred antivirus vendor.

Recovery:
Many antivirus companies have written tools to remove the known exploit
associated with this particular worm. To download the removal tool from your
antivirus vendor, follow the procedures outlined below.

For Windows XP
1. If your computer reboots repeatedly, please unplug your network cable
from the wall.
2. First, enable Internet Connection Firewall (ICF) in Windows XP:
http://support.microsoft.com/?id=283673
        --In Control Panel, double-click "Networking and Internet
Connections", and then click "Network Connections".
        --Right-click the connection on which you would like to enable ICF,
and then click "Properties".
        --On the Advanced tab, click the box to select the option to
"Protect my computer or network".
3. Plug the network cable back into the wall to reconnect your computer to
the Internet
4. Download the MS03-026 security patch from Microsoft and install it on
your computer:

Windows XP (32 bit)
http://www.microsoft.com/downloads/details.aspx?FamilyID=2354406c-c5b6-44ac-
9532-3de40f69c074&displaylang=en

Windows XP (64 bit)
http://www.microsoft.com/downloads/details.aspx?FamilyID=1b00f5df-4a85-488f-
80e3-c347adcc4df1&displaylang=en

5.Install or update your antivirus signature software and scan your computer

6.Download and run the worm removal tool from your antivirus vendor.

For Windows 2000 systems, where Internet Connection Firewall (ICF) is not
available, the following steps will help block the affected ports so that
the system can be patched. These steps are based on a modified excerpt from
the article; HOW TO: Configure TCP/IP Filtering in Windows 2000.
http://support.microsoft.com/?id=309798

1. Configure TCP/IP security on Windows 2000:
        --Select "Network and Dial-up Connections" in Control Panel.
        --Right-click the interface you use to access the Internet, and then
click "Properties".
        --In the "Components checked are used by this connection" box, click
"Internet Protocol (TCP/IP)", and then click            "Properties".
        --In the Internet Protocol (TCP/IP) Properties dialog box, click
"Advanced".
        --Click the "Options" tab.
        --Click "TCP/IP filtering", and then click "Properties".
        --Select the "Enable TCP/IP Filtering (All adapters)" check box.
        --There are three columns with the following labels:
        TCP Ports
        UDP Ports
        IP Protocols
        --In each column, you must select the "Permit Only" option.
        --Click OK.

2. Download the MS03-026 security patch for Windows 2000 from Microsoft and
install it on your computer from:
http://www.microsoft.com/downloads/details.aspx?FamilyID=c8b8a846-f541-4c15-
8c9f-220354449117&displaylang=en

3. Install or update your antivirus signature software and scan your
computer

4. Then, download and run the worm removal tool from your antivirus vendor.

For additional details on this worm from antivirus software vendors
participating in the Microsoft Virus Information Alliance (VIA), please
visit the following links:

Network Associates:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547

Trend Micro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST
.A

Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.htm
l

Computer Associates:
http://www3.ca.com/virusinfo/virus.aspx?ID=36265

For more information on Microsoft's Virus Information Alliance, please visit
this link:
http://www.microsoft.com/technet/security/virus/via.asp

Please contact your antivirus vendor for additional details on this virus.

Prevention:
1. Turn on Internet Connection Firewall (Windows XP or Windows Server 2003)
or use a third-party firewall to block TCP ports 135, 139, 445 and 593; UDP
port 135, 137,138; also UDP 69 (TFTP)and TCP 4444 for remote command shell.
To enable the Internet Connection Firewall in Windows:
http://support.microsoft.com/?id=283673
        --In Control Panel, double-click "Networking and Internet
Connections", and then click "Network Connections".
        --Right-click the connection on which you would like to enable ICF,
and then click "Properties".
        --On the Advanced tab, click the box to select the option to
"Protect my computer or network".

This worm utilizes a previously announced vulnerability as part of its
infection method. Because of this, customers must ensure that their
computers are patched for the vulnerability that is identified in Microsoft
Security Bulletin MS03-026.
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.

2. Install the patch MS03-026 from the Microsoft Download Center:
Windows NT 4 Server & Workstation
http://www.microsoft.com/downloads/details.aspx?FamilyID=2cc66f4e-217e-4fa7-
bdbf-df77a0b9303f&DisplayLang=en

Windows NT 4 Terminal Server Edition
http://www.microsoft.com/downloads/details.aspx?FamilyID=6c0f0160-64fa-424c-
a3c1-c9fad2dc65ca&DisplayLang=en

Windows 2000
http://www.microsoft.com/downloads/details.aspx?FamilyID=c8b8a846-f541-4c15-
8c9f-220354449117&displaylang=en

Windows XP (32 bit)
http://www.microsoft.com/downloads/details.aspx?FamilyID=2354406c-c5b6-44ac-
9532-3de40f69c074&displaylang=en

Windows XP (64 bit)
http://www.microsoft.com/downloads/details.aspx?FamilyID=1b00f5df-4a85-488f-
80e3-c347adcc4df1&displaylang=en

Windows 2003 (32 bit)
http://www.microsoft.com/downloads/details.aspx?FamilyID=f8e0ff3a-9f4c-4061-
9009-3a212458e92e&DisplayLang=en

Windows 2003 (64 bit)
http://www.microsoft.com/downloads/details.aspx?FamilyID=2b566973-c3f0-4ec1-
995f-017e35692bc7&DisplayLang=en

3. As always, please make sure to use the latest antivirus detection from
your antivirus vendor to detect new viruses and their variants.

Related Knowledge Base Articles:
http://support.microsoft.com/?kbid=826955

Related Microsoft Security Bulletins:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

If you have any questions regarding this alert, please contact your
Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the
United States; outside of the United States please contact your local
Microsoft Subsidiary.


Microsoft Communities is your launching pad for communicating online with
peers and experts about Microsoft products, technologies, and services:
http://communities.microsoft.com/home/default.asp

~~~~~~~~~~~~~~~~~~~~~~~~~ How to use this mailing
list~~~~~~~~~~~~~~~~~~~~~~~~

To cancel your subscription to this newsletter, either click
mailto:[log in to unmask]
.com?subject=UNSUBSCRIBE to send an unsubscribe e-mail or reply to this
message with the word UNSUBSCRIBE in the Subject line. To stop all e-mail
newsletters from microsoft.com, either click
mailto:[log in to unmask]
.com?subject=STOPMAIL to send your request or reply to this message with the
word STOPMAIL in the Subject Line. You can also unsubscribe at
http://www.microsoft.com/misc/unsubscribe.htm. You can manage all your
Microsoft.com communication preferences from this site.

THIS DOCUMENT AND OTHER DOCUMENTS PROVIDED PURSUANT TO THIS PROGRAM ARE FOR
INFORMATIONAL PURPOSES ONLY. The information type should not be interpreted
to be a commitment on the part of Microsoft and Microsoft cannot guarantee
the accuracy of any information presented after the date of publication.
INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED 'AS IS' WITHOUT WARRANTY
OF ANY KIND. The user assumes the entire risk as to the accuracy and the use
of this document.
microsoft.com newsletter e-mail may be copied and distributed subject to the
following conditions:
1. All text must be copied without modification and all pages must be
included
2. All copies must contain Microsoft's copyright notice and any other
notices provided therein
3. This document may not be distributed for profit

Mark Senk | 412-386-6513 | [log in to unmask]


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
 VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html