J
Jerry Bryant [MSFT]
PSS Security Response Team Alert - New Worm: Nachi, Blaster-D, Welchia
SEVERITY: CRITICAL
DATE: 08/18/2003
PRODUCTS AFFECTED: Windows 2000 and XP, Internet Information Services 5.0
**********************************************************************
WHAT IS IT?
A new worm is spreading in the wild. The Microsoft Product Support Services
Security Team is issuing this alert to advise customers to be on the alert
for this virus as it spreads in the wild. Customers are advised to review
the information and take the appropriate action for their environments.
IMPACT OF ATTACK: Network Propagation, Patch Installation
TECHNICAL DETAILS:
Similar to the earlier Blaster worm and its variants, this worm also
exploits the vulnerability patched by Microsoft Security Bulletin MS03-026,
and instructs target systems to download its copy from the affected system
using the TFTP program.
In addition to exploiting the RPC vulnerability patched by Microsoft
Security Bulletin MS03-026 this worm also uses a previously patched
vulnerability in Microsoft Security Bulletin MS03-007 directed at IIS 5.0
over port 80 to propagate to un-patched systems.
In addition upon successful infection this worm also patches systems with
the patch for Microsoft Security Bulletin MS03-026. It does this by first
determining the operating system and then downloading the associated patch
for that operating system.
For additional details on this worm from anti-virus software vendors
participating in the Microsoft Virus Information Alliance (VIA) please visit
the following links:
Network Associates:
http://vil.nai.com/vil/content/v_100559.htm
Trend Micro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.D
Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
For more information on Microsoft's Virus Information Alliance please visit
this link: http://www.microsoft.com/technet/security/virus/via.asp
Please contact your Antivirus Vendor for additional details on this virus.
PREVENTION:
Turn on Internet Connection Firewall (Windows XP or Windows Server 2003) or
use a third party firewall to block incoming TCP ports 80, 135, 139, 445 and
593; UDP ports 135, 137, 38.
To enable the Internet Connection Firewall in Windows XP please see the
instructions below or visit this KnowledgeBase Article:
http://support.microsoft.com/?id=283673
.. In Control Panel, double-click Networking and Internet Connections, and
then click Network Connections.
.. Right-click the connection on which you would like to enable ICF, and then
click Properties.
.. On the Advanced tab, click the box to select the option to Protect my
computer or network.
This worm utilizes two previously-announced vulnerabilities as part of its
infection method. Because of this, customers must ensure that their
computers are patched for the vulnerabilities that are identified in the
following Microsoft Security Bulletins.
Microsoft Security Bulletin MS03-026
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
Microsoft Security Bulletin MS03-007
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
In order to assist customers with the installation of the patch for
Microsoft Security Bulletin MS03-026 Microsoft has released a tool which can
be used to scan a network for the presence of systems which have not had the
MS03-026 patch installed. More details on this tool are available in
Microsoft Knowledge Base article 826369.
RECOVERY:
If your computer has been infected with this virus, please contact your
preferred antivirus vendor or Product Support Services for assistance with
removing it.
RELATED KB ARTICLES:
http://support.microsoft.com/default.aspx?scid=kb;en-us;826234
This article will be available within 24 hours.
RELATED SECURITY BULLETINS:
Microsoft Security Bulletin MS03-026
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
Microsoft Security Bulletin MS03-007
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
VIRUS ALERT LINK:
http://www.microsoft.com/technet/security/virus/alerts/nachi.asp
As always please make sure to use the latest Anti-Virus detection from your
Anti-Virus vendor to detect new viruses and their variants.
If you have any questions regarding this alert please contact your Microsoft
representative or 1-866-727-2338 (1-866-PCSafety) within the US, outside of
the US please contact your local Microsoft Subsidiary. Support for virus
related issues can also be obtained from the Microsoft Virus Support
Newsgroup which can be located by clicking on the following link
news://msnews.microsoft.com/microsoft.public.security.virus.
PSS Security Response Team
--
Regards,
Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities
Get Secure! www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
SEVERITY: CRITICAL
DATE: 08/18/2003
PRODUCTS AFFECTED: Windows 2000 and XP, Internet Information Services 5.0
**********************************************************************
WHAT IS IT?
A new worm is spreading in the wild. The Microsoft Product Support Services
Security Team is issuing this alert to advise customers to be on the alert
for this virus as it spreads in the wild. Customers are advised to review
the information and take the appropriate action for their environments.
IMPACT OF ATTACK: Network Propagation, Patch Installation
TECHNICAL DETAILS:
Similar to the earlier Blaster worm and its variants, this worm also
exploits the vulnerability patched by Microsoft Security Bulletin MS03-026,
and instructs target systems to download its copy from the affected system
using the TFTP program.
In addition to exploiting the RPC vulnerability patched by Microsoft
Security Bulletin MS03-026 this worm also uses a previously patched
vulnerability in Microsoft Security Bulletin MS03-007 directed at IIS 5.0
over port 80 to propagate to un-patched systems.
In addition upon successful infection this worm also patches systems with
the patch for Microsoft Security Bulletin MS03-026. It does this by first
determining the operating system and then downloading the associated patch
for that operating system.
For additional details on this worm from anti-virus software vendors
participating in the Microsoft Virus Information Alliance (VIA) please visit
the following links:
Network Associates:
http://vil.nai.com/vil/content/v_100559.htm
Trend Micro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.D
Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
For more information on Microsoft's Virus Information Alliance please visit
this link: http://www.microsoft.com/technet/security/virus/via.asp
Please contact your Antivirus Vendor for additional details on this virus.
PREVENTION:
Turn on Internet Connection Firewall (Windows XP or Windows Server 2003) or
use a third party firewall to block incoming TCP ports 80, 135, 139, 445 and
593; UDP ports 135, 137, 38.
To enable the Internet Connection Firewall in Windows XP please see the
instructions below or visit this KnowledgeBase Article:
http://support.microsoft.com/?id=283673
.. In Control Panel, double-click Networking and Internet Connections, and
then click Network Connections.
.. Right-click the connection on which you would like to enable ICF, and then
click Properties.
.. On the Advanced tab, click the box to select the option to Protect my
computer or network.
This worm utilizes two previously-announced vulnerabilities as part of its
infection method. Because of this, customers must ensure that their
computers are patched for the vulnerabilities that are identified in the
following Microsoft Security Bulletins.
Microsoft Security Bulletin MS03-026
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
Microsoft Security Bulletin MS03-007
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
In order to assist customers with the installation of the patch for
Microsoft Security Bulletin MS03-026 Microsoft has released a tool which can
be used to scan a network for the presence of systems which have not had the
MS03-026 patch installed. More details on this tool are available in
Microsoft Knowledge Base article 826369.
RECOVERY:
If your computer has been infected with this virus, please contact your
preferred antivirus vendor or Product Support Services for assistance with
removing it.
RELATED KB ARTICLES:
http://support.microsoft.com/default.aspx?scid=kb;en-us;826234
This article will be available within 24 hours.
RELATED SECURITY BULLETINS:
Microsoft Security Bulletin MS03-026
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
Microsoft Security Bulletin MS03-007
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
VIRUS ALERT LINK:
http://www.microsoft.com/technet/security/virus/alerts/nachi.asp
As always please make sure to use the latest Anti-Virus detection from your
Anti-Virus vendor to detect new viruses and their variants.
If you have any questions regarding this alert please contact your Microsoft
representative or 1-866-727-2338 (1-866-PCSafety) within the US, outside of
the US please contact your local Microsoft Subsidiary. Support for virus
related issues can also be obtained from the Microsoft Virus Support
Newsgroup which can be located by clicking on the following link
news://msnews.microsoft.com/microsoft.public.security.virus.
PSS Security Response Team
--
Regards,
Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities
Get Secure! www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
