W32.Blaster.worm

Larry Brasher

Hello,

Here is some additional information.

Stop Windows XP and Windows Server 2003 systems from rebooting after an
attack:
Another way to prevent Windows XP and Windows 2003 Server systems from
rebooting once the count down has started is to run this command at
the command line:

shutdown /a

This aborts the shutdown sequence. Since the RPC service has already
been shut down, it cannot be shut down again. Then you can patch the
system with MS03-026 which will reboot the system once it’s installed.
This command is not available on pre-XP systems.

Change Service Properties to avoid the reboot:

1. Open up the Services snap-in.
This can be done by right clicking on "My Computer", select
"Manage", select "Services and Applications" and click on "Services".
This can be done by going to the Control Panel and selecting to
switch to "Classic View", double-click on "Administrative Tools" and
select "Services".
2. Double-click on the "Remote Procedure Call (RPC)" service.
3. On the User Interface for RPC, click the "Recovery" tab.
4. Under the "Recovery" tab, go to the "First failure:" drop down and
change the value from "Restart the Computer" to "Restart the
Service".
5. Change the "Restart service after:" value to 5 minutes.
6. Install the MS03-026 / 823980 on the computer.


What You Should Know About the Blaster Worm and Its Variants
http://www.microsoft.com/security/incident/blast.asp

Microsoft scanning tool for MSBLASTER
http://support.microsoft.com/default.aspx?scid=kb;en-us;826369

PREVENTION:
Turn on Internet Connection Firewall (Windows XP or Windows Server 2003) or
use a third party firewall to block TCP ports 135, 139, 445 and 593; UDP
ports 135, 137, 138; also UDP 69 (TFTP) and TCP 4444 for remote command
shell.
To enable the Internet Connection Firewall in Windows:
http://support.microsoft.com/?id=283673
1. In Control Panel, double-click Networking and Internet Connections, and
then click Network Connections.
2. Right-click the connection on which you would like to enable ICF, and
then click Properties.
3. On the Advanced tab, click the box to select the option to "Protect my
computer or network".

This worm utilizes a previously-announced vulnerability as part of its
infection method. Because of this, you must ensure that your
computers are patched for the vulnerability that is identified in Microsoft
Security Bulletin MS03-026.
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

Install the patch MS03-026 from Windows Update:
Windows NT 4 Server & Workstation

http://download.microsoft.com/download/6/5/1/651c3333-4892-431f-ae93-bf8718d29e1a/Q823980i.EXE

Windows NT 4 Terminal Server Edition

http://download.microsoft.com/download/4/6/c/46c9c414-19ea-4268-a430-53722188d489/Q823980i.EXE

Windows 2000

http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe

Windows XP (32 bit)

http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe

Windows XP (64 bit)

http://download.microsoft.com/download/a/7/5/a75b3c8f-5df0-451b-b526-cfc7c5c67df5/WindowsXP-KB823980-ia64-ENU.exe

Windows 2003 (32 bit)

http://download.microsoft.com/download/8/f/2/8f21131d-9df3-4530-802a-2780629390b9/WindowsServer2003-KB823980-x86-ENU.exe

Windows 2003 (64 bit)

http://download.microsoft.com/download/4/0/3/403d6631-9430-4ff6-a061-9072a4c50425/WindowsServer2003-KB823980-ia64-ENU.exe


Shane Brasher
MCSE (2000,NT),MCSA, A+
Microsoft Platforms Support
Windows NT/2000 Networking
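
Added example, not part of the original post: once the firewall is blocking the ports listed under PREVENTION, its drop log shows which hosts are still probing them. The sketch below assumes ICF logging of dropped packets is turned on and that the log uses the `pfirewall.log` field layout; the log lines and addresses are constructed for illustration.

```python
import collections

# Ports the post says to block, keyed by protocol.
BLOCKED = {
    "TCP": {135, 139, 445, 593, 4444},
    "UDP": {69, 135, 137, 138},
}

# Constructed sample in the assumed ICF log layout (addresses are documentation ranges).
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2003-08-12 09:14:02 DROP TCP 198.51.100.7 192.0.2.10 3021 135 48 S 1203948 0 64240 - - -
2003-08-12 09:14:03 DROP TCP 198.51.100.7 192.0.2.10 3022 4444 48 S 1203999 0 64240 - - -
2003-08-12 09:14:09 DROP UDP 203.0.113.5 192.0.2.10 1026 137 78 - - - - - - -
2003-08-12 09:15:40 DROP TCP 203.0.113.9 192.0.2.10 4410 80 48 S 99812 0 16384 - - -
2003-08-12 09:16:01 OPEN TCP 192.0.2.10 198.51.100.7 1045 80 - - - - - - - -
"""


def blocked_port_hits(log_text):
    """Return {src_ip: sorted [(proto, dst_port), ...]} for DROP entries on the listed ports."""
    fields, hits = [], collections.defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the "#Fields:" token
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        proto, port = row.get("protocol"), row.get("dst-port", "")
        if row.get("action") != "DROP" or not port.isdigit():
            continue
        if int(port) in BLOCKED.get(proto, ()):
            hits[row["src-ip"]].add((proto, int(port)))
    return {ip: sorted(ports) for ip, ports in hits.items()}


if __name__ == "__main__":
    for ip, ports in sorted(blocked_port_hits(SAMPLE_LOG).items()):
        print(ip, ", ".join(f"{proto}/{num}" for proto, num in ports))
```

A source that shows up against both TCP 135 and TCP 4444 matches the port pairing the post associates with the RPC service and the remote command shell, so those hosts are the first to check for the patch.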