Re: PSS Critical Security Alert - New Worm: Nachi, Blaster-D, Welschia

From: Larry Samuels MS-MVP XP (Shell/User) (larry_at_mvps.org)
Date: 08/19/03


Date: Mon, 18 Aug 2003 19:17:47 -0400


Not good if you have been seeing the reports of ICMP flooding.

-- 
Larry Samuels MS-MVP  (Windows-Shell/User)
Associate Expert
Unofficial FAQ for Windows Server 2003 at
http://home.earthlink.net/~larrysamuels/WS2003FAQ.htm
Expert Zone - www.microsoft.com/windowsxp/expertzone
" Duncan McNutt [FTSE]" <titmaster@127.0.0.706> wrote in message
news:OAY0u1dZDHA.2572@TK2MSFTNGP12.phx.gbl...
> yes but this is a good worm, but it's got an open port 707 - LOL :D
>
> --
>
> Duncan McNutt
> Microsoft Product Deactivation Team
> --
>
>
> "Larry Samuels MS-MVP XP (Shell/User)" <larry@mvps.org> wrote in message
> news:#8dNbzdZDHA.2580@TK2MSFTNGP12.phx.gbl...
> > Thanks Jerry!!
> >
> > --
> > Larry Samuels MS-MVP  (Windows-Shell/User)
> > Associate Expert
> > Unofficial FAQ for Windows Server 2003 at
> > http://home.earthlink.net/~larrysamuels/WS2003FAQ.htm
> > Expert Zone - www.microsoft.com/windowsxp/expertzone
> > "Jerry Bryant [MSFT]" <jbryant@online.microsoft.com> wrote in message
> > news:u1pmzwdZDHA.736@TK2MSFTNGP09.phx.gbl...
> > > PSS Security Response Team Alert - New Worm: Nachi, Blaster-D, Welchia
> > >
> > > SEVERITY: CRITICAL
> > > DATE: 08/18/2003
> > > PRODUCTS AFFECTED: Windows 2000 and XP, Internet Information Services 5.0
> > >
> > > **********************************************************************
> > >
> > > WHAT IS IT?
> > > A new worm is spreading in the wild.  The Microsoft Product Support
> > > Services Security Team is issuing this alert to advise customers to be
> > > on the alert for this virus as it spreads in the wild.  Customers are
> > > advised to review the information and take the appropriate action for
> > > their environments.
> > >
> > > IMPACT OF ATTACK: Network Propagation, Patch Installation
> > >
> > > TECHNICAL DETAILS:
> > > Similar to the earlier Blaster worm and its variants, this worm also
> > > exploits the vulnerability patched by Microsoft Security Bulletin
> > > MS03-026, and instructs target systems to download its copy from the
> > > affected system using the TFTP program.
> > >
> > > In addition to exploiting the RPC vulnerability patched by Microsoft
> > > Security Bulletin MS03-026 this worm also uses a previously patched
> > > vulnerability in Microsoft Security Bulletin MS03-007 directed at IIS
> > > 5.0 over port 80 to propagate to un-patched systems.
> > >
> > > In addition upon successful infection this worm also patches systems
> > > with the patch for Microsoft Security Bulletin MS03-026. It does this
> > > by first determining the operating system and then downloading the
> > > associated patch for that operating system.
> > >
> > > For additional details on this worm from anti-virus software vendors
> > > participating in the Microsoft Virus Information Alliance (VIA) please
> > > visit the following links:
> > >
> > > Network Associates:
> > >
> > > http://vil.nai.com/vil/content/v_100559.htm
> > >
> > > Trend Micro:
> > >
> > > http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.D
> > >
> > > Symantec
> > >
> > > http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
> > >
> > > For more information on Microsoft's Virus Information Alliance please
> > > visit this link: http://www.microsoft.com/technet/security/virus/via.asp
> > >
> > > Please contact your Antivirus Vendor for additional details on this
> > > virus.
> > >
> > > PREVENTION:
> > > Turn on Internet Connection Firewall (Windows XP or Windows Server
> > > 2003) or use a third party firewall to block incoming TCP ports 80,
> > > 135, 139, 445 and 593; UDP ports 135, 137, 38.
> > >
> > > To enable the Internet Connection Firewall in Windows XP please see
> > > the instructions below or visit this KnowledgeBase Article:
> > > http://support.microsoft.com/?id=283673
> > >
> > > . In Control Panel, double-click Networking and Internet Connections,
> > > and then click Network Connections.
> > > . Right-click the connection on which you would like to enable ICF,
> > > and then click Properties.
> > > . On the Advanced tab, click the box to select the option to Protect
> > > my computer or network.
> > >
> > > This worm utilizes two previously-announced vulnerabilities as part of
> > > its infection method.  Because of this, customers must ensure that
> > > their computers are patched for the vulnerabilities that are
> > > identified in the following Microsoft Security Bulletins.
> > >
> > > Microsoft Security Bulletin MS03-026
> > > http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
> > > Microsoft Security Bulletin MS03-007
> > > http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
> > >
> > > In order to assist customers with the installation of the patch for
> > > Microsoft Security Bulletin MS03-026 Microsoft has released a tool
> > > which can be used to scan a network for the presence of systems which
> > > have not had the MS03-026 patch installed. More details on this tool
> > > are available in Microsoft Knowledge Base article 826369.
> > >
> > > RECOVERY:
> > > If your computer has been infected with this virus, please contact
> > > your preferred antivirus vendor or Product Support Services for
> > > assistance with removing it.
> > >
> > > RELATED KB ARTICLES:
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;826234
> > > This article will be available within 24 hours.
> > >
> > > RELATED SECURITY BULLETINS:
> > > Microsoft Security Bulletin MS03-026
> > > http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
> > > Microsoft Security Bulletin MS03-007
> > > http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
> > >
> > > VIRUS ALERT LINK:
> > > http://www.microsoft.com/technet/security/virus/alerts/nachi.asp
> > >
> > > As always please make sure to use the latest Anti-Virus detection from
> > > your Anti-Virus vendor to detect new viruses and their variants.
> > >
> > > If you have any questions regarding this alert please contact your
> > > Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the
> > > US, outside of the US please contact your local Microsoft Subsidiary.
> > > Support for virus related issues can also be obtained from the
> > > Microsoft Virus Support Newsgroup which can be located by clicking on
> > > the following link
> > > news://msnews.microsoft.com/microsoft.public.security.virus.
> > >
> > > PSS Security Response Team
> > >
> > >
> > > --
> > > Regards,
> > >
> > > Jerry Bryant - MCSE, MCDBA
> > > Microsoft IT Communities
> > >
> > > Get Secure! www.microsoft.com/security
> > >
> > >
> > > This posting is provided "AS IS" with no warranties, and confers no
> > > rights.
> > >
> > >
> >
> >
>
>
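
An added example, not part of the thread or of Microsoft's alert: a triage pass over firewall log lines that flags sources which ping several distinct addresses and also try one of the TCP ports the alert says to block, and lists any traffic to TCP 707, the port named in the reply above. The log layout (the space-separated Internet Connection Firewall format), the sweep threshold, the function names and the sample records are assumptions made for the illustration.

```python
from collections import defaultdict

# TCP ports the alert says to block inbound; 707 is the port named in the reply.
ADVISORY_TCP = {80, 135, 139, 445, 593}
REPLY_TCP = 707
SWEEP_THRESHOLD = 3  # assumption: distinct ping targets before a source is flagged

FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info").split()

# Constructed sample records (addresses, times and sizes are made up).
SAMPLE_LOG = "#Fields: " + " ".join(FIELDS) + """
2003-08-19 09:00:01 DROP ICMP 10.0.0.23 10.0.1.1 - - 60 - - - - 8 0 -
2003-08-19 09:00:01 DROP ICMP 10.0.0.23 10.0.1.2 - - 60 - - - - 8 0 -
2003-08-19 09:00:02 DROP ICMP 10.0.0.23 10.0.1.3 - - 60 - - - - 8 0 -
2003-08-19 09:00:03 DROP TCP 10.0.0.23 10.0.1.2 3021 135 48 S 1234567 0 64240 - - -
2003-08-19 09:00:04 DROP TCP 10.0.0.23 10.0.1.2 3022 707 48 S 1234999 0 64240 - - -
2003-08-19 09:00:09 DROP ICMP 10.0.0.40 10.0.1.1 - - 60 - - - - 8 0 -
2003-08-19 09:00:10 DROP TCP 10.0.0.40 10.0.1.9 1190 80 48 S 2233445 0 64240 - - -
"""

def parse(text):
    """Yield one dict per log record, skipping header and truncated lines."""
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) < len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))

def triage(text):
    """Return sources that sweep with ICMP and probe advisory ports, plus 707 traffic."""
    pinged = defaultdict(set)   # source -> distinct addresses it sent echo requests to
    probed = defaultdict(set)   # source -> (destination, port) pairs on advisory ports
    tcp_707 = set()             # (source, destination) pairs seen on TCP 707
    for rec in parse(text):
        src, dst = rec["src-ip"], rec["dst-ip"]
        if rec["protocol"] == "ICMP" and rec["icmptype"] == "8":  # echo request
            pinged[src].add(dst)
        elif rec["protocol"] == "TCP" and rec["dst-port"].isdigit():
            port = int(rec["dst-port"])
            if port in ADVISORY_TCP:
                probed[src].add((dst, port))
            elif port == REPLY_TCP:
                tcp_707.add((src, dst))
    suspects = sorted(s for s, targets in pinged.items()
                      if len(targets) >= SWEEP_THRESHOLD and probed[s])
    return {"suspect_sources": suspects, "tcp_707_traffic": sorted(tcp_707)}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A single ping followed by a web request, like the second host in the sample, stays below the threshold and is not flagged.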

