Re: security update for blaster worm
From: Ivan Sheng (ivansh_at_online.microsoft.com)
Date: 08/13/03
- In reply to: Kent W. England [MVP]: "Re: security update for blaster worm"
Date: Wed, 13 Aug 2003 03:23:34 GMT
Yes, I agree with Kent. Below is some useful information about the new worm
virus:
To prevent the system from rebooting every few minutes, please try the
steps in the "Workaround" section. However, you are strongly recommended to
install the patch which is mentioned in the "Prevention" section to prevent the
system from being infected again. After that, please use the most recent Anti
Virus program to clean the system.
Workaround
===========
The workaround can help you stop the system from rebooting every few
minutes. However, it should be noted that these workarounds should be
considered temporary measures as they just help block paths of attack
rather than correcting the underlying vulnerability.
1. Block RPC interface ports at your firewall if you are not using Windows
XP.
Blocking the following ports at the firewall will help prevent systems
behind that firewall from being attacked by attempts to exploit this
vulnerability:
- TCP/UDP Port 135
- TCP/UDP Port 139
- TCP/UDP Port 445
If you are using the Internet Connection Firewall in Windows XP to protect
your Internet connection, it will by default block inbound RPC traffic from
the Internet. Therefore, please enable Internet Connection Firewall
immediately.
To configure Internet Connection Firewall manually for a connection:
- In Control Panel, double-click Networking and Internet Connections, and
then click Network Connections.
- Right-click the connection on which you would like to enable ICF, and
then click Properties.
- On the Advanced tab, click the box to select the option to Protect my
computer or network.
For more information, please refer to the following Microsoft Knowledge
Base article.
283673 HOW TO: Enable or Disable Internet Connection Firewall in Windows XP
http://support.microsoft.com/?id=283673
2. Disable DCOM on all affected machines
When a computer is part of a network, the DCOM wire protocol enables COM
objects on that computer to communicate with COM objects on other
computers. You can disable DCOM for a particular computer to help protect
against this vulnerability, but doing so will disable all communication
between objects on that computer and objects on other computers.
To manually enable (or disable) DCOM for a computer:
1). Run Dcomcnfg.exe.
If you are running Windows XP or Windows Server 2003, perform these
additional steps:
- Click on the Component Services node under Console Root.
- Open the Computers sub-folder.
- For the local computer, right click on My Computer and choose
Properties.
2). Choose the Default Properties tab.
3). Select (or clear) the Enable Distributed COM on this Computer check
box.
4). If you will be setting more properties for the machine, click the Apply
button to enable (or disable) DCOM. Otherwise, click OK to apply the
changes and exit Dcomcnfg.exe.
Prevention
=======
To prevent the computer from being infected by the virus, please install the
security patch MS03-026. The patch is available from Windows Update as well
as on www.microsoft.com/security
For Windows XP, the direct link of the patch is listed below. Please
download and install it immediately.
http://microsoft.com/downloads/details.aspx?FamilyId=2354406C-C5B6-44AC-9532-3DE40F69C074&displaylang=en
Please note that you still need to use an Anti Virus program to clean the
system after you apply the patch. If you do not have Anti Virus software
installed, you can use the following tool to detect the worm.
http://housecall.antivirus.com
Restoration
=======
After a Trojan has successfully been installed on a system, it may be
impossible to trust that system in the future. These steps will help
restore your computer's environment to a trusted state.
1. If you have a full system backup, please restore from the last known
good backup.
2. In the case when no backup is available, we recommend reformatting the
affected system and re-installing the operating system from scratch. If your
system is a client of a network, make sure you patch or rebuild with
MS03-026 BEFORE putting it back on the network to avoid being re-infected.
3. If you cannot restore or rebuild, please try to contact your Anti Virus
vendors for removal/cleaner tools.
The following tools or information from 3rd party vendors may be helpful for
removing the virus.
Symantec
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
McAfee:
http://vil.nai.com/vil/stinger
Ivan Sheng
Microsoft Online Partner Support
MCSD,MCSE4,2000,MCDBA,CCNA,ASE
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
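One way to check that the two workarounds in the post above actually took effect on a host, as an added example that is not part of the original posting: it lists listeners on ports 135/139/445 bound beyond loopback (these stay exposed unless a firewall filters them) and reads the DCOM state. The netstat and `reg query` text is constructed sample data, and the `EnableDCOM` value under `HKLM\Software\Microsoft\Ole` is the registry setting behind the Dcomcnfg check box, not something the post names.

```python
import re

RPC_PORTS = {135, 139, 445}  # ports the post says to block, TCP and UDP

# Constructed sample of `netstat -an` output from a Windows host (not real data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       192.168.1.7:1033       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.20:137       *:*
"""

# Constructed sample of `reg query HKLM\Software\Microsoft\Ole /v EnableDCOM`.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
    EnableDCOM    REG_SZ    Y
"""

def exposed_rpc_listeners(netstat_text):
    """Return sorted (proto, address, port) for RPC ports bound beyond loopback."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        # TCP rows carry a state; only LISTENING sockets accept new connections.
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue
        addr, _, port = local.rpartition(":")
        if not port.isdigit() or int(port) not in RPC_PORTS:
            continue
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only sockets are not reachable from the network
        found.add((proto, addr, int(port)))
    return sorted(found)

def dcom_enabled(reg_text):
    """True if EnableDCOM is 'Y', False if 'N', None if the value is absent."""
    m = re.search(r"^\s*EnableDCOM\s+REG_SZ\s+([YyNn])\s*$", reg_text, re.M)
    return None if m is None else m.group(1).upper() == "Y"

if __name__ == "__main__":
    print(exposed_rpc_listeners(SAMPLE_NETSTAT), dcom_enabled(SAMPLE_REG))
```

An empty listener list together with `False` from `dcom_enabled` matches the state the workaround describes; neither result says anything about whether MS03-026 is installed.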