RE: Blaster update

From: Larry Brasher (a-lbrash_at_microsoft.com)
Date: 08/17/03


Date: Sun, 17 Aug 2003 02:24:11 GMT


Hello,

Here is some additional information.

Advanced TCP/IP Filtering

On Windows 2000 systems, where Internet Connection Firewall (ICF) is not
available, the following steps will help block the affected ports so that
the system can be patched. These steps are based on a modified excerpt from
this article: 309798 HOW TO: Configure TCP/IP Filtering in Windows 2000
http://support.microsoft.com/?id=309798

To configure TCP/IP security on Windows 2000:

1. Select "Network and Dial-up Connections" in the control panel.

2. Right-click the interface you use to access the Internet, and then click
Properties.

3. In the "Components checked are used by this connection" box, click
   Internet Protocol (TCP/IP), and then click Properties.

4. In the Internet Protocol (TCP/IP) Properties dialog box, click
   Advanced.

5. Click the Options tab.

6. Click "TCP/IP filtering", and then click Properties.

7. Select the "Enable TCP/IP Filtering (All adapters)" check box.

8. There are three columns with the following labels:

                TCP Ports
                UDP Ports
                IP Protocols

In each column, you must select the "Permit Only" option.

9. Click OK.

Stop Windows XP and Windows Server 2003 systems from rebooting after an
attack:

     Another way to prevent Windows XP and Windows 2003 Server systems from
rebooting once the countdown has started is to run this command at
the command line:

     shutdown /a

     This aborts the shutdown sequence. Since the RPC service has already
been shut down, it cannot be shut down again. Then you can patch the
system with MS03-026, which will reboot the system once it's installed.
This command is not available on pre-XP systems.

Change Service Properties to avoid the reboot:

     1. Open up the Services snap-in.
        This can be done by right-clicking on "My Computer", select
        "Manage", select "Services and Applications" and click on
        "Services".
        This can be done by going to the Control Panel and selecting to
        switch to "Classic View", double-click on "Administrative Tools"
        and select "Services".
     2. Double-click on the "Remote Procedure Call (RPC)" service.
     3. On the User Interface for RPC, click the "Recovery" tab.
     4. Under the "Recovery" tab, go to the "First failure:" drop down and
        change the value from "Restart the Computer" to "Restart the
        Service".
     5. Change the "Restart service after:" value to 5 minutes.
     6. Install the MS03-026 / 823980 on the computer.

What You Should Know About the Blaster Worm and Its Variants
     http://www.microsoft.com/security/incident/blast.asp

Microsoft scanning tool for MSBLASTER
     http://support.microsoft.com/default.aspx?scid=kb;en-us;826369

PREVENTION:
Turn on Internet Connection Firewall (Windows XP or Windows Server 2003) or
use a third party firewall to block TCP ports 135, 139, 445 and 593; UDP
ports 135, 137, 138; also UDP 69 (TFTP) and TCP 4444 for remote command
shell.

To enable the Internet Connection Firewall in Windows:
http://support.microsoft.com/?id=283673
  1. In Control Panel, double-click Networking and Internet Connections, and
     then click Network Connections.
  2. Right-click the connection on which you would like to enable ICF, and
     then click Properties.
  3. On the Advanced tab, click the box to select the option to "Protect my
     computer or network".

This worm utilizes a previously-announced vulnerability as part of its
infection method. Because of this, you must ensure that your computers are
patched for the vulnerability that is identified in Microsoft Security
Bulletin MS03-026.
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

Install the patch MS03-026 from Windows Update:
Windows NT 4 Server & Workstation
http://download.microsoft.com/download/6/5/1/651c3333-4892-431f-ae93-bf8718d29e1a/Q823980i.EXE

Windows NT 4 Terminal Server Edition
http://download.microsoft.com/download/4/6/c/46c9c414-19ea-4268-a430-53722188d489/Q823980i.EXE

Windows 2000
http://download.microsoft.com/download/0/1/f/01fdd40f-efc5-433d-8ad2-b4b9d42049d5/Windows2000-KB823980-x86-ENU.exe

Windows XP (32 bit)
http://download.microsoft.com/download/9/8/b/98bcfad8-afbc-458f-aaee-b7a52a983f01/WindowsXP-KB823980-x86-ENU.exe

Windows XP (64 bit)
http://download.microsoft.com/download/a/7/5/a75b3c8f-5df0-451b-b526-cfc7c5c67df5/WindowsXP-KB823980-ia64-ENU.exe

Windows 2003 (32 bit)
http://download.microsoft.com/download/8/f/2/8f21131d-9df3-4530-802a-2780629390b9/WindowsServer2003-KB823980-x86-ENU.exe

Windows 2003 (64 bit)
http://download.microsoft.com/download/4/0/3/403d6631-9430-4ff6-a061-9072a4c50425/WindowsServer2003-KB823980-ia64-ENU.exe

Shane Brasher
MCSE (2000,NT),MCSA, A+
Microsoft Platforms Support
Windows NT/2000 Networking


