What You Should Know About the Worm Blaster

Who Is Affected?

Users of the following products are affected:

• Microsoft Windows NT 4.0
• Microsoft Windows 2000
• Microsoft Windows XP
• Microsoft Windows Server 2003

The virus, worm blaster was discovered August 11. Customers who had previously applied the security patch MS03-026 are protected. To determine if the worm is present on your machine, see the technical details section of the PSS Security Response Team Alert.

Why We Are Issuing This Alert

A new worm known as W32.Blaster.Worm (also known as MBlaster, Worm Blaster, W32/Lovsan.worm, MSBlast, W32.blaster.worm, Win32.posa.worm, Win32.poza.worm) has been identified that is seeking to exploit the vulnerability that was addressed by Microsoft Security Bulletin MS03-026. Blaster is designed to launch a denial of service attack against Microsoft's Windows Update Web site.

Actions to Take

We recommend that you take the following actions immediately:

If you are using Windows NT 4.0, Windows 2000, Windows XP, or Windows Server 2003, you should follow the steps in this sequence to help protect your system and to recover if your system has been infected.

1. Make sure you have a firewall installed and activated to help protect your computer against infection, before you take other steps. If your computer has been infected, activating firewall software will help limit the effects of the worm on your computer. Below is a list of recommended firewall software.
   • ZoneAlarm Pro (Zone Labs)
   • BullGuard Firewall (BullGuard)
   • Outpost Firewall (Agnitum)
   • Norton Firewall (Symantec)
   • BlackICE PC Protection (Internet Security Systems)
   • Alternatively, if you use Windows 2000, you can take steps to block the affected ports so that your computer can be patched. Here are some modified instructions from the TechNet article HOW TO: Configure TCP/IP Filtering in Windows 2000.
   1. In the Control Panel, double-click Network and Dial-up Connections.
   2. Right-click the interface you use to access the Internet, and then click Properties.
   3. In the Components checked are used by this connection box, click Internet Protocol (TCP/IP), and then click Properties.
   4. In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced.
   5. Click the Options tab.
   6. Click TCP/IP filtering, and then click Properties.
   7. Select the Enable TCP/IP Filtering (All adapters) check box.
   8. There are three columns with the following labels:
      • TCP Ports
      • UDP Ports
      • IP Protocols

      In each column, you must select the Permit Only option.

   9. Click OK.
2. Download and install the security update addressed in Security Bulletin MS03-026 for the version of Windows that you are using from the Microsoft Download Center. When you click the appropriate link below, a dialog box appears. To begin the download process, do one of the following:
• To start the installation immediately, click Open or Run this program from its current location.
• To copy the download to your computer for installation at a later time, click Save or Save this program to disk.
  • Windows NT Server 4.0 and Windows NT Workstation 4.0
  • Windows NT Server 4.0, Terminal Server Edition
  • Windows 2000
  • Windows XP (32 bit)
  • Windows XP (64 bit)
  • Windows 2003 (32 bit)
  • Windows 2003 (64 bit)
3. Make sure you install and use antivirus software.
   • If you have antivirus software installed, get the latest virus definitions from your antivirus vendor's Web site.
     
   • If you do not have antivirus software installed, get one of the antivirus software products that we recommend:
   
   
   • Mcafe VirusScan (Mcafe)
   • Pc-Cillin (Trend Micro)
   • Norton Antivirus (Symantec Norton)
   • BullGuard Antivirus (BullGuard)
   • AVG Antivirus (AVG Virus)

For System Administrators and Technical Computer Users

Read the PSS Security Response Team alert for technical guidance.

What do others say about Worm Blaster? Do a search!

Worm Blaster information - Last Updated: 29 January 2004