|
What You Should Know About the Blaster Worm and Its
Variants
Updated August 22, 2003, 6:15 P.M. Pacific Time
This
information is available in more than 30 languages. Find links to
those pages here.
At 11:34 A.M. Pacific Time on August 11, Microsoft began
investigating a worm reported by Microsoft Product Support Services
(PSS). The worm, W32.Blaster.Worm and its variants, exploits a
security issue that was addressed by Microsoft Security Bulletin
MS03-026. This issue concerns a vulnerability in the Remote
Procedure Call (RPC) function.
Important Information
- Guidance for home users:
These four steps can help protect your computer and recover if
it has been infected by the Blaster worm or variants. To
get the steps, click here.
- Hoax circulating: Microsoft
never distributes software through e-mail. If you receive an
e-mail message that appears to be from Microsoft and that contains
an attachment, delete the message immediately. Do not open the
attachment. To
learn more, click here.
- Scan tool for network
administrators available: IT professionals can download a free
tool from Microsoft to help them scan their networks for the
security update. To
get the tool, click here.
Who Is Vulnerable?
Your computer is not vulnerable to the Blaster worm if you
downloaded and installed the security update that was addressed by
Security Bulletin MS03-026 prior to August 11, the date the Blaster
worm was discovered.
Products
Affected by This Worm |
- Microsoft® Windows NT® 4.0
- Microsoft Windows® 2000
- Microsoft Windows XP
- Microsoft Windows Server™ 2003
|
Products
Not Affected by This Worm |
- Windows Millennium (Windows Me)
Note Windows
98, Windows 98 Second Edition (SE), and Windows 95 also are
not affected by this issue. However, these products are no
longer supported. Users of these products are strongly
encouraged to upgrade to later
versions. |
If you
are unsure of which version of Windows you are running, click
here.
How to Tell If the Worm Is Affecting Your Computer
Some customers whose computers have been infected may not notice
the presence of the worm at all, while others who are not infected
may experience problems because the worm is attempting to attack
their computer. Typical symptoms may include Windows XP and Windows
Server 2003 systems rebooting every few minutes without user input,
or Windows NT 4.0 and Windows 2000 systems becoming
unresponsive.
|
|
Shutdown error. If your computer is infected,
you may see this error message. |
| |
Whether you are experiencing these symptoms or not, Microsoft
recommends that you take the following action immediately:
- If you're running Windows XP or Windows 2000, follow
all Steps 1–4 for home users below.
- If you're running Windows Server 2003 or Windows NT
4.0, follow Steps 1–3 for home users below.
Actions for Network Administrators
Microsoft recommends that network administrators take the
following actions immediately:
4 Steps for Home Users
If you are using Microsoft ® Windows NT® 4.0, Windows®
2000, Windows XP, or Windows Server™ 2003, you should follow the
steps in this sequence to help protect your computer and to recover
if your computer has been infected.
1. Enable a Firewall
|
Make sure you have a firewall activated to help protect
your computer against infection before you take other steps.
If your computer has been infected, activating firewall
software will help limit the effects of the worm on your
computer.
The latest Windows operating systems have a firewall built
in. Windows XP and Windows Server 2003 users should print or
save the following instructions for how to enable their
firewall.
If your computer is rebooting repeatedly, disconnect from
the Internet before you enable your firewall. To disconnect
your computer from the Internet:
- Broadband connection users: Locate the telephone
cable that runs from your external DSL or cable modem and
unplug that cable either from the modem or from the
telephone jack.
- Dial-up connection users: Locate the telephone
cable that runs from the modem inside your computer to your
telephone jack and unplug that cable either from the
telephone jack or from your computer.
Follow the instructions provided for your operating system,
and then reconnect to the Internet.
- Windows XP users:
Click
here for instructions.
- Windows Server 2003
users: Click
here for instructions.
- Windows NT 4.0 and
Windows 2000 users: You will need to install a
third-party firewall. Most firewall software for home users
is available in free or trial versions. Check the following
resources for more information on personal firewalls:
- Windows 2000 users:
Alternatively, you can take steps to block the affected
ports so that your computer can be patched. Here are some
modified instructions from the TechNet article HOW TO:
Configure TCP/IP Filtering in Windows 2000.
|
2. Update Windows
|
If you have disconnected from the Internet, remember to
reconnect before you take next steps. Download and install the
security update addressed in Security Bulletin MS03-026 for
the version of Windows that you are using from Windows
Update.
When you get to the Windows Update site, scan your computer
for any critical updates that you need, and then install them.
To do that:
- Click Scan for Updates next to the green arrow
near the center of your screen.
Note It
may take several minutes for the scan to complete.
- After the scan completes, under Pick updates to
install on the left side of your screen, click
Critical Updates and Service Packs.
A list of
updates appears.
- Click Review and install updates near the center
of your screen to begin downloading and installing the
updates.
Get the
Security Update from Windows Update
|
3. Use Antivirus Software
|
Use antivirus software and make sure you have the latest
updates installed. There are several variants of this worm,
and the most up-to-date information about them can be found at
your antivirus vendor's Web site.
- If you already have
antivirus software installed, go to your antivirus vendor's
Web site to get the latest updates, also known as virus
definitions.
- If you do not have
antivirus software installed, get it. The following vendors
participating in the Microsoft Virus Information Alliance
(VIA) offer antivirus products for home users:
Learn about Microsoft's
Virus Information
Alliance. |
4. Remove the Worm
|
If you think there is even the slightest possibility that
your computer might be infected, use the free worm removal
tool available at your preferred antivirus software vendor's
Web site:
|
For Technical Assistance
Contact your antivirus vendor for assistance with identifying or
removing virus or worm infections. If you need more help with
virus-related issues, please contact PSS. We are currently
experiencing a high call volume and apologize for any delay in
responding.
|
|