Network & Academic Computing Services
Microsoft RPC Exploit & W32.Blaster.Worm

Summary: UPDATE - Sept. 10: There is a new patch that you must download to patch the RPC vulnerability. Click on 'Patch' below to choose the appropriate patch.
There is a new and very serious security vulnerability with Microsoft Windows versions NT4, 2000, 2003 Server, and XP. It is critical that you apply the patch Microsoft has developed to protect your computer and the campus network from attack. If more information regarding the exploit becomes available, we will be updating this page.

More Information
More information about the exploit can be found at: http://www.nacs.uci.edu/ucinet/security/vu_no_568148-port_593.html


Notice on Blocked Systems

If your system becomes infected with the W32.Blaster.Worm it will begin scanning other systems on the Internet. When this happens, your system will be automatically blocked at the campus firewall to protect our infected systems from attacking benign Internet hosts. Once you follow the instructions on this page for patching your system and you have removed the worm from your machine, you can call the NACS Help Desk at x42222 and request that your system be unblocked. If you make that call without fixing the problem, the minute your machine is unblocked it will get blocked again. To determine if your system has been blocked (the symptom will be no access to Internet-based hosts such as non-UCI websites) check the following web page: http://www.nacs.uci.edu/ucinet/security/buci/blockeduci.html.
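The automatic block described above relies on spotting the worm's scanning behaviour. As an added illustration, not part of the NACS page, the script below flags hosts that fan out to many distinct destinations on the RPC port inside a short window; the log format, the port (TCP 135 for RPC DCOM), the 60-second window and the 20-host threshold are assumptions, and the log lines are constructed.

```python
"""Flag hosts whose outbound connections look like Blaster-style scanning:
one source fanning out to many distinct destinations on the RPC port
within a short window. Assumptions (not from the NACS page): a flow log
with '<epoch> <src_ip> <dst_ip> <dst_port>' lines, TCP 135 as the RPC
DCOM port, and 20 distinct destinations per 60 seconds as the threshold."""
from collections import defaultdict

RPC_PORT = 135          # TCP port the Windows RPC DCOM interface listens on
WINDOW_SECONDS = 60     # sliding window length (assumed)
FANOUT_THRESHOLD = 20   # distinct destination hosts per window (assumed)

# Constructed sample log: 10.1.1.5 sweeps 25 hosts; 10.1.1.9 behaves normally.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i} 10.1.1.5 10.0.{i}.7 135" for i in range(25)]
    + ["1003 10.1.1.9 10.2.2.2 135", "1004 10.1.1.9 10.2.2.2 135",
       "1005 10.1.1.9 10.3.3.3 80"]
)

def parse_line(line):
    """Split one log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)

def find_scanners(log_text, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src_ip: peak distinct destinations} for every source that
    reached at least `threshold` distinct hosts on RPC_PORT within `window`
    seconds; such hosts are the block candidates the page describes."""
    per_src = defaultdict(list)  # src -> [(ts, dst), ...]
    for raw in log_text.splitlines():
        if raw.strip():
            ts, src, dst, port = parse_line(raw)
            if port == RPC_PORT:
                per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # drop events older than window
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(len(distinct), flagged.get(src, 0))
    return flagged

if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"block candidate: {src} reached {n} hosts on tcp/{RPC_PORT}")
```

A host that repeatedly talks to the same few servers is not flagged; only the fan-out to many distinct hosts, which is what a worm sweep looks like, crosses the threshold.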

Description

There is a new and very serious security vulnerability with Microsoft Windows versions NT4, 2000, and XP known as the RPC DCOM Buffer Overflow, or more simply, the MS (Microsoft) RPC Vulnerability. This vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface allows an attacker to gain full access to a target machine and execute any code on it, leaving it compromised. This type of vulnerability falls into the category most commonly known as "buffer overflow exploits", in which oversized input tricks the software on a system into accepting and running dangerous commands.

In other words, a remote attacker could exploit this vulnerability to execute arbitrary code with Local System privileges, which may be used to cause problems on the infected machine and even to cause a denial of service situation on other, uninfected, machines. There is a new worm called Blaster, or MBlaster, Lovesan, or Lovsan, which uses the RPC vulnerability to spread from computer to computer over computer networks (a worm is a program which infects a computer using a network-addressable vulnerability, such as the one described here).

While the campus firewall protects against off-campus attacks from a worm like Blaster that uses the MS RPC vulnerability, the campus is still vulnerable if someone connects through the campus dialup modems or the VPN, or brings a compromised laptop onto campus. If a worm hits the campus, it may also seriously affect local networks, the campus backbone, and the campus connection to the Internet.



Patch

NOTICE
If you get a Windows error saying something similar to "RPC Service has failed due to ..." that then asks if you want to send a message to Microsoft, DO NOT CLICK EITHER OF THE OPTIONS. If you do, your computer will reboot in 60 seconds and you will be unable to apply any patches or fixes without going into Safe Mode. If you see this message, IMMEDIATELY download the patches below and apply them by following the instructions below.


W32.Blaster.Worm Virus and W32.Welchia.Worm
If your computer has been infected by the W32.Blaster.Worm virus, you will need to apply a patch from Microsoft, run a special virus removal tool (from either McAfee or Symantec), and update your virus software. You are infected if a window appears saying that your computer will shut down in 60 seconds. To prevent this from happening so you can apply the appropriate fixes, go to START -> RUN and then type "shutdown /a", which should prevent your machine from shutting down. Then, hit Ctrl-Alt-Delete, go to Task Manager, and then click on the Processes tab. Find "msblast", highlight it, and then click End Process.

There is an additional variant of the W32.Blaster.Worm named W32.Welchia.Worm that exploits another Microsoft vulnerability in addition to the RPC vulnerability. Systems running Microsoft's web server (IIS 5.0) that have not applied Microsoft's WebDAV patch are vulnerable to this method of infection. This vulnerability is within a core Windows component, however, so we recommend installing the patch even if you are not currently running IIS 5.0.

  • W32.Blaster.Worm Information (Symantec)
  • W32.Welchia.Worm Information (Symantec)
  • Windows XP: We recommend disabling System Restore before applying the removal tool.
  • PATCHING YOUR SYSTEM:
    1. If you are running Windows 2000, download and install Microsoft Service Pack 3 for Windows 2000.  This is only necessary if you have not already installed Service Pack 3 or greater.
    2. Download and install the *NEW* Microsoft RPC Hotfix to prevent your computer from reinfection. This patch requires a minimum of Service Pack 2 if you are using Windows 2000. This is an updated patch for the RPC vulnerability.  You must install this, even if you have installed the previous RPC patch, in order to prevent reinfection.
    3. Download and install the Microsoft WebDAV Hotfix to prevent your computer from reinfection. This patch requires a minimum of Service Pack 3 if you are using Windows 2000.  This patch is included in Service Pack 4.  If you have Service Pack 4 installed you do not need to install this patch.
    4. Download and run the McAfee W32.Blaster.Worm Removal Tool (stinger.exe) to remove the worms from your system.  This also removes the W32.Welchia.Worm and all variants of the SoBig email virus.
  • Note: If you are unable to download the patches, they are available on CD in the NACS Help Desk in Engineering Gateway, Room 2130, for all UCI-affiliated faculty, staff, and students.

Information about the Microsoft Vulnerabilities:
The updated patch and security bulletin for the Windows RPC vulnerability can be found here:
http://www.microsoft.com/security/security_bulletins/ms03-039.asp.

The patch and security bulletin for the Windows WebDAV vulnerability can be found here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;815021

Local copies of the RPC patch are available here:
  • Windows NT Workstation
  • Windows NT Server
  • Windows 2000
  • Windows 2003 Server
  • Windows XP

Local copies of the WebDAV patch are available here:
  • Windows NT
  • Windows 2000
  • Windows XP


These local copies of the patches are only available to systems on the UCI network.


Please call the NACS Response Center at (949) 824-2222 if you have any questions.
Note:
If you are not from the UC Irvine community, NACS cannot offer technical support beyond the information provided on this Web page.



Updated: October 24, 2003

University of California, Irvine