Microsoft KB Archive/826955

= Virus alert about the Blaster worm and its variants =

Article ID: 826955

Article Last Modified on 7/30/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Media Center Edition 2002
 * Microsoft Windows XP Tablet PC Edition
 * Microsoft Windows XP Professional for Itanium-based systems
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows NT Server 3.51
 * Microsoft Windows NT Advanced Server 3.1
 * Microsoft Windows NT Server 4.0 Enterprise Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition
 * Microsoft Windows NT Server 4.0, Terminal Server Edition

-



SUMMARY
On August 11, 2003, Microsoft began investigating a worm that was reported by Microsoft Product Support Services (PSS), and the Microsoft PSS Security Team issued an alert to inform customers about the new worm. A worm is a type of computer virus that generally spreads without user action and that distributes complete copies (possibly modified) of itself across networks (such as the Internet). Generally known as "Blaster," this new worm exploits the vulnerability that was addressed by Microsoft Security Bulletin MS03-026 (823980) to spread itself over networks by using open Remote Procedure Call (RPC) ports on computers that are running any of the products that are listed at the beginning of this article.

This article contains information for network administrators and IT professionals about how to prevent and how to recover from an infection from the Blaster worm and its variants. The worm and its variants are also known as W32.Blaster.Worm, W32.Blaster.C.Worm, W32.Blaster.B.Worm, W32.Randex.E (Symantec), W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trendmicro), and Win32.Posa.Worm (Computer Associates). For additional information about recovering from this worm, contact your antivirus software vendor. For additional information about antivirus software vendors, click the following article number to view the article in the Microsoft Knowledge Base:

49500 List of Antivirus Software Vendors

If you are a home user, visit the following Microsoft Web site for steps to help you protect your computer and to recover if your computer has been infected with the Blaster worm:

http://onecare.live.com/standard/en-us/virusenc/

For additional information about a worm that is similar to the Blaster worm and that exploits the vulnerabilities that were addressed by Microsoft Security Bulletins MS03-026 (823980) and MS03-007 (815021), click the following article number to view the article in the Microsoft Knowledge Base:

826234 Virus Alert About the Nachi Worm

Symptoms of Infection
If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following symptoms:
 * You may receive the following error messages:

The Remote Procedure Call (RPC) service terminated unexpectedly.

The system is shutting down. Please save all work in progress and log off.
Any unsaved changes will be lost.
This shutdown was initiated by NT AUTHORITY\SYSTEM.

 * The computer may shut down, or may restart repeatedly, at random intervals.
 * On a Windows XP-based or on a Windows Server 2003-based computer, a dialog box may appear that gives you the option to report the problem to Microsoft.
 * If you are using Windows 2000 or Windows NT, you may receive a Stop error message.
 * You may find a file that is named Msblast.exe, Nstask32.exe, Penis32.exe, Teekids.exe, Winlogin.exe, Win32sockdrv.dll, or Yuetyutr.dll in the Windows\System32 folder.
 * You may find unusual TFTP* files on your computer.

Technical Details
For technical details about the changes that this worm makes to your computer, contact your antivirus software vendor.

To detect this virus, search for a file that is named Msblast.exe, Nstask32.exe, Penis32.exe, Teekids.exe, Winlogin.exe, Win32sockdrv.dll, or Yuetyutr.dll in the Windows\System32 folder, or download the latest antivirus software signature from your antivirus vendor, and then scan your computer.

To search for these files:
 * 1) Click Start, click Run, type cmd in the Open box, and then click OK.
 * 2) At the command prompt, type dir %systemroot%\system32\filename /a /s, and then press ENTER, where filename is Msblast.exe, Nstask32.exe, Penis32.exe, Teekids.exe, Winlogin.exe, Win32sockdrv.dll, or Yuetyutr.dll.

Note Repeat step 2 for each of these file names: Msblast.exe, Nstask32.exe, Penis32.exe, Teekids.exe, Winlogin.exe, Win32sockdrv.dll, and Yuetyutr.dll. If you find any of these files, your computer may be infected with the worm. If you find one of these files, delete the file, and then follow the steps in the "Recovery" section of this article. To delete the file, type del %systemroot%\system32\filename /a at the command prompt, and then press ENTER.
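The file search above can be automated, and combined with a check for the two ports this article attributes to the worm (TCP 4444 for the remote shell, UDP 69 for TFTP). The following Python script is an added example, not part of the Microsoft article: it walks a System32 directory for the seven file names listed above and parses `netstat -an` style text for listeners on those ports. The directory contents and the netstat text in `demo()` are constructed sample data, not output from a real host.

```python
import os
import re
import tempfile

# File names this article associates with Blaster and its variants.
BLASTER_FILE_NAMES = {
    "msblast.exe", "nstask32.exe", "penis32.exe", "teekids.exe",
    "winlogin.exe", "win32sockdrv.dll", "yuetyutr.dll",
}

# Ports the article attributes to the worm: TCP 4444 (remote shell), UDP 69 (TFTP).
SUSPECT_LISTENERS = {("TCP", 4444), ("UDP", 69)}


def find_indicator_files(system32_dir):
    """Return paths of indicator files found under system32_dir (recursive).

    Names are compared case-insensitively because Windows file systems are,
    so MSBLAST.EXE and msblast.exe are the same file."""
    found = []
    for root, _dirs, files in os.walk(system32_dir):
        for name in files:
            if name.lower() in BLASTER_FILE_NAMES:
                found.append(os.path.join(root, name))
    return sorted(found)


# Matches `netstat -an` rows such as:
#   TCP    0.0.0.0:4444    0.0.0.0:0    LISTENING
#   UDP    0.0.0.0:69      *:*
_NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def suspect_listeners(netstat_output):
    """Return the (proto, port) pairs from netstat text that match the worm's ports.

    A TCP socket counts only when it is LISTENING (an ESTABLISHED connection on
    4444 is something else); UDP rows have no state column at all."""
    hits = set()
    for line in netstat_output.splitlines():
        m = _NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, port, state = m.group(1), int(m.group(2)), m.group(3)
        if (proto, port) in SUSPECT_LISTENERS and (proto == "UDP" or state == "LISTENING"):
            hits.add((proto, port))
    return hits


def assess(system32_dir, netstat_output):
    """Run both checks and return a single verdict dictionary."""
    files = find_indicator_files(system32_dir)
    ports = suspect_listeners(netstat_output)
    return {"files": files, "ports": ports, "suspect": bool(files or ports)}


# Constructed sample netstat output; not captured from an infected machine.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:4444        192.0.2.20:1054        ESTABLISHED
  UDP    0.0.0.0:69             *:*
  UDP    0.0.0.0:137            *:*
"""


def demo():
    """Build a throwaway fake System32 tree (constructed, empty files) and assess it."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "drivers"))
        for name in ("MSBLAST.EXE", "kernel32.dll"):
            open(os.path.join(d, name), "wb").close()
        return assess(d, SAMPLE_NETSTAT)


if __name__ == "__main__":
    print(demo())
```

Run it against a real machine by passing `%SystemRoot%\System32` and the text of `netstat -an` to `assess()` instead of the constructed data.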

Prevention
To prevent this virus from infecting your computer, follow these steps:
 * 1) Turn on the Internet Connection Firewall feature (ICF) in Windows XP, Windows Server 2003, Standard Edition, and in Windows Server 2003, Enterprise Edition; or use Basic Firewall, Microsoft Internet Security and Acceleration (ISA) Server 2000, or a third-party firewall to block TCP ports 135, 139, 445, and 593; UDP ports 69 (TFTP), 135, 137, and 138; and TCP port 4444 for remote command shell.

To turn on the ICF in Windows XP or Windows Server 2003, follow these steps:
 * a) Click Start, and then click Control Panel.
 * b) In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
 * c) Right-click the connection where you want to turn on Internet Connection Firewall, and then click Properties.
 * d) Click the Advanced tab, and then click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box.

Note Some dial-up connections may not appear in the Network Connection folders. For example, AOL and MSN dial-up connections may not appear. In some cases, you can use the following steps to turn on ICF for a connection that does not appear in the Network Connection folder. If these steps do not work, contact your Internet Service Provider (ISP) for information about how to firewall your Internet connection.
 * a) Start Internet Explorer.
 * b) On the Tools menu, click Internet Options.
 * c) Click the Connections tab, click the dial-up connection that you use to connect to the Internet, and then click Settings.
 * d) In the Dial-up settings area, click Properties.
 * e) Click the Advanced tab, and then click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box.

For more information about how to turn on Internet Connection Firewall in Windows XP or in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

283673 How to turn on or turn off the firewall in Windows XP

Note ICF is only available on Windows XP, Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition. Basic Firewall is a component of Routing and Remote Access that you can enable for any public interface on a computer that is running Routing and Remote Access and is a member of the Windows Server 2003 family.

 * 2) This worm uses a previously announced vulnerability as part of its infection method. Because of this, you must make sure that you have installed the 823980 security patch on all your computers to address the vulnerability that is identified in Microsoft Security Bulletin MS03-026. Note that the 824146 security patch replaces the 823980 security patch. Microsoft recommends that you install the 824146 security patch, which also includes fixes for the issues that are addressed in Microsoft Security Bulletin MS03-026 (823980). For more information about the 824146 security patch, click the following article number to view the article in the Microsoft Knowledge Base:

824146 MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs

For more information about the 823980 security patch and any prerequisites (such as a service pack for your version of Windows), click the following article number to view the article in the Microsoft Knowledge Base:

823980 MS03-026: Buffer overrun in RPC may allow code execution

To download the 824146 security patch, click the appropriate link for your operating system:
 * Windows NT Workstation 4.0
   http://download.microsoft.com/download/3/0/c/30cff3cd-414d-4754-b9db-276de8161eef/WindowsNT4Workstation-KB824146-x86-ENU.EXE
 * Windows NT Server 4.0
   http://download.microsoft.com/download/6/2/1/6216d162-1283-4e05-a505-3dc67b70155c/WindowsNT4Server-KB824146-x86-ENU.EXE
 * Windows NT Server 4.0, Terminal Server Edition
   http://download.microsoft.com/download/8/b/5/8b534384-5ce7-482d-8886-7c3dac565f51/WindowsNT4TerminalServer-KB824146-x86-ENU.EXE
 * Windows 2000
   http://download.microsoft.com/download/0/A/6/0A634E35-F29A-4F26-B006-D315E898EDEF/Windows2000-KB824146-x86-ENU.exe
 * Windows XP Home Edition, Windows XP Professional, Windows XP Tablet PC Edition, and Windows XP Media Center Edition
   http://download.microsoft.com/download/C/D/D/CDD7AC92-E4CC-4B1E-BC2F-7A61B46B23BF/WindowsXP-KB824146-x86-ENU.exe
 * Windows XP 64-Bit Version 2002
   http://download.microsoft.com/download/A/C/E/ACE7FE00-4BF7-4421-8CCF-2913395500AA/WindowsXP-KB824146-ia64-ENU.exe
 * Windows Server 2003 (32-bit)
   http://download.microsoft.com/download/5/7/D/57D367EB-EE72-41D6-99EC-E96724655976/WindowsServer2003-KB824146-x86-ENU.exe
 * Windows Server 2003 (64-bit) and Windows XP 64-Bit Version 2003
   http://download.microsoft.com/download/0/B/2/0B2C9630-2E93-4074-94CC-E418B93646DC/WindowsServer2003-KB824146-ia64-ENU.exe

 * 3) Use the latest virus-detection signature from your antivirus vendor to detect new viruses and their variants.

Recovery
Best practices for security suggest that you perform a complete "clean" installation on a previously compromised computer to remove any undiscovered exploits that can lead to a future compromise. For additional information, visit the following Cert Advisory Web site:

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

However, many antivirus companies have written tools to remove the known exploit that is associated with this particular worm. To download the removal tool from your antivirus vendor, use the following procedure for your operating system.

Recovery for Windows XP, Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition
 * 1) Turn on the Internet Connection Firewall feature (ICF) in Windows XP, Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition; or use Basic Firewall, Microsoft Internet Security and Acceleration (ISA) Server 2000, or a third-party firewall.

To turn on ICF, follow these steps:
 * a) Click Start, and then click Control Panel.
 * b) In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
 * c) Right-click the connection where you want to turn on Internet Connection Firewall, and then click Properties.
 * d) Click the Advanced tab, and then click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box.

Notes
 * If your computer shuts down or restarts repeatedly when you try to follow these steps, disconnect from the Internet before you turn on your firewall. If you connect to the Internet over a broadband connection, locate the cable that runs from your external DSL or cable modem, and then unplug that cable either from the modem or from the telephone jack. If you use a dial-up connection, locate the telephone cable that runs from the modem inside your computer to your telephone jack, and then unplug that cable either from the telephone jack or from your computer. If you cannot disconnect from the Internet, type the following line at the command prompt to configure RPCSS not to restart your computer when the service fails:

sc failure rpcss reset= 0 actions= restart

To reset RPCSS to default recovery setting after you complete these steps, type the following line at the command prompt:

sc failure rpcss reset= 0 actions= reboot/60000

 * If you have more than one computer sharing an Internet connection, use a firewall only on the computer that is directly connected to the Internet. Do not use a firewall on the other computers that share the Internet connection. If you are running Windows XP, use the Network Setup Wizard to turn on ICF.
 * Using a firewall should not affect your e-mail service or Web browsing, but a firewall can disable some Internet software, services, or features. If this behavior occurs, you may have to open some ports on your firewall for some Internet feature to work. See the documentation that is included with the Internet service that is not working to determine which ports you must open. See the documentation that is included with your firewall to determine how to open these ports. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

308127 How to manually open ports in Internet Connection Firewall in Windows XP

 * In some cases, you can use the following steps to turn on ICF for a connection that does not appear in the Network Connections folder. If these steps do not work, contact your Internet Service Provider (ISP) for information about how to firewall your Internet connection.
   * a) Start Internet Explorer.
   * b) On the Tools menu, click Internet Options.
   * c) Click the Connections tab, click the dial-up connection that you use to connect to the Internet, and then click Settings.
   * d) In the Dial-up settings area, click Properties.
   * e) Click the Advanced tab, and then click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box.

For more information about how to turn on Internet Connection Firewall in Windows XP or in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

283673 How to turn on or turn off the firewall in Windows XP

Note ICF is only available on Windows XP, Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition. Basic Firewall is a component of Routing and Remote Access that you can enable for any public interface on a computer that is running Routing and Remote Access and is a member of the Windows Server 2003 family.

 * 2) Download the 824146 security patch, and then install it on all your computers to address the vulnerability that is identified in Microsoft Security Bulletins MS03-026 and MS03-039. To download the 824146 security patch, click the appropriate link:

Windows XP Home Edition, Windows XP Professional, Windows XP Tablet PC Edition, and Windows XP Media Center Edition

http://download.microsoft.com/download/C/D/D/CDD7AC92-E4CC-4B1E-BC2F-7A61B46B23BF/WindowsXP-KB824146-x86-ENU.exe

Windows XP 64-Bit Version 2002

http://download.microsoft.com/download/A/C/E/ACE7FE00-4BF7-4421-8CCF-2913395500AA/WindowsXP-KB824146-ia64-ENU.exe

Note that the 824146 security patch replaces the 823980 security patch. Microsoft recommends that you install the 824146 security patch, which also includes fixes for the issues addressed in Microsoft Security Bulletin MS03-026 (823980). For more information about the 824146 security patch, click the following article number to view the article in the Microsoft Knowledge Base:

824146 MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs

For more information about the 823980 security patch, click the following article number to view the article in the Microsoft Knowledge Base:

823980 MS03-026: Buffer overrun in RPC interface may allow code execution

 * 3) Install or update your antivirus signature software, and then run a complete system scan.
 * 4) Download and run the worm-removal tool from your antivirus vendor.

Recovery for Windows 2000 and Windows NT 4.0
The Internet Connection Firewall feature is not available in Windows 2000 or Windows NT 4.0. If Microsoft Internet Security and Acceleration (ISA) Server 2000 or a third-party firewall is not available to block TCP ports 135, 139, 445, and 593; UDP ports 69 (TFTP), 135, 137, and 138; and TCP port 4444 for remote command shell, follow these steps to help block the affected ports for local area network (LAN) connections. Note that TCP/IP Filtering is not available for dial-up connections. If you are using a dial-up connection to connect to the Internet, you should enable a firewall.
 * 1) Configure TCP/IP security. To do this, use the procedure for your operating system.

Windows 2000
 * a) In Control Panel, double-click Network and Dial-up Connections.
 * b) Right-click the interface that you use to access the Internet, and then click Properties.
 * c) In the Components checked are used by this connection box, click Internet Protocol (TCP/IP), and then click Properties.
 * d) In the Internet Protocol (TCP/IP) Properties dialog box, click Advanced.
 * e) Click the Options tab.
 * f) Click TCP/IP filtering, and then click Properties.
 * g) Click to select the Enable TCP/IP Filtering (All adapters) check box.
 * h) There are three columns with the following labels:
   * TCP Ports
   * UDP Ports
   * IP Protocols
   In each column, click the Permit Only option.
 * i) Click OK.

Notes
 * If your computer shuts down or restarts repeatedly when you try to follow these steps, disconnect from the Internet before you turn on your firewall. If you connect to the Internet over a broadband connection, locate the cable that runs from your external DSL or cable modem, and then unplug that cable either from the modem or from the telephone jack. If you use a dial-up connection, locate the telephone cable that runs from the modem inside your computer to your telephone jack, and then unplug that cable either from the telephone jack or from your computer.
 * If you have more than one computer sharing an Internet connection, use a firewall only on the computer that is directly connected to the Internet. Do not use a firewall on the other computers that share the Internet connection.
 * Using a firewall should not affect your e-mail service or Web browsing, but a firewall can disable some Internet software, services, or features. If this behavior occurs, you may have to open some ports on your firewall for some Internet feature to work. See the documentation that is included with the Internet service that is not working to determine which ports you must open. See the documentation that is included with your firewall to determine how to open these ports.
 * These steps are based on a modified excerpt from Microsoft Knowledge Base article 309798. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

309798 How to configure TCP/IP filtering in Windows 2000


Windows NT 4.0
 * a) In Control Panel, double-click Network.
 * b) Click the Protocol tab, click TCP/IP Protocol, and then click Properties.
 * c) Click the IP Address tab, and then click Advanced.
 * d) Click to select the Enable Security check box, and then click Configure.
 * e) In the TCP Ports, UDP Ports, and IP Protocols columns, click to select the Permit only setting.
 * f) Click OK, and then close the Network tool.

 * 2) Download the 824146 security patch, and then install it on all your computers to address the vulnerability that is identified in Microsoft Security Bulletins MS03-026 and MS03-039. To download the 824146 security patch, click the appropriate link:

Windows NT Workstation 4.0

http://download.microsoft.com/download/3/0/c/30cff3cd-414d-4754-b9db-276de8161eef/WindowsNT4Workstation-KB824146-x86-ENU.EXE

Windows NT Server 4.0

http://download.microsoft.com/download/6/2/1/6216d162-1283-4e05-a505-3dc67b70155c/WindowsNT4Server-KB824146-x86-ENU.EXE

Windows NT Server 4.0, Terminal Server Edition

http://download.microsoft.com/download/8/b/5/8b534384-5ce7-482d-8886-7c3dac565f51/WindowsNT4TerminalServer-KB824146-x86-ENU.EXE

Windows 2000

http://download.microsoft.com/download/0/A/6/0A634E35-F29A-4F26-B006-D315E898EDEF/Windows2000-KB824146-x86-ENU.exe

Note that the 824146 security patch replaces the 823980 security patch. Microsoft recommends that you install the 824146 security patch, which also includes fixes for the issues addressed in Microsoft Security Bulletin MS03-026 (823980). For more information about the 824146 security patch, click the following article number to view the article in the Microsoft Knowledge Base:

824146 MS03-039: A buffer overrun in RPCSS could allow an attacker to run malicious programs

For more information about the 823980 security patch and any prerequisites (such as a service pack for your version of Windows), click the following article number to view the article in the Microsoft Knowledge Base:

823980 MS03-026: Buffer overrun in RPC may allow code execution

 * 3) Install or update your antivirus signature software, and then run a complete system scan.
 * 4) Download and run the worm-removal tool from your antivirus vendor.

For additional technical details about the Blaster worm from antivirus software vendors who are participating in the Microsoft Virus Information Alliance (VIA), visit any of the following third-party Web sites:
 * Network Associates
   http://us.mcafee.com/virusinfo/default.asp?id=description&virus_k=100547
 * Trend Micro
   http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=worm_msblast.a
 * Symantec
   http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
 * Computer Associates
   http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=36265

Note If you do not have to use TCP filtering, you may want to disable TCP filtering after you apply the fix that is described in this article and you have verified that you have successfully removed the worm.

For additional technical details about known variants of the Blaster worm, visit the following Symantec Web sites:
 * W32.Blaster.C.Worm: Teekids.exe
   http://www.sarc.com/avcenter/venc/data/w32.blaster.c.worm.html
 * W32.Blaster.B.Worm: Penis32.exe
   http://www.sarc.com/avcenter/venc/data/w32.blaster.b.worm.html
 * W32.Randex.E: Nstask32.exe, Winlogin.exe, Win32sockdrv.dll, and Yuetyutr.dll
   http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.e.html

For more information about the Microsoft Virus Information Alliance, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/alerts/info/via.mspx

For additional information about how to recover from this worm, contact your antivirus vendor.

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
