Microsoft KB Archive/826369

= How to Use the KB 823980 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) Security Patch Installed =

PSS ID Number: 826369

Article Last Modified on 12/3/2003

-

The information in this article applies to:


 * Microsoft Windows Server 2003, Standard Edition
 * Microsoft Windows Server 2003, Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, 64-Bit Enterprise Edition
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Media Center Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Tablet PC Edition
 * Microsoft Windows XP 64-Bit Edition Version 2003
 * Microsoft Windows XP 64-Bit Edition Version 2002
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Professional
 * Microsoft Windows 2000 Server
 * Microsoft Windows NT Server 4.0
 * Microsoft Windows NT Server 4.0 Terminal Server Edition
 * Microsoft Windows NT Workstation 4.0

-



Important On September 10, 2003, Microsoft released the KB 824146 scanning tool (KB824146scan.exe) to replace the KB 823980 scanning tool (KB823980scan.exe). (The KB823980scan.exe scanning tool is described in this article, 826369.) KB824146scan.exe can be used to determine whether computers are patched with the 824146 (MS03-039) security patch. The 824146 (MS03-039) security patch includes the 823980 (MS03-026) security patch. Therefore, in effect, the KB824146scan.exe tool scans for both security patches. The KB823980scan.exe tool is no longer available from Microsoft. If you use the KB823980scan.exe tool to scan a computer that has the 824146 security patch installed, the tool will incorrectly report that the computer is missing the 823980 security patch (MS03-026). Microsoft encourages customers to use the KB824146scan.exe instead. For additional information about the KB824146scan.exe tool, click the following article number to view the article in the Microsoft Knowledge Base:

827363 How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed

For additional information about the 824146 security patch (MS03-039), click the following article number to view the article in the Microsoft Knowledge Base:

824146 MS03-039: Buffer Overrun in RPCSS May Allow Code Execution



SUMMARY
Microsoft has released the KB 823980 scanning tool (KB823980scan.exe) that network administrators can use to identify host computers on their networks that do not have the 823980 security patch (MS03-026) installed. For additional information about the 823980 security patch (MS03-026), click the following article number to view the article in the Microsoft Knowledge Base:

823980 MS03-026: Buffer Overrun in RPC Interface May Allow Code Execution

For additional information about a new worm virus that tries to exploit the DCOM RPC vulnerability that is fixed by the 823980 security patch (MS03-026), click the following article number to view the article in the Microsoft Knowledge Base:

826955 Virus Alert About the Blaster Worm and Its Variants

For additional information about how network administrators can use Windows Management Instrumentation scripting to install the 823980 security patch (MS03-026) on unpatched computers in their Windows NT, Windows 2000, or Windows Server 2003 domain, click the following article number to view the article in the Microsoft Knowledge Base:

827227 How to Use a Visual Basic Script to Install the 823980 Security Patch (MS03-026) on Remote Host Computers



MORE INFORMATION
The KB823980scan.exe tool can scan remote host computers without requiring authentication (that is, you do not have to supply valid credentials on the remote host computer). Use of the KB823980scan.exe tool does not affect the stability of the target operating system that is scanned.

You can use the KB823980scan.exe tool from a Windows Server 2003-based, Windows XP-based, or Windows 2000-based computer to scan your network to identify host computers that do not have the 823980 security patch (MS03-026) installed.

Download Information
The KB823980scan.exe tool has been replaced by the KB824146scan.exe tool. As a result, the KB823980scan.exe tool is no longer available to download from Microsoft. Microsoft encourages customers to use the KB824146scan.exe instead of the KB823980scan.exe tool. For additional information about the KB824146scan.exe tool, click the following article number to view the article in the Microsoft Knowledge Base:

827363 How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) or 824146 (MS03-039) Security Patches Installed

If you have already downloaded the KB823980scan.exe tool and if you have not applied the 824146 security patch, you can use the KB823980scan.exe tool to determine whether the 823980 security patch (MS03-026) is installed.

To install the KB823980scan.exe tool, double-click the DCOM-KB826369-X86-ENU.exe installation package that you downloaded. The tool is a command-line utility that is installed in the KB823980Scan subfolder of the Program Files folder or the Program Files (x86) folder for 64-bit versions of Windows XP or Windows Server 2003.

Usage
When you run the KB823980scan.exe tool with the /? switch (or with no switches), the following information is shown: Microsoft (R) KB823980 Scanner Version 1.00.0002 for 80x86 Copyright (c) Microsoft Corporation 2003. All rights reserved.

The purpose of KB823980Scan.exe is to audit Windows systems over the network for KB823980 patch compliance. KB823980Scan.exe allows administrators to quickly scan enterprise networks for unpatched systems.

Usage: KB823980Scan.exe [/?] [/i:input_file] [/l[:log_file]] [/o:out_file] [/t:timeout] [/v] target ...

Targets can take any of the following forms:

a.b.c.d            - IP address a.b.c.d-i.j.k.l    - IP address range a.b.c.d/mask       - IP address with CIDR mask host               - unqualified hostname host.domain.com    - fully-qualified domain name localhost          - check local machine

Targets can be specified on the command line & in user-specified input files.

KB823980Scan.exe maintains an informational log in the current directory. The log files will take the form KB823980Scan_YYMMDD[a-z][a-z].log, where YY is the two digit year, MM is the two digit month, and DD is the two digit day. The [a-z][a-z] will be appended to the log file name as additional scans are completed on the same day.

KB823980Scan.exe will create a list of vulnerable systems (unpatched as well as those with KB823980 installed) in the current working directory. This file should be fed as input to the autopatching script that you write. This file will be named &quot;Vulnerable.txt&quot; by default. Its name can be changed with the /o switch.

KB823980Scan.exe has a default timeout of 5 seconds, which should be fine for most networks. If your network is slow or has IPSec enabled then you might want to increase the timeout to 10 seconds or more.

Sample Output
C:\>kb823980scan 10.1.1.1/24

Microsoft (R) KB823980 Scanner Version 1.00.0002 for 80x86 Copyright (c) Microsoft Corporation 2003. All rights reserved.

<+> Starting scan (timeout = 5000 ms)

Checking 10.1.1.0 - 10.1.1.255 10.1.1.1: connection to tcp/135 refused 10.1.1.2: unpatched 10.1.1.3: host unreachable 10.1.1.4: patched with KB823980 10.1.1.5: patched with KB823980 10.1.1.6: patched with KB823980 10.1.1.7: connection to tcp/135 refused 10.1.1.8: unpatched 10.1.1.9: patched with KB823980 . . ..

<-> Scan completed

Statistics:

Patched with KB823980   = 40 Unpatched               = 11 TOTAL HOSTS SCANNED     = 51

Needs Investigation     = 0 Connection refused      = 3 Host unreachable        = 202 Errors                  = 0 TOTAL HOSTS SKIPPED     = 205

TOTAL ADDRESSES SCANNED = 256

Explanation of Error Messages, Status, and Statistics

 * A &quot;host unreachable&quot; error message indicates that no host is present at the specified Internet Protocol (IP) address. Additionally, a firewall that black holes packets, such as Internet Connection Firewall (ICF), also returns a &quot;host unreachable&quot; error message.
 * A &quot;connection to tcp/135 refused&quot; error message indicates either that no service is listening on TCP port 135 or that TCP port 135 is being filtered (either by the Windows TCP/IP stack or by a firewall or a router).
 * An &quot;unpatched&quot; status indicates that the host that was scanned is a Windows host but does not have the 823980 security patch (MS03-026)installed.
 * The &quot;Needs Investigation&quot; counter indicates that some Internet protocols did not respond to a connection attempt on TCP port 135 and therefore could not be scanned for the security patches.

Log Files That the KB823980scan.exe Tool Creates
 KB823980Scan_ .log: This log file is for informational purposes. Vulnerable.txt: This log file contains a list of the IP addresses for computers on your network that do not have the 823980 (MS03-026) security patch installed. You can use the Vulnerable.txt log file without modification as the input file for the Patchinstall.vbs script that is described in Microsoft Knowledge Base article 827227. Note that the Vulnerable.txt log file is overwritten every time that you run KB823980scan.exe. For the sample output that is described in the &quot;Sample Output&quot; section in this article, the Vulnerable.txt log file would contain the following entries:

10.1.1.2

10.1.1.8





Known Issues

 * You cannot use double-byte character set (DBCS) characters in the path for the input file, the output file, the log file, or the host computer when you use the KB823980scan.exe tool.
 * You cannot run the KB823980scan.exe tool on a computer that is running Windows NT 4.0, Microsoft Windows 98, or Microsoft Windows Millennium Edition. However, you can run this tool from Windows Server 2003-based, Windows XP-based, or Windows 2000-based computers to scan a remote host computer that is running Windows NT 4.0.

Additional query words: dcomscan ms03-026 rpc dcom patch scanner 1.0 exploit vulnerability patch rpcss

Keywords: kbhowto KB826369

Technology: kbNTTermServ400 kbNTTermServSearch kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000DataServ kbwin2000DataServSearch kbwin2000Pro kbwin2000ProSearch kbwin2000Search kbwin2000Serv kbwin2000ServSearch kbWinAdvServSearch kbWinDataServSearch kbWinNT400search kbWinNTS400 kbWinNTS400search kbWinNTsearch kbWinNTSsearch kbWinNTW400 kbWinNTW400search kbWinNTWsearch kbWinServ2003Data kbWinServ2003Data64bit kbWinServ2003Data64bitSearch kbWinServ2003DataSearch kbWinServ2003Ent kbWinServ2003Ent64bit kbWinServ2003Ent64bitSearch kbWinServ2003EntSearch kbWinServ2003Search kbWinServ2003St kbWinXPHome kbWinXPHomeSearch kbWinXPMediaCent kbWinXPPro kbWinXPPro64bit kbWinXPPro64bit2002 kbWinXPPro64bit2002Search kbWinXPPro64bit2003 kbWinXPPro64bit2003Search kbWinXPPro64bitSearch kbWinXPProSearch kbWinXPSearch kbWinXPTabPC

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© 2004 Microsoft Corporation. All rights reserved.