Original issue date: August 11, 2003<br>
Last revised: August 14, 2003<br>
Source: CERT/CC<br>

A complete revision history is at the end of this file.

<h3>Systems Affected</h3>
<li>Microsoft Windows NT 4.0</li>
<li>Microsoft Windows 2000</li>
<li>Microsoft Windows XP</li>
<li>Microsoft Windows Server 2003</li>

<a name="overview"></a>

<p>The CERT/CC is receiving reports of widespread activity related to
a new piece of malicious code known as W32/Blaster.  This worm appears
to exploit known vulnerabilities in the Microsoft Remote Procedure
Call (RPC) Interface.
<a name="description">
<h2>I. Description</h2>

<p>The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM
RPC interface as described in <a
href="http://www.kb.cert.org/vuls/id/568148">VU#568148</a> and <a
Upon successful execution, the worm attempts to retrieve a copy of the
file <font face="courier">msblast.exe</font> from the compromising
host.  Once this file is retrieved, the compromised system then runs
it and begins scanning for other vulnerable systems to compromise in
the same manner. In the course of propagation, a TCP session to port
135 is used to execute the attack. However, access to TCP ports 139
and 445 may also provide attack vectors and should be considered when
applying mitigation strategies.  Microsoft has published information
about this vulnerability in Microsoft Security Bulletin 
<a href="http://microsoft.com/technet/security/bulletin/MS03-026.asp">

<p>Lab testing has confirmed that the worm includes the ability to
launch a TCP SYN flood denial-of-service attack against <a
href="http://windowsupdate.com/">windowsupdate.com</a>.  We are
investigating the conditions under which this attack might manifest
itself.  Unusual or unexpected traffic to windowsupdate.com may
indicate an infection on your network, so you may wish to monitor
network traffic.</p>

<p>Sites that do not use windowsupdate.com to manage patches may wish
to block outbound traffic to windowsupdate.com. In practice, this may
be difficult to achieve, since windowsupdate.com may not resolve to
the same address every time. Correctly blocking traffic to
windowsupdate.com will require detailed understanding of your network
routing architecture, system management needs, and name resolution
environment. You should not block traffic to windowsupdate.com without
a thorough understanding of your operational needs.</p>

<p>We have been in contact with Microsoft regarding this possibility
of this denial-of-service attack.</p>

<a name="impact">
<h3>II. Impact</h3>

<p>A remote attacker could exploit these vulnerabilities to execute
arbitrary code with Local System privileges or to cause a
denial-of-service condition.

<a name="solution">
<h3>III. Solutions</h3>

<p>(NOTE: Detailed instructions for recovering Windows XP systems from the W32/Blaster worm can be found in the <a href="http://www.cert.org/tech_tips/w32_blaster.html">W32/Blaster Recovery</a> Tech Tip)

<a name="solution.patch">
<h4>Apply patches</h4>

<p>All users are encouraged to apply the patches referred to in
Microsoft Security Bulletin <a
as soon as possible in order to mitigate the vulnerability described
in <a href="http://www.kb.cert.org/vuls/id/568148">VU#568148</a>.
These patches are also available via Microsoft's <a
href="http://windowsupdate.microsoft.com/">Windows Update</a> service.

<p>Systems running Windows 2000 may still be vulnerable to at least a
denial-of-service attack via <a
href="http://www.kb.cert.org/vuls/id/326746">VU#326746</a> if their
DCOM RPC service is available via the network. Therefore, sites are
encouraged to use the packet filtering tips below in addition to
applying the patches supplied in <a
<p>It has been reported that some affected machines are not able to stay connected to the network long enough to download patches from Microsoft.  For hosts in this situation, the CERT/CC recommends the following:
<li>Physically disconnect the system from the network.</li>
<li>Check the system for signs of compromise.</li>

<ul type="disc"><li>In most cases, an infection will be indicated by
the presence of the registry key <font
auto update"</font> with a value of <font
face="courier">msblast.exe</font>. Other possible values include <font
face="courier">teekids.exe</font> and <font
face="courier">penis32.exe</font>. If this key is present, remove it
using a registry editor.</ul>

<li>If you're infected, terminate the running copy of <font face="courier">msblast.exe</font>, <font
face="courier">teekids.exe</font> or <font
face="courier">penis32.exe</font> using the Task Manager.</li>
<li>Search for and delete files named <font face="courier">msblast.exe</font>, <font
face="courier">teekids.exe</font> or <font
<li>Take one of the
following steps to protect against the compromise prior to installing
the Microsoft patch:</li>
<ul type="disc">
<li>Disable DCOM as described in <a href="http://microsoft.com/technet/security/bulletin/MS03-026.asp">MS03-026</a> and Microsoft Knowledge Base Article <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;825750">825750</a>.</li>
<li>Enable Microsoft's Internet Connection Firewall (<a href="http://www.microsoft.com/windowsxp/home/using/howto/homenet/icf.asp">ICF</a>) or another host-level packet filtering program to block incoming connections to port 135/TCP.  Information about ICF is available in Microsoft Knowledge Base Article <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;283673">283673</a>.</li>
<li>Reconnect the system to the network and apply the patches referenced in <a href="http://microsoft.com/technet/security/bulletin/MS03-026.asp">MS03-026</a>.</li>
<p><a href="http://www.trendmicro.com/">Trend Micro, Inc.</a> has <a
a set of steps to accomplish these goals. <a
href="http://www.symantec.com">Symantec</a> has also <a
a set of steps to accomplish these goals.

<h4>Disable DCOM</h4>
Depending on site requirements, you may wish to disable DCOM as
described in <a
href="http://microsoft.com/technet/security/bulletin/MS03-026.asp">MS03-026</a>. Disabling
DCOM will help protect against this vulnerability but may also cause
undesirable side effects. Additional details on disabling DCOM and
possible side effects are available in Microsoft Knowledge Base
Article <a

<h4>Filter network traffic</h4>

<p>Sites are encouraged to block network access to the following
relevant ports at network borders.  This can minimize the potential of
denial-of-service attacks originating from outside the perimeter.  The
specific services that should be blocked include

<p>Sites should consider blocking both inbound <i>and</i> outbound
traffic to these ports, depending on network requirements, at the host
and network level. Microsoft's <a
Connection Firewall</a> can be used to accomplish these goals.

<p>If access cannot be blocked for all external hosts, the CERT/CC
recommends limiting access to only those hosts that require it for
normal operation.  As a general rule, the CERT/CC recommends filtering
<b>all</b> types of network traffic that are not required for normal

<p>Because current exploits for <a
href="http://www.kb.cert.org/vuls/id/568148">VU#568148</a> create a
backdoor, which is in some cases 4444/TCP, blocking inbound TCP
sessions to ports on which no legitimate services are provided may
limit intruder access to compromised hosts.

<h4>Recovering from a system compromise</h4>

<p>If you believe a system under your administrative control has been
compromised, please follow the steps outlined in</p>

for Recovering from a UNIX or NT System Compromise</a></dd></dl>


<p>The CERT/CC is tracking activity related to this worm as
CERT#30479.  Relevant artifacts or activity can be sent to
cert@cert.org with the appropriate CERT# in the subject line.

<a name="vendors"></a>
<h2>Appendix A.  Vendor Information</h2>

This appendix contains information provided by vendors.  When vendors
report new information, this section is updated and the changes are
noted in the revision history.  If a vendor is not listed below, we
have not received their comments.

<a name="microsoft">
<h4><a href="http://www.microsoft.com/">Microsoft</a></h4>
Please see Microsoft Security Bulletin <a href="http://microsoft.com/technet/security/bulletin/MS03-026.asp">MS03-026</a>.
<!-- end vendor -->

<a name="references"></a>
<h2>Appendix B.  References</h2>
<li>CERT/CC Advisory CA-2003-19 - <a href="http://www.cert.org/advisories/CA-2003-19.html">http://www.cert.org/advisories/CA-2003-19.html</a></li>
<li>CERT/CC Vulnerability Note VU#561284 - <a href="http://www.kb.cert.org/vuls/id/561284">http://www.kb.cert.org/vuls/id/561284</a></li>
<li>CERT/CC Vulnerability Note VU#326746 - <a href="http://www.kb.cert.org/vuls/id/326746">http://www.kb.cert.org/vuls/id/326746</a></li>
<li>Microsoft Security Bulletin MS03-026 - <a href="http://microsoft.com/technet/security/bulletin/MS03-026.asp">http://microsoft.com/technet/security/bulletin/MS03-026.asp</a></li>
<li>Microsoft Knowledge Base article 823980 - <a href="http://support.microsoft.com?kbid=823980">http://support.microsoft.com?kbid=823980</a></li>

<p>Our thanks to Microsoft Corporation for their review of and input to this advisory.</p>

<hr noshade width="100%">
<b>Authors</b>: <a href="mailto:cert@cert.org?subject=CA-2003-20%20Feedback">Chad Dougherty, Jeffrey Havrilla, Shawn Hernan, and Marty Lindner</a><br>

<!--#include virtual="/include/footer_nocopyright2.html" -->

<p>Copyright 2003 Carnegie Mellon University.</p>

<p>Revision History
August 11, 2003:  Initial release<br>
August 12, 2003:  Updated recovery steps<br>
August 12, 2003:  Added link to the W32/Blaster Tech Tip<br>
August 13, 2003:  Added filenames of known variants to removal instructions<br>
August 14, 2003:  Added port to filter (593/TCP)