Apply patches
All users are encouraged to apply the patches referred to in Microsoft Security Bulletin MS03-026 as soon as possible in order to mitigate the vulnerability described in VU#568148. These patches are also available via Microsoft's Windows Update service.
Systems running Windows 2000 may still be vulnerable to at least a denial-of-service attack via VU#326746 if their DCOM RPC service is available via the network. Therefore, sites are encouraged to use the packet filtering tips below in addition to applying the patches supplied in MS03-026.
It has been reported that some affected machines are not able to stay connected to the network long enough to download patches from Microsoft. For hosts in this situation, the CERT/CC recommends the following:
- Physically disconnect the system from the network.
- Check the system for signs of compromise.
  - In most cases, an infection will be indicated by the presence of the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update" with a value of msblast.exe. Other possible values include teekids.exe and penis32.exe. If this key is present, remove it using a registry editor.
  - If you're infected, terminate the running copy of msblast.exe, teekids.exe or penis32.exe using the Task Manager.
  - Search for and delete files named msblast.exe, teekids.exe or penis32.exe.
- Take one of the following steps to protect against the compromise prior to installing the Microsoft patch:
  - Disable DCOM as described in MS03-026 and Microsoft Knowledge Base Article 825750.
  - Enable Microsoft's Internet Connection Firewall (ICF) or another host-level packet filtering program to block incoming connections to port 135/TCP. Information about ICF is available in Microsoft Knowledge Base Article 283673.
- Reconnect the system to the network and apply the patches referenced in MS03-026.
Trend Micro, Inc. has published a set of steps to accomplish these goals. Symantec has also published a set of steps to accomplish these goals.
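The compromise checks above (Run key, running process, dropped file, and the 4444/TCP backdoor mentioned under "Filter network traffic") can be collected in one read-only triage script. This is an added example, not part of the CERT/CC advisory or the vendor documents; it assumes a host with PowerShell 5.1 or later and reports findings without deleting anything, so the operator can follow the removal steps above deliberately.

```powershell
# Added triage script (not from the advisory): reports host-level indicators listed
# above without modifying the system. Assumes PowerShell 5.1+; run from an elevated prompt.
$RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$Binaries = @('msblast.exe', 'teekids.exe', 'penis32.exe')   # file names named in the advisory
$findings = @()

# 1. Registry persistence: any Run value (the advisory names "windows auto update")
#    whose data points at one of the worm binaries.
$key = Get-Item -Path $RunKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        foreach ($bin in $Binaries) {
            if ($data -match [regex]::Escape($bin)) {
                $findings += "Run value '$name' = '$data'"
            }
        }
    }
}

# 2. Running process with one of the binary names (Get-Process wants the name without .exe).
foreach ($bin in $Binaries) {
    $procName = [IO.Path]::GetFileNameWithoutExtension($bin)
    foreach ($p in (Get-Process -Name $procName -ErrorAction SilentlyContinue)) {
        $findings += "Process $($p.Name) (PID $($p.Id)) is running"
    }
}

# 3. Files with those names anywhere under the Windows directory.
foreach ($f in (Get-ChildItem -Path $env:SystemRoot -Recurse -Force -Include $Binaries -ErrorAction SilentlyContinue)) {
    $findings += "File present: $($f.FullName)"
}

# 4. A listener on 4444/TCP, the backdoor port the advisory mentions. Get-NetTCPConnection
#    is only available where the NetTCPIP module exists, so its absence is tolerated.
foreach ($c in (Get-NetTCPConnection -LocalPort 4444 -State Listen -ErrorAction SilentlyContinue)) {
    $findings += "TCP listener on 4444 owned by PID $($c.OwningProcess)"
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the listed indicators were found on this host.'
} else {
    Write-Output 'Indicators found; disconnect the host from the network and follow the steps above:'
    foreach ($item in $findings) { Write-Output "  $item" }
}
```

A clean result from this script is not proof of a clean system; the "Recovering from a system compromise" section below still applies if other evidence of intrusion exists.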
Disable DCOM
Depending on site requirements, you may wish to disable DCOM as described in MS03-026. Disabling DCOM will help protect against this vulnerability but may also cause undesirable side effects. Additional details on disabling DCOM and possible side effects are available in Microsoft Knowledge Base Article 825750.
Filter network traffic
Sites are encouraged to block network access to the following relevant ports at network borders. This can minimize the potential of denial-of-service attacks originating from outside the perimeter. The specific services that should be blocked include:
- 69/UDP
- 135/TCP
- 135/UDP
- 139/TCP
- 139/UDP
- 445/TCP
- 445/UDP
- 593/TCP
- 4444/TCP
Sites should consider blocking both inbound and outbound traffic to these ports, depending on network requirements, at the host and network level. Microsoft's Internet Connection Firewall can be used to accomplish these goals.
If access cannot be blocked for all external hosts, the CERT/CC recommends limiting access to only those hosts that require it for normal operation. As a general rule, the CERT/CC recommends filtering all types of network traffic that are not required for normal operation.
Because current exploits for VU#568148 create a backdoor, which is in some cases 4444/TCP, blocking inbound TCP sessions to ports on which no legitimate services are provided may limit intruder access to compromised hosts.
Recovering from a system compromise
If you believe a system under your administrative control has been compromised, please follow the steps outlined in
- Steps for Recovering from a UNIX or NT System Compromise
Reporting
The CERT/CC is tracking activity related to this worm as CERT#30479. Relevant artifacts or activity can be sent to cert@cert.org with the appropriate CERT# in the subject line.
Appendix A. Vendor Information
This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.