PSS Security Response Team Alert - New Worm: Nachi, Blaster-D, Welchia
SEVERITY: CRITICAL
DATE: 08/18/2003
PRODUCTS AFFECTED: Windows 2000 and XP, Internet Information Services 5.0
**********************************************************************
WHAT IS IT?
A new worm is spreading in the wild. The Microsoft
Product Support Services Security Team is issuing this alert to advise customers
to be on the alert for this virus as it spreads in the wild. Customers are
advised to review the information and take the appropriate action for their
environments.
IMPACT OF ATTACK: Network Propagation, Patch Installation
TECHNICAL DETAILS:
Similar to the earlier Blaster worm and its variants,
this worm also exploits the vulnerability patched by Microsoft Security Bulletin
MS03-026, and instructs target systems to download its copy from the affected
system using the TFTP program.
In addition to exploiting the RPC vulnerability patched
by Microsoft Security Bulletin
In addition upon successful infection this worm also
patches systems with the patch for Microsoft Security Bulletin
For additional details on this worm from anti-virus
software vendors participating in the Microsoft Virus Information Alliance (VIA)
please visit the following links:
Network Associates:
http://vil.nai.com/vil/content/v_100559.htm
Trend Micro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.D
Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
For more information on Microsoft's Virus Information
Alliance please visit this link: http://www.microsoft.com/technet/security/virus/via.asp
Please contact your Antivirus Vendor for additional
details on this virus.
PREVENTION:
Turn on Internet Connection Firewall (Windows XP or
Windows Server 2003) or use a third party firewall to block incoming TCP ports
80, 135, 139, 445 and 593; UDP ports 135, 137, 38.
To enable the Internet Connection Firewall in Windows XP
please see the instructions below or visit this Knowledge Base Article: http://support.microsoft.com/?id=283673
* In Control Panel, double-click
Networking and Internet Connections, and then click Network Connections.
* Right-click the connection on
which you would like to enable ICF, and then click Properties.
* On the Advanced tab, click the
box to select the option to Protect my computer or network.
This worm utilizes two previously-announced
vulnerabilities as part of its infection method. Because of this,
customers must ensure that their computers are patched for the vulnerabilities
that are identified in the following Microsoft Security
Bulletins.
Microsoft Security Bulletin
Microsoft Security Bulletin
In order to assist customers with the installation of
the patch for Microsoft Security Bulletin
RECOVERY:
If your computer has been infected with this virus,
please contact your preferred antivirus vendor or Product Support Services for
assistance with removing it.
RELATED KB ARTICLES:
http://support.microsoft.com/default.aspx?scid=kb;en-us;826234
This article will be available within 24
hours.
RELATED SECURITY BULLETINS:
Microsoft Security Bulletin
Microsoft Security Bulletin
VIRUS ALERT LINK:
http://www.microsoft.com/technet/security/virus/alerts/nachi.asp
As always please make sure to use the latest Anti-Virus
detection from your Anti-Virus vendor to detect new viruses and their
variants.
-----Original Message-----
From: Perry Lorier [mailto:perry@deeper.co.nz]
Sent: Tuesday, 19 August 2003 1:09 a.m.
To: nznog@list.waikato.ac.nz
Subject: [nznog] Weird pings
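
Added example, not part of the original alert or e-mail: a Python script that reads an Internet Connection Firewall log and counts, per source address, the dropped inbound TCP connections to the TCP ports listed under PREVENTION. The log lines, the documentation-range IP addresses and the function name summarize_drops are constructed for illustration; the UDP ports are left out of this example.

```python
from collections import defaultdict

# TCP ports the alert says to block inbound.
WATCHED_TCP = {80, 135, 139, 445, 593}

# Constructed sample in the ICF pfirewall.log layout (documentation-range IPs).
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2003-08-18 10:15:01 DROP TCP 192.0.2.10 198.51.100.5 3021 135 48 S 1000 0 16384 - - -
2003-08-18 10:15:02 DROP TCP 192.0.2.10 198.51.100.5 3022 80 48 S 1001 0 16384 - - -
2003-08-18 10:15:04 DROP UDP 192.0.2.44 198.51.100.5 1027 1900 404 - - - - - - -
2003-08-18 10:15:09 OPEN TCP 198.51.100.5 203.0.113.7 1055 80 - - - - - - - -
2003-08-18 10:16:30 DROP TCP 192.0.2.77 198.51.100.5 4410 445 48 S 2000 0 16384 - - -
2003-08-18 10:16:31 DROP TCP 192.0.2.10 198.51.100.5 3023 135 48 S 1002 0 16384 - - -
"""

def summarize_drops(log_text, local_ip, ports=WATCHED_TCP):
    """Return {src_ip: {dst_port: count}} for dropped inbound TCP to watched ports."""
    fields = []
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log header
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed records
        rec = dict(zip(fields, values))
        if rec["action"] != "DROP" or rec["protocol"] != "TCP":
            continue
        if rec["dst-ip"] != local_ip or not rec["dst-port"].isdigit():
            continue  # only traffic addressed to this host counts as inbound
        port = int(rec["dst-port"])
        if port in ports:
            hits[rec["src-ip"]][port] += 1
    return {src: dict(p) for src, p in hits.items()}

if __name__ == "__main__":
    for src, ports in sorted(summarize_drops(SAMPLE_LOG, "198.51.100.5").items()):
        print(src, ports)
```
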