-
Extreme Member!
A router seems to be plenty effective.
-
Information on what has been causing the RPC vulnerability!
New Worm Blasts Worst Window Vulnerability
August 11, 2003
About the Virus
Blaster (known as both W32.Blaster.worm and W32/Lovsan.worm) is an extremely simple new worm that exploits one of the worst Windows vulnerabilities of recent history. We reported on the critical Windows RPC flaw in an Information Alert on July 16, 2003. Shortly after our alert, proof-of-concept code exploiting this vulnerability appeared on many security mailing-lists. Even security experts were shocked by how easily the exploit code gained full control of vulnerable Windows machines. Many warned that virus authors would use this code to create the next blended threat worm. It appears those predictions have come true. We will continue to update you as new and significant information becomes available.
Distinguishing Characteristics
Blaster is so simple that it doesn't even use e-mail to spread. The worm exploits the DCOM buffer overflow (described by Microsoft and our Information Alert) exclusively over TCP port 135 to gain full control of your Windows machine.
Once the worm has control of your machine, it uses the TFTP protocol to download a file called msblast.exe to your system and adds a registry entry to ensure that this executable starts every time you boot your computer. Msblast.exe, which is the worm itself, then starts scanning random IP addresses on TCP port 135 looking for more vulnerable systems to spread to.
That's it! The worm is very simple yet it still seems to be spreading quickly. At first glance, Blaster didn't seem to contain any malicious payload. However, the latest reports indicate that machines infected by the worm may attempt to SYN flood Microsoft's "WindowsUpdate" site on August 16th. Since Blaster exploits a buffer overflow flaw, it could make an infected machine unstable and cause the machine to reboot.
What you can do
Most major anti-virus vendors already have signatures that detect Blaster. Check with your vendor for their latest update.
If you have not yet applied Microsoft's patch concerning this issue, apply the patch found in the Solution section of our July 16 Information Alert.
This worm doesn't appear to arrive in e-mail but instead spreads exclusively on TCP port 135. See below to learn how WatchGuard firewalls can help.
Suggestions for SOHO, Firebox and Vclass users
All WatchGuard firewalls block incoming access to TCP port 135 by default. As long as you have not created a service allowing TCP port 135 through your firewall, your WatchGuard firewall prevents this worm from infecting you via the Internet.
To further protect yourself from Blaster, you can also prevent outgoing TFTP access. Blocking TFTP access prevents Blaster from downloading msblast.exe, which it needs to spread. Simply create a TCP and UDP port 69 service on your WatchGuard firewall and deny both incoming and outgoing access through this service. Keep in mind, this will also prevent your users from using TFTP legitimately.
You can also use your WatchGuard firewall to block outgoing access on TCP port 135. This is called egress filtering. If you are somehow infected from Blaster through some other means, blocking outgoing TCP port 135 access will prevent your machines from spreading Blaster over the Internet. However, your internal LAN will still be susceptible to the worm if you have not patched your systems.
Suggestions for ServerLock and AppLock/Web owners
Although ServerLock protects core Windows system files and registry entries from unauthorized users who gain access to your computer using vulnerabilities like the DCOM flaw, it will not prevent the worm from using your computer to spread. The solutions above are your primary recourse.
References:
Symantec description of Blaster
McAfee description of W32/Lovsan
Credits: Researched and written by Corey Nachreiner
Go to this site, download the patch for your OS, and install it ASAP!
http://www.microsoft.com/technet/tre...n/MS03-026.asp
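An added example, not part of the original post or the WatchGuard alert: the egress behaviour described above (an infected host scanning many addresses on TCP port 135, plus outgoing TFTP on port 69) can be spotted in firewall logs. The `key=value` log format, the `192.168.1.0/24` LAN range, the threshold and all sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed internal range

# Constructed sample log lines (hypothetical key=value firewall format).
SAMPLE_LOG = [
    f"2003-08-12T10:00:{i:02d} proto=tcp src=192.168.1.23 dst=203.0.113.{i} dport=135"
    for i in range(1, 9)
] + [
    "2003-08-12T10:00:09 proto=udp src=192.168.1.23 dst=198.51.100.7 dport=69",
    "2003-08-12T10:00:10 proto=tcp src=192.168.1.40 dst=203.0.113.200 dport=135",
    "2003-08-12T10:00:11 proto=tcp src=192.168.1.51 dst=198.51.100.80 dport=80",
    "2003-08-12T10:00:12 malformed line without fields",
]


def find_suspects(lines, fanout_threshold=5):
    """Return {host: {"rpc_targets": n, "tftp": bool}} for LAN hosts whose
    outbound TCP/135 fan-out reaches the threshold."""
    rpc_targets = defaultdict(set)  # src -> distinct Internet dsts on TCP/135
    tftp_hosts = set()              # srcs seen sending to port 69 (TCP or UDP)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not parse
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # skip lines with invalid addresses
        if src not in LAN or dst in LAN:
            continue  # only LAN -> Internet (egress) traffic is of interest
        port = int(m["dport"])
        if m["proto"] == "tcp" and port == 135:
            rpc_targets[str(src)].add(dst)
        elif port == 69:
            tftp_hosts.add(str(src))
    return {
        host: {"rpc_targets": len(dsts), "tftp": host in tftp_hosts}
        for host, dsts in rpc_targets.items()
        if len(dsts) >= fanout_threshold
    }


if __name__ == "__main__":
    print(find_suspects(SAMPLE_LOG))
```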
-
Could somebody please make this a sticky, so everyone gets a chance to read it. Thanks
-
Good read, good thing people like me got a firewall
-
Member
How do I get rid of it? I got it and patched my system, but I'm assuming the worm is still here?
-
Senior Member
Applying the patch stops the virus, I believe, but also try deleting the msblast.exe and all registry entries if it managed to download that already.
-
Ultimate Member
Is there a patch for Win 98?
-
My understanding is that it does not affect Windows 98.