THE WELCH COMPANY
440 Davis Court #1602
San Francisco, CA 94111-2496
415 781 5700
rodwelch@pacbell.net


S U M M A R Y


DIARY: August 16, 2003 07:13 AM Saturday; Rod Welch

Virus protection firewall information on software and router methods.

1...Summary/Objective
2...Microsoft Guidance on Recovering from Virus

ACTION ITEMS.................. Click here to comment!

1...Possibly Jonathan would look through the record on 030812, ref SDS 4

CONTACTS 

SUBJECTS
Router Netgear Purchased and Installed for Firewall to Protect C11 C1
Software Better than Hardware Router Millie's IT People at Nixon and
Guidance Microsoft Supplemental Submitted by Jerry Nord

0805 -
0805 -    ..
0806 - Summary/Objective
0807 -
080701 - Follow up ref SDS 6 0000, ref SDS 4 0000.
080702 -
080703 - Received a letter from Millie yesterday saying....
080704 -
080705 -    I was talking with our IT guy and he said that firewall software is
080706 -    better than the firewall router. What do you think?
080708 -  ..
080709 - While talking to Jerry Nord yesterday to install and configure SDS,
080710 - he seemed to indicate that CSG IT people have indicated that software
080711 - works better, as well.
080713 -  ..
080714 - On 030814 Morris offered an explanation that seemed to indicate that a
080715 - router is a stronger solution. ref SDS 6 E14G   I later asked Morris
080716 - about Millie's report.  Morris indicated that the IT professional at
080717 - N&P who spoke with Millie may have been referring to exposure to virus
080718 - through email, which a router does not filter.  McAfee on our
080719 - computers checks email for virus protection.
080720 -
080721 -
080722 -
080723 -
080724 -
0808 -

SUBJECTS
Microsoft Supplemental Guidance and Offers Services of His Son
Virus Problem Detect Recover and Prevent Virus Jerry Submits Guidance
History Cannot Find Anything for Links to Provide Context because Fin
Article f: 05 03000 BC 030812fc 030812fc.............. Virus Blaster
Additional Microsoft Guidance and Offers Services of His Son

120701 -  ..
120702 - Microsoft Guidance on Recovering from Virus
120703 -
120704 - Follow up ref SDS 6 0000, ref SDS 4 0125.
120705 -
120706 - Received letter from Jerry Nord at CSG following up correspondence
120707 - answering request for help on 030813, ref SDS 5 0001, and linked to
120708 - the record on 030812. ref SDS 4 0001
120710 -  ..
120711 - Jerry mentions his son Jonathan is providing support for virus
120712 - problems. ref SDS 0 007X
120714 -  ..
120715 - Possibly Jonathan would look through the record on 030812, ref SDS 4
120716 - 0000, to suggest additional steps along with language to make the
120717 - record more useful to people who need help, like Theresa on 030813.
120718 - ref SDS 5 286F
120720 -  ..
120721 - Jerry says....
120722 -
120723 -    1.  Subject: FW: Actions for the Blaster Worm - Special Edition, MSDN Flash
120724 -        Date: Fri, 15 Aug 2003 09:01:18 -0500
120725 -        From: "Jerry"
120726 -        To: "Rod Welch" rodwelch@pacbell.net
120728 -         ..
120729 -    2.  FYI - you may want to forward this to those who may still have
120730 -        questions about this virus attack.  I saw an email yesterday
120731 -        from you regarding questions someone was asking.
120733 -         ..
120734 -        JerryN
120736 -         ..
120737 -    3.  p.s.
120738 -
120739 -        if that person has a highspeed internet connection, Jonathan
120740 -        (my son) may be able to help.
120742 -  ..
120743 - Sent an email to Jerry with link to this record for consideration of
120744 - follow up, per above. ref SDS 0 XG9N
120746 -  ..
120747 - Jerry's letter continues with an attached source from Microsoft....
120748 -
120749 -    4.  -----Original Message-----
120750 -        From: Microsoft
120751 -        Sent: Thursday, August 14, 2003 5:44 PM
120752 -        To: Jerry
120753 -        Subject: Actions for the Blaster Worm -
120754 -                 Special Edition, MSDN Flash
120756 -         ..
120757 -    5.  You are receiving this message because you are a Microsoft
120758 -        newsletter subscriber. Please print this page for your
120759 -        reference.
120761 -  ..
120762 - Microsoft guidance to "print" for reference shows cultural lag that
120763 - forces people to rely on documents for managing information that slow
120764 - progress toward a paperless office to improve productivity using a
120765 - computer to convert information into knowledge.   Slow progress at
120766 - Microsoft was reported previously by Steve Ballmer on 010510 saying
120767 - work on technology to improve productivity will take about five (5)
120768 - years. ref SDS 1 8Y8H  More recently, on 020512 experience using SDS
120769 - at Aerospace company shows progress adding "intelligence" to information.
120770 - ref SDS 2 0001  Jerry asked about this on 030718. ref SDS 3 IE5N
120771 - POIMS explains the SDS design that advances from traditional documents
120772 - to "knowledge space." ref OF 5 1107
120774 -  ..
120775 - Microsoft continues...
120776 -
120777 -    6.  For the most recent news about Blaster, it is very important
120778 -        that you visit the Security page....
120779 -
120780 -        http://www.microsoft.com/security/incident/blast.asp.
120782 -  ..
120783 - This supplements guidance on 030812. ref SDS 4 VU4P
120785 -  ..
120786 - Microsoft continues...
120787 -
120788 -    7.  You will also find tips for helping Friends, family, and
120789 -        colleagues.
120791 -         ..
120792 -    8.  In This Newsletter:
120793 -
120794 -           •  Who Is Affected
120795 -           •  Impact of Attack
120796 -           •  Actions to Take
120797 -           •  Technical Details
120798 -           •  Recovery
120799 -           •  Related Knowledge Base
120800 -           •  Related Microsoft Security Bulletins
120801 -           •  Tips for Helping Friends, Family, and Colleagues
120802 -
120804 -         ..
120805 -    9.  At 11:34 A.M. Pacific Time on August 11, Microsoft began
120806 -        investigating a worm reported by Microsoft Product Support
120807 -        Services (PSS).  Several antivirus companies have responded and
120808 -        written tools to remove the Blaster worm.
120810 -         ..
120811 -   10.  Who Is Affected?
120813 -         ..
120814 -        Users of the following products are affected:
120815 -
120816 -           •  Microsoft® Windows NT® 4.0
120817 -           •  Microsoft Windows® 2000
120818 -           •  Microsoft Windows XP
120819 -           •  Microsoft Windows Server™ 2003
120820 -
120822 -         ..
120823 -   11.  The worm was discovered August 11. Customers who had previously
120824 -        applied the security patch MS03-026 are protected.
120826 -  ..
120827 - On 030812 installed "security patch." ref SDS 4 235K
120829 -         ..
120830 -   12.  To determine if the worm is present on your machine, see the
120831 -        technical details below. ref SDS 0 WP73
120833 -         ..
120834 -   13.  Actions for Network Administrators
120836 -         ..
120837 -        Managers of networked computers should read the Microsoft
120838 -        Product Support Services (PSS) Security Response Team alert for
120839 -        technical guidance:
120840 -
120841 -             http://www.microsoft.com/technet/treeview/default.asp?url=/tec/security/virus/alerts/msblaster.asp
120842 -
120844 -         ..
120845 -   14.  Technical Details:
120846 -
120847 -        This worm scans a random IP range to look for vulnerable
120848 -        systems on TCP port 135. The worm attempts to exploit the DCOM
120849 -        RPC vulnerability patched by MS03-026:
120850 -
120851 -             http://www.microsoft.com/technet/security/bulletin/ms03-026.asp
120853 -  ..
120854 - This guidance aligns with the report on 030812. ref SDS 4 9M6H
120856 -         ..
120857 -        Once the Exploit code is sent to a system, it downloads and
120858 -        executes the file MSBLAST.EXE from a remote system via TFTP.
120859 -        Once run, the worm creates the registry key:
120860 -
120861 -             HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
120862 -             CurrentVersion\Run "windows auto update" = msblast.exe
120863 -             I just want to say LOVE YOU SAN!! bill
120864 -
120866 -         ..
120867 -   15.  Symptoms of the virus:
120869 -         ..
120870 -        Some customers may not notice any symptoms at all. A typical
120871 -        symptom is the system reboots every few minutes without user
120872 -        input. Customers may also see:
120873 -
120874 -             •  Presence of unusual TFTP* files
120875 -
120876 -             •  Presence of the file msblast.exe in the WINDOWS
120877 -                SYSTEM32 directory
120879 -  ..
120880 - This aligns with symptoms reported on 030812. ref SDS 4 UZ3R
120882 -         ..
120883 -   16.  To detect this virus, search for msblast.exe in the WINDOWS
120884 -        SYSTEM32 directory or download the latest antivirus software
120885 -        signature from your antivirus vendor and scan your machine.
120887 -  ..
120888 - Aligns with report on 030812. ref SDS 4 VU4P
120890 -         ..
120891 -   17.  For additional information on recovering from this attack,
120892 -        please contact your preferred antivirus vendor.
120894 -         ..
120895 -   18.  Recovery:
120896 -
120897 -        Many antivirus companies have written tools to remove the known
120898 -        exploit associated with this particular worm. To download the
120899 -        removal tool from your antivirus vendor, follow the procedures
120900 -        outlined below.
120902 -         ..
120903 -   19.  For Windows XP
120904 -
120905 -        1.  If your computer reboots repeatedly, please unplug your
120906 -            network cable from the wall.
120907 -
120908 -
120909 -        2.  First, enable Internet Connection Firewall (ICF) in Windows
120910 -            XP:
120912 -             ..
120913 -            http://support.microsoft.com/?id=283673
120915 -             ..
120916 -            In Control Panel, double-click "Networking and Internet
120917 -            Connections", and then click "Network Connections".
120919 -             ..
120920 -            Right-click the connection on which you would like to
120921 -            enable ICF, and then click "Properties".
120923 -             ..
120924 -            On the Advanced tab, click the box to select the option to
120925 -            "Protect my computer or network".
120927 -             ..
120928 -        3.  Plug the network cable back into the wall to reconnect
120929 -            your computer to the Internet
120931 -             ..
120932 -        4.  Download the MS03-026 security patch from Microsoft and
120933 -            install it on your computer:
120935 -             ..
120936 -            Windows XP (32 bit)
120938 -             ..
120939 -            http://www.microsoft.com/downloads/details.aspx?FamilyID=2354406c-c5b6-44ac-9532-3de40f69c074&displaylang=en
120941 -             ..
120942 -            Windows XP (64 bit)
120944 -             ..
120945 -            http://www.microsoft.com/downloads/details.aspx?FamilyID=1b00f5df-4a85-488f-80e3-c347adcc4df1&displaylang=en
120947 -             ..
120948 -        5.  Install or update your antivirus signature software and
120949 -            scan your computer
120951 -             ..
120952 -        6.  Download and run the worm removal tool from your antivirus
120953 -            vendor.
120955 -         ..
120956 -   20.  For Windows 2000 systems,
120957 -
120958 -        ...where Internet Connection Firewall (ICF) is not available,
120959 -        the following steps will help block the affected ports so that
120960 -        the system can be patched.  These steps are based on a modified
120961 -        excerpt from the article; HOW TO: Configure TCP/IP Filtering in
120962 -        Windows 2000.
120963 -
120964 -              http://support.microsoft.com/?id=309798
120966 -             ..
120967 -        1.  Configure TCP/IP security on Windows 2000:
120968 -
120969 -            Select "Network and Dial-up Connections" in Control Panel.
120971 -  ..
120972 - Experience on 030812 indicated this procedure failed. ref SDS 4 IQ5M
120974 -  ..
120975 - Another report of failure using TCP/IP filtering on 030814.
120976 - ref SDS 6 0001
120978 -             ..
120979 -            Right-click the interface you use to access the Internet,
120980 -            and then click "Properties".
120982 -             ..
120983 -            In the "Components checked are used by this connection"
120984 -            box, click "Internet Protocol (TCP/IP)", and then click
120985 -            "Properties".
120987 -             ..
120988 -            In the Internet Protocol (TCP/IP) Properties dialog box,
120989 -            click "Advanced".
120991 -             ..
120992 -            Click the "Options" tab.
120994 -             ..
120995 -            Click "TCP/IP filtering", and then click "Properties".
120997 -             ..
120998 -            Select the "Enable TCP/IP Filtering (All adapters)" check box.
121000 -             ..
121001 -            There are three columns with the following labels:
121002 -
121003 -                       TCP Ports
121004 -                       UDP Ports
121005 -                       IP Protocols
121007 -             ..
121008 -            In each column, you must select the "Permit Only" option.
121010 -             ..
121011 -            Click OK.
121013 -             ..
121014 -        2.  Download the MS03-026 security patch for Windows 2000 from
121015 -            Microsoft and install it on your computer from:
121016 -
121017 -              http://www.microsoft.com/downloads/details.aspx?FamilyID=c8b8a846-f541-4c15-8c9f-220354449117&displaylang=en
121018 -
121020 -             ..
121021 -        3.  Install or update your antivirus signature software and
121022 -            scan your computer
121024 -             ..
121025 -        4.  Then, download and run the worm removal tool from your
121026 -            antivirus vendor.
121027 -
121029 -         ..
121030 -   21.  For additional details on this worm from antivirus software
121031 -        vendors participating in the Microsoft Virus Information
121032 -        Alliance (VIA), please visit the following links:
121034 -            ..
121035 -        •  Network Associates:
121036 -
121037 -              http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547
121039 -            ..
121040 -        •  Trend Micro:
121041 -
121042 -              http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
121044 -            ..
121045 -        •  Symantec:
121046 -
121047 -              http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
121049 -            ..
121050 -        •  Computer Associates:
121051 -
121052 -              http://www3.ca.com/virusinfo/virus.aspx?ID=36265
121054 -         ..
121055 -   22.  For more information on Microsoft's Virus Information Alliance, please visit
121056 -        this link:
121057 -
121058 -              http://www.microsoft.com/technet/security/virus/via.asp
121060 -         ..
121061 -   23.  Please contact your antivirus vendor for additional details on
121062 -        this virus.
121064 -         ..
121065 -   24.  Prevention:
121067 -             ..
121068 -        1.  Turn on Internet Connection Firewall (Windows XP or
121069 -            Windows Server 2003) or use a third-party firewall to block
121070 -            TCP ports 135, 139, 445 and 593; UDP ports 135, 137, 138; also
121071 -            UDP 69 (TFTP) and TCP 4444 for remote command shell.
121073 -             ..
121074 -            To enable the Internet Connection Firewall in Windows:
121075 -
121076 -               http://support.microsoft.com/?id=283673
121078 -             ..
121079 -            --In Control Panel, double-click "Networking and Internet
121080 -            Connections", and then click "Network Connections".
121082 -             ..
121083 -            --Right-click the connection on which you would like to
121084 -            enable ICF, and then click "Properties".
121086 -             ..
121087 -            --On the Advanced tab, click the box to select the option
121088 -            to "Protect my computer or network".
121090 -             ..
121091 -            This worm utilizes a previously announced vulnerability as
121092 -            part of its infection method. Because of this, customers
121093 -            must ensure that their computers are patched for the
121094 -            vulnerability that is identified in Microsoft Security
121095 -            Bulletin MS03-026.
121096 -
121097 -               http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.
121098 -
121100 -             ..
121101 -        2.  Install the patch MS03-026 from the Microsoft Download
121102 -            Center: Windows NT 4 Server & Workstation
121103 -
121104 -               http://www.microsoft.com/downloads/details.aspx?FamilyID=2cc66f4e-217e-4fa7-bdbf-df77a0b9303f&DisplayLang=en
121106 -             ..
121107 -            Windows NT 4 Terminal Server Edition
121108 -
121109 -               http://www.microsoft.com/downloads/details.aspx?FamilyID=6c0f0160-64fa-424c-a3c1-c9fad2dc65ca&DisplayLang=en
121111 -             ..
121112 -            Windows 2000
121113 -
121114 -               http://www.microsoft.com/downloads/details.aspx?FamilyID=c8b8a846-f541-4c15-8c9f-220354449117&displaylang=en
121116 -             ..
121117 -            Windows XP (32 bit)
121118 -
121119 -               http://www.microsoft.com/downloads/details.aspx?FamilyID=2354406c-c5b6-44ac-9532-3de40f69c074&displaylang=en
121121 -             ..
121122 -            Windows XP (64 bit)
121123 -
121124 -               http://www.microsoft.com/downloads/details.aspx?FamilyID=1b00f5df-4a85-488f-80e3-c347adcc4df1&displaylang=en
121126 -             ..
121127 -            Windows 2003 (32 bit)
121128 -
121129 -               http://www.microsoft.com/downloads/details.aspx?FamilyID=f8e0ff3a-9f4c-4061-9009-3a212458e92e&DisplayLang=en
121131 -             ..
121132 -            Windows 2003 (64 bit)
121133 -
121134 -               http://www.microsoft.com/downloads/details.aspx?FamilyID=2b566973-c3f0-4ec1-995f-017e35692bc7&DisplayLang=en
121136 -             ..
121137 -        3.  As always, please make sure to use the latest antivirus
121138 -            detection from your antivirus vendor to detect new viruses
121139 -            and their variants.
121141 -         ..
121142 -   25.  Related Knowledge Base Articles:
121143 -
121144 -           http://support.microsoft.com/?kbid=826955
121146 -         ..
121147 -   26.  Related Microsoft Security Bulletins:
121148 -
121149 -           http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
121151 -         ..
121152 -   27.  If you have any questions regarding this alert, please contact
121153 -        your Microsoft representative or 1-866-727-2338
121154 -        (1-866-PCSafety) within the United States; outside of the
121155 -        United States please contact your local Microsoft Subsidiary.
121156 -
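The indicators in the Technical Details and Symptoms items above (the Run key value "windows auto update" = msblast.exe, msblast.exe and unusual TFTP* files in SYSTEM32, scanning of TCP 135) and the port list in the Prevention item can be turned into a repeatable triage check. The script below is an added example, not code from the Microsoft alert, from Jerry, or from the SDS record. It runs offline over text captured from an infected or suspect machine with `reg query`, `dir`, and `netstat -an`; the sample artifacts, the scan threshold of 20 half-open connections, and the exclusion of the legitimate tftp.exe client from the "unusual TFTP* files" symptom are assumptions made for the example.

```python
"""Blaster (MSBlast) indicator triage over captured host artifacts.

Added example for the alert quoted above; not Microsoft's or the SDS author's code.
Inputs are plain text lines as produced by `reg query`, `dir /b`, and `netstat -an`.
"""
import re
from dataclasses import dataclass

# Indicators stated in the alert's Technical Details and Symptoms items.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "windows auto update"   # value name the worm writes under Run
WORM_FILE = "msblast.exe"                # dropped into WINDOWS\SYSTEM32
SCAN_PORT = 135                          # worm probes TCP 135 on random IP ranges
SHELL_PORT = 4444                        # remote command shell port named in Prevention

# Ports the Prevention item says to block at ICF or a third-party firewall.
BLOCK_TCP = frozenset({135, 139, 445, 593, 4444})
BLOCK_UDP = frozenset({69, 135, 137, 138})


@dataclass(frozen=True)
class Finding:
    indicator: str
    evidence: str


# `reg query` prints:   <value name>    REG_SZ    <data>   (two or more spaces between columns)
_REG_LINE = re.compile(r"^\s*(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*?)\s*$")
# `netstat -an` prints: TCP  <local>  <remote>  <state>   or   UDP  <local>  *:*
_NETSTAT_LINE = re.compile(r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?\s*$")


def _port(endpoint):
    """'0.0.0.0:4444' -> 4444 (IPv4 only, which is all netstat shows on these systems)."""
    return int(endpoint.rsplit(":", 1)[1])


def check_run_key(reg_query_lines):
    """Flag the persistence value the alert describes under the Run key."""
    found = []
    for line in reg_query_lines:
        m = _REG_LINE.match(line)
        if not m:
            continue
        name, data = m.group("name").lower(), m.group("data").lower()
        if name == RUN_VALUE_NAME or data.endswith(WORM_FILE):
            found.append(Finding("run-key persistence", line.strip()))
    return found


def check_system32(dir_entries):
    """Flag msblast.exe and the 'unusual TFTP* files' symptom in a SYSTEM32 listing."""
    found = []
    for name in dir_entries:
        lower = name.lower()
        if lower == WORM_FILE:
            found.append(Finding("worm binary in SYSTEM32", name))
        elif lower.startswith("tftp") and lower != "tftp.exe":   # tftp.exe ships with Windows (assumption: treat as benign)
            found.append(Finding("unusual TFTP* file", name))
    return found


def check_netstat(netstat_lines, scan_threshold=20):
    """Flag a listener on TCP 4444 and a burst of half-open connections to TCP 135 (scanning)."""
    found, syn_sent_135 = [], 0
    for line in netstat_lines:
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local, remote, state = m.group("proto", "local", "remote", "state")
        if proto == "TCP" and state == "LISTENING" and _port(local) == SHELL_PORT:
            found.append(Finding("listener on TCP 4444", line.strip()))
        if proto == "TCP" and state == "SYN_SENT" and _port(remote) == SCAN_PORT:
            syn_sent_135 += 1
    if syn_sent_135 >= scan_threshold:
        found.append(Finding("outbound scan of TCP 135", f"{syn_sent_135} half-open connections to port 135"))
    return found


def unblocked_exposure(netstat_lines, tcp_blocked=frozenset(), udp_blocked=frozenset()):
    """Ports from the alert's block list that are bound on the host and not yet covered by a rule."""
    exposed = set()
    for line in netstat_lines:
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, port, state = m.group("proto"), _port(m.group("local")), m.group("state")
        if proto == "TCP" and state == "LISTENING" and port in BLOCK_TCP and port not in tcp_blocked:
            exposed.add(("TCP", port))
        elif proto == "UDP" and port in BLOCK_UDP and port not in udp_blocked:
            exposed.add(("UDP", port))
    return sorted(exposed)


def triage(reg_query_lines, dir_entries, netstat_lines):
    return check_run_key(reg_query_lines) + check_system32(dir_entries) + check_netstat(netstat_lines)


# Constructed sample artifacts (not captured from a real machine).
SAMPLE_REG = [
    RUN_KEY,
    "    SunJavaUpdateSched    REG_SZ    C:\\Program Files\\Java\\bin\\jusched.exe",
    "    windows auto update    REG_SZ    msblast.exe",
]
SAMPLE_SYSTEM32 = ["kernel32.dll", "tftp.exe", "msblast.exe", "TFTP3412"]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING",
    "  TCP    0.0.0.0:445     0.0.0.0:0    LISTENING",
    "  TCP    0.0.0.0:4444    0.0.0.0:0    LISTENING",
    "  UDP    0.0.0.0:137     *:*",
] + [f"  TCP    192.168.1.20:{1025 + i}    10.{i}.4.7:135    SYN_SENT" for i in range(25)]

if __name__ == "__main__":
    for f in triage(SAMPLE_REG, SAMPLE_SYSTEM32, SAMPLE_NETSTAT):
        print(f"{f.indicator:28} {f.evidence}")
    print("still exposed:", unblocked_exposure(SAMPLE_NETSTAT))
```

On the sample, the triage reports the Run key value, msblast.exe, the TFTP3412 file, the 4444 listener and the 135 scan; `unblocked_exposure` lists TCP 135, 445, 4444 and UDP 137 as bound and reachable until the firewall rules from the Prevention item are in place, and returns an empty list once `BLOCK_TCP` and `BLOCK_UDP` are passed as the blocked sets. The registry and netstat parsers key on column layout, so a machine whose `reg query` locale prints a different column spacing would need the regexes adjusted.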
121157 -
121158 -
121159 -
121160 -
121161 -
121162 -
121163 -
121164 -
121165 -
121166 -
121167 -
121168 -
121169 -
121170 -
121171 -
121172 -
121173 -
1212 -