New version of the MS-RPC DCOM Worm infecting machines

CITES > news > Virus Warning - August 18, 2003
from the Department of Homeland Security

OVERVIEW:
A new worm that exploits the same security weakness as the Blaster worm (also known as "lovsan" or "msblast") has been released on the Internet. This new worm, dubbed "nachi", "welchia", or "msblast.d" does not infect systems that have been updated to counter the Blaster worm in accordance with Microsoft's instructions at http://www.microsoft.com/security/incident/blast.asp. This new worm will re-infect computers that are currently infected with Blaster or one of its variants. It deletes the original worm, patches the system by downloading the update from Microsoft, and replaces the original worm with itself.

SYSTEMS AFFECTED:
Computers using the following operating systems may become infected: Microsoft Windows NT 4.0 Microsoft Windows 2000, and Microsoft Windows XP Microsoft Windows Server 2003.

IMPACT:
Scanning by the new worm is causing denial of service conditions for some organizations. Full details about what the worm does after infecting a computer are not yet fully understood. There may be other malicious aspects of this worm such as the installation of back doors that allow intruders to access or control infected machines.

DETAILS
Information on the new worm is still emerging. It appears that the worm searches for any computer that has not been updated including those machines infected with the Blaster worm and its variants. After infecting a new computer, it deletes the file msblast.exe from the infected machine. The worm then attempts to download the patch for the MS-RPC DCOM vulnerability from Microsoft's update site and then re-boots the machine if the installation is successful. It has been reported that the variant then begins scanning or flooding the network with high volumes of ICMP (Internet Control Message Protocol) traffic causing network congestion which can result in denial of service conditions. This may be a symptom of the worm's propagation and not designed intentionally as a denial of service attack.

RECOMMENDATIONS:
For Home Users:

Complete patching of systems for the MS-RPC DCOM vulnerability immediately. Detailed directions for applying the patch for your system can be found at:
http://www.cert.org/advisories/CA-2003-20.html
http://www.microsoft.com/security/incident/blast.asp
Install the latest updates from your anti-virus vendor.

For Network Administrators:

Complete patching of systems for the MS-RPC DCOM vulnerability immediately. Detailed directions for applying the patch for your system can be found at:
http://www.cert.org/advisories/CA-2003-20.html
http://www.microsoft.com/security/incident/blast.asp
Install the latest updates from your anti-virus vendor.
Continue MS-RPC DCOM mitigation strategy of blocking MS- RPC ports if possible.
Monitor your network for unusual levels of ICMP traffic, and traffic for port 707 also reportedly used by the worm.
Employ blocking strategies on border equipment. Reports have been received that the high levels of ICMP traffic have caused equipment at network borders to become congested.
Information is still emerging about this variant continue to monitor updates from your anti-virus vendor.

ADDITIONAL REFERENCES:
W32/Nachi.worm: http://vil.nai.com/vil/content/v_100559.htm
W32.Welchia.Worm: http://www.sarc.com/avcenter/venc/data/w32.welchia.worm.html
Worm_MSBLAST.D: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.D

skip navigation	\| Home \| Help Desk \| Status \| CIO \| Site Map \| Search
Services by Audience New to Campus? Students Faculty & Staff Instructors Researchers Tech Support Providers Services by Category Calendaring Classroom Technologies Computer Facilities Computing Accounts Educational Technologies Electronic Directory Email File Storage & Web Publishing Networking & Remote Access Passwords Security Services For Departments Software Telecommunications Complete List of Services General Information Training Computing/Networking 101 Contacts Glossary About CITES Job Openings go to navigation	New version of the MS-RPC DCOM Worm infecting machines CITES > news > Virus Warning - August 18, 2003 from the Department of Homeland Security OVERVIEW: A new worm that exploits the same security weakness as the Blaster worm (also known as "lovsan" or "msblast") has been released on the Internet. This new worm, dubbed "nachi", "welchia", or "msblast.d" does not infect systems that have been updated to counter the Blaster worm in accordance with Microsoft's instructions at http://www.microsoft.com/security/incident/blast.asp. This new worm will re-infect computers that are currently infected with Blaster or one of its variants. It deletes the original worm, patches the system by downloading the update from Microsoft, and replaces the original worm with itself. SYSTEMS AFFECTED: Computers using the following operating systems may become infected: Microsoft Windows NT 4.0 Microsoft Windows 2000, and Microsoft Windows XP Microsoft Windows Server 2003. IMPACT: Scanning by the new worm is causing denial of service conditions for some organizations. Full details about what the worm does after infecting a computer are not yet fully understood. There may be other malicious aspects of this worm such as the installation of back doors that allow intruders to access or control infected machines. DETAILS Information on the new worm is still emerging. It appears that the worm searches for any computer that has not been updated including those machines infected with the Blaster worm and its variants. After infecting a new computer, it deletes the file msblast.exe from the infected machine. The worm then attempts to download the patch for the MS-RPC DCOM vulnerability from Microsoft's update site and then re-boots the machine if the installation is successful. It has been reported that the variant then begins scanning or flooding the network with high volumes of ICMP (Internet Control Message Protocol) traffic causing network congestion which can result in denial of service conditions. This may be a symptom of the worm's propagation and not designed intentionally as a denial of service attack. RECOMMENDATIONS: For Home Users: Complete patching of systems for the MS-RPC DCOM vulnerability immediately. Detailed directions for applying the patch for your system can be found at: http://www.cert.org/advisories/CA-2003-20.html http://www.microsoft.com/security/incident/blast.asp Install the latest updates from your anti-virus vendor. For Network Administrators: Complete patching of systems for the MS-RPC DCOM vulnerability immediately. Detailed directions for applying the patch for your system can be found at: http://www.cert.org/advisories/CA-2003-20.html http://www.microsoft.com/security/incident/blast.asp Install the latest updates from your anti-virus vendor. Continue MS-RPC DCOM mitigation strategy of blocking MS- RPC ports if possible. Monitor your network for unusual levels of ICMP traffic, and traffic for port 707 also reportedly used by the worm. Employ blocking strategies on border equipment. Reports have been received that the high levels of ICMP traffic have caused equipment at network borders to become congested. Information is still emerging about this variant continue to monitor updates from your anti-virus vendor. ADDITIONAL REFERENCES: W32/Nachi.worm: http://vil.nai.com/vil/content/v_100559.htm W32.Welchia.Worm: http://www.sarc.com/avcenter/venc/data/w32.welchia.worm.html Worm_MSBLAST.D: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.D
	CITES welcomes comments about our services and comments about our web site. Return to the top of this page. Last modified December 30, 2003

Services by Audience

Services by Category

General Information

New version of the MS-RPC DCOM Worm infecting machines

CITES > news > Virus Warning - August 18, 2003 from the Department of Homeland Security

CITES > news > Virus Warning - August 18, 2003
from the Department of Homeland Security