8/11/2003 - RPC DCOM Worm On The Loose (W32.Blaster.Worm / WORM_MSBLAST.A)
More information and removal instructions for the W32.Blaster.Worm / WORM_MSBLAST.A (8/11/2003) can be found at the Norton link below. Please read and follow the instructions found there. After visiting the Norton link and following its instructions, see the additional instructions and suggestions below. For additional help, contact your computer maker, your local computer shop, your anti-virus program vendor, or Microsoft. If you need a suggestion for a local computer shop, feel free to call our office.
[Norton] http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
Microsoft has also provided instructions to help protect your computer and to recover if your computer has been infected...
[MICROSOFT] http://www.microsoft.com/security/incident/blast.asp
Symptoms include Windows shutting down with this message...
> "This system is shutting down. Please save all work in
> progress and log off. Any unsaved changes will be lost.
> This shutdown was initiated by NT Authority \ System.
>
> Message: Windows must restart now because the Remote
> Procedure Call (RPC) service terminated unexpectedly."
The worm spreads to and infects computers that have not installed the latest security patches for Windows (dated July 16th). The security patch that must be installed to prevent this infection (and reinfection) can be found at the link below. Visit this link and follow the instructions to install the patch(es)...
[Microsoft] http://www.microsoft.com/security/security_bulletins/ms03-026.asp
To remove this worm you must:
- Windows XP users: enable the Internet Connection Firewall in Windows XP. Users of other Windows versions: skip to the next step.
- Install the latest security patches including MS03-026 by visiting Windows Update...
- [VERY IMPORTANT] Visit this link and follow the instructions provided there (including using the "removal tool")...
- Update your AntiVirus software and run a full system scan. Also, run the free online Housecall virus scan to confirm that no known viruses/worms still remain on the computer...
- Download and run any appropriate removal tool(s) to kill any additional worms, backdoors, and other malware that were detected by the anti-virus scan.
- Check Windows Update again to confirm that all "Critical Updates" have been installed...
To prevent infection/reinfection:
- Install the latest security patches including MS03-026 by visiting Windows Update. Always keep Windows up-to-date with the latest security patches. Set your computer to automatically check for Windows Updates (Windows XP, Windows 2000, Windows ME, Windows 98) and Anti-Virus software updates.
- Use a router with a firewall or install a software-based personal firewall such as the free Zone Alarm program (http://www.zonelabs.com/) or the built-in Windows XP firewall (http://www.microsoft.com/WindowsXP/home/using/howto/homenet/icf.asp).
More info:
http://www.cert.org/advisories/CA-2003-20.html
http://news.com.com/2100-1002_3-5062364.html
http://www.crn.com/sections/BreakingNews/dailyarchives.asp?ArticleID=43865
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
http://developers.slashdot.org/article.pl?sid=03/08/11/2048249&mode=thread&tid=126&tid=172&tid=185&tid=190&tid=201
http://isc.sans.org/diary.html?date=2003-08-11