What You Should Know About the Blaster Worm and Its Variants

Updated August 22, 2003, 6:15 P.M. Pacific Time

View Printer-Friendly Version Related Resources Blaster Worm FAQ Get More Details in the Technical Virus Alert Microsoft Security Bulletin MS03-026 Join a Microsoft Security Newsgroup Next Steps Home Users: Protect Your PC IT Pros: Protect Your Systems   Glossary Terms Click the term to get the definition from our Security and Privacy Glossary. firewall remote procedure call virus worm

This information is available in more than 30 languages. Find links to those pages here.

At 11:34 A.M. Pacific Time on August 11, Microsoft began investigating a worm reported by Microsoft Product Support Services (PSS). The worm, W32.Blaster.Worm and its variants, exploits a security issue that was addressed by Microsoft Security Bulletin MS03-026. This issue concerns a vulnerability in the Remote Procedure Call (RPC) function.

Important Information

• Guidance for home users: These four steps can help protect your computer and recover if it has been infected by the Blaster worm or variants. To get the steps, click here.
• Hoax circulating: Microsoft never distributes software through e-mail. If you receive an e-mail message that appears to be from Microsoft and that contains an attachment, delete the message immediately. Do not open the attachment. To learn more, click here.
• Scan tool for network administrators available: IT professionals can download a free tool from Microsoft to help them scan their networks for the security update. To get the tool, click here.

Who Is Vulnerable?

Your computer is not vulnerable to the Blaster worm if you downloaded and installed the security update that was addressed by Security Bulletin MS03-026 prior to August 11, the date the Blaster worm was discovered.

If you are unsure of which version of Windows you are running, click here.

How to Tell If the Worm Is Affecting Your Computer

Some customers whose computers have been infected may not notice the presence of the worm at all, while others who are not infected may experience problems because the worm is attempting to attack their computer. Typical symptoms may include Windows XP and Windows Server 2003 systems rebooting every few minutes without user input, or Windows NT 4.0 and Windows 2000 systems becoming unresponsive.

Shutdown error. If your computer is infected, you may see this error message.

Whether you are experiencing these symptoms or not, Microsoft recommends that you take the following action immediately:

• If you're running Windows XP or Windows 2000, follow all Steps 1–4 for home users below.
• If you're running Windows Server 2003 or Windows NT 4.0, follow Steps 1–3 for home users below.

Actions for Network Administrators

Microsoft recommends that network administrators take the following actions immediately:

• Read the Microsoft Product Support Services (PSS) Security Response Team alert for technical guidance.
• Download the MS03-026 Scanning Tool to identify computers that need the security update addressed in Microsoft Security Bulletin MS03-026.

4 Steps for Home Users

If you are using Microsoft ® Windows NT® 4.0, Windows® 2000, Windows XP, or Windows Server™ 2003, you should follow the steps in this sequence to help protect your computer and to recover if your computer has been infected.

1. Enable a Firewall

Make sure you have a firewall activated to help protect your computer against infection before you take other steps. If your computer has been infected, activating firewall software will help limit the effects of the worm on your computer. The latest Windows operating systems have a firewall built in. Windows XP and Windows Server 2003 users should print or save the following instructions for how to enable their firewall. If your computer is rebooting repeatedly, disconnect from the Internet before you enable your firewall. To disconnect your computer from the Internet: Broadband connection users: Locate the telephone cable that runs from your external DSL or cable modem and unplug that cable either from the modem or from the telephone jack. Dial-up connection users: Locate the telephone cable that runs from the modem inside your computer to your telephone jack and unplug that cable either from the telephone jack or from your computer. Follow the instructions provided for your operating system, and then reconnect to the Internet. Windows XP users: Click here for instructions. Windows Server 2003 users: Click here for instructions. Windows NT 4.0 and Windows 2000 users: You will need to install a third-party firewall. Most firewall software for home users is available in free or trial versions. Check the following resources for more information on personal firewalls: McAfee Security Symantec ZoneAlarm Pro (Zone Labs) Tiny Personal Firewall (Tiny Software) Outpost Firewall (Agnitum) Kerio Personal Firewall (Kerio Technologies) BlackICE PC Protection (Internet Security Systems) Windows 2000 users: Alternatively, you can take steps to block the affected ports so that your computer can be patched. Here are some modified instructions from the TechNet article HOW TO: Configure TCP/IP Filtering in Windows 2000.

2. Update Windows

If you have disconnected from the Internet, remember to reconnect before you take next steps. Download and install the security update addressed in Security Bulletin MS03-026 for the version of Windows that you are using from Windows Update. When you get to the Windows Update site, scan your computer for any critical updates that you need, and then install them. To do that: Click Scan for Updates next to the green arrow near the center of your screen. Note  It may take several minutes for the scan to complete. After the scan completes, under Pick updates to install on the left side of your screen, click Critical Updates and Service Packs. A list of updates appears. Click Review and install updates near the center of your screen to begin downloading and installing the updates. Get the Security Update from Windows Update Click here to go to the Windows Update Web site.

3. Use Antivirus Software

Use antivirus software and make sure you have the latest updates installed. There are several variants of this worm, and the most up-to-date information about them can be found at your antivirus vendor's Web site. If you already have antivirus software installed, go to your antivirus vendor's Web site to get the latest updates, also known as virus definitions. If you do not have antivirus software installed, get it. The following vendors participating in the Microsoft Virus Information Alliance (VIA) offer antivirus products for home users: Network Associates Trend Micro Symantec Computer Associates Learn about Microsoft's Virus Information Alliance.

4. Remove the Worm

If you think there is even the slightest possibility that your computer might be infected, use the free worm removal tool available at your preferred antivirus software vendor's Web site: Network Associates Trend Micro Symantec Computer Associates

For Technical Assistance

Contact your antivirus vendor for assistance with identifying or removing virus or worm infections. If you need more help with virus-related issues, please contact PSS. We are currently experiencing a high call volume and apologize for any delay in responding.

• For Microsoft Product Support Services within the United States and Canada, call toll-free (866) PCSAFETY (727-2338).
• For worldwide support, contact your local Microsoft office.