Frequently Asked Questions Regarding Blaster for IT Pros

August 28, 2003


Q. Due to Blaster, my machine is constantly rebooting. How do I stop it long enough to install the patch?

A.

Methods to prevent your machines from rebooting are listed below. Start with the first method and, if that doesn’t work or is inappropriate, try the next method. If none of the methods listed work on your systems, please contact Product Support Services.

For Windows XP or Windows Server 2003, turn on Internet Connection Firewall.

If you are using the Internet Connection Firewall in Windows XP or Windows Server 2003 to protect your Internet connection, it will by default block inbound RPC traffic from the Internet. (See http://support.microsoft.com/default.aspx?scid=kb;en-us;283673&sd=tech.)

To enable the Internet Connection Firewall:

  1. From the Start menu, run the Control Panel, click Networking and Internet Connections, and click Network Connections.
  2. Right-click the connection on which you would like to enable the firewall and click Properties. (The connection you choose should be the one that you use to get access to the Internet.)
  3. On the Advanced tab, select the option to Protect my computer or network.
  Note: These steps enable the firewall on systems running Windows XP or Windows Server 2003 only. If you are running Windows 2000 or Windows NT 4.0, you should enable a third-party firewall product.

  <p>
    <strong>To disable DCOM on all affected machines:</strong>
  </p>
  <p>Disabling DCOM should only be viewed as a temporary measure. If the first method above was already implemented, you should not have to proceed with the method described in this section.<br /><strong>Note:</strong> This procedure will not block the exploit on Windows 2000 RTM, SP1, or SP2 systems. It should not be implemented as a workaround on those systems.</p>
  <p>When a computer is part of a network, the DCOM protocol enables COM objects on that computer to communicate with COM objects on other computers. You can disable DCOM for a particular computer to help protect against the Blaster vulnerability, but doing so will disable all communication between objects on that computer and objects on other computers.</p>
  <p>If you disable DCOM on a remote computer, you will not be able to remotely access that computer afterward to re-enable DCOM. To re-enable DCOM, you will need physical access to that computer.</p>
  <p>
    <strong>To manually disable (or enable) DCOM for a computer:</strong>
  </p>
  <table border="0" cellpadding="0" cellspacing="0">
    <tr valign="top">
      <td>
        <ol>
          <li>
            <p>Run Dcomcnfg.exe.<br />If you are running Windows XP or Windows Server 2003, perform these additional steps:</p>
          </li>
          <li>
            <p>Click <strong>Component Services</strong> under Console Root.</p>
          </li>
          <li>
            <p>Open the <strong>Computers</strong> folder.</p>
            <ul>
              <li>For the local computer, right-click <strong>My Computer</strong> and choose <strong>Properties</strong>.</li>
              <li>For a remote computer, right-click the <strong>Computers</strong> folder, select <strong>New</strong>, select <strong>Computer</strong>, type the computer name, right-click the computer name, and select <strong>Properties</strong>.</li>
            </ul>
          </li>
          <li>Choose the <strong>Default Properties</strong> tab.</li>
          <li>Clear (or select) the <strong>Enable Distributed COM on this Computer</strong> check box.</li>
          <li>If you will be setting more properties for the machine, click the <strong>Apply</strong> button to disable (or enable) DCOM. Otherwise, click <strong>OK</strong> to apply the changes and exit Dcomcnfg.exe.</li>
          <li>
            <p>Reboot or restart the system to make the changes take effect.</p>
            <p>Although these steps will stop a machine infected or under attack from Blaster from rebooting every few minutes, they should be considered temporary measures because they only help block paths of attack but do not correct the underlying vulnerability.</p>
            <p>Additional information on disabling DCOM can be found in Knowledge Base article 825750, "How to Disable DCOM Support in Windows," <a runat="server" href="http://support.microsoft.com/default.aspx?scid=kb;en-us;825750&amp;sd=tech">http://support.microsoft.com/default.aspx?scid=kb;en-us;825750&amp;sd=tech</a>.</p>
          </li>
        </ol>
      </td>
    </tr>
  </table>

  <p>If you are running Windows 2000 RTM, SP1, or SP2 and are therefore unable to disable DCOM, you can configure Advanced TCP/IP Filtering.</p>
  <p>
    <strong>To configure TCP/IP security on Windows 2000:</strong>
  </p>
  <p>On Windows 2000 systems, where Internet Connection Firewall (ICF) is not available and DCOM cannot be disabled, the following steps will help block the affected ports so that the system can be patched. These steps are based on a modified excerpt from Knowledge Base article 309798, "HOW TO: Configure TCP/IP Filtering in Windows 2000," <a runat="server" href="http://support.microsoft.com/default.aspx?scid=kb;en-us;309798&amp;sd=tech">http://support.microsoft.com/default.aspx?scid=kb;en-us;309798&amp;sd=tech</a>.</p>
  <table border="0" cellpadding="0" cellspacing="0">
    <tr valign="top">
      <td>
        <ol>
          <li>From the <strong>Start</strong> menu, select <strong>Control Panel</strong>, and select <strong>Network and Dial-up Connections</strong>.</li>
          <li>
            <p>Right-click the interface you use to access the Internet and click Properties.</p>
          </li>
          <li>
            <p>In the <strong>"Components checked are used by this connection"</strong> box, click <strong>Internet Protocol (TCP/IP)</strong> and click <strong>Properties</strong>.</p>
          </li>
          <li>
            <p>In the <strong>Internet Protocol (TCP/IP) Properties</strong> dialog box, click <strong>Advanced</strong>.</p>
          </li>
          <li>
            <p>Click the <strong>Options</strong> tab.</p>
          </li>
          <li>
            <p>Click <strong>TCP/IP filtering</strong> and click <strong>Properties</strong>.</p>
          </li>
          <li>
            <p>Select the <strong>Enable TCP/IP Filtering (All adapters)</strong> check box.</p>
          </li>
          <li>
            <p>Select the <strong>Permit Only</strong> option in each of the columns with the following labels:</p>
            <p>
              <strong>TCP Ports</strong>
            </p>
            <p>
              <strong>UDP Ports</strong>
            </p>
            <p>
              <strong>IP Protocols</strong>
            </p>
          </li>
          <li>
            <p>Click <strong>OK</strong>.</p>
          </li>
        </ol>
      </td>
    </tr>
  </table>

  <p>
    <strong>Note:</strong> Because the TCP/IP filtering enabled above can break many applications (including FTP, P2P software, and Instant Messaging), the TCP/IP filtering should be disabled after the patch is installed.</p>
</td>
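
Because disabling DCOM and enabling TCP/IP filtering are both described above as temporary measures, the following read-only PowerShell check reports whether either is still in place on the local machine after patching. It is an added example, not part of the original FAQ. The registry locations and the function names `Get-RegValue` and `Get-TemporaryMeasureState` are assumptions not stated on this page; the keys are the standard Windows locations for these settings.

```powershell
# Added example (not from the original FAQ). Read-only: it changes nothing.
# Assumption: the registry locations below are the standard Windows ones;
# the page itself does not name them.
$OleKey   = 'HKLM:\SOFTWARE\Microsoft\Ole'
$TcpipKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of an error when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-TemporaryMeasureState {
    # EnableDCOM is a string value: 'Y' = DCOM enabled, 'N' = DCOM disabled.
    $dcom = Get-RegValue $OleKey 'EnableDCOM'
    # EnableSecurityFilters is 1 when "Enable TCP/IP Filtering (All adapters)" is selected.
    $filtering = Get-RegValue $TcpipKey 'EnableSecurityFilters'

    # Per-interface "Permit Only" lists, reported exactly as stored.
    $interfaces = @(Get-ChildItem "$TcpipKey\Interfaces" -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Interface   = $_.PSChildName
                TcpPorts    = (Get-RegValue $_.PSPath 'TCPAllowedPorts') -join ','
                UdpPorts    = (Get-RegValue $_.PSPath 'UDPAllowedPorts') -join ','
                IpProtocols = (Get-RegValue $_.PSPath 'RawIPAllowedProtocols') -join ','
            }
        })

    $stillInPlace = @()
    if ($dcom -eq 'N')    { $stillInPlace += 'DCOM is disabled' }
    if ($filtering -eq 1) { $stillInPlace += 'TCP/IP filtering is enabled' }

    New-Object PSObject -Property @{
        Computer       = $env:COMPUTERNAME
        EnableDCOM     = $dcom
        TcpIpFiltering = $filtering
        StillInPlace   = $stillInPlace
        Interfaces     = $interfaces
    }
}

$state = Get-TemporaryMeasureState
if ($state.StillInPlace.Count -gt 0) {
    Write-Output "$($state.Computer): still in place: $($state.StillInPlace -join '; ')"
} else {
    Write-Output "$($state.Computer): no registry-backed temporary measures detected"
}
```

The check does not cover Internet Connection Firewall, which is meant to stay enabled, and it must be run locally on each machine.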

Q. How do I recover from a Blaster infection?

A.

Recovery is accomplished by installing the patch and cleaning up the infected system. You can get the patch from two locations:

Download or install the patch from the Microsoft Download Center:

Windows NT 4.0

Windows NT 4.0 Terminal Server Edition

Windows 2000

Windows XP 32 bit Edition

Windows XP 64 bit Edition

Windows Server 2003 32 bit Edition

Windows Server 2003 64 bit Edition

  <p>
    <strong>Install the patch on an individual computer from Microsoft Update:</strong>
  </p>
  <p>
    <a runat="server" href="http://update.microsoft.com/microsoftupdate/">http://update.microsoft.com/microsoftupdate/</a>
  </p>

  <p>
    <strong>Important:</strong> It is <em>critical</em> that the systems be cleaned after they have been infected. Refer to the following resources for help in securing and cleaning your systems:</p>
  <p>
    <a runat="server" href="http://vil.nai.com/vil/stinger/">http://vil.nai.com/vil/stinger/</a>
  </p>
  <p>
    <a runat="server" href="http://www.trendmicro.com/download/tsc.asp">http://www.trendmicro.com/download/tsc.asp</a>
  </p>
  <p>
    <a runat="server" href="http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html">http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html</a>
  </p>
</td>

Q. Does Microsoft support installing MS03-026 on Windows 2000 SP2?

A.

Microsoft now fully supports installing MS03-026 on Windows 2000 Service Pack 2 (SP2).



Q. Are there other worms or viruses that exploit MS03-026?

A.

Additional worms are being created that exploit the vulnerability patched by Microsoft Security Bulletin MS03-026. For additional information on all of these variants, please contact your antivirus software vendor.


Q. Where can I find additional information on Blaster?

A.

Additional information about the Blaster virus and its variants is available at:

http://www.microsoft.com/security/incident/blast.mspx

