Update November 11, 2003
We have recently seen a resurgence of activity by the Blaster and Welchia viruses.
This traffic has been causing service interruptions within our system. We
are taking steps to notify users of potential infections and provide instructions
on how to remove the virus and prevent re-infection. If you use Windows XP
or Windows 2000 and have not followed the prevention steps
below, please do so as soon as possible.
The Problem
A worm (similar to a virus) known as Blaster was
discovered on Monday, August 11, 2003 and began affecting computers that
afternoon. Blaster is also known as W32.Blaster.Worm, W32/Lovsan.worm,
Win32.Poza, or WORM_MSBLAST. This virus exploits a security vulnerability
in certain versions of Microsoft Windows and is able to spread from computer to
computer without any interaction by the computer users. Due to an error in
the virus, an infected machine will often malfunction and
restart repeatedly while connected to the Internet. Many customers are
reporting an error similar to:
"The system is shutting down. ... This shutdown was initiated by NT AUTHORITY\SYSTEM. ... Windows must now restart because a remote procedure call (RPC) service terminated unexpectedly."
The intent of this worm was to reach as many computers as
possible and launch a denial of service (DoS) attack on Microsoft's Windows
Update site beginning on August 16, 2003 and lasting through the end of 2003.
Because the error causes infected computers to reboot shortly after connecting to the
Internet, it is unlikely that the denial of service attack will have much
effect.
The Welchia worm appeared the next week, with the intention
of finding computers susceptible to Blaster and either cleaning or patching them.
It then searches the network (or dial-up service) the computer is connected to,
looking for other computers it can spread to. Unfortunately, Welchia was poorly
constructed and generates a deluge of traffic that spreads throughout the
network. This amount of traffic often overloads the capacity of the
equipment or bandwidth the provider has available, resulting in service outages
and slow-downs. Many people will notice very slow performance when this is
happening, because the virus is using all or most of their Internet connection
looking for other machines.
Runestone and REA-ALP Internet Services have
restricted traffic on the port this virus uses to communicate. Internet
providers around the world are also taking this step and helping to reduce the
spread of this virus. We believe that this should prevent our users from
receiving and disseminating the virus, but still recommend that you follow the
suggestions in the "How to prevent infection"
section below.
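The scanning behaviour described above shows up in a provider's connection logs as one source trying the RPC port on many different hosts in a short time. The following is an added example, not part of the original notice or of any vendor tool; it assumes TCP port 135 (the Windows RPC port Blaster probes, which the notice does not name) and a constructed log format.

```python
"""Flag hosts that show worm-style scanning: many distinct destinations on
the RPC port within a short window.  Added example with a constructed log
format; TCP port 135 is an assumption (the notice does not name the port)."""
from collections import defaultdict
from datetime import datetime, timedelta

RPC_PORT = 135      # assumed: the Windows RPC port Blaster/Welchia probe
WINDOW = timedelta(seconds=60)
THRESHOLD = 20      # distinct destinations per window before a host is flagged

# Constructed sample of firewall connection-attempt records, one per line:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>"
# 10.1.4.23 plays an infected host sweeping 40 addresses in 40 seconds.
SAMPLE_LOG = "\n".join(
    [f"2003-11-11T09:00:{s:02d} 10.1.4.23 -> 10.1.{s // 8 + 5}.{s + 1}:135"
     for s in range(40)]
    + ["2003-11-11T09:00:05 10.1.4.50 -> 10.1.4.1:80",
       "2003-11-11T09:00:07 10.1.4.50 -> 10.1.4.2:135",
       "2003-11-11T09:00:30 10.1.4.50 -> 10.1.4.3:135"]
)

def parse_line(line):
    """Return (timestamp, src, dst, port), or None for a malformed line."""
    try:
        ts, src, _arrow, target = line.split()
        dst, port = target.rsplit(":", 1)
        return datetime.fromisoformat(ts), src, dst, int(port)
    except ValueError:
        return None

def find_scanners(log_text, port=RPC_PORT, window=WINDOW, threshold=THRESHOLD):
    """Return {src: peak distinct destinations} for sources that, within any
    `window`, tried at least `threshold` distinct hosts on `port`."""
    attempts = defaultdict(list)              # src -> [(timestamp, dst)]
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        ts, src, dst, p = rec
        if p == port:
            attempts[src].append((ts, dst))
    flagged = {}
    for src, events in attempts.items():
        events.sort()
        start = 0                             # left edge of the sliding window
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            distinct = len({d for _, d in events[start:end + 1]})
            if distinct >= threshold:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged
```

A host that only contacts a handful of peers on the port, as 10.1.4.50 does here, stays below the threshold and is not flagged.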
A note about Blaster/Welchia and Postini
Runestone and REA-ALP Internet Services provide the
Postini e-mail filtering service. The primary function of this service is
to prevent "junk" e-mail from reaching your computer. Postini also scans
for e-mail containing viruses. Because Blaster and Welchia spread through
computer-to-computer communication and do not require e-mail to propagate,
Postini is not able to capture these viruses. The possibility of
viruses spreading through means other than e-mail is the reason that we have
recommended, and continue to recommend, using a current and updated anti-virus program on all
computers. See our virus information page for
more information.
Who is at risk?
The Blaster and Welchia viruses may affect systems which:
- are running Windows NT, Windows 2000, Windows XP (Home or Professional),
or Windows 2003 Server, and
- have not applied the available patch from Microsoft (see below for
instructions), and
- are not protected by a properly configured business, personal DSL, or
software firewall.
The Blaster and Welchia viruses do not affect Windows 95, 98, or ME,
Macintosh computers, or Unix/Linux systems.
How to prevent infection
There are several steps all customers can take to avoid being infected by Blaster/Welchia type viruses. These steps will
also offer protection against other malicious programs and "hacking", and are advisable for all computers, including those not affected by or
at risk of receiving the Blaster worm.
(Some items pertain specifically to certain computers and connection methods, as
indicated.)
- Windows users (all versions) should obtain the "Critical Updates" from
Microsoft's Windows Update site on
a regular basis (at least every other week).
- All users should maintain an anti-virus program such as Norton Anti-Virus
or McAfee VirusScan and ensure that this program is frequently updated (at
least once a week). See our virus information
page for more information.
- Users who have a high-speed connection (e.g., DSL or Wireless) should use
a software firewall such as ZoneAlarm
to protect their computers against suspicious Internet or network activity.
The download page for the ZoneAlarm products is available
here. Dial-up customers may also use this type of program.
- Windows XP users can enable the simple firewall built into Windows.
To activate it, follow step 1 in "How to remove an
infection" below. (This is not sufficient protection
against intrusion for DSL or other customers with "always on" dedicated
connections.)
- Suggestion for residential or home office DSL/Wireless customers -
use a DSL router/firewall product such as those available from
Linksys or
D-Link.
- Suggestion for large business DSL/Wireless customers (or those with
highly sensitive information on their computers or networks) - use a
professional-grade firewall such as those available from
SonicWALL.
How to remove an infection
To manually shut down and remove the Blaster and/or Welchia viruses, do the following:
- Activate the Windows XP firewall. Click 'Start - Connect to',
click on the connection name, click Properties then the Advanced
tab and check the box labeled "Protect my computer...". (The
connection can also be accessed through the Network Connections control
panel.)
(If you spoke with one of our support technicians, you have probably already
made this change and may continue to step 2.)
- Stop the viruses from running. To do this, right-click
on the taskbar at the bottom of your screen. (This is
the bar which typically has the Start button in the bottom left-hand corner of
the screen. Right-click in an empty area of the bar, not on the Start
button itself.) When the menu appears, click 'Task Manager' then on the
'Processes' tab at the top of the window. Click on the 'Image Name'
column heading to sort the items alphabetically and look for 'dllhost.exe', 'msblast.exe',
or 'mslaugh.exe'. If you find any (or all) of these, highlight the item
and click 'End Process' and then 'Yes' to confirm this action. When all
of these processes are stopped, close this window.
- Retrieve the "Critical Updates" packages from Microsoft's
Windows Update site repeatedly
until you receive the message, "There are no critical updates available
at this time." (You can also reach Windows Update by clicking
'Tools - Windows Update' from within recent versions of Internet Explorer.)
This update process may take several hours. The Windows XP or
Windows 2000 service packs specifically will take a very long time (45 minutes or more) to run on most
systems and may cause the computer to appear to have "frozen" or "locked up".
You should let the system process the update until it asks you to restart;
restarting on your own may damage Windows.
When the computer restarts, the virus may also restart. Follow Step 2
to shut the virus down again after restarting the computer.
- Obtain a removal tool from Symantec (for
Blaster and
Welchia), the multi-virus removal tool called Stinger from McAfee,
or the
Blaster removal tool from Microsoft, and use these tools to check your system.
- Update the anti-virus program on your computer and scan your hard drive
(disk C:). If you do not have an anti-virus program installed, we
suggest you download and install AVG AntiVirus from
www.grisoft.com (this
is a free anti-virus program.)
You could also visit Trend Micro's free online virus scanner,
HouseCall, or McAfee's
FreeScan, another free
online scanner. (HouseCall and the McAfee FreeScan do
not provide ongoing protection; these services just scan your computer once.)
For more information
If you would like more detailed information about
the Blaster and Welchia viruses and the issues involved, visit the following sites.
Microsoft has created pages with information on the Blaster and Welchia worms.
Microsoft TechNet Security Bulletin on RPC vulnerability
Microsoft Knowledge Base article on buffer overruns
Symantec article on W32.Blaster.worm
Symantec article on W32.Welchia.worm
Symantec article on buffer overruns
McAfee article on W32/Lovesan.worm
McAfee article on W32/Nachi.worm
Trend Micro article on WORM_MSBLAST.A
Trend Micro article on WORM_NACHI.A
Technical information on denial of service attacks from CERT
Whatis?com article on denial of service attacks
This document was last updated on Thursday, January 22, 2004, at 07:14 PM