Microsoft DCOM RPC Vulnerability
Late Breaking News 9/11/03
Microsoft released a new critical patch on Sept. 10, 2003 (MS03-039, KB 824146). This patch supersedes the
RPC DCOM patch (MS03-026, KB 823980) released on 07/16/03. The CDs distributed on campus to
students, faculty, and staff do NOT contain the new patch.
Please make plans to run Windows Update or manually apply this patch as
soon as possible.
Further information about this vulnerability can be found at:
Affected Software:
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Server 4.0
- Microsoft Windows NT Server 4.0, Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
- Microsoft Windows Server 2003
Not Affected Software:
- Microsoft Windows 98
- Microsoft Windows Millennium Edition
- Macintosh OS (all)
- Linux/Unix
Information From August & Early September
The Microsoft DCOM RPC vulnerability is now being actively exploited across the Internet.
Two new worms, Blaster (alias Lovsan) and its variants, and Randex.E,
are exploiting this vulnerability in huge numbers.
The Microsoft DCOM RPC vulnerability has a high threat level. New information gathered since August 1
from various sources has raised the threat level of this vulnerability further:
- Firewalls, patches, and anti-virus software are not stopping all occurrences.
- Compromised systems may not show any signs of infection.
We will be scanning the campus for this vulnerability and notifying the owners of vulnerable systems.
In some cases we may take vulnerable systems off the network (if a system is showing signs of being compromised,
or the owner cannot be reached in a reasonable amount of time).
Information from Microsoft
- Recent reports say that blocking with a firewall helps, but does not prevent all infections (an already infected laptop carried inside the firewall, for example, can still attack the systems behind it).
- The patch from MS also "helps", but word is that even patched systems are vulnerable to at least the DoS vulnerability at the moment, which means it is only a matter of time before a full exploit is available (information gathered from monitoring hacker chat rooms). The Sept. 10 patch described at the top of this page addresses this.
- Compromised systems are difficult to detect: the attackers are placing a *very* well hidden keystroke logger on the infected system, and anti-virus software may not catch all cases (as has been reported).
- New Trojans have been released (as of today) that take advantage of this vulnerability.
- Turning off DCOM is the only thing to do to be completely safe, but it can "break things". The scope of what breaks is not yet known.
Steps to Take for Protection
Below are the steps that need to be followed in order to protect computers from the latest threats:
Perform Windows Update
- You can either run "Windows Update" from the start menu or go directly to Microsoft's Web site
(Note: you have to use Internet Explorer for it to work properly).
- On the 'Welcome to Windows Update' Page, click on 'Scan for updates'.
- Windows Update will present you with a list of suggested updates. While it is recommended that you
install all critical updates that your computer is missing, the one pertaining to this
vulnerability is the 'Security Update for Windows - (823980)' or, from Sept. 10, 2003 on, the
Security Update numbered 824146 that replaces it.
Set Automatic Update for Windows
- Right-click on My Computer and select Properties.
- Select Automatic Updates tab.
- Check the box next to "Keep my computer up to date..."
- Select "Download the updates automatically and notify me when they are ready to be installed."
- Click OK to close the Properties window.
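The following script, an added example that is not part of the original advisory, checks a single Windows host for the two steps above (is the RPC DCOM patch installed?) and for the mitigations mentioned earlier on this page (is DCOM on? is the RPC endpoint mapper on TCP 135 listening?), and can optionally apply those mitigations. It assumes a modern PowerShell (5.1 or later) on Windows 8 / Server 2012 or later, because Get-NetTCPConnection and New-NetFirewallRule do not exist on the 2003-era systems this page targets; on those, use the GUI steps above. The function names and the `-Mitigate` switch are this example's own.

```powershell
<#
  Added example, not from the original advisory. Run from an elevated
  PowerShell prompt. Without -Mitigate it only reports; with -Mitigate it
  blocks the RPC/DCOM ports at the host firewall and switches DCOM off.
#>
param(
    [switch]$Mitigate
)

# KB824146 is MS03-039 (Sept. 10, 2003); KB823980 is the superseded MS03-026 patch.
$patchIds = 'KB824146', 'KB823980'

function Test-RpcDcomPatch {
    $found = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $patchIds -contains $_.HotFixID }
    if ($found) {
        $found | Select-Object HotFixID, InstalledOn
    } else {
        Write-Warning "Neither $($patchIds -join ' nor ') is installed; run Windows Update."
    }
}

function Get-DcomState {
    # EnableDCOM = "N" means DCOM is switched off (the only complete protection
    # per the advisory, at the cost of breaking applications that depend on it).
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -ErrorAction SilentlyContinue
    if ($null -eq $ole) { 'EnableDCOM value not present (DCOM defaults to on)' }
    else { "EnableDCOM = $($ole.EnableDCOM)" }
}

function Get-RpcListener {
    # TCP 135 (RPC endpoint mapper) is the port Blaster probes before sending its exploit.
    Get-NetTCPConnection -LocalPort 135 -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

function Block-RpcDcomPorts {
    # The ports Microsoft's bulletin says to filter, plus Blaster's backdoor
    # shell (TCP 4444) and the TFTP port it fetches its own copy over (UDP 69).
    New-NetFirewallRule -DisplayName 'Block inbound RPC/DCOM TCP (MS03-039)' `
        -Direction Inbound -Protocol TCP -LocalPort 135,139,445,593,4444 -Action Block | Out-Null
    New-NetFirewallRule -DisplayName 'Block inbound RPC/DCOM UDP (MS03-039)' `
        -Direction Inbound -Protocol UDP -LocalPort 69,135,137,138,445 -Action Block | Out-Null
    'Inbound RPC/DCOM ports blocked at the host firewall.'
}

function Disable-Dcom {
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -Value 'N'
    'DCOM disabled; a reboot is required for this to take effect.'
}

'--- Patch status ---';        Test-RpcDcomPatch
'--- DCOM ---';                Get-DcomState
'--- TCP 135 listeners ---';   Get-RpcListener
if ($Mitigate) {
    Block-RpcDcomPorts
    Disable-Dcom
}
```

Run it once without `-Mitigate` to see where a machine stands; if the patch is missing and cannot be applied right away, run it again with `-Mitigate` and reboot. The port block is the same filter the advisory's firewall note describes, so it has the same limitation: it protects the host from the network, not from an infection that is already on it.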
Update Anti-Virus software and Perform Scan
If using Symantec Anti-Virus, definitions must be dated August 13, 2003 rev 9 or later.
The steps to update Symantec's Anti-Virus product are:
- Double click on the system tray icon labeled "Norton AntiVirus Corporate Edition"
- Click the button labeled "Live Update..."
- Follow the instructions in the Live Update wizard.
Note: This will detect the W32.Mimail.A@mm virus as well.
The steps to scan your computer with the updated virus definition files are:
- Double click on the system tray icon labeled "Norton AntiVirus Corporate Edition"
- Expand Scan folder in left pane
- Select Scan Computer in left pane
- Click box left of Local Disk
- Click Scan button in lower right corner
Remove Blaster Worm (if necessary)
- Download Symantec Blaster removal tool
- Follow Symantec's instructions for running FixBlast.exe.
Remove Welchia Worm (if necessary)
- Download Symantec Welchia Worm removal tool
- Follow Symantec's instructions for running FixWelch.exe.
Checking for keylogger
- Open Windows Explorer (you must be logged on as Administrator or equivalent)
- Go to "Tools" --> "Folder Options"
- Click the "View" tab
- Click the "Show hidden files and folders" radio button
- Remove check next to "Hide protected operating system files"
- Remove check next to "Hide extensions for known file types"
- Navigate to C:\Windows\System32
- Sort by modified date (newest files first)
- Note suspicious text files dated recently, especially ones that have the string "key" in their names
NOTE: If the suspicious file contains keystroke logging you may see your usernames and passwords in the file.
If this is the case, do not delete the file; contact the Help Desk (863-HELP) immediately for assistance.
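The same check, scripted, as an added example that is not part of the original advisory: it lists files under System32 modified recently (hidden and system files included, since a "well hidden" logger will set those attributes), flags those whose name contains "key" and those whose contents carry credential-looking lines, and records a SHA-256 of each so the Help Desk gets an exact identifier. It assumes PowerShell 4 or later (for Get-FileHash) on a current Windows host; the `$Days` window and the credential regex are this example's own assumptions, not indicators from the page.

```powershell
<#
  Added example, not from the original advisory. Run from an elevated
  PowerShell prompt. Reports only; it never deletes or moves anything.
#>
param(
    [int]$Days = 14,                              # assumed look-back window
    [string]$Root = "$env:SystemRoot\System32"
)

$cutoff = (Get-Date).AddDays(-$Days)

# -Force includes hidden and system files, which the Explorer steps above
# expose by changing the Folder Options.
$recent = Get-ChildItem -Path $Root -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $cutoff }

# Assumed pattern for lines a keystroke logger typically writes: labels around
# captured logins. PowerShell's -match and Select-String are case-insensitive.
$credPattern = 'password|passwd|login|user ?name'

$findings = foreach ($f in $recent) {
    $nameHit = $f.Name -match 'key'
    $contentHit = $false
    if ($f.Extension -in '.txt', '.log', '.dat', '') {
        # Read only the first 2000 lines so a huge file does not stall the scan.
        $head = Get-Content -Path $f.FullName -TotalCount 2000 -ErrorAction SilentlyContinue
        $contentHit = [bool]($head | Select-String -Pattern $credPattern -Quiet)
    }
    if ($nameHit -or $contentHit) {
        [pscustomobject]@{
            Path        = $f.FullName
            Modified    = $f.LastWriteTime
            SizeBytes   = $f.Length
            Hidden      = (($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
            NameMatch   = $nameHit
            CredsInside = $contentHit
            SHA256      = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        }
    }
}

if ($findings) {
    $findings | Sort-Object Modified -Descending | Format-Table -AutoSize
    Write-Warning 'Preserve these files as found and contact the Help Desk (863-HELP).'
} else {
    "No suspicious files modified in the last $Days days under $Root."
}
```

A hit on the name alone is weak evidence (legitimate components have "key" in their names too); a file that is both recently modified and contains credential-looking lines is what the note above is warning about, and the hash lets the Help Desk match it against what other reporters have found.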
For additional assistance
If you need assistance applying patches, installing or updating antivirus software, or removing viruses,
please email the Help Desk or call 863-HELP.