Endurance.Net Ridecamp Archives

A notice from Microsoft. (Note: this is just the first of many more to come 
most think. Do the patch. use ipsec to block port 139 (and anything else 
you don't use.) and have a nice ride.


johnt
===============================
> You are receiving this message because you are a Microsoft newsletter 
> subscriber. Please print this page for your reference.
>
> For the most recent news about Blaster, it is very important that you 
> visit the Security page: 
> http://www.microsoft.com/security/incident/blast.asp. You will also find 
> tips for helping Friends, family, and colleagues.
>
> In This Newsletter:
> -       Who Is Affected
> -       Impact of Attack
> -       Actions to Take
> -       Technical Details
> -       Recovery
> -       Related Knowledge Base
> -       Related Microsoft Security Bulletins
> -       Tips for Helping Friends, Family, and Colleagues
>
> At 11:34 A.M. Pacific Time on August 11, Microsoft began investigating a 
> worm reported by Microsoft Product Support Services (PSS).  Several 
> antivirus companies have responded and written tools to remove the Blaster 
> worm.
>
> Who Is Affected?
> Users of the following products are affected:
>         - Microsoft® Windows NT® 4.0
>         - Microsoft Windows® 2000
>         - Microsoft Windows XP
>         - Microsoft Windows ServerT 2003
>
> The worm was discovered August 11. Customers who had previously applied 
> the security patch MS03-026 are protected.
>
> To determine if the worm is present on your machine, see the technical 
> details below.
>
> Actions for Network Administrators
> Managers of networked computers should read the Microsoft Product Support 
> Services (PSS) Security Response Team alert for technical guidance: 
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/msblaster.asp 
>
>
> Technical Details:
> This worm scans a random IP range to look for vulnerable systems on TCP 
> port 135. The worm attempts to exploit the DCOM RPC vulnerability patched 
> by MS03-026: http://www.microsoft.com/technet/security/bulletin/ms03-026.asp
> Once the Exploit code is sent to a system, it downloads and executes the 
> file MSBLAST.EXE from a remote system via TFTP. Once run, the worm creates 
> the registry key: 
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows 
> auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill
>
> Symptoms of the virus: Some customers may not notice any symptoms at all. 
> A typical symptom is the system reboots every few minutes without user 
> input. Customers may also see:
> - Presence of unusual TFTP* files
> - Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
>
> To detect this virus, search for msblast.exe in the WINDOWS SYSTEM32 
> directory or download the latest antivirus software signature from your 
> antivirus vendor and scan your machine.
> For additional information on recovering from this attack, please contact 
> your preferred antivirus vendor.
>
> Recovery:
> Many antivirus companies have written tools to remove the known exploit 
> associated with this particular worm. To download the removal tool from 
> your antivirus vendor, follow the procedures outlined below.
>
> For Windows XP
> 1. If your computer reboots repeatedly, please unplug your network cable 
> from the wall.
> 2. First, enable Internet Connection Firewall (ICF) in Windows XP: 
> http://support.microsoft.com/?id=283673
>         --In Control Panel, double-click "Networking and Internet 
> Connections", and then click "Network Connections".
>         --Right-click the connection on which you would like to enable 
> ICF, and then click "Properties".
>         --On the Advanced tab, click the box to select the option to 
> "Protect my computer or network".
> 3. Plug the network cable back into the wall to reconnect your computer to 
> the Internet
> 4. Download the MS03-026 security patch from Microsoft and install it on 
> your computer:
>
> Windows XP (32 bit)
> http://www.microsoft.com/downloads/details.aspx?FamilyID=2354406c-c5b6-44ac-9532-3de40f69c074&displaylang=en
>
> Windows XP (64 bit)
> http://www.microsoft.com/downloads/details.aspx?FamilyID=1b00f5df-4a85-488f-80e3-c347adcc4df1&displaylang=en 
>
>
> 5.Install or update your antivirus signature software and scan your computer
>
> 6.Download and run the worm removal tool from your antivirus vendor.
>
> For Windows 2000 systems, where Internet Connection Firewall (ICF) is not 
> available, the following steps will help block the affected ports so that 
> the system can be patched. These steps are based on a modified excerpt 
> from the article; HOW TO: Configure TCP/IP Filtering in Windows 2000. 
> http://support.microsoft.com/?id=309798
>
> 1. Configure TCP/IP security on Windows 2000:
>         --Select "Network and Dial-up Connections" in Control Panel.
>         --Right-click the interface you use to access the Internet, and 
> then click "Properties".
>         --In the "Components checked are used by this connection" box, 
> click "Internet Protocol (TCP/IP)", and then click               "Properties".
>         --In the Internet Protocol (TCP/IP) Properties dialog box, click 
> "Advanced".
>         --Click the "Options" tab.
>         --Click "TCP/IP filtering", and then click "Properties".
>         --Select the "Enable TCP/IP Filtering (All adapters)" check box.
>         --There are three columns with the following labels:
>         TCP Ports
>         UDP Ports
>         IP Protocols
>         --In each column, you must select the "Permit Only" option.
>         --Click OK.
>
> 2. Download the MS03-026 security patch for Windows 2000 from Microsoft 
> and install it on your computer from: 
> http://www.microsoft.com/downloads/details.aspx?FamilyID=c8b8a846-f541-4c15-8c9f-220354449117&displaylang=en
>
> 3. Install or update your antivirus signature software and scan your computer
>
> 4. Then, download and run the worm removal tool from your antivirus vendor.
>
> For additional details on this worm from antivirus software vendors 
> participating in the Microsoft Virus Information Alliance (VIA), please 
> visit the following links:
>
> Network Associates:
> http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547
>
> Trend Micro:
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A 
>
>
> Symantec:
> http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
>
> Computer Associates:
> http://www3.ca.com/virusinfo/virus.aspx?ID=36265
>
> For more information on Microsoft's Virus Information Alliance, please 
> visit this link:
> http://www.microsoft.com/technet/security/virus/via.asp
>
> Please contact your antivirus vendor for additional details on this virus.
>
> Prevention:
> 1. Turn on Internet Connection Firewall (Windows XP or Windows Server 
> 2003) or use a third-party firewall to block TCP ports 135, 139, 445 and 
> 593; UDP port 135, 137,138; also UDP 69 (TFTP)and TCP 4444 for remote 
> command shell. To enable the Internet Connection Firewall in Windows: 
> http://support.microsoft.com/?id=283673
>         --In Control Panel, double-click "Networking and Internet 
> Connections", and then click "Network Connections".
>         --Right-click the connection on which you would like to enable 
> ICF, and then click "Properties".
>         --On the Advanced tab, click the box to select the option to 
> "Protect my computer or network".
>
> This worm utilizes a previously announced vulnerability as part of its 
> infection method. Because of this, customers must ensure that their 
> computers are patched for the vulnerability that is identified in 
> Microsoft Security Bulletin MS03-026. 
> http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.
>
> 2. Install the patch MS03-026 from the Microsoft Download Center:
> Windows NT 4 Server & Workstation
> http://www.microsoft.com/downloads/details.aspx?FamilyID=2cc66f4e-217e-4fa7-bdbf-df77a0b9303f&DisplayLang=en 
>
>
> Windows NT 4 Terminal Server Edition
> http://www.microsoft.com/downloads/details.aspx?FamilyID=6c0f0160-64fa-424c-a3c1-c9fad2dc65ca&DisplayLang=en
>
> Windows 2000
> http://www.microsoft.com/downloads/details.aspx?FamilyID=c8b8a846-f541-4c15-8c9f-220354449117&displaylang=en 
>
>
> Windows XP (32 bit)
> http://www.microsoft.com/downloads/details.aspx?FamilyID=2354406c-c5b6-44ac-9532-3de40f69c074&displaylang=en 
>
>
> Windows XP (64 bit)
> http://www.microsoft.com/downloads/details.aspx?FamilyID=1b00f5df-4a85-488f-80e3-c347adcc4df1&displaylang=en 
>
>
> Windows 2003 (32 bit)
> http://www.microsoft.com/downloads/details.aspx?FamilyID=f8e0ff3a-9f4c-4061-9009-3a212458e92e&DisplayLang=en
>
> Windows 2003 (64 bit)
> http://www.microsoft.com/downloads/details.aspx?FamilyID=2b566973-c3f0-4ec1-995f-017e35692bc7&DisplayLang=en 
>
>
> 3. As always, please make sure to use the latest antivirus detection from 
> your antivirus vendor to detect new viruses and their variants.
>
> Related Knowledge Base Articles:
> http://support.microsoft.com/?kbid=826955
>
> Related Microsoft Security Bulletins:
> http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
>
> If you have any questions regarding this alert, please contact your 
> Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the 
> United States; outside of the United States please contact your local 
> Microsoft Subsidiary.
>
> Microsoft Communities is your launching pad for communicating online with 
> peers and experts about Microsoft products, technologies, and services:
> http://communities.microsoft.com/home/default.asp
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~ How to use this mailing list~~~~~~~~~~~~~~~~~~~~~~~~
>
> To cancel your subscription to this newsletter, either click 
> mailto:1_51084_DCF7BA58-7796-D011-A46B-0000F8600A96_US@xxxxxxxxxxxxxxxxxxxxxxxxx?subject=UNSUBSCRIBE 
> to send an unsubscribe e-mail or reply to this message with the word 
> UNSUBSCRIBE in the Subject line. To stop all e-mail newsletters from 
> microsoft.com, either click 
> mailto:2_51084_DCF7BA58-7796-D011-A46B-0000F8600A96_US@xxxxxxxxxxxxxxxxxxxxxxxxx?subject=STOPMAIL 
> to send your request or reply to this message with the word STOPMAIL in 
> the Subject Line. You can also unsubscribe at 
> http://www.microsoft.com/misc/unsubscribe.htm. You can manage all your 
> Microsoft.com communication preferences from this site.
>
> THIS DOCUMENT AND OTHER DOCUMENTS PROVIDED PURSUANT TO THIS PROGRAM ARE 
> FOR INFORMATIONAL PURPOSES ONLY. The information type should not be 
> interpreted to be a commitment on the part of Microsoft and Microsoft 
> cannot guarantee the accuracy of any information presented after the date 
> of publication. INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED 'AS IS' 
> WITHOUT WARRANTY OF ANY KIND. The user assumes the entire risk as to the 
> accuracy and the use of this document.
> microsoft.com newsletter e-mail may be copied and distributed subject to 
> the following conditions:
> 1. All text must be copied without modification and all pages must be included
> 2. All copies must contain Microsoft's copyright notice and any other 
> notices provided therein
> 3. This document may not be distributed for profit

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
John Teeter
208 875 1206 (208 834 2788)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
http://www.endurance.net/ads/seabiscuit.html

Ridecamp is a service of Endurance Net, http://www.endurance.net.
Information, Policy, Disclaimer: http://www.endurance.net/Ridecamp
Subscribe/Unsubscribe http://www.endurance.net/ridecamp/logon.asp

Ride Long and Ride Safe!!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-