ARCHIVED: What are the MS Blast/Blaster and Welchia worms?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

The MS Blast/Blaster worm (also known as W32.Blaster.Worm and LoveSan) uses TCP port 135 to exploit a vulnerability in unpatched versions of Microsoft Windows 2000 and XP. The worm attempts to download and run the Msblast.exe file, which can cause computers to crash, and opens a hidden remote cmd.exe shell, which exposes your system to external control. Once in place, the worm also hinders attempts to access Windows Update to obtain the patch against the vulnerability.

The Welchia worm (also called Nachi) likewise uses TCP port 135, as well as TCP port 80, to exploit multiple vulnerabilities on unpatched Windows 2000 computers.

Patching

To protect your computer, immediately install the patches described on, and available from, the following Microsoft TechNet web pages:

  http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx

  http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx

The "Run This CD First" CD distributed during move-in week 2003 also contains and installs the Blaster patch. Additionally, many patches are available to the Indiana University community in the Windows section of IUware Online.

Note: Windows 2000 computers must have Service Pack 2 installed for the patches to install properly, but for full security you must have Service Pack 3 installed.

Removal

Note: Since these worms constitute a complex system-level infection, the IU University Information Security Office (UISO) strongly recommends that, rather than simply patching the problem and using the Symantec tool on an infected computer, you perform a complete reinstallation of the operating system from clean media and then apply all current patches. Only when a reinstallation is not feasible should the patch and removal tool be considered adequate, and even then the operating system should be reinstalled at the earliest opportunity.

Symantec offers information on the worms, as well as removal instructions and removal utilities, on its web site:

  http://www.symantec.com/security_response/writeup.jsp?docid=2003-081113-0229-99

  http://www.symantec.com/security_response/writeup.jsp?docid=2003-081815-2308-99

Computer users at IU Bloomington can also obtain removal tools and the Microsoft patch on floppy disks or CDs from the Support Center walk-in location at the Information Commons on the first floor of the Herman B Wells Library.

For more details, see the UISO Bulletin page.

Also, see the ISS X-Force Security Alert.

This is document amjb in the Knowledge Base.
Last modified on 2018-01-18 13:26:22.