
Virus Alert: Windows Blaster, Welchia, and Nachi worms reported on campus (08/12/03)

W32/Blaster, a Windows virus, has been reported at Cornell. W32/Blaster infects computers running Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

A follow-up worm called Welchia or Nachi, which attempts to clean up W32/Blaster but can cause problems of its own, has also been reported at Cornell.

Computers running Windows 95, 98, or Me, and non-Windows systems such as Mac OS or Linux, are not affected.

What to Watch For:

W32/Blaster arrives through a vulnerability in a Microsoft Windows interface called RPC/DCOM. It does not arrive as an e-mail message, so your system can be infected without your knowledge. If your system is infected, Internet access may seem slow and a program named "msblast.exe" will be running; press Ctrl-Alt-Del and use the Task Manager to stop this program.

To slow the spread of W32/Blaster, CIT has blocked a specific port, number 135, for communication between on-campus and off-campus networks. This block will remain in effect until the risk is eliminated. Some local Internet service providers, including Road Runner, have set up similar blocks. A few Windows services, listed at the end of this message, may be affected by the block. Additional measures to protect the campus network from these attacks are being put in place as needed.

Details on the nature of the Blaster worm, the latest massive exploit of the RPC/DCOM vulnerability, are included in CERT Advisory CA-2003-20.

How to Avoid It:

CIT urges all Windows users to update their system and antivirus software to protect against this worm.

  1. Update system software: The patch can be downloaded from Symantec or downloaded locally at Cornell. The patch is also available through Windows Update, but Windows Update may be difficult to reach because it is one of the targets of W32/Blaster.

    Your Windows computer is already protected if you have run Windows Update on or after July 16 and accepted all the critical security updates, or if you downloaded the patch described in Microsoft Security Bulletin MS03-026.

    Update 9/11/03: A new patch described in Microsoft Security Bulletin MS03-039 supersedes the patch above and protects against newly discovered vulnerabilities as well. See CERT advisory CA-2003-23.
    Download Cornell's local copy of the new patch.

  2. Update Symantec AntiVirus software and perform a complete system scan. W32/Blaster is detected by Symantec AntiVirus software that has been updated to the 8/11/03 rev.19 virus definition file, or a newer file.

    To update, run Symantec AntiVirus and choose Live Update. Or download the file via Bear Access (Virus Protection folder) or from Symantec or Cornell's local copy of the latest update.

    Cornell University has signed a site license with Symantec to provide Symantec AntiVirus (SAV) to the entire campus community. The license allows SAV to be used on all university-owned computers, home computers of staff and faculty, and computers owned by registered students.

How to Get Rid of It:

If you're seeing "shutdown in 60 seconds" messages, open the Start menu, choose Run, type in shutdown.exe -a and click OK. (This may not work on Windows 2000.) This will stop Blaster's automatic shutdown process and give you time to visit web sites and download the updates. It has also been reported that activating the Windows XP firewall may allow infected machines to connect to the Internet. Cornell staff have had success downloading the patch onto a floppy disk from an uninfected machine, and using the disk to repair infected machines.

If you suspect your computer has been infected, the first step is to download and install the updates as described above under "How to Avoid It." Then follow the instructions on Symantec's W32.Blaster.Worm removal page. You can download the Blaster removal tool and the Welchia removal tool, both of which must be run on your affected system. If you need additional assistance, please contact the CIT HelpDesk by calling 255-8990 or by sending e-mail to helpdesk@cornell.edu.

-------------------------

If you need help, please contact the CIT HelpDesk by calling 255-8990, by sending e-mail to helpdesk@cornell.edu, or by visiting 119 CCC. The HelpDesk is open Monday-Friday from 8:00 a.m. to 5:00 p.m., with extended phone hours Monday-Thursday from 5:00 p.m. to 8:00 p.m. during the academic year. If the HelpDesk is closed and your problem is urgent, contact the Network Operations Center at 255-9900.

Services Affected:

There are many services associated with the Windows operating systems. These services might require more than one TCP or UDP port to function. A small number of services may be affected by blocking TCP/UDP port 135. For example, this port is used for Windows domain replication, any MMC-based remote management panel, WMI, .Net remoting, and Cluster Controller.

To the best of our knowledge, the following services will most likely be affected when communicating between on-campus and off-campus networks.

Service                                                        Protocol / Port
Client/Server Communication                                    TCP 135
DCOM (SCM uses UDP/TCP to dynamically assign ports for DCOM)   TCP & UDP 135
DHCP Manager                                                   TCP 135
Exchange Administrator                                         TCP 135
RPC                                                            TCP 135
Microsoft Message Queue Server                                 TCP 135
RPC user manager, service manager, port mapper                 TCP 135
SCM used by DCOM                                               TCP & UDP 135
SQL session mapper                                             TCP 135
WINS Manager                                                   TCP 135

Message to Network Administrators 8/15/03: Blaster notifications

The IT Security Office has done some basic port scanning of Cornell's networks in an attempt to identify systems that have been compromised by W32.Blaster.Worm. The scans checked for the presence of a listener on TCP port 4444 on each host. This port is a standard backdoor port for most of the Blaster variants.

Of course, the port may also be used by other, legitimate services. Two examples are vbrick video software and Kerberos servers. The presence of a service listening on TCP port 4444 does not guarantee that the system in question is infected, but it may be an indication of an infection.

If you receive a notification, please check the system in question with updated antivirus software and/or the Blaster removal tool. The tool can be obtained from Symantec's antivirus tools site.
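Two of the indicators this notice gives, the msblast.exe process (under "What to Watch For") and a listener on TCP port 4444 (this message), can be checked together when triaging a notified host. The Python below is an added example, not CIT's or Symantec's code: it parses Windows "netstat -an" style output for listening TCP ports, checks the process list for msblast.exe, and classifies the host. The hostnames, the netstat text and the allowlist of hosts that legitimately use TCP 4444 (standing in for the vbrick and Kerberos cases the message mentions) are all constructed for the example.

```python
"""Triage hosts for the Blaster indicators named in the CIT advisory.

Added example, not part of the original notice. Sample data is constructed;
hostnames are placeholders, not real Cornell systems.
"""

from dataclasses import dataclass, field

BLASTER_PROCESS = "msblast.exe"   # process name given under "What to Watch For"
BLASTER_BACKDOOR_PORT = 4444      # backdoor port given in the 8/15/03 message

# Constructed allowlist: hosts known to run a legitimate service on TCP 4444.
KNOWN_4444_SERVICES = {
    "video-01.example.edu": "vbrick video software",
    "kdc-01.example.edu": "Kerberos server",
}


def listening_tcp_ports(netstat_output: str) -> set[int]:
    """Return the TCP ports in LISTENING state from 'netstat -an' text
    (Windows column layout: Proto, Local Address, Foreign Address, State)."""
    ports: set[int] = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue                      # header, blank, or UDP line
        if fields[3].upper() != "LISTENING":
            continue                      # established or waiting connection
        port_text = fields[1].rsplit(":", 1)[-1]   # local address is host:port
        if port_text.isdigit():
            ports.add(int(port_text))
    return ports


@dataclass
class HostRecord:
    hostname: str
    netstat_output: str = ""
    processes: list[str] = field(default_factory=list)


def classify(host: HostRecord) -> tuple[str, list[str]]:
    """Return (verdict, reasons). The strongest indicator decides:
    infected - msblast.exe is running
    suspect  - TCP 4444 listening with no known legitimate use
    review   - TCP 4444 listening on an allowlisted host
    clean    - neither indicator present
    """
    has_process = BLASTER_PROCESS in {p.lower() for p in host.processes}
    has_port = BLASTER_BACKDOOR_PORT in listening_tcp_ports(host.netstat_output)
    legit = KNOWN_4444_SERVICES.get(host.hostname)

    reasons: list[str] = []
    if has_process:
        reasons.append(f"process {BLASTER_PROCESS} is running")
    if has_port and legit:
        reasons.append(f"TCP {BLASTER_BACKDOOR_PORT} listening; expected for {legit}")
    elif has_port:
        reasons.append(f"TCP {BLASTER_BACKDOOR_PORT} listening with no known legitimate service")

    if has_process:
        return "infected", reasons
    if has_port and legit is None:
        return "suspect", reasons
    if has_port:
        return "review", reasons
    return "clean", reasons


def triage(hosts: list[HostRecord]) -> dict[str, str]:
    """Map each hostname to its verdict."""
    return {h.hostname: classify(h)[0] for h in hosts}


# Constructed 'netstat -an' output: RPC endpoint mapper plus the 4444 listener.
NETSTAT_WITH_4444 = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    10.0.1.5:139           10.0.1.20:1042         ESTABLISHED
  UDP    0.0.0.0:69             *:*
"""

# Constructed output for a host with only the normal RPC listener.
NETSTAT_CLEAN = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
"""

CONSTRUCTED_HOSTS = [
    HostRecord("ws-101.example.edu", NETSTAT_WITH_4444, ["explorer.exe", "MSBLAST.EXE"]),
    HostRecord("ws-102.example.edu", NETSTAT_WITH_4444, ["explorer.exe", "svchost.exe"]),
    HostRecord("video-01.example.edu", NETSTAT_WITH_4444, ["vbrick.exe"]),
    HostRecord("ws-103.example.edu", NETSTAT_CLEAN, ["explorer.exe"]),
]

if __name__ == "__main__":
    for host in CONSTRUCTED_HOSTS:
        verdict, reasons = classify(host)
        print(f"{host.hostname:24s} {verdict:9s} {'; '.join(reasons)}")
```

A host classified "review" still needs a look, as the message says: the port alone is only an indication, and the process check or an updated antivirus scan settles it.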

Message to Network Administrators 8/21/03: ICMP echo and echo-reply blocked from Cornell campus to Internet

Because of the very large volume of ICMP traffic generated by systems on the Cornell campus infected by the Welchia worm, our commodity Internet link and packet shaper were both becoming unstable. In an effort to stem the tide of this traffic, our Network Engineering group implemented specific filters on our core routers.

The filters are blocking all ICMP echo and echo-reply packets (the packets used by ping and traceroute) coming from Cornell networks to the Internet.

Our network core, packet shaper, and commodity Internet connection are now all more stable. Unfortunately, the ICMP blocks may interfere with some network services. We apologize for this inconvenience, but it is necessary to ensure a high quality of network service for the entire Cornell network. We will remove these filters when the Welchia worm infection problem has subsided.

Message to Network Administrators 8/26/03: Virus numbers

Ordinarily around one percent of the mail traffic that makes its way to the new postoffices (6, 8, 9) is classified as a virus. During the last four days we have detected approximately one million virus-infected mail files, comprising 35% of our mail traffic.




Last modified: June 5, 2003