
Information Security

INFOSEC ADVISORY: w32.blaster worm

by Chris Russel

Information regarding the worm and current status at York

w32.blaster exploits the vulnerability described in Microsoft advisory MS03-026, which is present in Windows NT4/2000/XP/2003. This advisory and patch were first released on July 16th. Two CNS Infosec advisories relating to this vulnerability were also sent in the last month. Those who have applied the patch are NOT vulnerable to this worm.

Although many areas did ensure their systems were patched, a significant number of vulnerable systems remain on the York network. The first "blaster" infection at York was detected at approximately 3pm today. We are doing everything we can to contain, clean, and patch infected systems.

How do I know I'm infected?
At the time of infection, users will see a dialog box indicating a failure of the RPC service, and the system reboots after a 60-second countdown. Symantec Anti-Virus with the latest signatures will also detect the presence of the worm, but cannot remove it by itself.

What does the worm do?
As well as flooding the network to find other systems to infect, the worm leaves a back-door network entry into your computer, potentially compromising all data your computer has access to. The worm may also interfere with normal operation of the infected computer. A side-effect of the network flooding is that SIS services are disabled until the York-local infections can be brought under control.

How do I remove the worm?
It is recommended that you contact your local technical support to remove this worm and patch your system to make it invulnerable to further attacks.

For do-it-yourself instructions, follow this two-step process:
1) Patch the system, either via Windows Update or by downloading the patch from here.
2) Run the Symantec w32.blaster removal tool, available here.

Please keep in mind that if you remove the worm without patching, your system will be reinfected.

Systems which remain infected may be removed from the York network without notice.

Contact information
General inquiries:  infosec@yorku.ca
Network and computer abuse reports:  abuse@yorku.ca
Email spam reports: antispam@yorku.ca

 

last modified: March 18, 2003

Copyright 2002 © York University