What You Should Know About the Blaster Worm and Its Variants

At 11:34 A.M. Pacific Time on August 11, Microsoft began investigating a worm reported by Microsoft Product Support Services (PSS). The worm, commonly known as W32.Blaster.Worm, and its variants exploit the vulnerability that was addressed by Microsoft Security Bulletin MS03-026.

Questions & Answers about the Blaster Worm

Download this document and learn to protect your computer from the Blaster worm.

 Important New Information

Hoax circulating: Microsoft never distributes software through e-mail. To learn more, click here.
Variants circulating: The security update that is addressed in Security Bulletin MS03-026 protects computers against variants of the Blaster worm.
FAQ updated: Microsoft has published answers to Frequently Asked Questions about the Blaster worm and its variants. To read the FAQ, click here.
Scan tool available: Microsoft has released a scan tool for network administrators. To get the tool, click here.

Who Is Vulnerable?

Users of the following products could be affected by this worm:

Microsoft® Windows NT® 4.0
Microsoft Windows® 2000
Microsoft Windows XP
Microsoft Windows Server™ 2003

If you are unsure of which version of Windows you are running, click here.

Your computer is not vulnerable to the Blaster worm if either of these conditions applies to you:

If you are using Microsoft Windows 95, Windows 98, Windows 98 Second Edition (SE), or Windows Millennium (Windows Me).
If you downloaded and installed the security update that was addressed by Security Bulletin MS03-026 prior to August 11, the date the Blaster worm was discovered.

How to Tell If the Worm Is Affecting Your Computer

Some customers whose computers have been infected may not notice the presence of the worm at all, while others who are not infected may experience problems because the worm is attempting to attack their computer. Typical symptoms may include Windows XP and Windows Server 2003 systems rebooting every few minutes without user input, or Windows NT 4.0 and Windows 2000 systems becoming unresponsive. Whether you are experiencing these symptoms or not, Microsoft recommends that you take the following action immediately:

If you're running Windows Server 2003 or Windows NT 4.0, follow Steps 1-3 for home users below.
If you're running Windows XP or Windows 2000, follow all Steps 1-4 for home users below.

Actions for Network Administrators

Microsoft recommends that network administrators take the following actions immediately:

Read the Microsoft Product Support Services (PSS) Security Response Team alert for technical guidance.
Download the MS03-026 Scanning Tool to identify computers that need the security update addressed in Microsoft Security Bulletin MS03-026.

4 Steps for Home Users

 If you are using Microsoft Windows NT 4.0, Windows 2000, Windows XP, or Windows Server 2003, you should follow the steps in this sequence to help protect your computer and to recover if your computer has been infected.
 1. Enable a Firewall
Make sure you have a firewall activated to help protect your computer against infection before you take other steps. If your computer has been infected, activating firewall software will help limit the effects of the worm on your computer.

The latest Windows operating systems have a firewall built in. Windows XP and Windows Server 2003 users should print or save the following instructions for how to enable their firewall.

If your computer is rebooting repeatedly, disconnect from the Internet before you enable your firewall. To disconnect your computer from the Internet:
  • Broadband connection users: Locate the telephone cable that runs from your external DSL or cable modem and unplug that cable either from the modem or from the telephone jack.
  • Dial-up connection users: Locate the telephone cable that runs from the modem inside your computer to your telephone jack and unplug that cable either from the telephone jack or from your computer.
Follow the instructions provided for your operating system, and then reconnect to the Internet.
 2. Update Windows
If you have disconnected from the Internet, remember to reconnect before you take the next steps. Download and install the security update addressed in Security Bulletin MS03-026 for the version of Windows that you are using from either Windows Update or the Microsoft Download Center.

To Get the Security Update from Windows Update
To Get the Security Update from the Download Center

When you click the appropriate link below, a dialog box appears. To begin the download process, do one of the following:
  • To start the installation immediately, click Open or Run this program from its current location.
  • To copy the download to your computer for installation, click Save or Save this program to disk. After saving, open the file and follow the installation instructions.
    Product name    Chinese    English
    Windows NT 4.0 Server
    Windows NT Server 4.0, Terminal Server Edition
    Windows 2000
    Windows XP
    Windows Server 2003 32-bit Edition
If you are running a 64-bit version of Windows, please read the Microsoft Product Support Services (PSS) Security Response Team alert for technical guidance.
 3. Use Antivirus Software
Use antivirus software and make sure you have the latest updates installed. There are several variants of this worm, and the most up-to-date information about them can be found at your antivirus vendor's Web site.
  • If you already have antivirus software installed, go to your antivirus vendor's Web site to get the latest updates, also known as virus definitions.
  • If you do not have antivirus software installed, get it. The following vendors participating in the Microsoft Virus Information Alliance (VIA) offer antivirus products for home users:
Learn about Microsoft's Virus Information Alliance.
 4. Remove the Worm
If you think there is even the slightest possibility that your computer might be infected, use the worm removal tool available at your antivirus software vendor's Web site:

Microsoft Product Support Services

If you think your computer has been infected with the Blaster worm, please contact Microsoft Product Support Services or your antivirus vendor for assistance removing it.

For Microsoft Product Support Services, please call 2388 9600 or visit www.microsoft.com/hk/security for further information.

Additional Resources

Get more technical details about Microsoft Security Bulletin MS03-026
Get more info on protecting your computer from viruses
