virus !!!!!!

What You Should Know About the Blaster Worm and Its Variants
Updated August 20, 2003, 5:00 P.M. Pacific Time

View Printer-Friendly Version

Related Resources
Blaster Worm FAQ
Get More Details in the Technical Virus Alert
Microsoft Security Bulletin MS03-026
Join a Microsoft Security Newsgroup

Next Steps
Home Users: Protect Your PC
IT Pros: Protect Your Systems

Glossary Terms

Click the term to get the definition from our Security and Privacy Glossary.

virus
worm


Find links to this page in more than 30 different languages.

At 11:34 A.M. Pacific Time on August 11, Microsoft began investigating a worm reported by Microsoft Product Support Services (PSS). The worm commonly known as W32.Blaster.Worm and its variants exploits the Remote Procedure Call (RPC) vulnerability that was addressed by Microsoft Security Bulletin MS03-026.

Important Information
Home users guidance: These four steps can help protect your computer and recover if it has been infected by the Blaster worm or variants. To get the steps, click here.
Hoax circulating: Microsoft never distributes software through e-mail. To learn more, click here.
Variants circulating: The security update that is addressed in Security Bulletin MS03-026 protects computers against variants of the Blaster worm.
FAQ updated: You can find answers to Frequently Asked Questions about the Blaster worm and its variants. To read the FAQ, click here.
Scan tool for Network Administrators available: IT professionals can download a free tool from Microsoft to help them scan their networks for the security update. To get the tool, click here.
Who Is Vulnerable?
Users of the following products could be affected by this worm:

Microsoft® Windows NT® 4.0
Microsoft Windows® 2000
Microsoft Windows XP
Microsoft Windows Server? 2003
If you are unsure of which version of Windows you are running, click here.

Your computer is not vulnerable to the Blaster worm if either of these conditions apply to you:

If you are using Microsoft Windows 95, Windows 98, Windows 98 Second Edition (SE), or Windows Millennium (Windows Me).
If you downloaded and installed the security update that was addressed by Security Bulletin MS03-026 prior to August 11, the date the Blaster worm was discovered.
How to Tell If the Worm Is Affecting Your Computer
Some customers whose computers have been infected may not notice the presence of the worm at all, while others who are not infected may experience problems because the worm is attempting to attack their computer. Typical symptoms may include Windows XP and Windows Server 2003 systems rebooting every few minutes without user input, or Windows NT 4.0 and Windows 2000 systems becoming unresponsive. Whether you are experiencing these symptoms or not, Microsoft recommends that you take the following action immediately:

If you're running Windows Server 2003 or Windows NT 4.0, follow Steps 1?3 for home users below.
If you're running Windows XP or Windows 2000, follow all Steps 1?4 for home users below.
Actions for Network Administrators
Microsoft recommends that network administrators take the following actions immediately:

Read the Microsoft Product Support Services (PSS) Security Response Team alert for technical guidance.
Download the MS03-026 Scanning Tool to identify computers that need the security update addressed in Microsoft Security Bulletin MS03-026.
4 Steps for Home Users
If you are using Microsoft ® Windows NT® 4.0, Windows® 2000, Windows XP, or Windows Server? 2003, you should follow the steps in this sequence to help protect your computer and to recover if your computer has been infected.

1. Enable a Firewall

Make sure you have a firewall activated to help protect your computer against infection before you take other steps. If your computer has been infected, activating firewall software will help limit the effects of the worm on your computer.

The latest Windows operating systems have a firewall built in. Windows XP and Windows Server 2003 users should print or save the following instructions for how to enable their firewall.

If your computer is rebooting repeatedly, disconnect from the Internet before you enable your firewall. To disconnect your computer from the Internet:

Broadband connection users: Locate the telephone cable that runs from your external DSL or cable modem and unplug that cable either from the modem or from the telephone jack.
Dial-up connection users: Locate the telephone cable that runs from the modem inside your computer to your telephone jack and unplug that cable either from the telephone jack or from your computer.
Follow the instructions provided for your operating system, and then reconnect to the Internet.

Windows XP users: Click here for instructions.
Windows Server 2003 users: Follow these instructions to enable the Internet Connection Firewall.
Windows NT 4.0 and Windows 2000 users: You will need to install a third-party firewall. Most firewall software for home users is available in free or trial versions. Check the following resources for more information on personal firewalls:
McAfee Security
Symantec
ZoneAlarm Pro (Zone Labs)
Tiny Personal Firewall (Tiny Software)
Outpost Firewall (Agnitum)
Kerio Personal Firewall (Kerio Technologies)
BlackICE PC Protection (Internet Security Systems)
Windows 2000 users: Alternatively, you can take steps to block the affected ports so that your computer can be patched. Here are some modified instructions from the TechNet article HOW TO: Configure TCP/IP Filtering in Windows 2000.

2. Update Windows

If you have disconnected from the Internet, remember to reconnect before you take next steps. Download and install the security update addressed in Security Bulletin MS03-026 for the version of Windows that you are using from Windows Update.

When you get to the Windows Update site, scan your computer for any critical updates that you need, and then install them. To do that:

Click Scan for Updates to begin the search for available updates.
In the Pick updates to install list on the left side of your screen, click Critical Updates and Service Packs.
Click Review and install updates on the right side of your screen to begin downloading and installing the updates.
To Get the Security Update from Windows Update
Click here to go to the Windows Update Web site.

3. Use Antivirus Software

Use antivirus software and make sure you have the latest updates installed. There are several variants of this worm, and the most up-to-date information about them can be found at your antivirus vendor's Web site.

If you already have antivirus software installed, go to your antivirus vendor's Web site to get the latest updates, also known as virus definitions.
If you do not have antivirus software installed, get it. The following vendors participating in the Microsoft Virus Information Alliance (VIA) offer antivirus products for home users:
McAfee
Trend Micro
Symantec
Computer Associates
Learn about Microsoft's Virus Information Alliance.

4. Remove the Worm

If you think there is even the slightest possibility that your computer might be infected, use the free worm removal tool available at your preferred antivirus software vendor's Web site:

Network Associates
Trend Micro
Symantec
Computer Associates

For Technical Assistance
Contact your antivirus vendor for assistance with identifying or removing virus or worm infections. If you need more help with virus-related issues, please contact PSS. We are currently experiencing a high call volume and apologize for any delay in responding.

For Microsoft Product Support Services within the United States and Canada, call toll-free (866) PCSAFETY (727-2338).
For worldwide support, contact your local Microsoft office.