Information Technologies Division

Current Windows exploits affecting campus via Microsoft RPC Buffer Overflow

What is it?

Am I infected?

What do I do if I am infected?

What precautionary steps MUST everyone take?

On July 16th Microsoft announced a massive security hole in all versions of Windows. Technically, the hole is a buffer overflow vulnerability in the Windows Remote Procedure Call (RPC) implementation.

For detailed information see the Microsoft security bulletin MS03-026 and the CERT advisory.

There are currently at least three exploits on campus taking advantage of this vulnerability to infect computers: Trojan.Stealther.B, W32.Blaster.Worm, and W32.Welchia.Worm.

Symptoms that you may be infected:

  1. Any Microsoft Office Applications (Word, Excel, etc.) may not allow cut and paste actions.
  2. Symantec Antivirus Live Update will not be able to contact hosts in order to update. Visually, you will see a red exclamation point ( ! ) over the Symantec Shield in the system tray (near clock).
  3. Windows Update will not be accessible.
  4. The computer may reboot for no reason. A DCOM error or warning message may appear before the reboot.
  5. AFS services will not work on some infected machines.
  6. Infected systems may behave erratically; for example, applications may not display their output, may run and then disappear, or may not run at all.

Steps to take if you are infected AND to secure your computer:

First and foremost, anyone responsible for maintaining a computer running Windows should IMMEDIATELY visit the Windows Update Site http://windowsupdate.microsoft.com/ and install ALL critical and relevant security updates REGARDLESS of whether you are infected or not.

If you think you have been infected with one of the exploits listed above, follow these steps:

  1. Patch your computer using the Windows Update site above. In addition to affecting normal system operation, these exploits may restrict access to the Microsoft Windows Update site and the Symantec site. If you are having trouble getting to either of these sites, local copies of the patches and fixes are available here to persons with a valid Unity user ID and password.
  2. After patching, run the cleaner tools listed below.
  3. Reboot.
  4. Then run the cleaner tools again, just to be sure.

Symantec has removal tools to help with the cleanup: Stealther Removal Tool, Blaster Removal Tool, and Welchia Removal Tool.

*NOTE* Blaster only infects Windows 2000 and XP systems, but attempted infections on other versions of Windows may cause them to crash or misbehave.

As part of its infection, the Stealther Trojan disables real-time protection in Symantec/Norton AntiVirus; this is indicated by an exclamation mark ( ! ) over the yellow shield in your system tray (next to the clock). To fix this you will need to reinstall Symantec AntiVirus after patching and cleaning. Be sure to uninstall the existing copy of Symantec AntiVirus before reinstalling.

*NOTE* If you are not the administrator of your machine, contact your local system administrator, help desk, or tech support to verify your computer has been updated and cleaned.



NC State Information Technology Division
Jeff Webster - Security Coordinator


Send questions or comments to help@ncsu.edu


Last updated September 4, 2003 by jsw