DePaul Information Services



Recovering from the W32.Blaster/W32.Nachi Worm

What is it?

On August 11, 2003 the W32.Blaster worm was released into the wild. This worm proceeded to infect hosts vulnerable to the Microsoft RPC/DCOM security vulnerabilities found in Microsoft Windows operating systems. The details of this vulnerability are covered in Microsoft's Security Bulletin MS03-026.

How does this threat affect me?

A computer infected with these worms may allow unauthorized access by a malicious user and/or the propagation of malicious code onto other Internet-connected computers, including University computers. Along with this comes an imminent loss of response time on the network as more and more infected computers scan the network for vulnerable hosts. If your machine is infected with W32.Blaster, it may scan about one IP address per second (though we have data showing the worm is more "noisy" than this). If infected with W32.Nachi, your computer may scan up to 300 times that amount, per second!

CSRT will suspend network connectivity for any hosts infected with these, and future, worms. We feel that this suspension is warranted given the current threats that both Blaster and Nachi have posed to the University and the Internet community.
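
The scan rates quoted above suggest a simple way to spot an infected host from connection records: count how many distinct addresses each source contacts per second. The sketch below is an added example, not CSRT's tooling or anything from the original page; the flow records, addresses and the two thresholds are constructed assumptions.

```python
from collections import defaultdict

def build_sample_flows():
    """Constructed records: (timestamp in seconds, source IP, destination IP)."""
    flows = []
    for t in range(10):
        # 10.0.0.5: one new destination per second (the Blaster-like rate)
        flows.append((float(t), "10.0.0.5", f"10.1.0.{t + 1}"))
        # 10.0.0.9: 300 new destinations per second (the Nachi-like rate)
        for i in range(300):
            n = t * 300 + i
            flows.append((t + i / 300.0, "10.0.0.9",
                          f"10.2.{n // 250}.{n % 250 + 1}"))
        # 10.0.0.7: ordinary client talking to the same two servers
        flows.append((float(t), "10.0.0.7",
                      "10.9.9.1" if t % 2 else "10.9.9.2"))
    return flows

def peak_new_destination_rate(flows, window=10.0):
    """Per source: most distinct destinations seen in any window, per second."""
    seen = defaultdict(set)  # (source, window index) -> destinations contacted
    for ts, src, dst in flows:
        seen[(src, int(ts // window))].add(dst)
    peak = defaultdict(float)
    for (src, _), dsts in seen.items():
        peak[src] = max(peak[src], len(dsts) / window)
    return dict(peak)

def classify(rate, slow=0.5, fast=100.0):
    """Thresholds are hypothetical; tune them against normal traffic."""
    if rate >= fast:
        return "fast-scan"
    if rate >= slow:
        return "slow-scan"
    return "normal"

def triage(flows):
    """Map each source IP to a label based on its peak scan rate."""
    rates = peak_new_destination_rate(flows)
    return {src: classify(rate) for src, rate in rates.items()}

if __name__ == "__main__":
    for src, label in sorted(triage(build_sample_flows()).items()):
        print(src, label)
```

Servers that legitimately contact many addresses, such as mail relays or DNS resolvers, will also score high on this measure and need to be excluded before acting on the result.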

How can I fix my computer?

If you have noticed that your network connectivity has been suspended, immediately call the helpdesk at (312)362-8765. If you are a user on the wireless network, or you own your own personal computer, you can follow the steps listed below to patch your machine. Please note: CSRT takes no responsibility for any side-effects these procedures may incur on your computer.
  1. Login as an administrative user to your computer.
  2. If you are using Windows XP, turn off System Restore by clicking through the following path on your computer. Start-- Run-- My Computer-- Properties-- System Restore. Users of Windows 2000, NT or ME/98 are not required to do this step.
  3. Download stinger.exe, a free tool by Network Associates to clean off the running worms from your machine. Run the tool as per the instructions of the Stinger website.
  4. Visit Microsoft's Windows Update website to download the patches required by your operating system:
    1. Let the server analyze your machine for the latest patch level. If this does not work automatically, click "Scan for Updates." (Note: you may be asked to trust the website to execute an analysis of your machine. If prompted, click "Yes").
    2. Click on "Critical Updates and Service Packs" in the left toolbar. Check all updates.
    3. Click "Install Now" -- this process may take anywhere from 5 to 90 minutes depending on the patch level of your computer.
    4. Reboot your computer.
  5. Visit the Windows Update website again and install any other patches that were not installed. Repeat until there are no patches left to download.
  6. To be extra cautious, run stinger.exe again to verify that the worm did not reinfect your machine during the patch process.
  7. Update your anti-virus software signatures as per the vendor instructions for doing so. If you do not currently own AV software, we recommend you contact the Helpdesk to determine if you are eligible to use the University's licensed copy.

How can I stay safe in the future?

Most Internet based worms or exploits take advantage of unpatched computers, easily guessable passwords, no passwords, or the lack of an anti-virus scanner. To combat this, we recommend the following.
  1. Make sure you stay up-to-date by staying current on patches.
  2. Choose a strong password for your machine; this password should be 8 characters long, a mixture of letters, numbers and other characters, and not be based on a dictionary word of any language.
  3. Update your Anti-Virus software daily.
  4. Report any suspicious behavior to the Helpdesk.

We strongly recommend that all users of Windows XP utilize the Internet Connection Firewall which can prevent a large percentage of attacks against your computer. Microsoft has provided a web page titled How to Enable Internet Connection Firewall in Windows XP that we recommend you read in order to understand what ICF is and how to use it to protect yourself from compromise.

Microsoft also provides a feature called "Windows Update" in Windows XP Professional. This is a feature built into the operating system that does not require you to establish a connection over the WWW, and provides friendly reminders when updates are needed. To learn more about this feature, visit the short tutorial on enabling Windows Update. You can also visit the Windows Update FAQ to learn more about Windows Update.

The Microsoft Baseline Security Analyzer is useful for detecting the weaknesses of your computer. We recommend downloading and running this tool frequently.

Finally, Microsoft has collected various security notes and recommendations for Windows XP users. We recommend taking some time to review these by viewing the page entitled Maintain Security with Windows XP.

Feel Free to Contact Us

If you have questions regarding computer or network security, feel free to contact us with those questions. We will help in any way possible. Also, sign up for our computer and network security vulnerability alerting service; for more information, visit our Security Bulletins website.





© 2001-2007 | DePaul University
1 E. Jackson Chicago IL 60604 | 312-362-8000