Yes - we posted this yesterday
see
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/nachi.asp
(copied below)
PSS Security Response Team Alert - New Worm: Nachi, Blaster-D, Welchia
SEVERITY: CRITICAL
DATE: August 18, 2003
PRODUCTS AFFECTED: Windows 2000 and XP, Internet Information Services
5.0
**********************************************************************
WHAT IS IT?
A new worm is spreading in the wild. The Microsoft Product Support
Services Security Team is issuing this alert to advise customers to be on
the alert for this virus as it spreads in the wild. Customers are advised to
review the information and take the appropriate action for their
environments.
IMPACT OF ATTACK:
Network Propagation, Patch Installation
TECHNICAL DETAILS:
Similar to the earlier Blaster worm and its variants, this worm also
exploits the vulnerability patched by Microsoft Security Bulletin MS03-026,
and instructs target systems to download its copy from the affected system
using the TFTP program.
In addition to exploiting the RPC vulnerability patched by Microsoft
Security Bulletin MS03-026 this worm also uses a previously patched
vulnerability in Microsoft Security Bulletin MS03-007 directed at IIS 5.0
over port 80 to propagate to un-patched systems.
In addition upon successful infection this worm also patches systems
with the patch for Microsoft Security Bulletin MS03-026. It does this by
first determining the operating system and then downloading the associated
patch for that operating system.
For additional details on this worm from anti-virus software vendors
participating in the Microsoft Virus Information Alliance (VIA) please visit
the following links:
Network Associates:
http://vil.nai.com/vil/content/v_100559.htm
Trend Micro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.D
Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
For more information on Microsoft's Virus Information Alliance please
visit this link:
http://www.microsoft.com/technet/security/virus/via.asp
Please contact your Antivirus Vendor for additional details on this
virus.
PREVENTION:
Turn on Internet Connection Firewall (Windows XP or Windows Server
2003) or use a third party firewall to block incoming TCP ports 80, 135,
139, 445 and 593; UDP ports 135, 137, 38.
To enable the Internet Connection Firewall in Windows XP please see
the instructions below or visit this KnowledgeBase Article:
http://support.microsoft.com/?id=283673
1. In Control Panel, double-click Networking and Internet Connections,
and then click Network Connections.
2. Right-click the connection on which you would like to enable ICF,
and then click Properties.
3. On the Advanced tab, click the box to select the option to Protect
my computer or network.
This worm utilizes two previously-announced vulnerabilities as part of
its infection method. Because of this, customers must ensure that their
computers are patched for the vulnerabilities that are identified in the
following Microsoft Security Bulletins.
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
In order to assist customers with the installation of the patch for
Microsoft Security Bulletin MS03-026 Microsoft has released a tool which can
be used to scan a network for the presence of systems which have not had the
MS03-026 patch installed. More details on this tool are available in
Microsoft Knowledge Base article MS03-026. In order to assist customers,
Microsoft has released a tool which can be used to scan a network for the
presence of systems which have not had the MS03-026 patch installed. More
details on this tool are available in Microsoft Knowledge Base article
826369.
RECOVERY:
If your computer has been infected with this virus, please follow the
steps located on this page:
http://www.microsoft.com/security/protect/main.asp. . After updating your
virus definitions please scan your machine using your current antivirus
software, following the instructions for removal. If after you have followed
these steps you need further assistance please contact your preferred
antivirus software vendor or Microsoft Product Support Services.
RELATED MICROSOFT SECURITY BULLETINS:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
As always please make sure to use the latest Anti-Virus detection from
your Anti-Virus vendor to detect new viruses and their variants.
If you have any questions regarding this alert please contact your
Microsoft representative, your preferred antivirus software vendor or
1-866-727-2338 (1-866-PCSafety) within the US, outside of the US please
contact your local Microsoft Subsidiary.
PSS Security Response Team
--
Regards,
Mike
--
Mike Brannigan [Microsoft]
This posting is provided "AS IS" with no warranties, and confers no
rights
Please note I cannot respond to e-mailed questions, please use these
newsgroups
