technology.uaa.alaska.edu

W32.Blaster.Worm

W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and execute it.

IT staff have installed blocking on all perimeter routers to the Anchorage campus. This blocking prevents all inbound and outbound Port 135 traffic to and from the Anchorage campus network. Its purpose is to eliminate further scans of computers on our network by outside systems and to prevent any compromised computers within our network from spreading the worm outside of UAA. Even with these blocks in place, we continue at the moment to see extremely high Port 135 traffic within the Anchorage campus network, suggesting that a number of compromised computers lie within our network space.

We conducted a conference call Tuesday morning at 10:00am with technical personnel across UAA’s campuses to discuss the attacks and the recommended remedies. For compromised personal computer workstations, we have circulated CDs to technical staff that can be used to locate and remove the worm. Once this has been done and Norton Antivirus definitions have been updated, a compromised personal computer workstation may be re-connected to the campus network. In the case of compromised servers, it remains our policy that the server be completely rebuilt (i.e., re-formatting hard drives and manually re-building all layered software) prior to re-connection to the network. This has been official policy for all types of compromises to servers.

Currently, we have positively identified over 100 computers (servers and workstations) that demonstrate symptoms of compromise. Our core routers are currently experiencing over 500 hits/second of Port 135 traffic and are running at over 70% utilization. We expect this traffic and impact to diminish as compromised computers are removed from the network and repaired.
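
One way to locate the compromised hosts behind the internal Port 135 traffic described above, shown as an added example (not code from UAA IT): count the distinct TCP/135 destinations each campus source contacts per time window in flow records. The CSV record format, the campus range 10.0.0.0/8, the window and the threshold are assumptions, and the sample data is constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumptions (not from the page): campus range, window size, threshold.
CAMPUS_NET = ipaddress.ip_network("10.0.0.0/8")
WINDOW_SECONDS = 60
DISTINCT_DST_THRESHOLD = 20

def find_port135_scanners(flow_csv, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src_ip: peak distinct TCP/135 destinations in one window}
    for campus sources whose fan-out reaches the threshold."""
    fanout = defaultdict(set)  # (src, window index) -> destinations seen
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            ts = int(row["ts"])
            dport = int(row["dport"])
        except (KeyError, ValueError, TypeError):
            continue  # skip malformed records instead of aborting the run
        if (row.get("proto") or "").lower() != "tcp" or dport != 135:
            continue
        if src not in CAMPUS_NET:
            continue  # only internal sources are candidates for cleanup
        fanout[(str(src), ts // WINDOW_SECONDS)].add(row["dst"])
    suspects = {}
    for (src, _window), dsts in fanout.items():
        if len(dsts) >= threshold:
            suspects[src] = max(suspects.get(src, 0), len(dsts))
    return suspects

def build_sample():
    """Constructed flow records: one host sweeping sequential addresses,
    one ordinary RPC client, one non-135 flow and one malformed row."""
    lines = ["ts,src,dst,proto,dport"]
    for i in range(40):
        lines.append(f"{1200 + i},10.1.2.3,10.9.0.{i + 1},tcp,135")
        lines.append(f"{1200 + i},10.4.5.6,10.0.0.10,tcp,135")
    lines.append("1205,10.4.5.6,10.0.0.11,tcp,445")
    lines.append("bad,row,here,tcp,135")
    return "\n".join(lines)

if __name__ == "__main__":
    for host, n in sorted(find_port135_scanners(build_sample()).items()):
        print(f"{host}: {n} distinct TCP/135 destinations in {WINDOW_SECONDS}s")
```

Fan-out is used rather than raw packet counts because a legitimate RPC client talks to a few servers repeatedly, while a scanning host touches many different addresses in a short time.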

If you have questions concerning this matter, please call the IT Call Center at 786-4646.



© Copyright 2005, University of Alaska Anchorage
3211 Providence Drive • Anchorage, Alaska • 99508
(907) 786-4646 or Toll Free (877) 633-3888
callcenter@uaa.alaska.edu