Frequently Asked Questions Regarding Blaster for IT Pros
August 28, 2003
Methods to prevent your machines from rebooting are listed below. Start with the first method and, if that doesn’t work or is inappropriate, try the next method. If none of the methods listed work on your systems, please contact Product Support Services.
For Windows XP or Windows Server 2003, turn on Internet Connection Firewall.
If you are using the Internet Connection Firewall in Windows XP or Windows Server 2003 to protect your Internet connection, it will by default block inbound RPC traffic from the Internet. (See http://support.microsoft.com/default.aspx?scid=kb;en-us;283673&sd=tech.)
To enable the Internet Connection Firewall:
To disable DCOM on all affected machines:
Disabling DCOM should be viewed only as a temporary measure. If the first method above was already implemented, you should not have to proceed with the method described in this section.
When a computer is part of a network, the DCOM protocol enables COM objects on that computer to communicate with COM objects on other computers. You can disable DCOM for a particular computer to help protect against the vulnerability that Blaster exploits, but doing so will disable all communication between objects on that computer and objects on other computers.
If you disable DCOM on a remote computer, you will not be able to remotely access that computer afterward to re-enable DCOM. To re-enable DCOM, you will need physical access to that computer.
To manually disable (or enable) DCOM for a computer:
If you are running Windows 2000 RTM, SP1, or SP2 and are therefore unable to disable DCOM, you can configure Advanced TCP/IP Filtering.
To configure TCP/IP security on Windows 2000:
On Windows 2000 systems, where Internet Connection Firewall (ICF) is not available and DCOM cannot be disabled, the following steps will help block the affected ports so that the system can be patched. These steps are based on a modified excerpt from Knowledge Base article 309798, "HOW TO: Configure TCP/IP Filtering in Windows 2000," http://support.microsoft.com/default.aspx?scid=kb;en-us;309798&sd=tech.
Note: Because the TCP/IP filtering enabled above can break many applications (including FTP, P2P software, and Instant Messaging), the TCP/IP filtering should be disabled after the patch is installed.
Recovery is accomplished by installing the patch and cleaning up the infected system. You can get the patch from two locations:
Download or install the patch from the Microsoft Download Center:
Install the patch on an individual computer from Microsoft Update:
Important: It is critical that the systems be cleaned after they have been infected. Refer to the following resources for help in securing and cleaning your systems:
Microsoft now fully supports installing MS03-026 on Windows 2000 Service Pack 2 (SP2).
Additional worms are being created that exploit the vulnerability patched by Microsoft Security Bulletin MS03-026. For additional information on all of these variants, please contact your antivirus software vendor.
Additional information about the Blaster worm and its variants is available at: