Microsoft Corporation recently announced a security vulnerability in its Windows Operating System(s), which allows attacks by the W32.Blaster.Worm to the Cisco CallManager server and the Cisco Conference Connection (CCC), Cisco Emergency Responder (CER), Cisco IP Contact Center (IPCC) Express and PA applications. This security vulnerability is in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface.
This virus may also be known as:
Additional information can be found on the Microsoft Website at these locations:
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
Windows 2000 Server
All Cisco CallManager versions
CCC, CER, IPCC Express, ISN, and PA
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
A stack-based buffer overflow condition has been discovered in the Microsoft RPC interface for DCOM. This is a core function of the Windows kernel, and cannot be disabled. Since this is a kernel function (implemented via SVCHOST.EXE), successful attacks result in System privilege. Specially crafted messages sent to port 135 exploit the buffer overflow.
Exploit code circulates in the wild executes shell code after the buffer overflow. This allows remote access to a command shell and complete, privileged remote control of the system. You might possibly see an error in the Event Viewer on an infected system.
All infected Windows 2000 machines can see an error similar to this in the Event Viewer, System Log:
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7031
Time: 10:10:10 PM
The Remote Procedure Call (RPC) service terminated unexpectedly.
The software affected is:
The solutions to this problem are explained in detail here.
Complete these steps to prevent the virus from infecting your machine.
If you run Cisco CallManager with PRE-WinOSUpgrade2000-2-4, then upgrade to Cisco CallManager WinOS2000-2-4 and apply WinOS2000-2-4sr5.
If you run a Cisco CallManager version that already has WinOS2000-2-4, then upgrade to Cisco CallManager WinOSUpgrade2000-2-4sr5. Additionally, if you run WinOSUpgradev2000-2-3 or 2000-2-4, you can apply the single hotfix MS03-026 to patch this one bug.
After you apply the patch, check for this registry key:
"windows auto update"="msblast.exe"
If this key is present, then it is likely your system is already infected. Consider running the Stinger virus tool or other virus software listed in the If Your Machine IS Infected with the Virus section.
If your machine is already infected, the upgrades described earlier in this document do not remove the virus. Perform these steps before you apply the Microsoft patch.
Based on your virus software you need to either get McAfee's latest DAT file 4284, which has the virus removal definitions or Norton's latest virus definitions, which were recently released.
Note: Norton is only supported for the Cisco CallManager application.
If your system is infected and does not have Norton or McAfee on the system, you can consider running the stand alone virus removal tool Stinger v1.8.0 .
Upgrade the Cisco CallManager to the releases mentioned in the If Your Machine is NOT Infected with the Virus section. Also, make sure all downloads (MS03-026) for Cisco CallManager are from cisco.com and not Microsoft's site.