RPC DCOM Exploit

If your operating system is listed below, it is critical that you read and follow the instructions for that version. Microsoft has more information available at the following link: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/bpdcom.asp

It has been discovered that some Windows systems with the MS03-039 patch installed are still vulnerable to an RPC attack that can be launched using publicly available attack tools. The new problem is due to a race condition that arises when multiple RPC server threads are handling many requests arriving rapidly.

Status: The vendor has been notified of the problem. Microsoft has not yet made a statement regarding the vulnerability.

References:
CERT Vulnerability Note
http://www.kb.cert.org/vuls/id/547820
ISS Advisory
http://xforce.iss.net/xforce/alerts/id/155

Note: The hyperlinks below work best when used with Internet Explorer version 5.x or newer. If you are using a Netscape browser, you will have to download the files to your local hard drive first, then run them.

For information on configuring your computer to automatically update your Windows operating system, click on the following link: http://www2.montana.edu/desktop/autoupdate.htm

Windows 2003

Click here and select Open to see what Hotfixes are currently applied to your computer. If you don't see KB824146 listed, you are vulnerable to the RPC DCOM attack. Go out to http://windowsupdate.microsoft.com and apply all of the critical updates. If the site is unreachable, update from the Topaz server at:
WindowsServer2003-KB824146-x86-ENU.exe Hotfix

Windows XP

Click here and select Open to see what Hotfixes are currently applied to your computer. If you don't see KB824146 listed, you are vulnerable to the RPC DCOM attack. PARIS users are compatible with this latest patch. Go out to http://windowsupdate.microsoft.com and apply all of the critical updates. If the site is unreachable, update from the Topaz server at:
xpsp1_en_x86.exe Service Pack 1
WindowsXP-KB824146-x86-ENU.exe Hotfix

Note: You must have Service Pack 1 installed prior to adding the Hotfix.

Windows 2000

Click here and select Open to see what Hotfixes are currently applied to your computer. If you don't see KB824146 listed, you are vulnerable to the RPC DCOM attack. Go out to http://windowsupdate.microsoft.com and apply all of the critical updates. If the site is unreachable, update from the Topaz server at:
Windows_2000/W2KSP4_EN.EXE Service Pack 4
Windows2000-KB824146-x86-ENU.exe Hotfix

Note: This Hotfix will install on a computer with Service Pack 2, but it is recommended that you upgrade to Service Pack 4.

Windows NT 4.0

Click here and select Open to see what Hotfixes are currently applied to your computer. If you don't see KB824146 listed, you are vulnerable to the RPC DCOM attack. Go out to http://windowsupdate.microsoft.com and apply all of the critical updates. If the site is unreachable, update from the Topaz server at:
sp6i386.exe Service Pack 6a
WindowsNT4Server-KB824146-x86-ENU.EXE Hotfix for NT Server 4.0
WindowsNT4Workstation-KB824146-x86-ENU.EXE Hotfix for NT Workstation 4.0

This security patch requires Windows NT 4.0 Service Pack 6a (SP6a) or Windows NT Server 4.0, Terminal Server Edition Service Pack 6 (SP6).

Note: This security patch will install on Windows NT 4.0 Workstation. However, Microsoft no longer supports this version, according to the Microsoft Lifecycle Support policy. Additionally, this security patch has not been tested on Windows NT 4.0 Workstation.
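
For administrators checking many machines at once, the per-version checks above (is KB824146 listed, and is the prerequisite Service Pack present) can be run over an inventory export. This is an added example, not part of the original advisory; the CSV layout, the host names, the KB000001 entry and the "SP6a"-style service pack notation are assumptions made for illustration.

```python
import csv
import io
import re

HOTFIX = "KB824146"  # the hotfix this page tells users to look for

# Service pack rules from the per-version notes on this page:
# OS -> (SP required before the hotfix, SP the page recommends).
SP_RULES = {
    "Windows 2003": ((0, ""), (0, "")),
    "Windows XP": ((1, ""), (1, "")),
    "Windows 2000": ((2, ""), (4, "")),
    "Windows NT 4.0": ((6, "a"), (6, "a")),
}

# Constructed sample inventory (hosts and KB000001 are made up).
SAMPLE = """host,os,service_pack,hotfixes
lab-01,Windows XP,SP1,KB000001;KB824146
lab-02,Windows XP,,KB000001
lab-03,Windows 2000,SP2,
lab-04,Windows NT 4.0,SP6,
lab-05,Windows NT 4.0,SP6a,
lab-06,Windows 2003,,kb824146
lab-07,Windows 98,,
"""

def parse_sp(text):
    """'SP6a' or '6a' -> (6, 'a'); blank or unparseable -> (0, '')."""
    m = re.fullmatch(r"(?:sp)?\s*(\d+)([a-z]?)", text.strip().lower())
    return (int(m.group(1)), m.group(2)) if m else (0, "")

def triage(os_name, sp_text, hotfixes):
    """Return the next action for one machine, following the page's rules."""
    if os_name not in SP_RULES:
        return "review manually"  # e.g. Windows 95/98: no hotfix offered
    required, recommended = SP_RULES[os_name]
    if HOTFIX in {h.strip().upper() for h in hotfixes}:
        return "patched"  # hotfix listed; says nothing about later RPC issues
    sp = parse_sp(sp_text)
    if sp < required:  # tuple compare, so SP6 sorts below SP6a
        return "install service pack, then hotfix"
    if sp < recommended:
        return "install hotfix; service pack upgrade recommended"
    return "install hotfix"

def audit(inventory_csv):
    """Map each host in the CSV text to its triage result."""
    rows = csv.DictReader(io.StringIO(inventory_csv.strip()))
    return {r["host"]: triage(r["os"], r["service_pack"],
                              r["hotfixes"].split(";")) for r in rows}

if __name__ == "__main__":
    for host, action in audit(SAMPLE).items():
        print(f"{host}: {action}")
```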

Windows 95/98

Windows 95 and Windows 98 are at end-of-life and are no longer being patched by Microsoft for new security vulnerabilities. At this time it does not appear that Windows 95/98 or ME operating systems are vulnerable to the RPC exploit. If you want to be sure you are safe, you can protect yourself against the latest RPC DCOM vulnerability by clicking here and selecting Open, then Yes, to disable DCOM. If you are running Finance Reports for Banner or PARIS, you should update your operating system to a supported version of Windows, preferably Windows XP. Disabling DCOM to protect your machine will render Finance Reports for Banner and PARIS inoperable. For assistance, contact the Help Desk at 994-1777 or send E-Mail.

Blaster/Lovsan Worm or Welchia/Nachi Worm

If you have received a message such as:

"This system is shutting down. Please save all work in progress and log off. any unsaved changes will be lost. this shutdown was initiated by NT AUTHORITY/SYSTEM." or XP machines may see a message that says: "This system is being shut down in 60 seconds by NT Authority/System due to an interrupted Remote Procedure Call (RPC)."

you are most likely infected with the Blaster Worm that exploits the RPC DCOM vulnerability.

If your computer seems to have slow network response you may have been infected with the Welchia/Nachi Worm.

(Note: Advanced users who need instructions on cleaning the Blaster/Lovsan worm can go to http://www2.montana.edu/desktop/blaster.htm for cleaning instructions, or remove your computer from the network and contact the Help Desk at 994-1777 or send E-Mail.)

(Note: Advanced users who need instructions on cleaning the Welchia/Nachi worm can go to http://www2.montana.edu/desktop/nachi.htm for cleaning instructions, or remove your computer from the network and contact the Help Desk at 994-1777 or send E-Mail.)

Montana State University
© Copyright Montana State University Modified May 9, 2008