SECURITY ALERT

Name:      W32/Lovsan.worm.b
Aliases:   Lovsan.B, W32/Blaster-B
Variants:  
Type:      Internet Worm
Platforms: Windows 2000, Windows XP
Status:    in the wild
Threat:    V-CON 2 (low)

The following has been derived from information provided by Network Associates and F-Secure.

Virus Characteristics

W32/Lovsan.worm.b functions the same as the original W32.Blaster.worm.

Two files are dropped in the Windows system folder:

teekids.exe (worm, 5,360 bytes)
root32.exe (Backdoor, 19,798 bytes)

The backdoor may be detected as BackDoor-YQ (NAI).

The following registry key is created:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
"Microsoft Inet Xp.." = teekids.exe Microsoft can suck my left testi! Bill

The text within the code has also been changed from the original worm.

The worm scans IP ranges for target systems on TCP port 135. If the exploit succeeds, a remote shell is opened on port 4444 on the victim machine, the tftp command is issued, and a connection is made to one of multiple servers in order to download the worm.

A description of the vulnerability used by the worm is available from the following website:

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp


Preventative Measures

Block traffic on TCP/UDP port 135 (and if possible 135-139, 445 and 593).
Monitor TCP Port 4444 and UDP Port 69 (TFTP) for connection attempts.
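
One way to apply the monitoring advice above to connection logs, as an added example that is not part of the original alert or of any vendor tool. The log format, the scan threshold and the finding names are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict

# Constructed sample flow log (not from the advisory):
# timestamp  source  destination  protocol  destination-port
SAMPLE_LOG = """\
2003-08-13T10:00:01 10.0.0.5 10.0.1.1 TCP 135
2003-08-13T10:00:01 10.0.0.5 10.0.1.2 TCP 135
2003-08-13T10:00:02 10.0.0.5 10.0.1.3 TCP 135
2003-08-13T10:00:02 10.0.0.5 10.0.1.4 TCP 135
2003-08-13T10:00:03 10.0.0.5 10.0.1.5 TCP 135
2003-08-13T10:00:04 10.0.0.5 10.0.1.3 TCP 4444
2003-08-13T10:00:05 10.0.1.3 10.0.0.5 UDP 69
2003-08-13T10:00:06 10.0.0.9 10.0.1.1 TCP 135
2003-08-13T10:00:07 10.0.0.7 10.0.0.8 UDP 69
this line is malformed
"""

SCAN_THRESHOLD = 5  # assumed: distinct TCP/135 targets before a source is flagged


def analyse(log_text, scan_threshold=SCAN_THRESHOLD):
    """Map each suspicious host to a sorted list of findings."""
    rpc_targets = defaultdict(set)  # source -> hosts it contacted on TCP/135
    shell_opened = set()            # hosts that received a TCP/4444 connection
    findings = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # ignore lines that do not match the assumed format
        _, src, dst, proto, port = fields
        flow = (proto.upper(), int(port))
        if flow == ("TCP", 135):
            rpc_targets[src].add(dst)
            if len(rpc_targets[src]) >= scan_threshold:
                findings[src].add("scanning-tcp135")
        elif flow == ("TCP", 4444):
            shell_opened.add(dst)
            findings[dst].add("inbound-tcp4444")
        elif flow == ("UDP", 69):
            findings[src].add("outbound-tftp")
            if src in shell_opened:  # TFTP after a 4444 connection: download step
                findings[src].add("likely-infected")
    return {host: sorted(tags) for host, tags in findings.items()}


if __name__ == "__main__":
    for host, tags in analyse(SAMPLE_LOG).items():
        print(host, ", ".join(tags))
```

A host tagged likely-infected matches the sequence described under Virus Characteristics: a connection to port 4444 followed by a TFTP request from the same machine.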

Ensure that all systems have up-to-date anti-virus software and have the Microsoft patch applied. This patch is available from the following website:

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

Updated virus definitions will prevent the propagation of the virus, but will not prevent the MS03-026 vulnerability from being exploited. Updating virus definitions can be used as a temporary measure to mitigate the spread of the worm until the Microsoft patch can be applied.

Fixes Available

Network Associates:
Minimum DAT: 4285
Release Date: 08/13/2003
Minimum Engine: 4.1.60
