SECURITY ALERT

Name:      W32.Blaster.Worm.E
Aliases:   Lovsan.e,W32/Lovsan.worm.e
Variants:  
Type:      Internet Worm
Platforms: Windows 32-bit
Status:    in the wild
Threat:    V-CON 2 (low)

The following has been derived from information provided by Symantec, NAI, and F-secure.

Virus Characteristics

This is a variant of the W32.Blaster.Worm which includes several modifications. Below are the variant-specific details, including a new filename and registry entry. The DDoS target of the worm has also been changed. For complete details on the original variant visit www.sss.ca.

Filename:

MSLAUGH.EXE

Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Windows Automation" = "mslaugh.exe"

The target of the Denial of Service (DDoS) attack has been changed to:

kimble.org

The worm has been packed with UPX, uses a mutex named "SILLY" and contains the following string:

"I dedicate this particular strain to me ANG3L - hope yer enjoying yerself and dont forget the promise for me B/DAY !!!!"


Payload

Exploits DCOM RPC vulnerability MS03-026

Performs denial of service attack on kimble.org

The payload period is from the 16th through to the end of the month for the months of January to August. If the month is September through December, the worm will attempt to perform a DDoS on kimble.org.

The DDoS traffic has the following characteristics:

- SYN flood on port 80 to kimble.org.
- Attempts to send 50 HTTP packets per second.
- Packet length is 40 bytes.

If the worm is unable to resolve kimble.org through DNS, it uses a destination address of 255.255.255.255.

According to Symantec, some fixed characteristics of the TCP and IP headers are:

IP identification = 256
Time to Live = 128
Source IP address = a.b.x.y, where a.b are from the host IP and x.y are random. In some cases, a.b are random.
Destination IP address = DNS resolution of "kimble.org"
TCP Source port is between 1000 and 1999
TCP Destination port = 80
TCP Sequence number always has the two low bytes set to 0; the 2 high bytes are random.
TCP Window size = 16384
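
As an added example (not part of the original alert or any vendor's tooling), the following Python parses a raw IPv4+TCP header and checks it against the fixed header values listed above; the packet bytes are constructed samples with checksums left at zero. The source-address pattern is not checked because the alert notes a.b are sometimes random.

```python
import struct

SYN_FLAG = 0x02  # TCP SYN bit in the flags field

def parse_ipv4_tcp(pkt):
    """Parse a raw IPv4 + TCP header (no TCP options assumed) into a dict."""
    if len(pkt) < 40:
        return None
    (ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack('!BBHHHBBH4s4s', pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:  # only IPv4 carrying TCP
        return None
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, _ack, off_flags, window = struct.unpack(
        '!HHIIHH', pkt[ihl:ihl + 16])
    return {'len': len(pkt), 'total_len': total_len, 'ip_id': ip_id,
            'ttl': ttl, 'src': src, 'sport': sport, 'dport': dport,
            'seq': seq, 'flags': off_flags & 0x1FF, 'window': window}

def is_blaster_e_syn(f):
    """True when every fixed header characteristic from the alert matches."""
    return (f is not None
            and f['len'] == 40 and f['total_len'] == 40
            and f['ip_id'] == 256
            and f['ttl'] == 128
            and 1000 <= f['sport'] <= 1999
            and f['dport'] == 80
            and f['seq'] & 0xFFFF == 0        # low two bytes of seq are zero
            and f['window'] == 16384
            and f['flags'] & SYN_FLAG != 0)   # SYN flood, so SYN must be set

def build_packet(ip_id, ttl, src, dst, sport, dport, seq, window, flags=SYN_FLAG):
    """Construct a 40-byte IPv4+TCP header sample (checksums left at zero)."""
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40, ip_id, 0, ttl, 6, 0, src, dst)
    tcp = struct.pack('!HHIIHHHH', sport, dport, seq, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp

# Constructed samples: one matching the fingerprint, two that differ in one field.
WORM_PKT = build_packet(256, 128, b'\x0a\x01\x7b\x2c', b'\xc0\xa8\x01\x02',
                        1500, 80, 0x4a3f0000, 16384)
NOMATCH_TTL = build_packet(256, 64, b'\x0a\x01\x7b\x2c', b'\xc0\xa8\x01\x02',
                           1500, 80, 0x4a3f0000, 16384)
NOMATCH_SEQ = build_packet(256, 128, b'\x0a\x01\x7b\x2c', b'\xc0\xa8\x01\x02',
                           1500, 80, 0x4a3f1234, 16384)

if __name__ == '__main__':
    for name, pkt in [('worm', WORM_PKT), ('ttl64', NOMATCH_TTL), ('seq', NOMATCH_SEQ)]:
        print(name, is_blaster_e_syn(parse_ipv4_tcp(pkt)))
```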


Preventative Measures

Close TCP port 135 (and, if possible, TCP ports 135-139, 445 and 593).
Monitor TCP port 4444 and UDP port 69 (tftp) for activity related to this worm.
Ensure that all systems have up-to-date anti-virus software and have the Microsoft patch applied. This patch is available from the following website:

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

Further recommendations to mitigate the DoS payload can be found at the following link under Mitigating the DoS Payload:

http://www.sarc.com/avcenter/venc/data/w32.blaster.e.worm.html


Fixes Available

Network Associates:
Minimum DAT: 4283 (With scanning of compressed files enabled)
Release Date: 08/06/2003
Minimum Engine: 4.1.60

Symantec:
Virus Definitions (Intelligent Updater): August 29, 2003
Virus Definitions (LiveUpdate): September 03, 2003
