SECURITY ALERT

Name:      W32.Blaster.Worm
Aliases:   Lovsan, Worm_Msblast.A, W32/Lovsan.worm
Variants:  
Type:      Internet Worm
Platforms: Windows 32-bit
Status:    in the wild
Threat:    V-CON 3 (medium)

The following has been derived from information provided by Symantec, NAI, F-Secure, and SANS.

Due to an increase in prevalence, new information and media attention, we are raising the threat level from a V-CON 2 to a V-CON 3.

Virus Characteristics

W32.Blaster.Worm tries to exploit the MS03-026 vulnerability. It arrives as a UPX-packed executable named "msblast.exe", with a size of 6176 bytes.

It scans IP ranges to look for target systems on TCP port 135. If successful, a remote shell is opened on port 4444 on the victim machine, the tftp command is issued, and a connection is made to one of multiple servers in order to download the worm.

A description of the vulnerability is available from the following website:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp


Payload

Upon execution, the worm creates the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update" = MSBLAST.EXE

The worm's code contains the following text strings:

"I just want to say LOVE YOU SAN!!"
"billy gates why do you make this possible ? Stop making money and fix your software!!"

The worm checks whether the date is between August 15 and December 31. If this condition is met, it starts a distributed denial-of-service attack against the windowsupdate.com server.


Preventative Measures

Close port 135/tcp (and if possible 135-139, 445 and 593)
Monitor TCP port 4444 and UDP port 69 (tftp), both of which the worm uses, for activity related to this worm.
Ensure that all systems have applied the Microsoft patch. This patch is available from the following website:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
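One way to act on the monitoring advice above, as an added example that is not part of the original alert: a short Python pass over connection logs that tags hosts showing the port pattern described under Virus Characteristics (many destinations on 135/tcp, a session to 4444/tcp, then tftp from the host that received it). The log format (time, source, destination, protocol, destination port, in time order), the sample lines, the tag names and the scan threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log (not from the alert): time src dst proto dport
SAMPLE_LOG = """\
2003-08-12T10:00:01 10.0.0.5 10.0.1.1 tcp 135
2003-08-12T10:00:01 10.0.0.5 10.0.1.2 tcp 135
2003-08-12T10:00:02 10.0.0.5 10.0.1.3 tcp 135
2003-08-12T10:00:02 10.0.0.5 10.0.1.4 tcp 135
2003-08-12T10:00:03 10.0.0.5 10.0.1.3 tcp 4444
2003-08-12T10:00:04 10.0.1.3 10.0.0.5 udp 69
2003-08-12T10:00:09 10.0.0.9 10.0.1.1 tcp 135
2003-08-12T10:00:10 10.0.0.9 10.0.2.7 tcp 80
"""

def find_blaster_indicators(log_text, scan_threshold=4):
    """Return {host: sorted indicator tags} for hosts matching the alert's ports."""
    rpc_targets = defaultdict(set)  # src -> distinct destinations probed on 135/tcp
    shell_victims = set()           # hosts that received a session on 4444/tcp
    tags = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue                # skip malformed lines rather than guess
        _, src, dst, proto, dport = fields
        key = (proto.lower(), int(dport))
        if key == ("tcp", 135):
            rpc_targets[src].add(dst)
        elif key == ("tcp", 4444):
            tags[src].add("opened-4444-session")
            shell_victims.add(dst)
        elif key == ("udp", 69) and src in shell_victims:
            # tftp from a host that earlier received a 4444 session
            tags[src].add("tftp-after-4444")
    for src, targets in rpc_targets.items():
        if len(targets) >= scan_threshold:
            tags[src].add("scan-135")
    return {host: sorted(found) for host, found in tags.items()}

if __name__ == "__main__":
    for host, found in sorted(find_blaster_indicators(SAMPLE_LOG).items()):
        print(host, ", ".join(found))
```

A host tagged with both scan-135 and opened-4444-session is a candidate for cleanup; a host tagged tftp-after-4444 should be checked for the registry value listed under Payload.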



Fixes Available

Network Associates:
Minimum DAT: 4284
Release Date: August 11, 2003
Minimum Engine: 4.1.60
EXTRA.DAT is available from:
http://a64.g.akamai.net/7/64/2015/2003-08-11-03-/download.nai.com/products/mcafee-avert/100547.zip

Symantec:
Virus Definitions (Intelligent Updater): August 11, 2003
Virus Definitions (LiveUpdate): August 11, 2003
