Sophos

W32/Blaster-A

Aliases
  • W32/Lovsan.worm
  • W32.Blaster.Worm
  • WORM_MSBLAST.A
  • Win32.Poza
  • Worm/Lovsan.A
  • WORM_MSBLAST.H

Summary

Included in our products from October 2003 (3.74)
Protection available since 28 September 2003 09:47:13 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Read instructions on how to remove the W32/Blaster-A worm and ensure your system is not vulnerable to reinfection.

More Information

W32/Blaster-A is a worm that spreads over the internet by exploiting the DCOM vulnerability in the Windows RPC (Remote Procedure Call) service, reached through the RPC endpoint on TCP port 135. Microsoft first reported the DCOM vulnerability in mid-July 2003. The worm does not spread by email.

Targeted computers include the following Microsoft operating systems:

  • Windows NT 4.0

  • Windows NT 4.0 Terminal Services Edition

  • Windows 2000

  • Windows XP

  • Windows Server 2003

On Windows XP an unsuccessful exploit attempt can crash the RPC service instead of running the worm. Windows then displays a dialog entitled "System Shutdown" and reboots the machine.

Windows 95/98/Me computers are not at risk: they do not run the vulnerable RPC service and, by default, do not have a TFTP client.

When the worm finds a vulnerable computer, it instructs the remote machine to download a copy of the worm over TFTP from the infecting host. The copy is saved as msblast.exe or penis32.exe in the Windows system folder.

Microsoft issued a patch for the vulnerability exploited by this worm on July 16, 2003. The patch is available from http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.

From 16 August 2003, one month after the security patch was posted, the worm is programmed to launch a distributed denial-of-service attack on windowsupdate.com, which may severely impact access to the website Microsoft uses to distribute security patches. Each machine that begins to run the worm on or after this date (through a new infection or after a reboot) sends 50 SYN packets per second to port 80 on windowsupdate.com.
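The two network behaviours described above (the TFTP fetch back to the host that just connected to TCP port 135, and the 50 SYN/s flood toward port 80) are both visible in perimeter firewall logs. The following is an added triage script, not Sophos or Microsoft code, that runs both checks over a constructed log sample. The log format, the hosts, the 192.0.2.80 address standing in for the resolved windowsupdate.com, the 60-second pairing window and the 40 SYN/s alert threshold are all assumptions made for the example.

```python
"""Flag Blaster-A style activity in firewall logs (added example, not Sophos code).

Two checks, matching the behaviour described in the advisory:
  1. Host A connects to TCP/135 on host B, then B sends UDP/69 (TFTP) back to A
     within a short window: B is fetching the worm body from A.
  2. A host sends a burst of SYNs to port 80 at the worm's DDoS rate.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log line format: "<ISO timestamp> <proto> <src>:<sport> > <dst>:<dport> [TCP flags]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<sip>[\d.]+):(?P<sport>\d+)\s+>\s+(?P<dip>[\d.]+):(?P<dport>\d+)"
    r"(?:\s+(?P<flags>[A-Z]+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "proto": d["proto"],
        "sip": d["sip"], "sport": int(d["sport"]),
        "dip": d["dip"], "dport": int(d["dport"]),
        "flags": d["flags"] or "",
    }


def parse_log(lines):
    return [r for r in (parse_line(l) for l in lines) if r]


def rpc_then_tftp(records, window_s=60):
    """Return sorted (infector, victim) pairs: infector opened TCP/135 on victim and,
    within window_s seconds, victim sent TFTP (UDP/69) back to the infector."""
    rpc_connects = defaultdict(list)  # (attacker, victim) -> times of 135 SYNs
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == 135 and "S" in r["flags"]:
            rpc_connects[(r["sip"], r["dip"])].append(r["ts"])
    hits = set()
    for r in records:
        if r["proto"] == "udp" and r["dport"] == 69:
            key = (r["dip"], r["sip"])  # TFTP request travels victim -> attacker
            if any(0 <= (r["ts"] - t).total_seconds() <= window_s
                   for t in rpc_connects.get(key, [])):
                hits.add(key)
    return sorted(hits)


def syn_flood_sources(records, target_port=80, rate=40):
    """Return sources that sent at least `rate` bare SYNs to target_port in one second.
    The worm's 50 SYN/s clears a 40/s threshold; a normal client does not."""
    per_second = defaultdict(int)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == target_port and r["flags"] == "S":
            per_second[(r["sip"], r["ts"].replace(microsecond=0))] += 1
    return sorted({sip for (sip, _), n in per_second.items() if n >= rate})


# Constructed sample: 10.0.0.5 infects 10.0.0.9, which then floods 192.0.2.80:80
# (a stand-in for the resolved windowsupdate.com address; assumption).
SAMPLE_LOG = [
    "2003-08-16T00:00:00 tcp 10.0.0.5:1045 > 10.0.0.9:135 S",
    "2003-08-16T00:00:01 tcp 10.0.0.9:135 > 10.0.0.5:1045 SA",
    "2003-08-16T00:00:04 udp 10.0.0.9:1046 > 10.0.0.5:69",
    "2003-08-16T00:00:30 tcp 10.0.0.7:1101 > 10.0.0.9:135 S",  # scan, no TFTP follow-up
    "2003-08-16T00:00:35 tcp 10.0.0.9:1050 > 192.0.2.80:80 S",  # single normal connection
] + [
    f"2003-08-16T00:01:00.{i * 20000:06d} tcp 10.0.0.9:{2000 + i} > 192.0.2.80:80 S"
    for i in range(50)  # 50 SYNs spaced 20 ms apart: the worm's DDoS rate
]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("infector -> victim pairs:", rpc_then_tftp(recs))
    print("SYN flood sources:", syn_flood_sources(recs))
```

Running the script on the sample reports 10.0.0.5 as the infector of 10.0.0.9, and 10.0.0.9 as a SYN-flood source; the lone scan from 10.0.0.7 and the single port-80 connection produce no alert. On real logs, pair the network findings with the host indicators further down this page (the msblast.exe or penis32.exe file in the system folder and the "windows auto update" Run value) before treating a host as infected.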

The worm also creates the following registry value so that it runs at system start:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update

The worm contains the following text, which is never displayed:

I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!

On 29 August 2003 the FBI arrested 18-year-old Jeffrey Lee Parson of Hopkins, Minnesota in connection with the W32/Blaster-B worm, which is a variant of W32/Blaster-A.
