 
Win32:BlasterWin32:Blaster is a true worm which does not spread via e-mail but exploits a vulnerability called "Buffer Overrun In RPC Interface" which is also known as DCOM/RPC and MS03-026. This vulnerability has been discovered on 16th July 2003. The detailed description could be found here. Please note: Older Win9x systems are not affected by this worm. Win32:Blaster is 6176 bytes long and it is compressed by UPX. When executed, the worm uses a sequential scanning algorithm of IP addresses with random starting points. The networks surrounding the infected host are preffered by the algorithm. Win32:Blaster tries to find other vulnerable hosts. It scans 20 hosts at a time, trying to connect to port 135 and check if the connection is successful. If yes, it tries several different DCOM exploits to infect the host. When the security hole is found, the worm copies itself to the host using TFTP (Trivial File Transfer Protocol). After the files is copied to the remote computer under the name msblast.exe, it is started there. The worm adds the following key into the registry:
The worm contains the payload which can cause a DDoS (Distributed Denial of Service) attack on the windowsupdate.com computer After the 15th August 2003. Hosts infected with Blaster will send massive amount of packets to this computer after this date till the end of this year. The worm contains the following text but does not display it:
As a side effect, the worm can cause the forced operating system restart. The system displays a window with warning about it together with the countdown for 60 seconds. The message says that the restart was caused by NT Authorization\System. Removal: avast! with VPS file dated on or after 12th August 2003 is able to detect this worm. Refer: Avast |
|
|
|