Win32:Blaster

Win32:Blaster is a true worm: it does not spread via e-mail but exploits a vulnerability titled "Buffer Overrun In RPC Interface", also known as the DCOM/RPC vulnerability and described in Microsoft Security Bulletin MS03-026.

This vulnerability was publicly disclosed, together with a patch, on 16th July 2003. The detailed description can be found here.

Please note: Older Win9x systems (Windows 95/98/ME) are not affected by this worm; only the NT-based Windows versions run the vulnerable RPC service.

Win32:Blaster is 6176 bytes long and is compressed with UPX. When executed, the worm scans IP addresses sequentially, starting from a random point; the algorithm prefers the networks surrounding the infected host's own address.

Win32:Blaster tries to find other vulnerable hosts. It scans 20 addresses at a time, attempting a TCP connection to port 135 (the RPC endpoint mapper) on each and checking whether the connection succeeds. If it does, the worm sends its DCOM exploit to that host (it carries two variants, tuned for Windows XP and for Windows 2000). When the exploit succeeds, the worm makes the compromised host download a copy of the worm via TFTP (Trivial File Transfer Protocol) from the infecting machine. After the file has been copied to the remote computer under the name msblast.exe, it is started there.
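The propagation pattern just described (sequential TCP/135 probing of many neighbouring addresses, followed by a TFTP pull from the infecting host) is easy to spot in connection logs. The following detector is an added example and is not code from the original page or from avast!. It parses a constructed, simplified firewall log of the form `<timestamp> <proto> <src> -> <dst>:<port>` (the format and the thresholds are assumptions chosen for the sample data) and flags sources that probe at least 20 distinct addresses on TCP/135 containing a run of consecutive IPs. It also records two follow-up signs of a successful infection: a connection from the scanner to TCP/4444, the bind shell opened by the exploit's shellcode (not mentioned on the page, but part of the same infection sequence), and UDP/69 traffic from a victim back to the scanner.

```python
"""Flag hosts whose network behaviour matches Blaster's propagation pattern.

Added example, not from the original page. Input is a constructed,
simplified firewall connection log (one line per attempted connection):
    <timestamp> <proto> <src_ip> -> <dst_ip>:<dst_port>
The log format and the detection thresholds are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+):(?P<port>\d+)$"
)

# Ports in the Blaster infection sequence: RPC endpoint mapper (exploited),
# bind shell opened by the exploit shellcode, TFTP used to pull msblast.exe.
RPC_PORT, SHELL_PORT, TFTP_PORT = 135, 4444, 69

# Constructed sample log: 10.0.5.20 sweeps 10.0.6.1-10.0.6.20 on TCP/135,
# gets a shell on 10.0.6.7, and 10.0.6.7 pulls the worm back over TFTP.
# 10.0.5.30 only talks RPC to two domain controllers (benign).
SAMPLE_LOG = "\n".join(
    [f"2003-08-11T14:02:{i:02d} TCP 10.0.5.20 -> 10.0.6.{i}:135" for i in range(1, 21)]
    + [
        "2003-08-11T14:02:21 TCP 10.0.5.20 -> 10.0.6.7:4444",
        "2003-08-11T14:02:22 UDP 10.0.6.7 -> 10.0.5.20:69",
        "2003-08-11T14:02:23 TCP 10.0.5.30 -> 10.0.1.10:135",
        "2003-08-11T14:02:24 TCP 10.0.5.30 -> 10.0.1.11:135",
        "2003-08-11T14:02:25 TCP 10.0.5.31 -> 192.0.2.10:80",
        "garbage line that should be ignored",
    ]
)


def parse_log(text):
    """Parse log lines into dicts; lines that don't match the format are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            d["dst"] = ipaddress.IPv4Address(d["dst"])
            events.append(d)
    return events


def longest_sequential_run(addresses):
    """Length of the longest run of consecutive addresses (ints or IPv4Address)."""
    ints = sorted({int(a) for a in addresses})
    best = run = 1 if ints else 0
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_blaster_scanners(log_text, min_targets=20, min_run=10):
    """Return {src_ip: info} for sources that look like Blaster scanners.

    Criteria (assumed thresholds):
      - at least `min_targets` distinct destinations on TCP/135, and
      - those destinations contain a run of >= `min_run` consecutive addresses
        (Blaster scans sequentially from a random starting point).
    `info` also lists TCP/4444 connections made by the scanner and victims
    that pulled a file from it over UDP/69, the signs of a successful exploit.
    """
    rpc_targets = defaultdict(set)    # scanner -> set of TCP/135 destinations
    shell_targets = defaultdict(set)  # scanner -> set of TCP/4444 destinations
    tftp_pulls = defaultdict(set)     # TFTP server (infector) -> set of clients (victims)
    for e in parse_log(log_text):
        if e["proto"] == "TCP" and e["port"] == RPC_PORT:
            rpc_targets[e["src"]].add(e["dst"])
        elif e["proto"] == "TCP" and e["port"] == SHELL_PORT:
            shell_targets[e["src"]].add(e["dst"])
        elif e["proto"] == "UDP" and e["port"] == TFTP_PORT:
            tftp_pulls[str(e["dst"])].add(e["src"])

    findings = {}
    for src, dsts in rpc_targets.items():
        if len(dsts) < min_targets:
            continue
        run = longest_sequential_run(dsts)
        if run < min_run:
            continue
        findings[src] = {
            "rpc_targets": len(dsts),
            "sequential_run": run,
            "shell_connections": sorted(str(d) for d in shell_targets.get(src, ())),
            "tftp_pulls_from_this_host": sorted(tftp_pulls.get(src, ())),
        }
    return findings


if __name__ == "__main__":
    for host, info in find_blaster_scanners(SAMPLE_LOG).items():
        print(host, info)
```

On the sample log only 10.0.5.20 is reported: 20 RPC targets forming one sequential run of 20, with a shell connection to 10.0.6.7 and a TFTP pull from 10.0.6.7. The benign host 10.0.5.30 stays below the target threshold. On real logs the sequential-run check is what separates a worm sweep from legitimate RPC traffic to a handful of servers; tune `min_targets` and `min_run` to the size of the monitored subnets.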

The worm adds the following value under the Run key in the registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update = msblast.exe
so the worm is started whenever Windows starts.

The worm contains a payload that performs a DDoS (Distributed Denial of Service) attack against the host windowsupdate.com. From the 16th August 2003 until the end of the year, hosts infected with Blaster flood TCP port 80 of that host with a massive number of SYN packets.

The worm contains the following text, which it never displays:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

As a side effect, the worm can force an operating system restart: when the exploit variant sent does not match the targeted Windows version, the RPC service crashes and Windows shuts the machine down. The system displays a warning window with a 60-second countdown, stating that the shutdown was initiated by NT AUTHORITY\SYSTEM.

Removal:
To remove this worm, use our free avast! Virus Cleaner. But be sure to also update your Windows system with the MS03-026 patch, otherwise the worm will come back very quickly! Until the patch is applied, blocking inbound TCP port 135 at the perimeter or host firewall (and UDP port 69, used by the TFTP download) prevents reinfection from the network.

avast! with a VPS file dated on or after 12th August 2003 detects this worm.

Refer: Avast



Copyright © 2004-2004 All rights reserved.