By Robert Vamosi
Worm scans Internet to find vulnerable Windows 2000, NT, and XP systems
(8/11/03)
How it works
MSBlast does not spread via e-mail. Instead, it scans the Internet on port 135 looking for vulnerable computers. When it finds one, it attempts to exploit the DCOM RPC buffer overflow, create a remote root shell on TCP port 4444, then use FTP to download a file called msblast.exe onto the infected computer.
MSBlast contains a denial-of-service (DoS) attack aimed at Microsoft's windowsupdate.com. The attack will start on August 15 and continue through the end of the year. MSBlast updates the system Registry with the following line so that it will run each time the computer is rebooted:
Hkey_local_machine\software\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! Bill
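The propagation sequence described above (a sweep of port 135 followed by a connection to TCP port 4444 on a host that was just probed) can be looked for in connection logs. The following is an added example, not part of the original article; the log format, the sample lines, the addresses, and the scan threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log, assumed format: time src dst proto dport (time-ordered).
SAMPLE_LOG = """\
2003-08-12T10:00:01 10.0.0.5 10.0.1.1 tcp 135
2003-08-12T10:00:01 10.0.0.5 10.0.1.2 tcp 135
2003-08-12T10:00:02 10.0.0.5 10.0.1.3 tcp 135
2003-08-12T10:00:02 10.0.0.5 10.0.1.4 tcp 135
2003-08-12T10:00:03 10.0.0.5 10.0.1.3 tcp 4444
2003-08-12T10:00:04 10.0.0.9 10.0.1.1 tcp 135
2003-08-12T10:00:05 10.0.0.7 10.0.1.2 tcp 4444
2003-08-12T10:00:06 10.0.0.9 10.0.1.8 tcp 80
"""

def parse(log_text):
    """Yield (time, src, dst, proto, dport), skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        yield parts[0], parts[1], parts[2], parts[3].lower(), int(parts[4])

def analyze(log_text, scan_threshold=3):
    """Return (scanners, suspected_infections).

    scanners: sources that contacted at least scan_threshold distinct
    hosts on TCP 135.
    suspected_infections: (src, dst) pairs where src reached dst on TCP 135
    and later on TCP 4444, the order the article describes.
    """
    rpc_targets = defaultdict(set)   # src -> hosts it probed on TCP 135
    suspected = []
    for _time, src, dst, proto, dport in parse(log_text):
        if proto != "tcp":
            continue
        if dport == 135:
            rpc_targets[src].add(dst)
        elif dport == 4444 and dst in rpc_targets[src]:
            if (src, dst) not in suspected:
                suspected.append((src, dst))
    scanners = sorted(s for s, hosts in rpc_targets.items()
                      if len(hosts) >= scan_threshold)
    return scanners, suspected

if __name__ == "__main__":
    found_scanners, found_pairs = analyze(SAMPLE_LOG)
    print("port 135 scanners:", found_scanners)
    print("135 then 4444 pairs:", found_pairs)
```

A lone connection to port 4444 with no earlier port 135 contact from the same source is not flagged, which keeps unrelated services on that port out of the results.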
Prevention
The best prevention is to install the patch from Microsoft. Users who have not yet patched their Windows 2000, NT, and XP systems should do so.
Windows NT 4.0 Server
Windows NT 4.0 Terminal Server Edition
Windows 2000
Windows XP 32-bit Edition
Windows XP 64-bit Edition
Windows Server 2003 32-bit Edition
Windows Server 2003 64-bit Edition
Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, McAfee, Symantec, and Trend Micro.
