W32/Blaster.A

Threat risk:
medium

Detection files published:
12 Aug 2003
Description created:
2003-08-12
Description updated:
2003-09-05

Malware type:
Worm
Alias:
MSBlast.A
Spreading mechanism:
Network

Payload:
Performs a denial of service attack

Summary

This worm spreads using a buffer overflow exploit in the Windows DCOM RPC service. The file, called MSBlast.exe, is 6176 bytes long and is compressed with UPX.

Spreading description

When run, the worm first installs itself in the registry through the key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run "windows auto update" = MSBlast.exe

This enables it to start at boot. It checks whether it is already running by attempting to create a mutex called "BILLY".

It generates random IP addresses and attempts to spread to them by sending specially formatted data to port 135 on the remote machines. If a machine is vulnerable to this attack, it opens a remote shell on port 4444. The shell then receives instructions to connect back to the infected machine using TFTP and download the original worm file; by this stage the worm has set up a TFTP server on port 69.

Once the download is complete, the worm file is started via the same remote shell.

The buffer overrun performed on target machines may have a detrimental effect on their stability.

Threat description

The worm checks the time on the infected computer. If the day of the month is the 16th or later, or if the day is earlier than the 16th but the month is later than August, the worm initiates an attack on Windowsupdate.com, sending a large number of packets to port 80.
This attack runs in a separate thread; the worm's original infection routine keeps running as well.
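The infection sequence from the spreading description (exploit traffic to 135, shell on 4444, worm file pulled back over TFTP on 69) and the date rule above lend themselves to a small detection script. The following is an added example, not code from the original page or from Norman; the connection log format and the IP addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample connection log (not taken from the original page).
# Format: "<timestamp> <src_ip> <dst_ip> <proto>/<dst_port>"
SAMPLE_LOG = """\
2003-08-12T10:00:01 10.0.0.5 10.0.0.9 tcp/135
2003-08-12T10:00:02 10.0.0.5 10.0.0.9 tcp/4444
2003-08-12T10:00:03 10.0.0.9 10.0.0.5 udp/69
2003-08-12T10:01:00 10.0.0.7 10.0.0.9 tcp/135
2003-08-12T10:02:00 10.0.0.8 10.0.0.9 tcp/80
"""

# The three hops the spreading description names, in order: exploit
# traffic to 135, the shell on 4444, then the victim pulling the worm
# file over TFTP (port 69) from the attacking host.
STAGES = ("tcp/135", "tcp/4444", "udp/69")


def parse_log(text):
    """Split each non-empty line into (timestamp, src, dst, service)."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def find_blaster_chains(events):
    """Return {attacker: [victims]} for pairs that complete all three stages.
    Stages 1-2 flow attacker->victim, stage 3 flows victim->attacker, so
    the key is normalised to (attacker, victim) for every event."""
    progress = defaultdict(int)   # (attacker, victim) -> stages seen so far
    hits = defaultdict(list)
    for _ts, src, dst, svc in events:
        if svc not in STAGES:
            continue
        stage = STAGES.index(svc)
        key = (src, dst) if stage < 2 else (dst, src)
        if progress[key] == stage:          # accept only the next expected hop
            progress[key] = stage + 1
            if progress[key] == len(STAGES):
                hits[key[0]].append(key[1])
    return dict(hits)


def payload_window_active(iso_day):
    """Date rule from the threat description: day >= 16 of any month, or any
    day in a month after August, starts the flood. Accepts 'YYYY-MM-DD' or a
    full ISO timestamp."""
    _year, month, day = (int(p) for p in iso_day[:10].split("-"))
    return day >= 16 or month > 8
```

Hosts that only reach stage 1 (such as 10.0.0.7 in the sample) are not reported as infections, but the `progress` table still records them as probes worth reviewing.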


Removal

Download and install Microsoft patch MS03-026. You may have to download this patch from a clean computer and bring it to your infected computer on removable media such as a floppy or a CD.

Also, firewalls should be configured to block inbound traffic on port 135/tcp at the perimeter, as well as traffic on port 4444.

Manual removal

1. Press Ctrl+Alt+Delete on your keyboard, click Task Manager and select the tab Processes. Right-click on the process Msblast.exe and select End process.
2. Return to Windows and click Start | Run.
3. Type regedit and click OK.
4. In the Registry editor, browse to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the value 'windows auto update = msblast.exe'.
5. Close the Registry editor and restart your machine.
6. Finally, you should update your Norman antivirus product, and run a manual virus scan. (Do not start the scan immediately after the download is finished. NVC needs a few minutes to install the updates). On Windows XP you should deactivate System Restore before you run the scan.
 

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. If your Norman antivirus is unable to clean up the infection, please use the latest version of this program from the link below.
