W32.Blaster.Worm
Discovered on: August 11, 2003
Last Updated on: August 12, 2003 01:24:53 AM
Based on the number of submissions received from customers and on information from Symantec's DeepSight Threat Management System, Symantec Security Response has upgraded this threat from a Category 3 to a Category 4 threat.
W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. This worm attempts to download and run the Msblast.exe file.
Block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the applications listed:
TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"
The worm also attempts to perform a Denial of Service (DoS) on windowsupdate.com. This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.
NOTE: This threat will be detected by virus definitions having:
Defs Version: 50811s
Sequence Number: 24254
Extended Version: 8/11/2003, rev. 19
Symantec Security Response has developed a removal tool to clean infections of W32.Blaster.Worm.
Also Known As: W32/Lovsan.worm [McAfee]
Type: Worm
Infection Length: 6,176 bytes
Systems Affected: Windows 2000, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX
CVE References: CAN-2003-0352
Virus Definitions (Intelligent Updater)*: August 11, 2003
Virus Definitions (LiveUpdate)**: August 11, 2003
* Intelligent Updater definitions are released daily, but require manual download and installation.
** LiveUpdate virus definitions are usually released every Wednesday.
Wild:
Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: High
Threat containment: Moderate
Removal: Easy
Threat Metrics
Wild: High
Damage: Medium
Distribution: High
Damage
Payload:
Causes system instability: May cause machines to crash.
Compromises security settings: Opens a hidden remote cmd.exe shell.
Distribution
Ports: TCP 135, TCP 4444, UDP 69
Target of infection: Machines with vulnerable DCOM RPC Services running.
When W32.Blaster.Worm is executed, it does the following:
Creates a Mutex named "BILLY". If the mutex already exists, the worm exits.
Adds the value:
"windows auto update"="msblast.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
40% of the time, calculates the target IP address from the host's own address as follows:
Host IP: A.B.C.D
Sets D equal to 0.
If C > 20, subtracts a random value less than 20 from C.
Once calculated, the worm starts attempting to exploit the computer at A.B.C.0, and then counts up.
NOTE: This means the local subnet will become saturated with port 135 requests before the worm leaves the local subnet.
60% of the time, calculates the target IP address from random numbers:
A.B.C.D
Sets D equal to 0.
Sets A, B, and C to random values between 0 and 255.
Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability, to allow the following actions to occur on the vulnerable computer:
Creates a hidden Cmd.exe remote shell that listens on TCP port 4444.
NOTE: Because the worm constructs the exploit data with random elements, it may cause computers to crash if it sends incorrect data.
Listens on UDP port 69. When the worm receives a request, it returns the Msblast.exe binary.
Sends commands to the remote computer to reconnect to the infected host and to download and run Msblast.exe.
If the current month is after August, or if the current day of the month is after the 15th, the worm performs a DoS on "windowsupdate.com". With this logic, the worm activates the DoS attack on the 16th of this month (August 2003) and continues until the end of the year.
The worm contains the following text, which is never displayed:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
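As an added example (not Symantec's or the worm's code), the following Python script turns the propagation behaviour described above into detection logic over constructed firewall log lines: it looks for a source that hits TCP port 135 on a run of consecutive destination addresses, which is the A.B.C.0-and-count-up sweep, and reports whether the same host also connected to the TCP 4444 shell port or served TFTP on UDP 69. The log format, the threshold of eight consecutive targets, and the addresses are assumptions.

```python
"""Detection example: flag hosts whose outbound traffic matches the
W32.Blaster propagation pattern described in this write-up (sequential
TCP/135 attempts across a /24, TCP/4444 shell connections, UDP/69 TFTP).

This is an added example, not Symantec's or the worm's code. The log
format, thresholds and sample addresses are assumptions."""
import ipaddress
from collections import defaultdict

# Constructed sample firewall log (assumed format:
# "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>").
# Host 10.1.2.50 sweeps its own /24 from .0 upwards on TCP/135, then
# talks to one victim's TCP/4444 shell, which fetches the binary over TFTP.
SAMPLE_LOG = [
    f"2003-08-11T10:00:{i:02d} TCP 10.1.2.50:{1037 + i} -> 10.1.2.{i}:135"
    for i in range(12)
] + [
    "2003-08-11T10:00:13 TCP 10.1.2.50:1050 -> 10.1.2.7:4444",
    "2003-08-11T10:00:14 UDP 10.1.2.7:1234 -> 10.1.2.50:69",
    # Normal host: one RPC call to a domain controller plus file/web traffic.
    "2003-08-11T10:01:00 TCP 10.1.2.60:2001 -> 10.1.2.1:135",
    "2003-08-11T10:01:01 TCP 10.1.2.60:2002 -> 10.1.2.3:445",
    "2003-08-11T10:01:02 TCP 10.1.2.60:2003 -> 10.1.2.3:80",
]


def parse_line(line):
    """Return (proto, src_ip, dst_ip, dst_port) for one log line."""
    _ts, proto, src, _arrow, dst = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return proto, src_ip, dst_ip, int(dst_port)


def longest_sequential_run(addrs):
    """Length of the longest run of consecutive IPv4 addresses in addrs."""
    ints = sorted({int(ipaddress.IPv4Address(a)) for a in addrs})
    best = run = 1 if ints else 0
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_suspects(lines, min_sequential=8):
    """Return {src_ip: findings} for hosts matching the propagation pattern.

    A host is a suspect when it has at least `min_sequential` TCP/135
    attempts to consecutive addresses (the worm's A.B.C.0-and-count-up
    sweep). TCP/4444 and UDP/69 activity are reported as corroboration;
    the threshold is an assumption, not a value from the write-up."""
    rpc_targets = defaultdict(set)   # src -> set of dst IPs hit on TCP/135
    shell_clients = set()            # sources connecting out to TCP/4444
    tftp_servers = set()             # hosts receiving requests on UDP/69
    for line in lines:
        proto, src, dst, dport = parse_line(line)
        if proto == "TCP" and dport == 135:
            rpc_targets[src].add(dst)
        elif proto == "TCP" and dport == 4444:
            shell_clients.add(src)
        elif proto == "UDP" and dport == 69:
            tftp_servers.add(dst)

    suspects = {}
    for src, targets in rpc_targets.items():
        run = longest_sequential_run(targets)
        if run < min_sequential:
            continue
        # The 40% branch scans the host's own /24, so note whether every
        # target falls inside it; the 60% branch hits a random /24.
        src_net = ipaddress.ip_network(f"{src}/24", strict=False)
        suspects[src] = {
            "sequential_rpc_targets": run,
            "scans_own_subnet": all(ipaddress.ip_address(t) in src_net
                                    for t in targets),
            "opened_4444_shell": src in shell_clients,
            "served_tftp_69": src in tftp_servers,
        }
    return suspects


if __name__ == "__main__":
    for host, findings in find_suspects(SAMPLE_LOG).items():
        print(host, findings)
```

On the sample log only 10.1.2.50 is reported; the single RPC call from 10.1.2.60 to its domain controller stays below the threshold, which is the point of keying on a run of consecutive targets rather than on port 135 traffic alone.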
Symantec ManHunt
Symantec ManHunt Protocol Anomaly Detection technology detects the activity associated with this exploit as "Portscan."
Although ManHunt can detect activity associated with this exploit with the Protocol Anomaly Detection technology, you can use the "Microsoft DCOM RPC Buffer Overflow" custom signature, released in Security Update, to precisely identify the exploit being sent.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
Removal using the Backdoor.Winshell.50 Removal Tool
Symantec Security Response has developed a removal tool to clean infections of W32.Blaster.Worm. This is the easiest way to remove this threat and should be tried first.
Manual Removal
As an alternative to using the removal tool, you can manually remove this threat.
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
Important Note: W32.Blaster.Worm exploits the DCOM RPC vulnerability. This is described in Microsoft Security Bulletin MS03-026, and a patch is available there. You must download and install the patch. In many cases, you will need to do this before you can continue with the removal instructions. If you are not able to remove the infection or prevent re-infection using the following instructions, first download and install the patch.
Disable System Restore (Windows Me/XP).
Update the virus definitions.
Do one of the following:
Windows 95/98/Me: Restart the computer in Safe mode.
Windows NT/2000/XP: End the Trojan process.
Run a full system scan and delete all the files detected as W32.Blaster.Worm.
Reverse the changes that the Trojan made to the registry.
For details on each of these steps, read the following instructions.
1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.
2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).
The Intelligent Updater virus definitions are available from the Symantec Security Response Web site. Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.
3. Restarting the computer in Safe mode or ending the Worm process
Windows 95/98/Me
Restart the computer in Safe mode. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."
Windows NT/2000/XP
To end the Trojan process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for msblast.exe.
If you find the file, click it, and then click End Process.
Exit the Task Manager.
4. Scanning for and deleting the infected files
Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
Run a full system scan.
If any files are detected as infected with W32.Blaster.Worm, click Delete.
5. Reversing the changes made to the registry
CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
Click Start, and then click Run. (The Run dialog box appears.)
Type regedit, and then click OK. (The Registry Editor opens.)
Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
"windows auto update"="msblast.exe"
Exit the Registry Editor.
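Step 5 is a manual regedit procedure done one machine at a time. As an added example, not Symantec's tooling, the Python below checks a Registry Editor export (.reg file) of the Run key for the persistence value this write-up says the worm adds, so cleanup can be verified on exports collected from many machines. The .reg contents are constructed; matching on the file name of the value data, so that a path prefix would still be caught, is an assumption beyond what the write-up states.

```python
"""Added example (not Symantec's tooling): check a regedit export for the
"windows auto update"="msblast.exe" Run value described in this write-up.
The .reg text below is constructed for illustration."""
import re

# The key and value the write-up says the worm writes.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_VALUE_NAME = "windows auto update"
WORM_VALUE_DATA = "msblast.exe"

# Constructed export of a still-infected machine. The key is spelled
# "Software" here (as in step 5) while RUN_KEY uses "SOFTWARE"; registry
# names are case-insensitive, so the check must be too.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"windows auto update"="msblast.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" with backslash escapes allowed inside either string.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo the .reg string escapes for quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in a .reg export.

    Only quoted-string values are handled; other types (dword:, hex:) are
    skipped, which is enough for checking the Run key."""
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and current_key is not None:
            yield current_key, _unescape(m.group(1)), _unescape(m.group(2))


def find_worm_persistence(text):
    """Return [(key, value_name, data)] entries matching the worm's Run value.

    Key and value names are compared case-insensitively. The data is
    compared on its file name only, so "C:\\...\\msblast.exe" also matches;
    that tolerance is an assumption, not something the write-up describes."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if (key.lower() == RUN_KEY.lower()
                and name.lower() == WORM_VALUE_NAME
                and data.lower().split("\\")[-1] == WORM_VALUE_DATA):
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for hit in find_worm_persistence(SAMPLE_REG_EXPORT):
        print("worm persistence still present:", hit)
```

An empty result after running the removal steps means the Run value is gone; a non-empty result on a machine that was supposedly cleaned is the re-infection case the Important Note above warns about, and the patch from MS03-026 should be confirmed before repeating the removal.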