MS Blaster Worm Roundup

Blaster Worm scans the Internet for computers that are vulnerable to its attack. Once found, it tries to enter the system through the port 135 to create a buffer overflow. One indication of infection is unusual activity on this port. This is a roundup of information covering the Blaster worm.

CERT/CC – CERT Advisory CA-2003-20 – W32/Blaster worm

The W32/Blaster worm exploits a vulnerability in Microsoft’s DCOM RPC interface. Upon successful execution, the worm attempts to retrieve a copy of the file msblast.exe from the compromising host. Once this file is retrieved, the compromised system then runs it and begins scanning for other vulnerable systems to compromise in the same manner. In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies

Microsoft PSS Security Response Team Alert – New Worm: W32.Blaster.worm

The Microsoft Product Support Services Security Team is issuing this alert to inform customers about a new worm named W32.Blaster.Worm which is spreading in the wild. Best practices, such as applying security patch MS03-026 should prevent infection from this worm. If you have any questions regarding this alert please contact your Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the US, outside of the US please contact your local Microsoft Subsidiary.

Microsoft Security Bulletin MS03-026 – Buffer Overrun In RPC Interface Could Allow Code

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on port 135.

Internet Storm Centar (SANS) – RPC DCOM Worm (Msblaster)

A worm has started spreading early afternoon EDT (evening UTC Time) and is expected to continue spreading rapidly. This worms exploits the Microsoft Windows DCOM RPC Vulnerability announced July 16, 2003.

ISS X-Force – “MS Blast” MSRPC DCOM Worm Propagation

ISS X-Force has captured active samples of an automated Internet worm that propagates via the MS RPC DCOM vulnerability documented in ISS X-Force Alert titled “Flaw in Microsoft Windows RPC Implementation”. MS Blast is currently propagating aggressively across the Internet.

eEye – ‘Blaster’ Worm Description and Technical Details

The Blaster worm uses a series of components to successfully infect a host. The first component is a publicly available RPC DCOM exploit that binds a system level shell to port 4444. This exploit is used to initiate a command channel between the infecting agent and the vulnerable target. Once the target is successfully compromised, the worm transmits the msblast.exe executable (the main body of the worm) via TFTP to infect the host. The payload used in the public DCOM exploit, as well as the TFTP functionality, are both encapsulated within msblast.exe.

Cisco Systems – W32.BLASTER Worm Mitigation Recommendations

Cisco customers are currently experiencing attacks due to a new worm that is active on the Internet. The signature of this worm appears as UDP traffic to port 69 and high volumes of TCP traffic to port 135 and 4444. Affected customers have been experiencing high volumes of traffic from both internal and external systems. Symptoms on Cisco devices include, but are not limited to high CPU and traffic drops on the input interfaces. This document focuses on both mitigation techniques and affected Cisco products which need software supplied by Cisco to patch properly.

DNS Commentary – Blaster Only Set to Stun

Once again, it appears that the worm authors had caught system administrators with their trousers down. Despite the availability of a patch since mid-July to fix the vulnerability exploited by W32.Blaster, the widespread infection of both business and home computers showed that in the vast majority of cases, it had not been applied. Such was the infection rate that, at its pinnacle, the worm was taking only 30 seconds to find an uninfected computer somewhere in the world.

Virus vendors on the MS SQL worm

Sophos: W32/Blaster-A
RAV: Win32/MSBlast.A
BitDefender: Win32.Msblast.A
McAfee: W32/Lovsan.worm
F-Secure: Lovsan Worm
Norman: Blaster.A
Panda Software: W32/Blaster
Symantec: W32.Blaster.Worm
Trend Micro: WORM_MSBLAST.A
Computer Associates: Win32.Poza
ESET NOD32: Win32/Lovsan.A
Kaspersky Lab: Worm.Win32.Lovesan

Removal tool: BitDefender Anti Blaster Worm
Removal tool: Astonsoft Anti MSBlast Worm

Trojan info: New Trojan Disguised as Blaster Worm Fix

Press Release: Blaster Worm Exploits Microsoft Security Hole And Launches Attack On Update Website, Warns Sophos
Press Release: Internet Virus Alert: Central Command Warns Of New RPC Computer Worm Named Worm/Lovsan.A
Press Release: World’s First RPC Worm Found – Experts Forecast Large-Scale Infections
Press Release: Panda Software Alerts on New Worm W32/Blaster
Press Release: Virus Advisory: Network Associates Avert Places Lovsan Threat as Medium On Watch
Press Release: The New Blaster is Spreading Rapidly, Infecting Computers Around the Globe
Press Release: Ubizen’s Security Intelligence Lab Reports Worm Exploiting Microsoft’s DCOM RPC Vulnerability
Press Release: Blaster Worm Impact May Snowball as Number of Reports Increases, Warns Sophos
Press Release: Websense Enterprise Client Application Manager Blocks MSBlaster Worm
Press Release: Prevention: The Best Weapon Against the Blaster Worm
Press Release: Internet Virus Advisory: Variations of Worm/Lovsan Discovered
Press Release: interMute Introduces SpySubtract to Detect and Destroy Spyware and Stop Spread of Blaster Worm to Consumer and Small Business PCs
Press Release: Network Associates’ HackerWatch.org Reports Over One Million Systems Infected by the Lovsan Worm Press Release: Ubizen Warns Of Second Vulnerability Post-Blaster – With No Patch Press Release: Finjan Software Protects Enterprises and Home Users From New Variants Of Lovsan Worm

News reports on the MS SQL worm

CNN: Teen arrested in ‘Blaster’ attack
BBC: Worm blasts across the web
TechWorld: Feared RPC worm starts to spread
The Register: MSBlaster worm spreading rapidly
The Inquirer: Worm with teeth could infect 10s of millions of Windows machines
PC Pro: New worm infects with an eye on Windows Update site
Internet Week: Newly Discovered Worm Attacks Windows Systems
Korea Times: Windows Worm Warning Issued
Computer Weekly: New Windows worm starts to spread
PC World: Self-Propagating Worm Spreads
Silicon: Windows worm now spreading
SMH Australia: Latest Windows worm keeps techs on their toes
TechCentral.com: Virus spreading rapidly, targeting Microsoft
CRN: Latest Worm Disrupts Asia, Europe
News.com: ‘MSBlast’ worm widespread but slowing
Vnunet: Blaster worm starts European campaign
TechWeb: MSBlast Copycat on the Loose
News Factor: Tips on Removing the LovSan Net Bug
eWeek: Blaster Variant on the Loose
Vnunet: Sun Mad as a Hatter over Microsoft worm
Vnunet: Microsoft battens down for Blaster attack
SMH Australia: No evidence that Windows worm caused blackout: CERT
Internet Magazine: Blaster worm wreaks havoc on home computers
IHT: Microsoft alters tactics to fight ‘worm’
The Inquierer: New York City mega Call Centre falls to Blaster worm