Weekly Virus Report – Blaster.B, Blaster.C, RPCSdbot and RPCSdbot.B Worms

This week’s report looks at five worms, Blaster, Blaster.B, Blaster.C, RPCSdbot and RPCSdbot.B, which all exploit the same vulnerability in order to spread to as many computers as possible, and at the Trojan HatFiend.10.

After its appearance on Monday, Blaster rapidly infected thousands of computers and reached the highest position in list of viruses most frequently detected by the free, online scanner, Panda ActiveScan.

Blaster spreads by attacking IP addresses -generated at random- belonging both to the network of the computer on which it is running, and to class B networks. This worm tries to exploit, in these IP addresses, the ‘Buffer Overrun in RPC Interface’ vulnerability to download a copy of itself, in a file named MSBLAST.EXE, to the compromised computer. In order to do this, Blaster incorporates its own TFTPE server.

Blaster has the following effects:

– Denial of service (DoS) attacks against the windowsupdate.com website whenever the system date is between August 16 and December 31, 2003. If this requirement is met, the worm sends a 40 byte packet every 20 milliseconds, using the TCP port 80.
– It can block and restart the attacked computer.
– It increases the network traffic on the TCP 135 and 4444, and UDP 69 ports.

The Blaster B and C variants are very similar to the original worm (Blaster). Differences include the fact that they generate files called PENIS32.EXE (B) and TEEKIDS.EXE (C).

RPCSdbot and RPCSdbot.B also exploit the ‘Buffer Overrun in RPC Interface’ vulnerability in order to spread themselves. In order to do so, they follow the same routine as the virus Blaster, since RPCSdbot and RPCSdbot.B attacks IP addresses -generated at random-. By doing so, they download a copy of themselves in the infected computer, by means of their own TFTP server.

RPCSdbot and RPCSdbot.B also drop a backdoor type Trojan, which allows a hacker to install programs, delete and download files, carry out DoS attacks, etc… in the infected computer.

Since Blaster and RPCSdbot exploit the same vulnerability, which affects Windows 2003/XP/2000/NT computers, it is advisable that users of these platforms install the patches provided by Microsoft. These patches can be downloaded from Microsoft.

We finish this report with HatFiend.10, a backdoor type Trojan, which allows hackers to gain remote access to other computers, in order to carry out actions that can compromise user confidentiality and impede the tasks performed on the computer. This malicious code goes memory resident, opens the port 1871 in the affected computer, and carries out several actions like logging keystrokes and controlling the hard drives.