Malware type: Worm
Aliases: W32.Blaster.Worm, W32/Blaster-A, W32/Blaster.worm, W32/Msblast.A, Win32/Poza!Worm
In the wild: Yes
Platform: Windows 2000, XP
Overall risk rating:
TrendLabs has received several infection reports of this new worm, which exploits the RPC DCOM BUFFER OVERFLOW. This vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.
The vulnerability affects unpatched systems running Windows NT, 2000, XP, and Server 2003. This worm, however, can only propagate into systems running Windows 2000 and XP.
This worm has been observed to continuously scan random IP addresses and send data to vulnerable systems on the network using port 135. On the following system dates, it performs a Distributed Denial Of Service attack against windowsupdate.com:
Important: Users of affected systems are strongly advised to apply the necessary patches, which may be downloaded from the following Microsoft page:
Microsoft Security Bulletin MS03-039
Users are also advised to visit the following page for more information from Microsoft:
What You Should Know About the Blaster Worm and Its Variants
For a general overview of the MSBLAST family of worms, please refer to the Virus Encyclopedia entry for WORM_MSBLAST.GEN.
For additional information about this threat, see:
Description created: Aug. 11, 2003 1:44:43 PM GMT -0800
Description updated: Feb. 3, 2004 11:09:08 PM GMT -0800
Size of malware: 6,176 Bytes (compressed) 11,296 Bytes (decompressed)
Initial samples received on: Aug 11, 2003
Performs DDoS attack against windowsupdate.com
Trigger condition 1:
See Technical details for complete trigger condition
Important: Since this worm exploits known security holes in Windows systems, Trend Micro strongly advises all users to apply the necessary critical patches. Failure to do so may result in reinfection. Please see the Solution section for the link to the necessary patches.
Autostart Technique and Memory-Residency Checking
Upon execution, this worm creates the following autorun registry entry so that it executes every time Windows starts:
"windows auto update" = MSBLAST.EXE
It creates a mutex named BILLY, which it uses to check if another copy is already running. If it finds that another copy is running, it simply terminates.
If no other copy is running, it continues with the rest of its routines. It sleeps in 20-second intervals, waking each time to check for an Internet connection, until it is able to establish one. It also checks the infected machine's Winsock version number. It runs on Winsock versions 1.0, 1.01, and 2.02.
Distributed Denial of Service Attack
Once it secures an Internet connection, this worm checks for the current system date. On the following system dates, it launches a thread that performs a Distributed Denial Of Service attack against windowsupdate.com:
When performing the DDoS attack, this worm constructs a specially crafted packet, around 40 bytes in size, and continuously sends it as a SYN packet request to windowsupdate.com every 20 milliseconds.
The packet contains no data except for its TCP/IP header. It is constructed such that the worm can spoof the sender IP address.
Also, if the worm fails to resolve the name windowsupdate.com, it uses 255.255.255.255 instead as the destination address for the DDoS attack.
As of this writing, Microsoft had already disabled the redirection of http://www.windowsupdate.com to the real Windows Update site, http://microsoft.windowsupdate.com. This prevents the Windows Update site from being attacked by the worm's DDoS payload.
Exploiting the RPC DCOM Buffer Overflow
This worm exploits the RPC DCOM BUFFER OVERFLOW, a vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface, to infect remote machines. The vulnerability allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.
For more information on the RPC DCOM Buffer Overflow, please visit the following Microsoft page:
Microsoft Security Bulletin MS03-026
Microsoft Security Bulletin MS03-039
To infect vulnerable machines, this worm attempts to connect to other target systems via port 135. It does this by opening 20 TCP threads or connections, which scan IP addresses starting from a base IP address. It then sends SYN packets to the remote IP addresses, using TCP port 135 for its attack.
It uses two methods to scan for IP addresses as follows:
The first method uses the IP address of the infected machine as its base IP address, A.B.C.D. It sets D to zero and checks the value of C. If C is greater than 20, a random value less than 20 is subtracted from C. Otherwise, it retains the value of C.
For example, if the infected machine's IP address is 210.23.69.101, the value 69 is changed to any number from 50 to 69, because 69 is greater than 20 and the worm subtracts a random value less than 20 from it. The value 101 is then changed to zero. Thus, the worm uses the IP address 210.23.[50-69].0 as its base IP address.
Moreover, if the infected machine's IP address is 220.127.116.11, the base address will then be 18.104.22.168.
However, after creating 20 threads or connection attempts, it uses another method which generates random IP addresses. It again opens 20 random TCP listening ports, which could range from 1000 - 5000 (these port numbers still vary). The IP address in this case is drawn sequentially ranging from 0.0.0.0 - 255.255.255.0.
This worm also opens port 4444, using this port for its remote shell. It then simulates a Trivial File Transfer Protocol (TFTP) server that listens on port 69 of the infected machine.
This worm then instructs its remote target machine, using the remote shell, to download a copy of itself, MSBLAST.EXE, into the Windows System32 folder, which is usually C:\Windows\System32 or C:\WINNT\System32.
Finally, this worm instructs the target machine to execute the downloaded file. This begins another life cycle for the worm on the newly infected machine.
The worm uses the TFTP.EXE client to download its copy onto a target machine. During this download routine, a temporary file named TFTP* is created. It takes the name of the worm file once the download routine is completed. However, this renaming does not happen when the download process is interrupted or not completed. Thus, TFTP* files may be found on some infected systems as a result of this failed routine.
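The propagation routine above (a SYN sweep of TCP/135 across a /24, a shell on TCP/4444, then a TFTP fetch on UDP/69 back to the infected host) and the DDoS payload described earlier (header-only SYNs to windowsupdate.com or 255.255.255.255 every 20 milliseconds from a spoofed source) both leave a distinctive footprint in network flow records. The following is an added detection example, not Trend Micro's tooling and not part of the original description; it assumes a simplified one-record-per-line flow format ("ts src dst proto dport flags length") and runs entirely on constructed sample traffic from a hypothetical infected host 10.1.2.3.

```python
"""Detecting WORM_MSBLAST.A network behaviour in flow records (added example).

The record format "ts src dst proto dport flags length" is an assumed,
simplified export format; all sample flows are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds
    src: str
    dst: str
    proto: str     # "TCP" or "UDP"
    dport: int
    flags: str     # TCP flags ("S" = SYN only); "-" for UDP
    length: int    # IP packet length in bytes


def parse_flows(text):
    """Parse the assumed one-record-per-line format; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, flags, length = line.split()
        flows.append(Flow(float(ts), src, dst, proto.upper(), int(dport), flags, int(length)))
    return flows


def find_rpc_scanners(flows, min_targets=16):
    """Sources that SYN-probe TCP/135 on many distinct addresses inside one /24.

    The worm's first method walks a base address A.B.C.0 upwards, so one source
    touching dozens of 135/tcp endpoints in one /24 is the signature. Its second
    (random) method is caught by dropping the /24 grouping or lowering min_targets.
    """
    probes = defaultdict(set)                    # (src, /24) -> distinct targets
    for f in flows:
        if f.proto == "TCP" and f.dport == 135 and f.flags == "S":
            net = ipaddress.ip_network(f"{f.dst}/24", strict=False)
            probes[(f.src, str(net))].add(f.dst)
    return sorted((src, net, len(dsts)) for (src, net), dsts in probes.items()
                  if len(dsts) >= min_targets)


def find_syn_floods(flows, min_count=50, window=2.0, max_len=60):
    """Header-only SYNs hammering one dst:port, i.e. the worm's DDoS payload.

    Keyed on destination only, because the worm spoofs the source address.
    Anything aimed at 255.255.255.255 (the worm's fallback when resolution
    fails) is reported even below the count threshold.
    """
    stamps = defaultdict(list)
    for f in flows:
        if f.proto == "TCP" and f.flags == "S" and f.length <= max_len:
            stamps[(f.dst, f.dport)].append(f.ts)
    hits = []
    for (dst, dport), ts_list in stamps.items():
        ts_list.sort()
        flood = any(ts_list[i + min_count - 1] - ts_list[i] <= window
                    for i in range(len(ts_list) - min_count + 1))
        if flood or dst == "255.255.255.255":
            hits.append((dst, dport, len(ts_list)))
    return sorted(hits)


def find_infection_chains(flows, scanners):
    """Pair a scanner's SYN to TCP/4444 on a victim with the victim's UDP/69
    request back to the scanner: the remote-shell plus TFTP download stage."""
    shell = {(f.src, f.dst) for f in flows
             if f.proto == "TCP" and f.dport == 4444 and f.flags == "S"}
    tftp = {(f.src, f.dst) for f in flows if f.proto == "UDP" and f.dport == 69}
    attackers = {src for src, _net, _count in scanners}
    return sorted((a, v) for (a, v) in shell if a in attackers and (v, a) in tftp)


def build_sample_flows():
    """Constructed traffic: one infected host 10.1.2.3 plus some benign SMB flows."""
    t, lines = 0.0, []
    for i in range(1, 41):                       # sequential 135/tcp sweep of 10.1.2.0/24
        lines.append(f"{t:.3f} 10.1.2.3 10.1.2.{i} TCP 135 S 48")
        t += 0.01
    lines.append(f"{t:.3f} 10.1.2.3 10.1.2.40 TCP 4444 S 48")             # remote shell
    t += 0.5
    lines.append(f"{t:.3f} 10.1.2.40 10.1.2.3 UDP 69 - 60")                # TFTP fetch
    t += 0.5
    for i in range(100):                         # 40-byte SYNs, spoofed sources, 20 ms apart
        lines.append(f"{t:.3f} 192.0.2.{i % 250 + 1} 255.255.255.255 TCP 80 S 40")
        t += 0.02
    lines.append(f"{t:.3f} 10.1.2.50 10.1.2.60 TCP 445 S 60")             # benign
    lines.append(f"{t:.3f} 10.1.2.50 10.1.2.60 TCP 445 A 1500")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(build_sample_flows())
    scanners = find_rpc_scanners(flows)
    print("scanners:", scanners)
    print("syn floods:", find_syn_floods(flows))
    print("chains:", find_infection_chains(flows, scanners))
```

On the constructed sample the sweep detector reports 10.1.2.3 against 10.1.2.0/24 with 40 targets, the flood detector reports 255.255.255.255:80, and the chain detector pairs 10.1.2.3 with 10.1.2.40. The thresholds are starting points only; on a real network, tune `min_targets` against legitimate RPC endpoint mappers and `window` against your flow exporter's timestamp resolution.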
The following text strings are visible in this worm's body:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
Minimum scan engine version needed: 5.600
Pattern file needed: 2.530.00
Pattern release date: Apr 3, 2005
Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.
Important: To fully protect systems against this security threat, users are advised to apply the critical patches before performing the Removal Instructions. The importance of applying these patches cannot be overstated, and they should be applied strictly across the network. Failure to apply the specified patches may result in remote attacks. Additionally, cleaning the system without first applying the patches may result in immediate reinfection or system instability.
RPC DCOM Buffer Overflow Vulnerability Scanning Tool
TrendLabs advises users to download the scanning tool released by Microsoft that can identify host machines in their network that do not have the MS03-026 security patch installed.
This Microsoft Scanning Tool is available for download at: http://support.microsoft.com?kbid=826369.
AUTOMATIC REMOVAL INSTRUCTIONS
To automatically remove this malware from your system, please use the Trend Micro System Cleaner.
MANUAL REMOVAL INSTRUCTIONS
Terminating the Malware Program
This procedure terminates the running malware process from memory.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.
Additional Windows ME/XP Cleaning Instructions
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as WORM_MSBLAST.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
For corporate product specific solutions, refer to Solution 15888 of Trend Micro's Knowledge Base.
For Pc-cillin and Housecall users refer to Solution 15904 of Trend Micro's Knowledge Base.