Virus and Hoax Updates
Blaster - WORM_MSBLAST.A (High Risk)
WORM_MSBLAST.A affects unpatched systems running Windows NT, 2000, XP, and Server 2003. This worm can only propagate to systems running Windows 2000 and XP. WORM_MSBLAST.A is currently spreading in the wild, and has been in heavy circulation since Monday.
WORM_MSBLAST.A is a destructive worm that exploits the RPC DCOM Buffer Overflow, a vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface, which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised. The virus payload performs a Distributed Denial of Service (DDoS) attack against windowsupdate.com on the 16th through the 31st day of every month from January through August, and any day in September through December. The worm is set to activate its next Distributed Denial of Service attack this Saturday, August 16.
Upon execution, this worm creates an autorun registry entry that allows it to execute at every Windows startup. It creates a mutex named "BILLY" that it uses to check whether another copy is already running. If it finds that another copy is running, it simply terminates. If no other copy is running, it continues with the rest of its routines, sleeping at 20-second intervals and waking to check for an Internet connection until it is able to establish one.
Once it secures an Internet connection, this worm checks the current system date. If the system date is the 16th through 31st day of any month from January through August, or any day of the months September through December, it launches a thread that performs a Distributed Denial of Service (DDoS) attack against windowsupdate.com. When performing the DDoS attack, this worm constructs a specially crafted packet, which it sends to the target site. The packet contains no data except for its TCP/IP header, and is constructed in such a way that the worm can spoof the sender IP address. This worm continuously sends the packet every 20 milliseconds.
This worm exploits the RPC DCOM Buffer Overflow, a vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface, to infect remote machines.
To infect unpatched, vulnerable machines, this worm attempts to connect to other target systems via port 135. It does this by opening 20 TCP threads or connections which scan for IP addresses. After creating 20 threads or connection attempts, it uses another method which generates random IP addresses.
This worm then instructs its remote target machine to download a copy of itself, MSBLAST.EXE, into the Windows System32 folder (typically C:\Windows\System32 or C:\WINNT\System32). Finally, it instructs the target machine to execute the downloaded file. This begins another life cycle for the worm on the newly infected machine.
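Two of the behaviours described above, the date window in which the DDoS payload fires and the 20-thread sweep of port 135, expressed as defender-side checks an analyst can run against firewall logs. This is an added example, not code from the advisory or from Trend Micro; the log line format, the host addresses and the allow/deny actions are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

def ddos_window_active(day) -> bool:
    """True on the days the advisory says the worm floods windowsupdate.com:
    the 16th through 31st of January-August and every day of September-December.
    Accepts a datetime.date or an ISO 'YYYY-MM-DD' string."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    if day.month >= 9:
        return True
    return day.day >= 16

def port135_scan_sources(log_lines, min_targets=20):
    """Return (src_ip, distinct_target_count) for sources that tried TCP/135
    against at least `min_targets` different hosts, busiest first. The worm
    runs 20 scanning threads at once, so one source touching 20 or more hosts
    on port 135 is a strong sign of an infected machine hunting for victims."""
    targets = defaultdict(set)
    for line in log_lines:
        # Constructed log format (an assumption, not a real vendor format):
        # "<timestamp> <src_ip> -> <dst_ip>:<dport>/<proto> <action>"
        parts = line.split()
        if len(parts) != 5 or parts[2] != "->":
            continue  # not a line in the expected shape; ignore it
        src, dst_spec = parts[1], parts[3]
        dst_ip, port_proto = dst_spec.rsplit(":", 1)
        port, proto = port_proto.split("/", 1)
        if proto.lower() == "tcp" and port == "135":
            targets[src].add(dst_ip)
    hits = [(src, len(dsts)) for src, dsts in targets.items()
            if len(dsts) >= min_targets]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

# Constructed sample log: 10.0.0.5 sweeps 25 hosts on TCP/135 (worm-like);
# 10.0.0.9 makes two ordinary connections and should not be flagged.
SAMPLE_LOG = [
    f"2003-08-11T14:02:{i:02d} 10.0.0.5 -> 10.0.1.{i}:135/tcp deny"
    for i in range(1, 26)
] + [
    "2003-08-11T14:02:30 10.0.0.9 -> 10.0.1.3:135/tcp allow",
    "2003-08-11T14:02:31 10.0.0.9 -> 10.0.1.4:445/tcp allow",
]

if __name__ == "__main__":
    print("flood window open on 2003-08-16:", ddos_window_active("2003-08-16"))
    for src, n in port135_scan_sources(SAMPLE_LOG):
        print(f"{src} probed {n} hosts on TCP/135; check it for MSBLAST.EXE")
```

A host flagged this way is worth checking for the MSBLAST.EXE file in System32, the autorun registry entry, and the "BILLY" mutex the advisory lists.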
The following text strings are visible in this worm's body:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
If you would like to scan your computer for WORM_MSBLAST.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com
For more information about hoaxes, visit the Trend Micro Hoax Encyclopedia (http://www.antivirus.com/vinfo/hoaxes/hoax.asp) or Hoaxbusters (http://hoaxbusters.ciac.org/HoaxBustersHome.html).
For virus checking software, try Symantec (http://www.symantec.com/) or McAfee (http://www.mcafee.com/). Remember to update your virus definitions regularly.