New Worm Blasts Worst Windows Vulnerability
August 11, 2003
About the Virus
Blaster (known as both W32.Blaster.worm and W32/Lovsan.worm) is an extremely
simple new worm that exploits one of the worst Windows vulnerabilities of recent
history. We reported on the critical Windows RPC flaw in an Information Alert on
July 16, 2003. Shortly after our alert, proof-of-concept code exploiting this
vulnerability appeared on many security mailing-lists. Even security experts
were shocked by how easily the exploit code gained full control of vulnerable
Windows machines. Many warned that virus authors would use this code to create
the next blended threat worm. It appears those predictions have come true. We
will continue to update you as new and significant information becomes
available.
Distinguishing Characteristics
Blaster is so simple that it doesn't even use e-mail to spread. The worm
exploits the DCOM RPC buffer overflow (described in Microsoft Security
Bulletin MS03-026 and in our Information Alert) exclusively over TCP port 135
to gain full control of your Windows machine.
Once the exploit succeeds, the worm's shellcode opens a command shell on the
victim (listening on TCP port 4444) and uses it to make the victim download a
file called msblast.exe over TFTP (UDP port 69) from the machine that infected
it. It then adds an entry under the registry's Run key to ensure that this
executable starts every time you boot your computer. Msblast.exe, which is the
worm itself, then starts scanning ranges of IP addresses (beginning either in
the local network or at a random address) on TCP port 135, looking for more
vulnerable systems to spread to.
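The spread pattern described above is easy to spot in firewall or flow logs: one source fanning out to many distinct hosts on TCP port 135, followed by a connection to port 4444 and a TFTP transfer. The following detector is an added example written for this alert, not code from WatchGuard or from the worm's analysts. It assumes a constructed, generic "timestamp src dst proto dport" log line format (no real vendor syntax), and the port 4444 shell and UDP 69 TFTP fetch are taken from public Blaster write-ups rather than from the text of this alert; the sample log lines are constructed.

```python
"""Flag hosts whose traffic matches Blaster's spread pattern.

Added example; not code from the WatchGuard alert. Log lines use a
constructed "timestamp src dst proto dport" format, not any vendor's syntax.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RPC_PORT = 135       # DCOM RPC endpoint mapper: the port Blaster exploits and scans
SHELL_PORT = 4444    # shell the exploit payload binds (from AV write-ups, not this alert)
TFTP_PORT = 69       # TFTP, over which the victim fetches msblast.exe

SCAN_THRESHOLD = 20  # distinct TCP/135 targets inside WINDOW_SECONDS that we call a scan
WINDOW_SECONDS = 60


@dataclass
class HostActivity:
    rpc_targets: list = field(default_factory=list)  # (timestamp, dst) per TCP/135 attempt
    shell_hits: int = 0
    tftp_hits: int = 0


def parse_line(line):
    """Constructed format: '<ISO-8601 timestamp> <src> <dst> <tcp|udp> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport)


def classify(lines):
    """Bucket each source host's Blaster-relevant connection attempts."""
    hosts = defaultdict(HostActivity)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, proto, dport = parse_line(line)
        act = hosts[src]
        if proto == "tcp" and dport == RPC_PORT:
            act.rpc_targets.append((ts, dst))
        elif proto == "tcp" and dport == SHELL_PORT:
            act.shell_hits += 1
        elif proto == "udp" and dport == TFTP_PORT:
            act.tftp_hits += 1
    return hosts


def max_distinct_targets_in_window(events, window):
    """Largest number of distinct destinations seen within any `window`-second span."""
    events = sorted(events)
    counts = defaultdict(int)
    best = start = 0
    for ts, dst in events:
        counts[dst] += 1
        while (ts - events[start][0]).total_seconds() > window:   # slide the window forward
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def suspected_infected(lines, threshold=SCAN_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: [reasons]} for hosts showing Blaster-like behaviour."""
    findings = {}
    for src, act in classify(lines).items():
        reasons = []
        fanout = max_distinct_targets_in_window(act.rpc_targets, window)
        if fanout >= threshold:
            reasons.append(f"{fanout} distinct TCP/135 targets within {window}s")
        if act.shell_hits:
            reasons.append(f"{act.shell_hits} connection(s) to TCP/{SHELL_PORT}")
        if act.tftp_hits:
            reasons.append(f"{act.tftp_hits} TFTP transfer(s) (UDP/{TFTP_PORT})")
        if reasons:
            findings[src] = reasons
    return findings


def sample_log():
    """Constructed sample: 10.0.0.5 sweeps a /24 on TCP/135, then pushes the
    worm to 192.168.1.17 (shell on 4444, victim fetches msblast.exe by TFTP);
    10.0.0.9 is an ordinary client making two RPC connections five minutes apart."""
    base = datetime(2003, 8, 11, 9, 0, 0)
    at = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = [f"{at(i)} 10.0.0.5 192.168.1.{i} tcp 135" for i in range(1, 41)]
    lines.append(f"{at(41)} 10.0.0.5 192.168.1.17 tcp 4444")
    lines.append(f"{at(42)} 192.168.1.17 10.0.0.5 udp 69")
    lines.append(f"{at(0)} 10.0.0.9 10.0.0.1 tcp 135")
    lines.append(f"{at(300)} 10.0.0.9 10.0.0.2 tcp 135")
    return lines


if __name__ == "__main__":
    for host, why in suspected_infected(sample_log()).items():
        print(host, "->", "; ".join(why))
```

On the sample, 10.0.0.5 is flagged for 40 distinct port-135 targets in one minute plus the port-4444 connection, 192.168.1.17 is flagged for the TFTP fetch (it is the freshly infected host, about to start its own sweep), and 10.0.0.9 is not flagged. The threshold and window are tuning knobs: a legitimate domain controller or management station does talk to many hosts on port 135, so whitelist those before alerting on fan-out alone.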
That's it! The worm is very simple, yet it still seems to be spreading
quickly. At first glance, Blaster didn't seem to carry any malicious payload.
However, the latest reports indicate that machines infected by the worm will
attempt to SYN flood Microsoft's Windows Update site (windowsupdate.com)
starting on August 16th. Also, because Blaster's exploit corrupts memory in
the RPC service, a failed or imperfect exploit attempt can crash that service;
Windows responds by becoming unstable and, on Windows XP and 2000, by shutting
down and rebooting the machine, so unexplained reboots on your network are a
sign that the worm is probing it even if no machine has been infected yet.
What you can do
- Most major anti-virus vendors already have signatures that detect Blaster.
Check with your vendor for their latest update. Bear in mind that a signature
only catches msblast.exe after it lands; the RPC service stays exploitable
until the patch is on.
- If you have not yet applied Microsoft's patch for this issue, apply the
patch found in the Solution section of our July 16 Information Alert.
- This worm doesn't appear to arrive in e-mail but instead spreads
exclusively on TCP port 135. If your firewall does not already block inbound
TCP port 135 from the Internet, do so now. Blocking TCP port 4444 and UDP port
69 (TFTP) as well stops the worm's second stage (the remote shell and the
msblast.exe download), so an exploit attempt that does reach an unpatched
machine still fails to install the worm. Remember that a firewall at the
perimeter does nothing about an infected laptop that is carried inside. See
below to learn how WatchGuard firewalls can help.
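To check a machine for the persistence mechanism described earlier (the Run-key entry that restarts msblast.exe at boot) without trusting the possibly compromised host's own anti-virus, export the Run key with reg.exe and inspect the export offline. The parser below is an added example, not WatchGuard's or any vendor's tool; it handles only the string-value subset of .reg syntax that `reg export` produces, the sample export is constructed, and the value name "windows auto update" is the one reported in public AV write-ups rather than something stated in this alert.

```python
"""Spot Blaster's Run-key persistence in a .reg export of HKLM\...\Run.

Added example, not code from the WatchGuard alert. Produce the input with:
    reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_BINARY = "msblast.exe"               # file name given in the alert
WORM_VALUE_NAME = "windows auto update"   # value name from AV write-ups (not in the alert)

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=data ; the name may contain escaped quotes. @= (default value) and
# hex(...) values are not handled, which is fine for Run-key string entries.
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for quoted string values."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                # undo .reg escaping: \\ -> \ and \" -> "
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][m.group("name")] = data
    return keys


def blaster_persistence_hits(text):
    """List (value_name, data) Run entries that point at msblast.exe or use the
    worm's known value name; an empty list means no indicator was found."""
    run = parse_reg_export(text).get(RUN_KEY, {})
    return [(name, data) for name, data in run.items()
            if WORM_BINARY in data.lower() or name.lower() == WORM_VALUE_NAME]


# Constructed sample export: one benign entry and one worm entry.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="C:\\WINDOWS\\SOUNDMAN.EXE"
"windows auto update"="msblast.exe"
'''

if __name__ == "__main__":
    for name, data in blaster_persistence_hits(SAMPLE_EXPORT):
        print(f"Blaster persistence: {name!r} -> {data!r}")
```

reg.exe writes exports as UTF-16, so read a real file with `open(path, encoding="utf-16")` before passing it in. A hit here means the machine was already exploited and needs the patch, the file removed and the entry deleted; a clean Run key on an unpatched machine means nothing, since the next scan from an infected neighbour can change that.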
References:
- Symantec description of Blaster
- McAfee description of W32/Lovsan
Credits: Researched and written by Corey Nachreiner
Date: 08/24/2004