W32/Lovsan.worm.a

This page shows details and results of our analysis on the malware W32/Lovsan.worm.a

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum Engine

5600.1067

File Length

6,176 bytes

Description Added

2003-08-11

Description Modified

2005-08-29

Malware Proliferation

Characteristics

-- Update 21 April 2004 --
A new variant was discovered and was proactively detected as Exploit-DcomRpc with the 4289 DAT files when scanning compressed executables (default setting)

  • eschlp.exe (66,048 bytes)

Detection for this variant as W32/Blaster.worm.k had been added to 4352 DATs and above. It propagates in the same way as previous variants. A backdoor dropped by this variant was detected as W32/Blaster.worm!backdoor using the 4352 DATs and above.

-- Update 11 March 2004 --
The risk assessment of this threat was lowered to Low-Profiled due to a decrease in prevalence.

-- Update 25 August 2003 --
The risk assessment of this threat was lowered to Medium due to a decrease in prevalence.

-- Update 15 August 2003 --
Microsoft has removed the DNS entry for windowsupdate.com to prevent the Denial of Service attack against this domain. This does not prevent users from using Windows Update to patch their systems, as this is not the address used when clicking on the Windows Update link.

-- Update 13 August 2003 --
Two new variants were discovered and are detected exactly with the 4285 DAT files.

  • teekids.exe (5,360 bytes) [detected as W32/Lovsan.worm.b]
  • penis32.exe (7,200 bytes) [detected as Exploit-DcomRpc]
These are functionally similar to the original W32/Lovsan.worm.
--

This threat was proactively detected as a variant of Exploit-DcomRpc with the 4283 DAT files and 4.1.60+ scan engine. This detection requires the scanning of compressed executables to be enabled (VirusScan 7 provides the ability to disable this option, however it is enabled by default).

This threat exploits the MS03-026 vulnerability. The purpose of the virus is to spread to as many machines as possible. By exploiting an unplugged hole in Windows, the virus is able to execute without requiring any action on the part of the user. The worm also creates a remote access point, allowing an attacker to run system commands at their choosing.

When run, it scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability on the found systems to create a remote shell on TCP port 4444. It then instructs the system to download the worm to the %WinDir%\system32 directory and execute it. (The target system is issued a TFTP command to downloads the worm from the infected host system [TFTP UDP port 69].

Once run, the worm creates the registry key (may be either of the following):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill
This will appear in regedit as:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "windows auto update" = msblast.exe
Although Win9x/ME/NT/2K/XP can carry the virus. Automatic execution and infection only occurs on Win2K/XP.

Symptoms

- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
- Error messages about the RPC service failing (causes system to reboot)
- The worm randomly opens 20 sequential TCP ports for listening. This is a constantly revolving range (ie. 2500-2520, 2501-2521, 2502-2522). The purpose of this action is unknown

Method of Infection

This worm spreads by exploiting a recent vulnerability in Microsoft Windows. The worm scans the local class C subnet, or other random subnets, on port 135. Discovered systems are targeted. Exploit code is sent to those systems, instructing them to download and execute the file MSBLAST.EXE from a remote system via TFTP.

When W32/Lovsan.worm attempts to infect a machine on port 135 it sends a carefully crafted packet designed to cause the buffer overflow. The code execution path after a buffer overflow is specific to files and their locations in memory on a target machine.

Normally that means that an exploit would only target a single OS - for example, Windows XP or Windows 2000, as the location of certain files in memory on each platform is usually slightly different. W32/Lovsan.worm actually semi-randomly tries the Windows 2000 exploit (with 20% probability) and the Windows XP exploit (with 80% probability) in turn - if it "guesses" correctly then it will infect your machine, if it "guesses" incorrectly then it will crash your machine!

The author didn't code anything for Windows NT 4, so therefore it will only crash this platform!

The worm contains a payload to initiate a Denial of Service attack against windowsupdate.com after August 16. The worm only checks the local system date upon execution. If an infected system is left on and the date rolls over to Aug 16, the payload will not kick off until the system is restarted.

This payload involves sending 40 byte SYN packets to windowsupdate.com on TCP port 80 for the purpose of preventing users from patching their systems via Windows Update. The source IP address is spoofed on each packet, using a random local CLASS B IP.

Computers that have up-to-date antivirus software will detect the worm executable (msblast.exe) upon download and prevent that machine from becoming a host for W32/Lovsan.

However, unless the system has been (MS03-026) patched, it is susceptible to the buffer overflow attack from an infected host machine. An infected machine (running msblast.exe) will send out malformed packets across the local subnet to the RPC service running on port 135. When these packets are received by any unpatched system, it will create a buffer overflow and crash the RPC service on that system. All this can occur without the worm actually being on the machine. This means that the remote shell will still get created on TCP port 4444, and the system may unexpectedly crash upon receiving malformed exploit code.

Other symptoms may include:

  • inability to cut/paste
  • inability to move icons
  • Add/Remove Programs list empty
  • dll errors in most Microsoft Office programs
  • generally slow, or unresponsive system performance
By applying the MS03-026 patch to the machine, it will prevent the RPC service from failing, in-turn solving these symptoms. It is very important that the machine is rebooted after the patch has been installed. The machine can then be updated to the latest dats/engine/config and an on-demand scan run to pick up msblast.exe, IF it exists. All of these symptoms are related to the RPC vulnerability and not necessarily due to W32/Lovsan running locally. Msblast.exe may not be present at all.

Removal

Microsoft Patches
It is imperative that infected systems are patched prior to disinfecting a system. Some systems may be in a crash loop where each time the system is restarted, SVCHOST.EXE crashes and the user has 60 seconds before the system restarts. This action can continue to happen even after the virus is removed if the patch is not applied. It may be necessary to install/configure a firewall prior to downloading/installing this patch. Microsoft has outlined the necessary steps to address Windows issues when removing this virus. These actions should be taken prior to removing the virus (see below).

Virus Removal :
Use the curent DAT file for detection an removal. The 4283 DAT files will detect this threat as a variant of Exploit-DcomRpc. Infected systems must be patched prior to removal of the virus (see below).

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Stand alone remover
Stinger has been updated to include detection/removal of this threat.

Sniffer Customers: A new filter has been developed that will look for any traffic exploiting the RPC Exploit, plus traffic on port 4444 (Lovsan) and traffic on 707 (Nachi) (Sniffer Distributed 4.3 and Sniffer Portable 4.7.5).

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

  1. Apply the MS03-039 patch (includes MS03-026  patch)
  2. Terminate the process msblast.exe
  3. Delete the msblast.exe file from your WINDOWS SYSTEM32 directory (typically c:\windows\system32 or c:\winnt\system32)
  4. Edit the registry
    • Delete the "windows auto update" value from
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
        Windows\CurrentVersion\Run
Threatscan users
The latest ThreatScan signature (2003-08-12) includes detection of the W32/Lovsan.worm virus.This signature is available for ThreatScan v2.0, v2.1, and v2.5.

To update your ThreatScan installations with the latest signatures perform the following tasks:

  1. From within ePO open the Policies tab.
  2. Select McAfee ThreatScan and then select Scan Options
  3. In the pane below click the Launch AutoUpdater button.
  4. Using the default settings proceed through the dialogs that appear. Upon successful completion of the update a message will appear stating that; update 2003-08-12 has completed successfully.
  5. From within ePO create a new AutoUpdate on Agent(s) task.
  6. Go into the settings for this task and ensure that the host field is set to ftp.nai.com , the path is set to /pub/security/tsc20/updates/winnt/ and that the user and password fields are both set to ftp .Note that tsc20 in the above path is used for ThreatScan 2.0 and 2.1.The correct path for ThreatScan 2.5 is tsc25.
  7. Launch this task against all agent machines.
  8. When the task(s) complete information will be available in the Task Status Details report.

To create and execute a new task with the new Hot Fix functionality do the following:

  1. Create a new ThreatScan task.
  2. Edit the settings of this task.
  3. Edit the Task option, Host IP Range to include all desired machines to scan.
  4. Select the Remote Infection Detection category and Windows Virus Checks template.
    -or-
    Select the Other category and Scan All Vulnerabilities template.
  5. Launch the scan.

Variants

W32/Lovsan.worm.k
W32/Lovsan.worm.g