This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
4284 (2003-08-11)Updated DAT
-- Update 21 April 2004 --
A new variant was discovered and was proactively detected as Exploit-DcomRpc with the 4289 DAT files when scanning compressed executables (default setting)
Detection for this variant as W32/Blaster.worm.k had been added to 4352 DATs and above. It propagates in the same way as previous variants. A backdoor dropped by this variant was detected as W32/Blaster.worm!backdoor using the 4352 DATs and above.
-- Update 11 March 2004 --
The risk assessment of this threat was lowered to Low-Profiled due to a decrease in prevalence.
-- Update 25 August 2003 --
The risk assessment of this threat was lowered to Medium due to a decrease in prevalence.
-- Update 15 August 2003 --
Microsoft has removed the DNS entry for windowsupdate.com to prevent the Denial of Service attack against this domain. This does not prevent users from using Windows Update to patch their systems, as this is not the address used when clicking on the Windows Update link.
-- Update 13 August 2003 --
Two new variants were discovered and are detected exactly with the 4285 DAT files.
This threat was proactively detected as a variant of Exploit-DcomRpc with the 4283 DAT files and 4.1.60+ scan engine. This detection requires the scanning of compressed executables to be enabled (VirusScan 7 provides the ability to disable this option, however it is enabled by default).
This threat exploits the MS03-026 vulnerability. The purpose of the virus is to spread to as many machines as possible. By exploiting an unplugged hole in Windows, the virus is able to execute without requiring any action on the part of the user. The worm also creates a remote access point, allowing an attacker to run system commands at their choosing.
When run, it scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability on the found systems to create a remote shell on TCP port 4444. It then instructs the system to download the worm to the %WinDir%\system32 directory and execute it. (The target system is issued a TFTP command to downloads the worm from the infected host system [TFTP UDP port 69].
Once run, the worm creates the registry key (may be either of the following):
This worm spreads by exploiting a recent vulnerability in Microsoft Windows. The worm scans the local class C subnet, or other random subnets, on port 135. Discovered systems are targeted. Exploit code is sent to those systems, instructing them to download and execute the file MSBLAST.EXE from a remote system via TFTP.
When W32/Lovsan.worm attempts to infect a machine on port 135 it sends a carefully crafted packet designed to cause the buffer overflow. The code execution path after a buffer overflow is specific to files and their locations in memory on a target machine.
Normally that means that an exploit would only target a single OS - for example, Windows XP or Windows 2000, as the location of certain files in memory on each platform is usually slightly different. W32/Lovsan.worm actually semi-randomly tries the Windows 2000 exploit (with 20% probability) and the Windows XP exploit (with 80% probability) in turn - if it "guesses" correctly then it will infect your machine, if it "guesses" incorrectly then it will crash your machine!
The author didn't code anything for Windows NT 4, so therefore it will only crash this platform!
The worm contains a payload to initiate a Denial of Service attack against windowsupdate.com after August 16. The worm only checks the local system date upon execution. If an infected system is left on and the date rolls over to Aug 16, the payload will not kick off until the system is restarted.
This payload involves sending 40 byte SYN packets to windowsupdate.com on TCP port 80 for the purpose of preventing users from patching their systems via Windows Update. The source IP address is spoofed on each packet, using a random local CLASS B IP.
Computers that have up-to-date antivirus software will detect the worm executable (msblast.exe) upon download and prevent that machine from becoming a host for W32/Lovsan.
However, unless the system has been (MS03-026) patched, it is susceptible to the buffer overflow attack from an infected host machine. An infected machine (running msblast.exe) will send out malformed packets across the local subnet to the RPC service running on port 135. When these packets are received by any unpatched system, it will create a buffer overflow and crash the RPC service on that system. All this can occur without the worm actually being on the machine. This means that the remote shell will still get created on TCP port 4444, and the system may unexpectedly crash upon receiving malformed exploit code.
Other symptoms may include:
It is imperative that infected systems are patched prior to disinfecting a system. Some systems may be in a crash loop where each time the system is restarted, SVCHOST.EXE crashes and the user has 60 seconds before the system restarts. This action can continue to happen even after the virus is removed if the patch is not applied. It may be necessary to install/configure a firewall prior to downloading/installing this patch. Microsoft has outlined the necessary steps to address Windows issues when removing this virus. These actions should be taken prior to removing the virus (see below).
Use the curent DAT file for detection an removal. The 4283 DAT files will detect this threat as a variant of Exploit-DcomRpc. Infected systems must be patched prior to removal of the virus (see below).
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Stand alone remover
Stinger has been updated to include detection/removal of this threat.
Sniffer Customers: A new filter has been developed that will look for any traffic exploiting the RPC Exploit, plus traffic on port 4444 (Lovsan) and traffic on 707 (Nachi) (Sniffer Distributed 4.3 and Sniffer Portable 4.7.5).
Manual Removal Instructions
To remove this virus "by hand", follow these steps:
To update your ThreatScan installations with the latest signatures perform the following tasks:
To create and execute a new task with the new Hot Fix functionality do the following: