Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Blaster.A

Overview

Threat Risk MEDIUM MEDIUM
Destructivity HIGH HIGH
Payload Performs a denial of service attack
Detection files published 11 Aug 2003 03:00:00
Description created 11 Aug 2003 04:28:00
Description updated 05 Sep 2003 04:14:00
Malware type WORM
Alias MSBlast.A
Spreading mechanism NETWORK
Summary None

W32/Blaster.A

Spreading

When run, the worm will first install itself in the registry though the key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run "windows auto update" = MSBlast.exe

This enables it to start from bootup. It checks if it is already running by attempting to create a mutex called "BILLY".

It generates random IP addresses that it attempts to spread to. This is done by sending specifically formatted data to port 135 on the remote machines. If these machines are vulnerable to this attack, they will open a remote shell on port 4444. The open shell now receives instructions to connect back to the infected machine using TFTP, and download the original worm file. The worm has at this stage set up a FTP server on port 69.

Once the download is complete, the worm file is started via the same remote shell.

The buffer overrun performed on target machines may have detrimental effect on the stability of these machines.

Payload Details

The worm checks the time on the infected computer. If the date is the 16th or higher of any month; or if the date is lower than 16th, but month is higher than August, the worm will initiate an attack on Windowsupdate.com, sending a lot of packets on port 80.
This attack takes place in a separate thread; the worm's original infection routine is still running as well.


Analysis

n/a

Removal

Download and install Microsoft patch MS03-026. You may have to download this patch form a clean computer and bring it to your infected computer on a removable media like a floppy or a CD. Also, firewalls should be configured to stop inbound traffic on port 135/tcp at the perimeter; as well as traffic on port 4444. Manual removal 1. Press Ctrl+Alt+Delete on your keyboard, click Task Manager and select the tab Processes. Right-click on the process Msblast.exe and select End process. 2. Return to Windows and click Start | Run 3. Type regedit and click OK 4. In the Registry editor, browse to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the value ‘windows auto update = msblast.exe’ 5. Close the Registry editor and restart your machine 6. Finally, you should update your Lumension antivirus product, and run a manual virus scan. (Do not start the scan immediately after the download is finished. NVC needs a few minutes to install the updates). On Windows XP you should deactivate System Restore before you run the scan.  


Last Updated: 12 Nov 2015 11:06:11