DID nod32 update the defs for Welchia.worm?


testg
August 19th, 2003, 09:39 AM
Copies itself to:

%System%\Wins\Dllhost.exe

NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Makes a copy of %System%\Dllcache\Tftpd.exe, as %System%\Wins\svchost.exe.

NOTE: Svchost.exe is a legitimate program, which is not malicious, and therefore Symantec antivirus products will not detect it.


Creates the following services:

Service Name: RpcTftpd
Service Display Name: Network Connections Sharing
Service Binary: %System%\wins\svchost.exe

This service will be set to start manually.

Service Name: RpcPatch
Service Display Name: WINS Client
Service Binary: %System%\wins\dllhost.exe

This service will be set to start automatically.


Ends the process, Msblast, and deletes the file %System%\msblast.exe, which is dropped by the worm W32.Blaster.Worm.


The worm will select the victim IP address in two different ways. It will either use A.B.0.0 from the infected machine's IP of A.B.C.D and count up, or it will construct a random IP address based on some hard-coded addresses. After selecting the start address, it will count up through a range of Class C sized networks, for example, if it starts at A.B.0.0, it will count up to at least A.B.255.255.


The worm will send an ICMP echo, or PING, to check if the IP address constructed is an active machine on the network.


Once the worm identifies a machine as being active on the network, it will either send data to TCP port 135, which exploits the DCOM RPC vulnerability, or it will send data to TCP port 80 to exploit the WebDav vulnerability.


Creates a remote shell on the vulnerable host that will connect back to the attacking computer on a random TCP port between 666 and 765 to receive instructions.


Launches the TFTP server on the attacking machine, instructs the victim machine to connect and download Dllhost.exe and Svchost.exe from the attacking machine. If the file, %System%\dllcache\tftpd.exe exists, the worm may not download svchost.exe.


Checks the computer's operating system version, Service Pack number, and System Locale and attempts to connect to Microsoft's Windows Update and download the appropriate DCOM RPC vulnerability patch.


Once the update has been downloaded and executed, the worm will restart the computer so that the patch is installed.


Checks the computer's system date. If the year is 2004, the worm will disable and remove itself.
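The artifacts listed in the description above (two dropped files under %System%\Wins and the RpcTftpd / RpcPatch services) are what an administrator would check for on a suspect host. The following read-only check is an added example, not part of the original post or of any vendor tool; it assumes only the file and service names given in the post, and treats the display names as a weaker, review-only signal.

```powershell
# Added example: read-only check for the Welchia artifacts named in the post.
# Reports findings only; it does not stop services or delete files.
$system   = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
$findings = @()

# 1. Dropped binaries: the worm's own copy and the renamed copy of tftpd.exe.
foreach ($f in @("$system\Wins\Dllhost.exe", "$system\Wins\svchost.exe")) {
    if (Test-Path -LiteralPath $f) {
        $findings += "file present: $f"
    }
}

# 2. Services registered by the worm. These service names are not standard
#    Windows service names, so their presence alone is a strong indicator.
foreach ($svc in @('RpcTftpd', 'RpcPatch')) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) {
        $path = (Get-CimInstance Win32_Service -Filter "Name='$svc'").PathName
        $findings += "service present: $svc ('$($s.DisplayName)', $($s.Status)) -> $path"
    }
}

# 3. Weaker signal: any service whose binary lives under %System%\Wins, or that
#    uses one of the display names from the post, is flagged for manual review.
$displayNames = @('Network Connections Sharing', 'WINS Client')
Get-CimInstance Win32_Service | Where-Object {
    ($_.PathName -like "*\Wins\*") -or ($displayNames -contains $_.DisplayName)
} | ForEach-Object {
    $findings += "review: service $($_.Name) ('$($_.DisplayName)') -> $($_.PathName)"
}

if ($findings.Count -eq 0) {
    'No Welchia artifacts found.'
} else {
    $findings
}
```

Run it from an elevated PowerShell prompt so service binary paths are readable; a hit on step 1 or 2 should be confirmed with the vendor's removal instructions rather than by deleting files by hand.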

Paul Wilders
August 19th, 2003, 09:53 AM
It does under the name Lovsan.D

regards.

paul

testg
August 19th, 2003, 10:20 AM
Thank You very much.
Darn it, how I wish that every AV company actually standardized their naming scheme. :) I am not blaming you or anyone else; it's just annoying to see 1 worm having 10 names.

For example hypothetical:
KAV: worm.testiclecrucher
McAfee: worm.ballsasounder
Symantec: worm.letsjustmakeitup

etc.

optigrab
August 19th, 2003, 11:14 AM
I second testg's lament. In fact, testg's hypothetical naming scheme would be easier to remember, not to mention hilarious. ;)

Paul Wilders
August 19th, 2003, 02:47 PM
testg,

Quote: "Darn it, how I wish that every AV company actually standardized their naming scheme."

Don't hold your breath - I for one don't believe it will happen, ever. As soon as an AV company gets hold of a new piece of malware, it will be databased and named as soon as possible. Company A is quickly followed by company B, C, etc. Even in case they want to, there's simply no time to contact one another before releasing a new database update. And a database update needs names for the newly added malware...

regards.

paul

DolfTraanberg
August 19th, 2003, 03:02 PM
Why do you want to know, only for checking your AV is up-to-date?
If you have that much trust...
Dolf

Mele20
August 20th, 2003, 06:09 AM
What I would like to see more than the standardization of the names, which I agree with Paul will probably never happen, would be for Eset to add immediately to their website information on any important virus or variant. I am aware that Eset is making an effort now to improve their web site and it is much better now. There is still room for considerable improvement though. Not only are only some viruses mentioned there, but it takes several hours to get the latest database list on the site. That should ideally go up before or at the time of the release. It is frustrating to have the latest update but then have to check repeatedly for hours before seeing the latest database list on NOD's website. (Plus, without the database, I can't post at DSLR and show that NOD got the definitions first for such and such a virus that is currently being talked about...grrrr).

When you check the virus descriptions list, it says "Last updated on: Tue, 13 May 2003 21:11:15 GMT". Then it also says "Since this information is constantly updated with new virus descriptions, the downloaded file can become obsolete after a certain amount of time - that's why it is recommended to download its latest version regularly (about once a month)." Gee, there hasn't been an update to the base for over three months...but we should download the "latest version" every month? I think Eset has gotten ahead of itself here...a bit of wishful thinking? :)

There has been great improvement in the website and I really appreciate that. However, I would very much like to read a description of W32.Welchia.Worm at the NOD site for instance today...not two months from now or whenever the virus descriptions are finally updated. I would like to be able to come to the NOD site and read about the latest threats (and yes, there is one new one listed today so I am grateful for that one), and be able to post what Eset says about them over at DSLR where everyone is posting what Trend Micro, F-Secure, Dr. Web, etc. is saying about them, but seldom does Eset have anything about the latest threats. I'd love to see that change as NOD would get more exposure if I or other NOD users could post information from Eset as others do for other avs.