WORM_MSBLAST.A

Discussion in 'malware problems & news' started by FanJ, Aug 11, 2003.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    See also the following threads:

    RPC DCOM Exploit - Widespread use...
    http://www.wilderssecurity.com/showthread.php?t=11991


    Outbreaks of RPC vulnerable systems
    http://www.wilderssecurity.com/showthread.php?t=12324


    [hr]

    From TrendMicro:

    Dear Trend Micro customer,

    TrendLabs has received several infection reports of this new worm named WORM_MSBLAST.A which exploits the RPC DCOM BUFFER OVERFLOW, a vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

    This worm has been observed to continuously scan and send data to vulnerable systems in the network using port 135. When the system date is August 15, it performs a Distributed Denial Of Service attack against windowsupdate.com.

    As of 1:54 PM, US Pacific Time, Trend has declared a yellow alert to control the spread of this malware.

    TrendLabs HQ will be releasing the following EPS deliverables within the next few minutes:

    - Official Pattern Release 604
    - TMCM Outbreak Prevention Policy 43
    - Damage Cleanup Template 143

    --snip--

    For more information on WORM_MSBLAST.A, please visit our Web site at:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A


    [hr]


    From Sophos:

    W32/Blaster-A

    Aliases :
    W32/Lovsan.worm, W32.Blaster.Worm, WORM_MSBLAST.A

    Type : Win32 worm

    Description
    W32/Blaster-A is a worm that scans networks looking for computers vulnerable to Microsoft's DCOM RPC security exploit.

    On finding a suitable victim, the worm causes the remote machine to acquire a copy of the worm using TFTP.

    Additionally the worm creates the following registry entry so as to run on system start:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update

    After August 15 the worm will launch a distributed denial-of-service attack on windowsupdate.com

    Microsoft has issued a patch for the vulnerability exploited by this Trojan. The patch is available from http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.

    http://www.sophos.com/virusinfo/analyses/w32blastera.html
     
    FanJ, Aug 11, 2003
    #1
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...