W32/Blaster-G

Discussion in 'malware problems & news' started by Marianna, Apr 21, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Type
    Win32 worm

    Description
    W32/Blaster-G is a worm that uses the internet to exploit the DCOM vulnerability in the RPC (Remote Procedure Call) service.
    The worm will copy itself to the Windows system folder as eschlp.exe and create the file svchosthlp.exe in the same location.

    W32/Blaster-G creates the following registry entries to ensure it is run at system logon:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    Helper = <SYSTEM>\eschlp.exe /fstart
    MSUpdate = <SYSTEM>\svchosthlp.exe
    SPUpdate = <SYSTEM>\svchosthlp.exe

    A more detailed description will be published here shortly.

    http://www.sophos.com/virusinfo/analyses/w32blasterg.html
     
Thread Status:
Not open for further replies.