- Blaster Worm -  
w32.blaster.worm

also known as W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure], WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]

First Identified: 8-11-03

The blaster worm only affects computers running Windows 2000 or XP (although the same vulnerability could be exploited by similar threats on machines running Windows NT).  

This worm exploits the MS03-026 vulnerability. The purpose of the virus is to spread to as many machines as possible. By exploiting an unpatched hole in Windows, the virus is able to execute without requiring any action on the part of the user. The worm also creates a remote access point, allowing an attacker to run system commands of their choosing.

When run, it scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability on the found systems to create a remote shell on TCP port 4444. It then instructs the system to download the worm to the %WinDir%\system32 directory and execute it. (The target system is issued a TFTP command to download the worm from the infected host system [TFTP, UDP port 69].)

This worm spreads by exploiting a recent vulnerability in Microsoft Windows. The worm scans random ranges of IP addresses on port 135. Discovered systems are targeted. Exploit code is sent to those systems, instructing them to download and execute the file MSBLAST.EXE from a remote system via TFTP. 

The worm contains a payload to initiate a Denial of Service attack against windows update on the 16th through the 31st day of January through August, and any day in September through December. The worm is set to activate its next Distributed Denial of Service attack this Saturday, August 16.

Computers that have up-to-date antivirus software will detect the worm executable upon download. However, unless the system has been patched (MS03-026), it is still susceptible to the buffer overflow attack. This means that the remote shell will still be created on TCP port 4444, and the system may crash unexpectedly upon receiving malformed exploit code.

WORM_MSBLAST.A exploits the RPC DCOM Buffer Overflow, a vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised. The virus payload performs a Distributed Denial of Service (DDoS) attack against windowsupdate.com on the 16th through the 31st day of January through August, and any day in September through December. The worm is set to activate its next Distributed Denial of Service attack this Saturday, August 16.
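The infection chain described above (TCP/135 sweep, shell on TCP/4444, TFTP pull over UDP/69 back to the infected host) can be spotted from connection logs. The following Python script is an added example, not part of the original page; the log format and the sample records are constructed, and the scan threshold is an assumption.

```python
from collections import defaultdict

# Constructed sample connection log (assumed format): "<ts> <proto> <src> <dst> <dport>".
# Host 10.0.0.5 behaves like an infected Blaster host; 10.0.0.9 is benign noise.
SAMPLE_LOG = """\
1 tcp 10.0.0.5 10.0.1.1 135
2 tcp 10.0.0.5 10.0.1.2 135
3 tcp 10.0.0.5 10.0.1.3 135
4 tcp 10.0.0.5 10.0.1.3 4444
5 udp 10.0.1.3 10.0.0.5 69
6 tcp 10.0.0.9 10.0.1.7 80
7 tcp 10.0.0.9 10.0.1.3 135
"""

SCAN_THRESHOLD = 3  # assumed: distinct TCP/135 destinations from one source before it counts as a sweep

def parse_log(text):
    """Parse log lines into (ts, proto, src, dst, dport) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit() or not parts[4].isdigit():
            continue
        ts, proto, src, dst, dport = parts
        records.append((int(ts), proto.lower(), src, dst, int(dport)))
    return sorted(records)  # process in time order

def find_blaster_sources(records):
    """Return {source: {victims}} for sources showing the full chain described in the text:
    TCP/135 sweep, then TCP/4444 to a victim, then UDP/69 (TFTP) from that victim back."""
    scanned = defaultdict(set)   # src -> hosts probed on 135
    shell_time = {}              # (src, victim) -> ts of first 4444 connection
    hits = defaultdict(set)
    for ts, proto, src, dst, dport in records:
        if proto == "tcp" and dport == 135:
            scanned[src].add(dst)
        elif proto == "tcp" and dport == 4444:
            shell_time.setdefault((src, dst), ts)
        elif proto == "udp" and dport == 69:
            # The TFTP request travels victim -> infected host, so swap roles for the lookup
            key = (dst, src)
            if key in shell_time and shell_time[key] < ts and len(scanned[dst]) >= SCAN_THRESHOLD:
                hits[dst].add(src)
    return dict(hits)

if __name__ == "__main__":
    for host, victims in find_blaster_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{host} matches the Blaster propagation pattern; likely victims: {sorted(victims)}")
```

Only a source that completes all three stages is reported, so a lone TCP/135 probe (such as 10.0.0.9 in the sample) does not raise an alert.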

Removal using the W32.Blaster.Worm Removal Tool

Symantec Security Response has developed a removal tool to clean infections of W32.Blaster.Worm. This is the easiest way to remove this threat and should be tried first.

Manual Removal

As an alternative to using the removal tool, you can manually remove this threat.  (Since this can be very confusing and it is dangerous to make changes to your system registry unless you are experienced, I recommend that you contact me at 214-773-7377 to have the virus removed.)

Important Notes: 

W32.Blaster.Worm exploits the DCOM RPC vulnerability. This is described in Microsoft Security Bulletin MS03-026, and a patch is available there. You must download and install the patch. In many cases, you will need to do this before you can continue with the removal instructions. (If you are running Windows XP, you can download the patch from my server by clicking here. If you are running Windows 2000, you will need to obtain the patch from the Microsoft website by clicking here. Be patient, since the Microsoft webserver is being inundated with traffic since this virus was discovered.) If you are not able to remove the infection or prevent re-infection using the following instructions, first download and install the patch.

Because of the way the worm works, it may be difficult to connect to the Internet to obtain the patch, definitions, or removal tool before the worm shuts down the computer. There are at least two known ways to work around this, although neither solution works 100% of the time.

If you run Windows XP, activating the Windows XP firewall may allow you to download and install the patch, obtain virus definitions, and run the removal tool. This may also work with other firewalls, although this has not been confirmed.

In many cases, on both Windows 2000 and XP, changing settings for the Remote Procedure Call (RPC) Service may allow you to connect to the Internet without the computer shutting down. Follow these steps:

a. Do one of the following:
   Windows 2000: Right-click the My Computer icon on the Windows desktop and then click Manage. The Computer Management window opens.
   Windows XP: Click the Start button, right-click the My Computer icon, and click Manage. The Computer Management window opens.

b. In the left pane, double-click Services and Applications and then select Services. A list of services appears.  

c. In the right pane, locate the Remote Procedure Call (RPC) service.

CAUTION: There is also a service named Remote Procedure Call (RPC) Locator. Do not confuse the two.

d. Right-click the Remote Procedure Call (RPC) service and click Properties.
e. Click the Recovery tab.
f. Using the drop-down lists, change First failure, Second failure, and Subsequent failures to "Restart the Service."
g. Click Apply and then OK.

CAUTION: Make sure that you change the following settings back when you have removed the worm!!

1. Disable System Restore (Windows XP).
2. Update the virus definitions. (Click for Norton or McAfee.)
3. End the worm process.
4. Run a full system scan and delete all the files detected as W32.Blaster.Worm.
5. Reverse the changes that the worm made to the registry.

For details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows XP)

If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation.
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455. 

2. Updating the virus definitions (Norton: 

3. Ending the Worm process 
To end the worm process:
a. Press Ctrl+Alt+Delete once. 
b. Click Task Manager. 
c. Click the Processes tab. 
d. Double-click the Image Name column header to alphabetically sort the processes. 
e. Scroll through the list and look for msblast.exe. 
f. If you find the file, click it, and then click End Process. 
g. Exit the Task Manager.

4. Scanning for and deleting the infected files 
a. Start your Symantec antivirus program and make sure that it is configured to scan all the files. 
For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files." 
For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
b. Run a full system scan. 
c. If any files are detected as infected with W32.Blaster.Worm, click Delete.

5. Reversing the changes made to the registry

CAUTION: It is strongly recommended that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only.

a. Click Start, and then click Run. (The Run dialog box appears.) 

b. Type regedit, then click OK. (The Registry Editor opens.)

c. Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

d. In the right pane, delete the value: "windows auto update"="msblast.exe"

e. Exit the Registry Editor.

Reboot your machine.
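After the reboot, the two indicators named in steps 3 and 5 (a running msblast.exe and the "windows auto update" value under the Run key) can be re-checked from a registry export and a process listing. This Python script is an added example, not part of the original page or of any vendor tool; the .reg and tasklist text below are constructed samples, and their layout is assumed.

```python
import re

# Constructed `reg export`-style text of the Run key (assumed layout, not a real capture).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"windows auto update"="msblast.exe"
"SomeVendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"""

# Constructed tasklist-style output (image name is the first column).
SAMPLE_TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
explorer.exe                 1220 Console                 0     16,320 K
msblast.exe                  1684 Console                 0      2,144 K
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
INDICATOR_VALUE = "windows auto update"   # value name the worm adds (from the removal steps)
INDICATOR_FILE = "msblast.exe"            # file the value points at / process to end

def run_key_values(reg_text):
    """Return {name: data} for string values under the Run key in a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'^"(.*?)"="(.*)"$', line)
        if in_key and m:
            values[m.group(1)] = m.group(2)
    return values

def blaster_indicators(reg_text, tasklist_text):
    """Report which of the two indicators from the removal steps are still present."""
    values = run_key_values(reg_text)
    persistence = any(name.lower() == INDICATOR_VALUE or INDICATOR_FILE in data.lower()
                      for name, data in values.items())
    # Skip the two header lines; split()[0] is enough because msblast.exe has no spaces
    processes = {ln.split()[0].lower() for ln in tasklist_text.splitlines()[2:] if ln.split()}
    return {"run_key_entry": persistence, "process_running": INDICATOR_FILE in processes}

if __name__ == "__main__":
    print(blaster_indicators(SAMPLE_REG_EXPORT, SAMPLE_TASKLIST))
```

Both flags should be False once steps 3 through 5 have been completed and the machine rebooted.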

If you need assistance or would like to have me come to your location to remove the virus, call 214-773-7377 or send me an email.

Bobby Kendrick
Kendrick Information Technologies
603 E. Hwy. 67, Suite 103
Duncanville, Tx. 75137
Ph/Fx: 972-223-5146   Mob: 214-773-7377