Full
Name: |
Blaster Worm |
| Type: |
Worm |
| Also Known As: |
W32.Blaster.Worm
Msblast.A
W32/Msblast.D
Worm.Win32.Lovesan
W32.Blaster.D.Worm
Lovsan worm
Lovsan.D |
| Danger Level: |
8 |
| Category Description: |
Virus-like program that spreads automatically to other computers by sending itself out by email or by any other means. A program that propagates itself by attacking other machines and copying itself to the affected machine.
Worms have self-replicating code that travels from machine to machine by various means. A worms first objective is merely propagation. Worms can be destructive depending on what payload they have been given. Worms may replace files, but do not insert themselves into files. |
| Comment: |
W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and then execute it.
Recent updates to the variants will download the file called MSPATCH.EXE instead of MSBLAST.EXE
Block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the applications listed:
TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"
The worm also attempts to perform a Denial of Service (DoS) on the Microsoft Windows Update Web server (www.windowsupdate.com). This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.
|
| |
|
| Properties: |
|
| Manual Removal: |
- Make sure your PC has the latest patches!
- Get this program:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html |
