Greeno
Posts: 277 +0
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.b.worm.html
Added yesterday..
When W32.Blaster.Worm is executed, it does the following:
Creates a Mutex named "BILLY." If the mutex exists, the worm will exit.
Adds the value:
"windows auto update"="penis32.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
Generates an IP address and attempts to infect the computer that has that address. The IP address is generated according to the following algorithms:
For 40% of the time, the generated IP address is of the form A.B.C.0, where A and B are equal to the first two parts of the infected computer's IP address.
C is also calculated by the third part of the infected system's IP address; however, for 40% of the time the worm checks if C is greater than 20. If so, a random value less than 20 is subtracted from C. Once the IP address is calculated, the worm will attempt to find and exploit a computer with the IP address A.B.C.0.
The worm will then increment the 0 part of the IP address by 1, attempting to find and exploit other computers based on the new IP address, until it reaches 254.
With a probability of 60%, the generated IP address is completely random.
Sends data on TCP port 135, which may exploit the DCOM RPC vulnerability. The worm sends one of two types of data: either to exploit Windows XP or Windows 2000. For 80% of the time, Windows XP data will be sent; and for 20% of the time the Windows 2000 data will be sent.
Notes:
The local subnet will become saturated with port 135 requests.
Due to the random nature of how the worm constructs the exploit data, this may cause computers to crash if it sends incorrect data.
While W32.Blaster.Worm cannot spread to the Windows NT or Windows 2003 server, unpatched computers running these operating systems may crash as a result of the worm's attempts to exploit them. However, if the worm is manually placed and executed on a computer that is running these operating systems, it can run and spread.
Uses Cmd.exe to create a hidden remote shell process that will listen on TCP port 4444, allowing an attacker to issue remote commands on an infected system.
Listens on UDP port 69. When the worm receives a request from a computer to which it was able to connect using the DCOM RPC exploit, it will send msblast.exe to that computer and tell it to execute the worm.
If the current month is after August, or if the current date is after the 15th, the worm will perform a Denial of Service (DoS) on Windows Update. The worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.
Beta definitions with a sequence number of 24289 or higher will detect this threat.
and :-
From the Inq
"KASPERSKY LABS claimed this afternoon that there's already a new version of the Blaster/Lovesan worm on the loose.
And it says that's likely to mean a repeat of the outbreak we've seen during this week. The new variety of Lovesan/Blaster exploits the same vulnerability.
Kaspersky says that the number of infected systems is around the 300,000 mark, and the new variety may double this number.
"In the worst case, the world community can face a global Internet slow down and regional disruption... to the World Wide Web," said Eugene Kaspersky, head of the labs.
The new variety uses the name TEEKIDS.EXE instead of MSBLAST.EXE, different code compression, and different signatures in the body of the worm. "
Added yesterday..
When W32.Blaster.Worm is executed, it does the following:
Creates a Mutex named "BILLY." If the mutex exists, the worm will exit.
Adds the value:
"windows auto update"="penis32.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
Generates an IP address and attempts to infect the computer that has that address. The IP address is generated according to the following algorithms:
For 40% of the time, the generated IP address is of the form A.B.C.0, where A and B are equal to the first two parts of the infected computer's IP address.
C is also calculated by the third part of the infected system's IP address; however, for 40% of the time the worm checks if C is greater than 20. If so, a random value less than 20 is subtracted from C. Once the IP address is calculated, the worm will attempt to find and exploit a computer with the IP address A.B.C.0.
The worm will then increment the 0 part of the IP address by 1, attempting to find and exploit other computers based on the new IP address, until it reaches 254.
With a probability of 60%, the generated IP address is completely random.
Sends data on TCP port 135, which may exploit the DCOM RPC vulnerability. The worm sends one of two types of data: either to exploit Windows XP or Windows 2000. For 80% of the time, Windows XP data will be sent; and for 20% of the time the Windows 2000 data will be sent.
Notes:
The local subnet will become saturated with port 135 requests.
Due to the random nature of how the worm constructs the exploit data, this may cause computers to crash if it sends incorrect data.
While W32.Blaster.Worm cannot spread to the Windows NT or Windows 2003 server, unpatched computers running these operating systems may crash as a result of the worm's attempts to exploit them. However, if the worm is manually placed and executed on a computer that is running these operating systems, it can run and spread.
Uses Cmd.exe to create a hidden remote shell process that will listen on TCP port 4444, allowing an attacker to issue remote commands on an infected system.
Listens on UDP port 69. When the worm receives a request from a computer to which it was able to connect using the DCOM RPC exploit, it will send msblast.exe to that computer and tell it to execute the worm.
If the current month is after August, or if the current date is after the 15th, the worm will perform a Denial of Service (DoS) on Windows Update. The worm will activate the DoS attack on the 16th of this month, and continue until the end of the year.
Beta definitions with a sequence number of 24289 or higher will detect this threat.
and :-
From the Inq
"KASPERSKY LABS claimed this afternoon that there's already a new version of the Blaster/Lovesan worm on the loose.
And it says that's likely to mean a repeat of the outbreak we've seen during this week. The new variety of Lovesan/Blaster exploits the same vulnerability.
Kaspersky says that the number of infected systems is around the 300,000 mark, and the new variety may double this number.
"In the worst case, the world community can face a global Internet slow down and regional disruption... to the World Wide Web," said Eugene Kaspersky, head of the labs.
The new variety uses the name TEEKIDS.EXE instead of MSBLAST.EXE, different code compression, and different signatures in the body of the worm. "
