RE: What the heck is this msblast.exe

From: Shaun Merrill (smerrill_at_sapient.com)
Date: 08/12/03

    Date: Mon, 11 Aug 2003 18:36:41 -0400
    To: <Lee_Fisher@NAI.com>, <morris_minchu@iwon.com>, <focus-ms@securityfocus.com>

    Name: W32.Blaster.Worm
    Category: 3
    Virus Definitions: August 11, 2003 (US Pacific Time)
    Type: Worm

    W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability
    using TCP port 135. It will attempt to download and run a file,
    msblast.exe.

    When W32.Blaster.Worm is executed, it will do the following:

    Adds the value:

    "windows auto update"="msblast.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.

    Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability to
    allow the following action to occur on a vulnerable machine:

    the worm to be downloaded and run using the program tftp.

      ----------
    For additional information, visit our website at
    http://securityresponse.symantec.com

    -----Original Message-----
    From: Lee_Fisher@NAI.com [mailto:Lee_Fisher@NAI.com]
    Sent: Monday, August 11, 2003 6:27 PM
    To: morris_minchu@iwon.com; focus-ms@securityfocus.com
    Subject: RE: What the heck is this msblast.exe

    From your description I would imagine it to be the Blaster (we called it
    W32/Lovsan.worm).

    Many posts on forums - We list it as a Medium On Watch alert - other AV
    orgs have a similar classification.

    http://vil.nai.com/vil/content/v_100547.htm

    Lee Fisher
    Solutions Architect
    McAfee Product Management

    -----Original Message-----
    From: Minchu Mo
    To: focus-ms@securityfocus.com
    Sent: 11/08/03 15:00
    Subject: What the heck is this msblast.exe

    The code resides in c:\winnt\system32.

    It somehow changed my registry and pretends to be Windows autoupdate in
    \Localsystem\software\microsoft\window\run, so it can run when I boot the
    machine. Now it's sending out packets to random(?) IPs' endpoint port

    ---------------------------------------------------------------------------
    Your network firewall and IDS products do not prevent Web application
    attacks - the most common form of online exploitation- resulting in Web
    defacement, data theft, sabotage and fraud.
    KaVaDo is the only company that provides a complete suite of Web
    application security products.
    Download a FREE whitepaper on "Security Policy Automation for Web
    Applications":http://www.securityfocus.com/Kavado-focus-ms
    ---------------------------------------------------------------------------
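A defender-side check for the indicators the Symantec write-up quoted above lists (the "windows auto update" Run value, the msblast.exe file in the system32 directory, and outbound traffic to TCP port 135). This is an added example, not code from the original thread or from Symantec or McAfee; it assumes a current PowerShell host where Get-NetTCPConnection is available, and the function name Test-BlasterIndicators is my own.

```powershell
# Added example (not from the original thread). Reports the host-level
# indicators named in the Symantec write-up; it does not remove anything.
function Test-BlasterIndicators {
    $findings = @()

    # 1. Persistence: the Run value named "windows auto update" (value names
    #    are case-insensitive in the registry, so use the property collection).
    $runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $valueName = 'windows auto update'
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$valueName]) {
        $findings += [pscustomobject]@{
            Indicator = 'RunKeyValue'
            Detail    = "$valueName = $($props.$valueName)"
        }
    }

    # 2. Dropped file: msblast.exe under the system directory
    #    (c:\winnt\system32 in the original report; use the live SystemRoot).
    $exePath = Join-Path $env:SystemRoot 'system32\msblast.exe'
    if (Test-Path -Path $exePath) {
        $findings += [pscustomobject]@{ Indicator = 'FileOnDisk'; Detail = $exePath }
    }

    # 3. Running process with the same image name.
    $proc = Get-Process -Name 'msblast' -ErrorAction SilentlyContinue
    if ($proc) {
        $findings += [pscustomobject]@{
            Indicator = 'Process'
            Detail    = ($proc | ForEach-Object { "PID $($_.Id)" }) -join ', '
        }
    }

    # 4. Scanning behaviour: many outbound connections to remote TCP port 135.
    #    Assumption: Get-NetTCPConnection exists (Windows 8 / Server 2012 and later).
    $conns = Get-NetTCPConnection -RemotePort 135 -ErrorAction SilentlyContinue |
             Where-Object { $_.State -in 'SynSent', 'Established' }
    if ($conns) {
        $findings += [pscustomobject]@{
            Indicator = 'OutboundTcp135'
            Detail    = "$(@($conns).Count) connection(s) to remote port 135"
        }
    }

    return $findings
}

$result = Test-BlasterIndicators
if ($result) {
    $result | Format-Table -AutoSize
} else {
    Write-Output 'No Blaster indicators found on this host.'
}
```

Run it from an elevated prompt so the registry and connection table are fully readable; a hit on the Run value alone is enough to justify taking the machine off the network and applying the MS03-026 patch before cleanup, since the worm re-infects unpatched hosts over port 135 regardless of whether the file is removed.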
