Re: Blasting Blaster.Worm (aka LovSan Virus)

From: iDaemon Security (security_at_securedaemon.net)
Date: 08/13/03

    To: Alavan <alavan@pangeatech.com>
    Date: 12 Aug 2003 20:30:52 -0600


    It is very well described in the Symantec Alerts we get.

    Here is a brief description of how it infects:

    1. worm finds host vulnerable to DCOM RPC exploit, attacks on 135/TCP
    (and UDP... it is safe to assume that traffic will use TCP and/or UDP,
    so please assume UDP is implied for the rest of my comments)
    2. worm causes buffer overflow, yielding a shell on 4444/TCP which
    initiates outbound tftp to the host it was infected from, downloading
    msblaster.exe and dropping it on the newly infected host which is
    rebooted so that msblaster.exe is run on startup
    3. msblaster.exe propagates outbound and listens on 69/TCP (which is
    tftp in case you don't have an /etc/services handy), infecting more
    hosts and serving out msblaster.exe via tftp

    Log/sniff/block 135/TCP, 4444/TCP (which is the port used by krb524, a
    Kerberos migration service), and 69/TCP.

    Regards,

    Chris

    On Tue, 2003-08-12 at 13:40, Alavan wrote:
    > All,
    >
    > We're a small ISP providing T-1 access to residents of apartment
    > communities. Several of our communities have been hit hard by this recent
    > worm. Trying to identify who's infected is difficult. We've tried logging
    > UDP, TCP and IP in general, but there's nothing telling getting logged.
    > Reports indicate that the Virus will try a DDOS on Microsoft's Windows
    > Update site on 8/16/03, but we saw 1500 small packets per second leaving a
    > site and couldn't log them via the Cisco router using the above method. I
    > assumed they were destined for MS. After the flood stopped (some unknown
    > reason), we traced the flood to a customer using usage stats on our
    > switches throughout the property.
    >
    > Turns out that the customer was infected with Blaster.Worm (lovsan). So, it
    > sure seems that it's doing more than initially indicated.
    >
    > Does anyone know exactly what protocol is being used by this
    > "msblaster.exe" or this other shell program created? Any easy way to sniff
    > and log via our Cisco router?
    >
    > Any advice would help. We've currently got another property with 1352
    > packets/second leaving a T-1 serial interface that only at 128/255, or
    > half-used. We never see that kind of pps.
    >
    > Thanks in advance.
    >
    > Alavan
    >
    >

    -- 
    iDaemon Security <security@securedaemon.net>
    Securedaemon.net
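Chris's three-step description (135/TCP probe, 4444/TCP shell, tftp fetch back to the infecting host) and the "log 135, 4444 and 69" advice can be turned into a correlation check that answers Alavan's original question of which customer is infected. The script below is an added example written for this archive page; it is not code from either poster. It assumes a simple whitespace-separated "timestamp src dst proto dport" layout that you would produce from your own router logs or sniffer output, and the sample lines embedded in it are constructed, not real captures. A host is reported as infected only when the full chain completes in order, so a lone hit on 4444/TCP (which the mail notes is also used by krb524) is not enough on its own; separately, any host probing 135 on many distinct destinations is flagged as a scanner, which matches the high packet rates Alavan saw leaving a property.

```python
"""Correlate per-flow log lines into the Blaster infection chain and
report scanning hosts. Added example with an assumed log layout and
constructed sample data (not real router output)."""
from collections import defaultdict

# Constructed sample lines in the assumed layout "ts src dst proto dport".
# 10.1.2.50 is already infected; it hits 10.1.3.7 on 135 then 4444, 10.1.3.7
# pulls msblaster.exe back over tftp and then starts scanning 135 itself.
# 10.1.4.4 touches 4444 without a prior 135 hit and must NOT be flagged.
SAMPLE_LOG = """\
2003-08-12T13:40:01 10.1.2.50 10.1.3.7 tcp 135
2003-08-12T13:40:02 10.1.2.50 10.1.3.7 tcp 4444
2003-08-12T13:40:03 10.1.3.7 10.1.2.50 udp 69
2003-08-12T13:40:10 10.1.3.7 10.1.3.8 tcp 135
2003-08-12T13:40:10 10.1.3.7 10.1.3.9 tcp 135
2003-08-12T13:40:11 10.1.3.7 10.1.3.10 tcp 135
2003-08-12T13:40:11 10.1.3.7 10.1.3.11 tcp 135
2003-08-12T13:40:12 10.1.3.7 10.1.3.12 tcp 135
2003-08-12T13:40:30 10.1.4.4 10.1.3.20 tcp 80
2003-08-12T13:40:31 10.1.4.4 10.1.3.20 tcp 4444
"""


def parse_log(text):
    """Parse the assumed 5-field layout; malformed lines are skipped.
    Records are sorted by timestamp so the chain check sees them in order."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, dport = parts
        records.append({"ts": ts, "src": src, "dst": dst,
                        "proto": proto.lower(), "dport": int(dport)})
    records.sort(key=lambda r: r["ts"])
    return records


def find_infection_chains(records):
    """Return (attacker, victim) pairs that completed all three steps in order:
    135 from attacker, then 4444/TCP from attacker, then tftp (69) from the
    victim back to the attacker. Steps out of order do not advance the chain."""
    stage = defaultdict(int)  # (attacker, victim) -> highest step reached
    chains = []
    for r in records:
        pair = (r["src"], r["dst"])
        if r["dport"] == 135 and r["proto"] in ("tcp", "udp"):
            stage[pair] = max(stage[pair], 1)
        elif r["dport"] == 4444 and r["proto"] == "tcp" and stage[pair] == 1:
            stage[pair] = 2
        elif r["dport"] == 69:
            # tftp runs the other way: the new victim pulls from the attacker
            back = (r["dst"], r["src"])
            if stage[back] == 2:
                stage[back] = 3
                chains.append(back)
    return chains


def find_scanners(records, min_targets=5):
    """Hosts that probed port 135 on at least min_targets distinct destinations."""
    targets = defaultdict(set)
    for r in records:
        if r["dport"] == 135:
            targets[r["src"]].add(r["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def triage(text, min_targets=5):
    """Run both checks and return everything a NOC would act on."""
    records = parse_log(text)
    chains = find_infection_chains(records)
    scanners = find_scanners(records, min_targets)
    suspected = {a for a, _ in chains} | {v for _, v in chains} | set(scanners)
    return {"chains": chains, "scanners": scanners,
            "suspected_infected": sorted(suspected)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for attacker, victim in result["chains"]:
        print(f"infection chain: {attacker} -> {victim} (tftp fetch completed)")
    for host, n in result["scanners"].items():
        print(f"scanner: {host} probed 135 on {n} hosts")
    print("suspected infected:", ", ".join(result["suspected_infected"]))
```

The chain detector is deliberately strict about ordering so that one noisy port is not enough to accuse a customer; the scanner count is what catches a box that was infected before you started logging, since its own 135 probing is visible even when its tftp fetch was not. Lower `min_targets` on a small segment, raise it where legitimate RPC traffic to 135 is common.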
    
