Re: Blasting Blaster.Worm (aka LovSan Virus)

From: Lloyd Taylor (
Date: 08/13/03

  • Next message: "Re: DCOM worm analysis report: W32.Blaster.Worm"
    Date: Tue, 12 Aug 2003 20:51:36 -0700 (PDT)
    To: Alavan <>

    Check the clock on the affected user's computer. If it's set in the future,
    the worm may well have triggered, thinking that August 16th was already

    Also check for other malware. Since 135 was open, it's quite likely that
    the computer is vulnerable to other sploits.

    As previously suggested in this forum, please read the Symantec
    analysis at

    To inhibit propagation of the worm to/from your network, block the
    following ports at (at least) all of your border routers (in/out),
    and preferrably (to inhibit infection within your netowkr) on your
    interior routers as well:

     * Close port 135/tcp (and if possible 135-139, 445 and 593)
     * Monitor TCP Port 4444 and UDP Port 69 (tftp) which are used by the worm
       for activity related to this worm.

    More details are available from the CERT advisory at:


    --Lloyd Taylor
      VP Technology & Operations
      Keynote Systems

    On Tue, 12 Aug 2003, Alavan wrote:

    > Date: Tue, 12 Aug 2003 12:40:43 -0700
    > From: Alavan <>
    > To:
    > Subject: Blasting Blaster.Worm (aka LovSan Virus)
    > All,
    > We're a small ISP providing T-1 access to residents of apartment
    > communities. Several of our communities have been hit hard by this recent
    > worm. Trying to identify who's infected is difficult. We've tried logging
    > UDP, TCP and IP in general, but there's nothing telling getting logged.
    > Reports indicate that the Virus will try a DDOS on Microsoft's Windows
    > Update site on 8/16/03, but we saw 1500 small packets per second leaving a
    > site and couldn't log them via the Cisco router using the above method. I
    > assumed they were destined for MS. After the flood stopped (some unknown
    > reason), we traced the flood to a customer using usage stats on our
    > switches throughout the property.
    > Turns out that the customer was infected with Blaster.Worm (lovsan). So, it
    > sure seems that it's doing more than initially indicated.
    > Does anyone know exactly what protocol is being used by this
    > "msblaster.exe" or this other shell program created? Any easy way to sniff
    > and log via our Cisco router?
    > Any advice would help. We've currently got another property with 1352
    > packets/second leaving a T-1 serial interface that only at 128/255, or
    > half-used. We never see that kind of pps.
    > Thanks in advance.
    > Alavan
    > ---------------------------------------------------------------------------
    > ----------------------------------------------------------------------------


  • Next message: "Re: DCOM worm analysis report: W32.Blaster.Worm"

    Relevant Pages

    • Re: My Doom Creators - incomprehensible
      ... your project is not a target; a worm has ... Usenet newsgroup using what appears to be a valid email address. ... e-mail for virus infection. ... the worm can harvest a lot of e-mail addresses to send itself to. ...
    • Re: Sophisticated Bogus Microsoft Patch SPAM
      ... Below is a description of the 'swen' worm and its effects. ... e-mail for virus infection. ... I must empty my mailbox every 5 minutes, ... ISP; send them this URL ...
    • Re: Watch out for this
      ... The 'swen' worm and its effects, ... there is not much you can do to stop the flood. ... e-mail for virus infection. ... You can use a remote virus scan from one of the antivirus program ...
    • Re: Reducing Spam Associated with Posting to Newsgroups
      ... The flood of e-mail is being generated by the 'swen' worm. ... e-mail for virus infection. ... other active newsgroups .) ...
    • Re: Mailbox is full
      ... The flood of e-mail is being generated by the 'swen' worm. ... Only your ISP can stop the flood of 'swen' generated e-mail; ... e-mail for virus infection. ...