
Updated: 29 August 2003

Recommended reactions for all the W32/Msblast variants

Update F-Prot Antivirus

Computer users who have still not updated their operating systems are urged to do so immediately. Users of F-Prot Antivirus should also update their F-Prot Antivirus to the latest version, update their virus signature files and scan their machines.

Patch Microsoft Windows

Download and apply the patch against this vulnerability, published by Microsoft on 16 July. The patch is available from Microsoft's website:

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

If this patch is not downloaded and applied before disinfecting an infected machine, the computer will in all likelihood be re-infected almost immediately.

Scan the Computer

After the patch has been downloaded and applied, physically disconnect the computer from the network. Then use the Task Manager to find and terminate the worm process. Known variants run as "msblast.exe", "teekids.exe", and "penis32.exe".

  1. Open the Task Manager by pressing Ctrl-Alt-Delete and selecting "Task Manager".
  2. Select "Processes".
  3. Select "msblast.exe", click the "End Process" button, and answer "Yes" to the warning dialogue.
  4. Repeat step 3 for "teekids.exe" and "penis32.exe".

Run the latest version of F-Prot Antivirus with the latest virus signature files available.

F-Prot Antivirus will find all files containing W32/Msblast.A, W32/Msblast.B, W32/Msblast.C and W32/Msblast.D and delete them, if set to delete suspicious files.

The last step is to delete this registry value:

'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update'

from the registry using the 'regedit' program in Windows.
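
The manual process and registry steps above can also be scripted. The following is an added example, not part of the original advisory or of F-Prot Antivirus; it assumes PowerShell is installed on the machine and is run from an administrator session, and it uses only the process names and the Run value name listed on this page.

```powershell
# Added example: scripted form of the manual cleanup steps in this advisory.
# Assumes an elevated PowerShell session on the already patched, disconnected machine.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Process names from the advisory (Get-Process expects them without ".exe").
$wormProcesses = 'msblast', 'teekids', 'penis32'
# Autostart value from the advisory.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'windows auto update'

# Task Manager steps: find and terminate any running worm process.
$running = @(Get-Process -Name $wormProcesses -ErrorAction SilentlyContinue)
foreach ($proc in $running) {
    Write-Output ("Found worm process {0}.exe (PID {1})" -f $proc.ProcessName, $proc.Id)
    if ($PSCmdlet.ShouldProcess("$($proc.ProcessName) (PID $($proc.Id))", 'Stop-Process')) {
        Stop-Process -Id $proc.Id -Force
    }
}
if ($running.Count -eq 0) {
    Write-Output 'No known worm process is running.'
}

# Last step: report the autostart value and what it points to, then delete it.
$entry = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($null -ne $entry) {
    Write-Output ("Run value '{0}' is present, data: {1}" -f $runValue, $entry.$runValue)
    if ($PSCmdlet.ShouldProcess("$runKey\$runValue", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $runKey -Name $runValue
    }
} else {
    Write-Output "Run value '$runValue' is not present."
}
```

Running the script with -WhatIf reports what it finds without terminating or deleting anything. It does not replace the antivirus scan, which is what removes the worm files themselves.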

Install a Firewall

A firewall will increase your protection against outside threats such as the Msblast worms. For more information on the firewalls built into Windows XP Home, Windows XP Professional and Windows 2003 Server, as well as on appropriate firewalls for other Windows systems, please visit Microsoft.

For information on firewalls please visit our support center.


A new W32/Msblast variant: W32/Msblast.E

29 August 2003

W32/Msblast.E
Alias: Lovsan, Poza, Blaster

Yet another variant of Msblast, W32/Msblast.E, was discovered on 29 August 2003. Its behaviour is almost identical to that of its predecessors.

Threat Description

This latest variant scans for machines with port 135 open, like the original A variant. If such a port is found open, it uses the same exploit to obtain access to the vulnerable machine.

Threat Detection

F-Prot Antivirus detects W32/Msblast.E with the latest virus signature files.


A new W32/Msblast variant: W32/Msblast.D

18 August 2003

W32/Msblast.D
Alias: Lovsan, Poza, Blaster

A new Msblast variant, W32/Msblast.D, was discovered on 18 August 2003. It appears to behave in a similar fashion to the other variants, using the same RPC vulnerability.

Threat Description

This latest variant scans for machines with port 135 open, like the original A variant. If such a port is found open, it uses the same exploit to obtain access to the vulnerable machine.

For further information, please read the technical description of W32/Msblast.D.

Threat Detection

F-Prot Antivirus detects W32/Msblast.D with the latest virus signature files.


New W32/Msblast variants: W32/Msblast.B and W32/Msblast.C

13 August 2003

W32/Msblast.B, W32/Msblast.C
Alias: Lovsan, Poza, Blaster

New Msblast variants, W32/Msblast.B and W32/Msblast.C, have started spreading in the wild.

These variants use the same vulnerability as their predecessor. Users that have already updated their Windows operating system with the patch available from Microsoft's website are therefore not vulnerable to these new variants of the Msblast RPC-worm.

Threat Description

Both of these new variants scan for machines with port 135 open, like the original A variant. If such a port is found open, Msblast.B and Msblast.C use the same exploit to obtain access to the vulnerable machine.

For further information, please read the technical description of W32/Msblast.B and W32/Msblast.C.

Threat Detection

F-Prot Antivirus detects W32/Msblast.B and W32/Msblast.C with the latest virus signature files and prevents both worms from running and infecting a vulnerable machine.


W32/Msblast.A

11 August 2003

W32/Msblast.A
Alias: Lovsan, Poza, Blaster

W32/Msblast.A is a new RPC-worm that started spreading on the evening of 11 August.

It appears that the worm exploits a month-old vulnerability in the Windows operating system to aid its distribution. The vulnerability, described in Microsoft Security Bulletin MS03-026, enables the worm to start a remote shell account on a vulnerable machine.

Threat Description

The worm scans for machines with port 135 open. If such a port is found open, Msblast.A uses the exploit to obtain access to the vulnerable machine. The worm body contains these strings:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? 
Stop making money and fix your software!!

For further information, please read the technical description of W32/Msblast.A.

Threat Detection

F-Prot Antivirus detects W32/Msblast.A with the latest virus signature files and prevents it from running and infecting a vulnerable machine.

Commtouch® is a leading developer of anti virus software and anti spam filtering services. Commtouch's anti virus computer software, F-PROT Antivirus, is available for a number of operating systems such as Windows, Linux, BSD, Solaris, and AIX as well as the Microsoft Exchange groupware.
