FRISK Software International


Summary of W32/Msblast.C
Alias: Lovsan, Poza, Blaster
Length: 7,200 bytes
Discovered: 13 Aug 2003
Definition files: 13 Aug 2003
Risk Level: Low
Distribution: Low
Infection Method: W32/Msblast.C scans randomly chosen IP ranges for systems that are vulnerable to the RPC DCOM buffer overrun vulnerability.
 

Technical Description
W32/Msblast.C is the latest variant of the W32/Msblast worm currently spreading in the wild. The C variant functions identically to the A variant. It is packed with the UPX executable compressor and is 7,200 bytes long. The only modification is that it now spreads under the name penis32.exe. This is reflected in the name of the infected file, the name of the running process once it has successfully infected a machine, and the data of the registry value it creates when executed:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Value: "windows auto update"
Data: "penis32.exe"

This worm creates a mutex with the same name as the A variant, 'BILLY'. On a system infected with both the A and C variants, only one of them runs at any given time, because the second instance finds the mutex already held.
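The scanning behaviour described in the summary (randomly chosen IP ranges probed for the RPC DCOM flaw) is usually the first sign of an infection on a network. The following Python detector is an added example and is not part of the FRISK description: it counts, per source address, the distinct hosts contacted on TCP/135 (the RPC endpoint mapper port through which the RPC DCOM vulnerability is reached; the page itself does not name the port) and flags sources above a threshold. The log format, the threshold and the addresses are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# TCP port of the Windows RPC endpoint mapper, where the RPC DCOM flaw is reached.
RPC_DCOM_PORT = 135

# Field pattern for the assumed log format:
#   <time> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port> action=<allow|block>
LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def build_sample_log():
    """Constructed sample firewall lines (not from the page): one host sweeping
    25 addresses on TCP/135 plus a benign host using RPC normally."""
    lines = []
    for i in range(25):
        lines.append(
            f"12:00:{i:02d} src=10.0.0.7 dst=198.51.100.{i + 1} "
            f"proto=tcp dport={RPC_DCOM_PORT} action=block"
        )
    # Benign host: RPC to two internal servers, some web traffic, one UDP/135 packet
    lines.append("12:00:30 src=10.0.0.9 dst=10.0.0.1 proto=tcp dport=135 action=allow")
    lines.append("12:00:31 src=10.0.0.9 dst=10.0.0.2 proto=tcp dport=135 action=allow")
    lines.append("12:00:32 src=10.0.0.9 dst=203.0.113.80 proto=tcp dport=80 action=allow")
    lines.append("12:00:33 src=10.0.0.9 dst=10.0.0.1 proto=udp dport=135 action=allow")
    return "\n".join(lines)


def find_scanners(log_text, threshold=20):
    """Map each source address to the number of distinct hosts it contacted on
    TCP/135, keeping only sources at or above the threshold. A host talking to
    a handful of servers is normal; one touching dozens of unrelated addresses
    is sweeping for the RPC DCOM vulnerability."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # unparsable line: skipped rather than guessed at
        if m["proto"] != "tcp" or int(m["dport"]) != RPC_DCOM_PORT:
            continue
        targets[m["src"]].add(m["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, n in find_scanners(build_sample_log()).items():
        print(f"{src} contacted {n} distinct hosts on TCP/{RPC_DCOM_PORT}")
```

The threshold is the tunable part: blocked outbound TCP/135 to many distinct external addresses from one workstation is hard to explain benignly, so in practice the threshold can be set low for external destinations and higher for internal ones.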


Removal Instructions
First, download and apply the Microsoft patch for the RPC DCOM vulnerability. The patch is available from Microsoft's website at:

If this patch is not downloaded and applied before disinfecting an infected machine, the computer will in all likelihood be reinfected almost immediately, since other infected hosts keep scanning for unpatched systems.

After the patch has been downloaded and applied, use Task Manager to find the process named 'penis32.exe' and terminate it.

Then run F-Prot Antivirus, latest version, with the latest virus signature files available.

F-Prot Antivirus will find all files containing W32/Msblast.C and delete them if its action for infected files is set to delete.

The last step is to delete this registry value:

'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update'

from the registry using the 'regedit' program in Windows.
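The removal steps above as one script, added here as an example and not taken from the FRISK page: it checks for the BILLY mutex, terminates penis32.exe, removes the Run value only when its data is the worm's file name, and moves the image file aside so the F-Prot scan still has a sample. The process, value and mutex names come from the description above; the quarantine directory name is an assumption. It is meant for an elevated PowerShell session and assumes the Microsoft patch has already been applied, as the page requires.

```powershell
# Added example (not from the FRISK page): post-patch cleanup and verification for W32/Msblast.C.
# Run elevated, AFTER the Microsoft patch for the RPC DCOM flaw is installed.
$ProcessName = 'penis32'                 # process name without .exe
$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName   = 'windows auto update'
$MutexName   = 'BILLY'
$Quarantine  = Join-Path $env:SystemRoot 'msblast_quarantine'   # assumed location

# 1. Mutex check: the A and C variants both create a mutex named BILLY, so an open
#    handle means one of them is running (the variant is not distinguished here).
try {
    $m = [System.Threading.Mutex]::OpenExisting($MutexName)
    $m.Dispose()
    Write-Host "Mutex '$MutexName' exists: an Msblast variant is running."
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    Write-Host "Mutex '$MutexName' not present."
} catch [System.UnauthorizedAccessException] {
    Write-Warning "Mutex '$MutexName' exists but could not be opened; treat as infected."
}

# 2. Terminate the worm process. The page gives only the file name, so the directory
#    of the dropped file is read from the running process rather than assumed.
$imagePaths = @()
$proc = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if ($proc) {
    $imagePaths = @($proc | ForEach-Object { $_.Path } | Where-Object { $_ } | Sort-Object -Unique)
    $proc | Stop-Process -Force
    Write-Host "Terminated $ProcessName.exe ($(@($proc).Count) instance(s))."
} else {
    Write-Host "No $ProcessName.exe process found."
}

# 3. Remove the Run value, but only if its data is the worm's file name, so an
#    unrelated value that happens to share the name is left for manual review.
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$ValueName]) {
    $data = $run.$ValueName
    if ($data -like '*penis32.exe*') {
        Remove-ItemProperty -Path $RunKey -Name $ValueName
        Write-Host "Removed Run value '$ValueName' (data: $data)."
    } else {
        Write-Warning "Run value '$ValueName' present but data is '$data'; left in place."
    }
} else {
    Write-Host "Run value '$ValueName' not present."
}

# 4. Move the dropped file(s) aside instead of deleting them outright, so a sample
#    survives. The F-Prot scan with current definitions is still run afterwards.
foreach ($p in $imagePaths) {
    if (Test-Path -LiteralPath $p) {
        New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
        $dest = Join-Path $Quarantine ([IO.Path]::GetFileName($p) + '.quarantined')
        Move-Item -LiteralPath $p -Destination $dest -Force
        Write-Host "Moved $p to $dest."
    }
}
```

Re-running the script after the F-Prot scan is a cheap verification: all three checks (mutex absent, no process, no Run value) should report clean, and if the mutex reappears the machine is being reinfected, which almost always means the patch was not actually applied.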


Analysis / Description: Sindri Bjarnason - Virus analyst FRISK Software International