FRISK Software International


Summary of W32/Msblast.A
Alias: Lovsan, Poza, Blaster
Length: 6176 bytes
Discovered: 11 Aug 2003
Definition files: 11 Aug 2003
Risk Level: High
Distribution: High
Infection Method: W32/Msblast.A scans random IP ranges looking for systems vulnerable to the RPC DCOM buffer overrun vulnerability.

Brief Description
W32/Msblast.A is a worm currently spreading in the wild. When first run on a compromised system, the worm creates the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Key: "Windows auto update"
Value: "msblast.exe"

If the infected system is connected to the Internet, the worm scans random IP addresses for hosts vulnerable to the RPC DCOM buffer overrun vulnerability. When it encounters a vulnerable system it attempts to exploit it; the exploitation routine does not always work and in some cases causes instability on the remote system. If the exploitation succeeds, the worm first spawns a remote shell, then retrieves a copy of itself using the TFTP tool found on every Windows NT 4, 2000 and XP system. That copy is then executed.


Technical Description
W32/Msblast.A is a worm currently spreading in the wild. It is written in C++ and compressed with the UPX executable packer; the packed file is 6176 bytes. After the standard initialization routine, the worm creates the following registry entry to ensure it is run at the next Windows startup:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Key: "Windows auto update"
Value: "msblast.exe"

The worm checks whether it is already running in memory by creating a mutex named 'BILLY'. If this mutex already exists, the worm terminates itself without further action; if no such mutex is present, the worm continues its execution. After initializing Winsock, the worm checks for the presence of a network connection on the system. If a connection is present it starts its scanning procedure; if not, the worm temporarily suspends its execution and periodically repeats this check while it remains in memory.

The first part of the scanning routine consists of generating two pseudo-random integers. The worm then retrieves the hostname of the infected system and its IP address, splits the address up and keeps the first two octets. It performs a couple of comparison tests on the hostname of the local system and on the generated integer, and these affect the scanning procedure later on. Depending on the outcome, the worm either starts the scanning phase from a completely random IP address or uses parts of the infected system's IP address to generate the starting point. After creating a TCP socket, the worm starts scanning IP addresses for vulnerable hosts, performing 20 connection attempts at a time; the IP address from which the scanning routine begins is incremented on each pass. A typical scan by the W32/Msblast.A worm has the following structure:

Source:              Destination:     Protocol:  Info:
Infected system IP   xxx.xxx.xxx.1    TCP        [SourcePort] [destination port=135] [SYN] SequenceNumber Ack=0 Win=16384 Len=0
Infected system IP   xxx.xxx.xxx.2    TCP        [SourcePort] [destination port=135] [SYN] SequenceNumber Ack=0 Win=16384 Len=0
Infected system IP   xxx.xxx.xxx.3    TCP        [SourcePort] [destination port=135] [SYN] SequenceNumber Ack=0 Win=16384 Len=0
Infected system IP   xxx.xxx.xxx.4    TCP        [SourcePort] [destination port=135] [SYN] SequenceNumber Ack=0 Win=16384 Len=0
Infected system IP   xxx.xxx.xxx.5    TCP        [SourcePort] [destination port=135] [SYN] SequenceNumber Ack=0 Win=16384 Len=0


This worm exploits the recent RPC DCOM buffer overrun vulnerability, using a slightly modified version of an exploit released for this same vulnerability some time ago. When a vulnerable host is found, it sends two packets, the second one containing the payload, which if successful spawns a shell on the exploited host on port 4444. The worm incorporates two global offsets used for the exploitation and the resulting payload, one for Windows 2000 and another for Windows XP; depending on the outcome of a semi-random function, either one is used. If the exploitation is not successful, it can cause system instability or a system crash on the remote system. The worm immediately attempts to connect to the remote shell on port 4444 and, if successful, retrieves a copy of itself from the system responsible for the attack by executing a "get" command with the tftp.exe (Trivial File Transfer Protocol) tool located on every Windows NT 4, 2000 and XP system. That copy is then executed through the shell, after which the shell is terminated.

The worm has a built-in denial-of-service (DoS) routine aimed at windowsupdate.com. Whether this function is executed depends on the local system date: if the day of the month is above the 15th, the DoS routine is executed in parallel to the main scanning procedure. Using a raw socket, the worm sends out TCP packets with the SYN flag set (the first step of the three-way handshake required by the TCP protocol) and a spoofed source address, directed at the web server located at windowsupdate.com. This is a classic example of a SYN-flood attack. When performing this routine, the worm keeps the first two octets of the local host's IP address and replaces the last two with random values. The traffic might look like the following, where xxx.xxx are the first two octets of the local system's IP address:

Source:          Destination:               Protocol:  Info:
xxx.xxx.ran.ran  IP-address of the server   TCP        (Source port) http [SYN] SequenceNumber Ack=0 Win=16384 Len=0
xxx.xxx.ran.ran  IP-address of the server   TCP        (Source port) http [SYN] SequenceNumber Ack=0 Win=16384 Len=0
xxx.xxx.ran.ran  IP-address of the server   TCP        (Source port) http [SYN] SequenceNumber Ack=0 Win=16384 Len=0
xxx.xxx.ran.ran  IP-address of the server   TCP        (Source port) http [SYN] SequenceNumber Ack=0 Win=16384 Len=0
xxx.xxx.ran.ran  IP-address of the server   TCP        (Source port) http [SYN] SequenceNumber Ack=0 Win=16384 Len=0

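Both traffic patterns described above (the port-135 sweep over consecutive addresses, 20 attempts at a time, and the SYN flood toward port 80 from spoofed sources sharing the local xxx.xxx prefix) can be picked out of flow records with a few lines of logic. The following Python is an added example, not code from FRISK or from this advisory; the flow records are constructed for the example, and the function names, thresholds and the (src, dst, port, flags) tuple layout are assumptions rather than any real sensor's format.

```python
# Added example (not part of the FRISK advisory): flag the two Msblast.A
# traffic patterns the advisory describes, over constructed flow records.
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed sample flows: (src, dst, dst_port, tcp_flags). Not real captures.
SAMPLE_FLOWS = [
    # one host sweeping TCP/135 across 20 consecutive addresses
    *[("10.1.2.3", f"192.0.2.{i}", 135, "S") for i in range(1, 21)],
    # ordinary traffic that must not be flagged
    ("10.1.2.3", "10.1.2.4", 445, "S"),
    ("10.1.2.9", "198.51.100.7", 80, "S"),
    # SYNs to a web server from addresses whose last two octets are random
    # but whose first two octets match the local network (spoofed sources)
    *[(f"10.1.{a}.{b}", "198.51.100.7", 80, "S")
      for a, b in ((17, 5), (200, 44), (3, 91), (77, 210), (140, 8), (9, 9))],
]


def detect_port135_sweep(flows, min_targets=20):
    """Return sources that sent SYNs to TCP/135 at a run of at least
    min_targets consecutive destination addresses.  The advisory notes the
    worm tries 20 connections at a time and increments the start address,
    so a sweep shows up as a contiguous block of targets from one source."""
    targets = defaultdict(set)
    for src, dst, port, flags in flows:
        if port == 135 and "S" in flags:
            targets[src].add(int(IPv4Address(dst)))
    hits = []
    for src, addrs in targets.items():
        if len(addrs) < min_targets:
            continue
        ordered = sorted(addrs)
        best = run = 1                      # longest run of consecutive addresses
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_targets:
            hits.append(src)
    return sorted(hits)


def detect_spoofed_syn_flood(flows, local_prefix, min_sources=5):
    """Return (dst, distinct_source_count) for destinations receiving port-80
    SYNs from many distinct sources that all share the local 'xxx.xxx' prefix.
    local_prefix is the first two octets of the monitored network, e.g. '10.1'."""
    per_dst = defaultdict(set)
    for src, dst, port, flags in flows:
        if port == 80 and "S" in flags and src.startswith(local_prefix + "."):
            per_dst[dst].add(src)
    return sorted((dst, len(s)) for dst, s in per_dst.items() if len(s) >= min_sources)


if __name__ == "__main__":
    print("port-135 sweep sources:", detect_port135_sweep(SAMPLE_FLOWS))
    print("SYN-flood targets:", detect_spoofed_syn_flood(SAMPLE_FLOWS, "10.1"))
```

The source-count heuristic for the flood is deliberately simple: on a busy /16 it will also count legitimate clients of the same web server, so in practice it should be paired with a check that the SYNs never complete the handshake, which is what distinguishes the spoofed traffic described above.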

A couple of strings inside the worm's body are never displayed to the user:

"I just want to say LOVE YOU SAN!!"
billy gates why do you make this possible ?
Stop making money and fix your software!!


Removal Instructions
First download and apply the patch for this vulnerability. The patch is available from Microsoft's website at:

If this patch is not downloaded and applied before disinfecting an infected machine, the computer will in all likelihood become infected again almost immediately.

After the patch has been downloaded and applied, find a process called 'msblast.exe' using the task manager, and terminate that process.

Then run F-Prot Antivirus, latest version, with the latest virus signature files available.

F-Prot Antivirus will find all files containing W32/Msblast.A and delete them, if set to delete suspicious files.

The last step is to delete this registry value:

'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update'

from the registry using the 'regedit' program in Windows.
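The removal steps above can be scripted as a host triage that checks the two indicators the advisory names (the "Windows auto update" value under the Run key and a running msblast.exe process) and orders the cleanup the same way, refusing to proceed until the patch is in place. The following Python is an added example, not code from FRISK or from this advisory. The registry path, value name and image name come from the advisory; the `--patched` flag, the function names and the helpers that read the Run key through winreg and list processes with tasklist are assumptions, and on non-Windows systems those helpers return empty lists so the decision logic can still be exercised.

```python
# Added example (not part of the FRISK advisory): triage the host indicators
# given in the advisory and lay out the removal steps in its prescribed order.
import sys

# Indicators taken from the advisory text.
RUN_KEY_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "windows auto update"   # registry value names are case-insensitive
WORM_IMAGE = "msblast.exe"


def _image_name(data):
    """File name from a bare image name or a full path, either slash style."""
    return str(data).replace("/", "\\").split("\\")[-1].strip('"').lower()


def find_run_indicator(run_entries):
    """run_entries: iterable of (value_name, data) pairs read from the Run key.
    Returns the matching (name, data) pair, or None."""
    for name, data in run_entries:
        if name.lower() == RUN_VALUE_NAME and _image_name(data) == WORM_IMAGE:
            return (name, data)
    return None


def find_process_indicator(process_names):
    """Process image names matching the worm's executable (case-insensitive)."""
    return [p for p in process_names if p.lower() == WORM_IMAGE]


def removal_plan(run_hit, proc_hits, patched):
    """Ordered steps mirroring the advisory.  Nothing is cleaned until the
    RPC DCOM patch is applied, since an unpatched host is re-infected
    almost immediately."""
    if not patched:
        return ["apply the Microsoft RPC DCOM patch before any cleanup"]
    steps = []
    if proc_hits:
        steps.append("terminate process msblast.exe in Task Manager")
    steps.append("run F-Prot Antivirus with the latest signatures, set to delete infected files")
    if run_hit:
        steps.append(f"delete registry value HKLM\\{RUN_KEY_PATH}\\{run_hit[0]}")
    return steps


def read_run_key_windows():
    """Enumerate values of the HKLM Run key on Windows only; elsewhere []."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:          # no more values
                break
            entries.append((name, data))
            i += 1
    return entries


def list_processes_windows():
    """Image names from 'tasklist /FO CSV /NH' on Windows only; elsewhere []."""
    if sys.platform != "win32":
        return []
    import csv
    import subprocess
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=False).stdout
    return [row[0] for row in csv.reader(out.splitlines()) if row]


if __name__ == "__main__":
    # Hypothetical flag: the operator confirms the patch has been applied.
    patched = "--patched" in sys.argv
    run_hit = find_run_indicator(read_run_key_windows())
    proc_hits = find_process_indicator(list_processes_windows())
    print("Run key indicator:", run_hit)
    print("process indicator:", proc_hits)
    for step in removal_plan(run_hit, proc_hits, patched):
        print("-", step)
```

The value-name comparison is case-insensitive on purpose: the advisory itself spells the value both as "Windows auto update" and "windows auto update", and the registry treats the two identically.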


Analysis / Description: Sindri Bjarnason - Virus analyst FRISK Software International