Summary of W32/Msblast.A
| Alias: | Lovsan, Poza, Blaster |
| Length: | 6176 bytes |
| Discovered: | 11 Aug 2003 |
| Definition files: | 11 Aug 2003 |
| Risk Level: | High |
| Distribution: | High |
| Infection Method: | W32/Msblast.A scans IP ranges in a random fashion, looking for systems vulnerable to the RPC DCOM buffer overrun vulnerability. |
| Brief Description |
W32/Msblast.A is a worm currently spreading in the wild. When first run on a compromised system, the worm creates the following registry value so that it is started again at every Windows startup:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Value name: "Windows auto update"
Data: "msblast.exe"
If the infected system is connected to the Internet, the worm scans random IP addresses for hosts listening on TCP port 135 and attempts to exploit the RPC DCOM buffer overrun vulnerability on each one. The exploitation routine does not always work and in some cases leaves the remote system unstable. When exploitation succeeds, the worm first spawns a remote shell, then uses it to retrieve a copy of itself with the TFTP client (tftp.exe) found on every Windows NT 4, 2000 and XP system, and finally executes that copy. |
| Technical Description |
W32/Msblast.A is a worm currently spreading in the wild. It is written in C++ and compressed with the UPX executable packer; the packed file is 6176 bytes. After the standard initialization routine, the worm creates the following registry value to ensure it is run on the next Windows startup:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Value name: "Windows auto update"
Data: "msblast.exe"
The worm then checks whether it is already running in memory by creating a mutex named 'BILLY'. If this mutex already exists the worm terminates itself without further action; if no such mutex is present it continues its execution. (This fixed mutex name can be used as a host-side infection marker.) After initializing Winsock, the worm checks for the presence of a network connection on the system. If a connection is present it starts its scanning procedure; if not, the worm temporarily suspends its execution but repeats this check periodically while it remains in memory.
The first part of the scanning routine generates two pseudo-random integers. The worm then retrieves the hostname of the infected system and from it the system's IP address, which it splits up to obtain the first two octets. It performs a couple of comparison tests, involving both the hostname of the local system and the generated integers, whose outcome decides how the scan is seeded: the worm either starts scanning from a completely random IP address or builds the starting address from the first two octets of the infected system's own address, which biases the scan towards the local network. After creating a TCP socket, the worm scans for vulnerable hosts, issuing 20 connection attempts at a time to TCP port 135. The target address is incremented by one on every attempt, so from the edge of the network the scan is visible as bursts of SYNs to port 135 walking sequentially through an address range. A typical scan by the W32/Msblast.A worm has the following structure:
| Source: | Destination: | Protocol: | Info: |
| Infected system IP | xxx.xxx.xxx.1 | TCP | [SourcePort] [destination port=135] [SYN] SequenceNumber Ack=0 Win=16384 Len=0 |
| Infected system IP | xxx.xxx.xxx.2 | TCP | [SourcePort] [destination port=135] [SYN] SequenceNumber Ack=0 Win=16384 Len=0 |
| Infected system IP | xxx.xxx.xxx.3 | TCP | [SourcePort] [destination port=135] [SYN] SequenceNumber Ack=0 Win=16384 Len=0 |
| Infected system IP | xxx.xxx.xxx.4 | TCP | [SourcePort] [destination port=135] [SYN] SequenceNumber Ack=0 Win=16384 Len=0 |
| Infected system IP | xxx.xxx.xxx.5 | TCP | [SourcePort] [destination port=135] [SYN] SequenceNumber Ack=0 Win=16384 Len=0 |
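To show what the scan pattern above looks like to a detector, here is an added example, written for this page and not code from the advisory or from FRISK Software. It models the target selection as the advisory describes it (a start address that is either random or built from the infected host's first two octets, incremented by one per attempt, 20 attempts per batch) and flags any source whose TCP/135 SYNs hit a full batch of consecutive addresses. The flow-record format, the sample addresses and the model of the worm's selection logic are assumptions made for the example.

```python
"""Sequential TCP/135 SYN-scan detector for Msblast-style traffic.

Added example (not code from the advisory). The flow-record format is
constructed for this illustration: one record per line,
"<src> <dst> <proto> <dport> <flags>".
"""
import ipaddress
import random
from collections import defaultdict

BATCH = 20       # the advisory: 20 connection attempts are issued at a time
MIN_RUN = BATCH  # flag a source once it has hit one full batch of consecutive hosts


def worm_targets(local_ip, count, seed=None, use_local_prefix=True):
    """Hypothetical model of the target selection described in the advisory
    (not the worm's actual code): the scan starts either at a completely
    random address or at an address built from the first two octets of the
    infected host, and the target is incremented by one per attempt."""
    rng = random.Random(seed)
    if use_local_prefix:
        a, b = str(local_ip).split(".")[:2]
        start = ipaddress.IPv4Address(f"{a}.{b}.{rng.randrange(256)}.0")
    else:
        start = ipaddress.IPv4Address(rng.randrange(1, 2**32 - count))
    return [start + i for i in range(count)]


def parse(line):
    """Split one constructed flow record; destination is returned as an int."""
    src, dst, proto, dport, flags = line.split()
    return src, int(ipaddress.IPv4Address(dst)), proto, int(dport), flags


def longest_run(values):
    """Length of the longest run of consecutive integers in an iterable."""
    best = cur = 0
    prev = None
    for v in sorted(set(values)):
        cur = cur + 1 if prev is not None and v == prev + 1 else 1
        best = max(best, cur)
        prev = v
    return best


def find_scanners(lines, min_run=MIN_RUN):
    """Return {src: run_length} for every source whose SYNs to TCP/135 hit
    at least min_run consecutive destination addresses. A host probing a
    handful of scattered machines (an admin tool, a scanner run against a
    short host list) does not produce such a run."""
    targets = defaultdict(set)
    for line in lines:
        src, dst, proto, dport, flags = parse(line)
        if proto == "TCP" and dport == 135 and flags == "SYN":
            targets[src].add(dst)
    runs = {src: longest_run(ints) for src, ints in targets.items()}
    return {src: run for src, run in runs.items() if run >= min_run}


# Constructed sample: one infected host (10.1.2.3) scanning two batches,
# plus a benign host touching three scattered machines and a web server.
INFECTED = "10.1.2.3"
SAMPLE_LOG = [f"{INFECTED} {t} TCP 135 SYN"
              for t in worm_targets(INFECTED, 2 * BATCH, seed=1)]
SAMPLE_LOG += [
    "10.1.2.9 10.1.2.1 TCP 135 SYN",
    "10.1.2.9 10.1.3.7 TCP 135 SYN",
    "10.1.2.9 10.1.5.200 TCP 135 SYN",
    "10.1.2.9 10.1.2.1 TCP 80 SYN",
]

if __name__ == "__main__":
    for src, run in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {run} consecutive hosts probed on TCP/135 (Msblast-style scan)")
```

The consecutive-run test is what separates this worm from ordinary RPC traffic: legitimate DCOM clients connect to a few known servers, whereas the worm walks an address range one host at a time, so a run of 20 or more adjacent targets from one source is a strong signal even before any port-4444 or TFTP activity is seen.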
This worm exploits the recent RPC DCOM buffer overrun vulnerability, using a slightly modified version of an exploit released for this same vulnerability some time ago. When a host accepts the connection on port 135, the worm sends two packets, the second one containing the payload, which if successful spawns a shell on the exploited host listening on TCP port 4444. The worm carries two global offsets for the exploitation and the resulting payload, one for Windows 2000 and one for Windows XP. Which one is used depends on the outcome of a semi-random function rather than on fingerprinting the target, so a mismatch does not yield a shell and can instead cause system instability or a crash of the remote system. The worm immediately attempts to connect to the remote shell on port 4444. If the connection succeeds, it instructs the shell to retrieve a copy of the worm from the system responsible for the attack by executing a "get" command with tftp.exe (the Trivial File Transfer Protocol client) found on every Windows NT 4, 2000 and XP system. That copy is then executed through the shell, after which the shell is terminated. The network signs of a successful infection are therefore, in order: an inbound connection to TCP/135, an inbound connection to TCP/4444 from the same source, and an outbound UDP/69 (TFTP) transfer from the newly infected host back to that source.
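The three-step sequence just described is what a network analyst would want to correlate, so here is an added example, written for this page and not code from the advisory or from FRISK Software, that reports an (attacker, victim) pair only when the exploit connection, the shell connection and the reverse TFTP transfer are all seen in order. The flow-record format, the timestamps, the documentation-range addresses and the 60-second window are assumptions made for the example.

```python
"""Correlate the three network steps of one Msblast infection.

Added example (not code from the advisory). For a successful infection the
advisory describes this sequence between attacker A and victim V:
    1. A -> V  TCP/135   exploit packets
    2. A -> V  TCP/4444  attacker connects to the spawned shell
    3. V -> A  UDP/69    tftp.exe on V pulls the worm body from A
The flow format is constructed for this illustration:
"<epoch_seconds> <src> <dst> <proto> <dport>". The 60-second window is an
assumption, not a figure from the advisory.
"""
from collections import defaultdict

WINDOW = 60.0


def parse(line):
    """Split one constructed flow record."""
    ts, src, dst, proto, dport = line.split()
    return float(ts), src, dst, proto, int(dport)


def _first_after(times, t):
    """Earliest timestamp in `times` strictly later than t, or None."""
    later = [x for x in times if x > t]
    return min(later) if later else None


def find_infections(lines, window=WINDOW):
    """Return [(attacker, victim, t_exploit, t_tftp)] for every (A, V) pair
    for which all three steps were seen in order within `window` seconds.
    A bare TCP/135 connection on its own is only a probe (or a failed
    exploit that crashed the target) and is not reported."""
    steps = defaultdict(lambda: {"exploit": [], "shell": [], "tftp": []})
    for line in lines:
        ts, src, dst, proto, dport = parse(line)
        if proto == "TCP" and dport == 135:
            steps[(src, dst)]["exploit"].append(ts)
        elif proto == "TCP" and dport == 4444:
            steps[(src, dst)]["shell"].append(ts)
        elif proto == "UDP" and dport == 69:
            # TFTP runs victim -> attacker, so the pair key is reversed here.
            steps[(dst, src)]["tftp"].append(ts)

    hits = []
    for (attacker, victim), s in steps.items():
        for t1 in sorted(s["exploit"]):
            t2 = _first_after(s["shell"], t1)
            t3 = _first_after(s["tftp"], t2) if t2 is not None else None
            if t3 is not None and t3 - t1 <= window:
                hits.append((attacker, victim, t1, t3))
                break
    return hits


# Constructed sample (RFC 5737 documentation addresses): one completed
# infection, one exploit attempt with no follow-up, and unrelated TFTP use.
SAMPLE_LOG = [
    "1060600000.0 192.0.2.10 198.51.100.5 TCP 135",
    "1060600001.5 192.0.2.10 198.51.100.5 TCP 4444",
    "1060600002.0 198.51.100.5 192.0.2.10 UDP 69",
    "1060600003.0 192.0.2.10 198.51.100.6 TCP 135",
    "1060600010.0 198.51.100.7 203.0.113.2 TCP 135",
    "1060600011.0 198.51.100.7 203.0.113.2 UDP 69",
]

if __name__ == "__main__":
    for attacker, victim, t1, t3 in find_infections(SAMPLE_LOG):
        print(f"{victim} infected by {attacker}: exploit at {t1}, worm body pulled at {t3}")
```

Requiring the reversed-direction TFTP step is deliberate: it is the only step that proves code ran on the victim, and it also points back at the host that now serves the worm body, which is the next machine to isolate.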
The worm has a built-in DoS routine aimed at windowsupdate.com. Whether this routine runs depends on the local system date: if the day of the month is above the 15th, the DoS routine is executed in parallel with the main scanning procedure. Using a raw socket, the worm sends out TCP packets with the SYN flag set (the first step of the three-way handshake required by the TCP protocol), each carrying a spoofed source address, to the web server at windowsupdate.com. This is a classic SYN-flood attack. When building the spoofed source address the worm keeps the first two octets of the local host's IP address and replaces the last two with random values. Because the source is spoofed, the SYN/ACK replies go to those random addresses rather than to the infected host; at the edge of the infected network the flood shows up as a large number of SYNs to TCP port 80 from many distinct addresses within the local /16, some of which may not even be allocated. The traffic might look like the following, where xxx.xxx are the first two octets of the local system's IP address:
| Source: | Destination: | Protocol: | Info: |
| xxx.xxx.ran.ran | IP address of the server | TCP | (Source port) http [SYN] SequenceNumber Ack=0 Win=16384 Len=0 |
| xxx.xxx.ran.ran | IP address of the server | TCP | (Source port) http [SYN] SequenceNumber Ack=0 Win=16384 Len=0 |
| xxx.xxx.ran.ran | IP address of the server | TCP | (Source port) http [SYN] SequenceNumber Ack=0 Win=16384 Len=0 |
| xxx.xxx.ran.ran | IP address of the server | TCP | (Source port) http [SYN] SequenceNumber Ack=0 Win=16384 Len=0 |
| xxx.xxx.ran.ran | IP address of the server | TCP | (Source port) http [SYN] SequenceNumber Ack=0 Win=16384 Len=0 |
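Spoofed-source floods like the one above are easiest to catch at the border of the network that originates them, so here is an added example, written for this page and not code from the advisory or from FRISK Software. It models the worm's source spoofing and date trigger as the advisory describes them and then groups outbound SYNs by destination and source /16, reporting any /16 that suddenly contributes dozens of distinct "clients" to one server. The flow-record format, the stand-in server address 203.0.113.80 and the threshold of 50 distinct sources are assumptions made for the example.

```python
"""Spoofed-source SYN-flood detection for the Msblast DoS routine.

Added example (not code from the advisory). The advisory says the worm runs
its DoS when the day of the month is above the 15th and sends SYNs to the
windowsupdate.com web server with a source address that keeps the first two
octets of the infected host's address and randomises the last two.
The flow format is constructed: "<src> <dst> <proto> <dport> <flags>".
SERVER is a documentation-range stand-in for the real web server, and the
threshold of 50 distinct sources is an assumption.
"""
import random
from collections import defaultdict

SERVER = "203.0.113.80"


def dos_active(day_of_month):
    """Trigger condition as stated in the advisory."""
    return day_of_month > 15


def spoofed_source(local_ip, rng):
    """Model of the worm's source spoofing: keep the first two octets of the
    local address and randomise the last two."""
    a, b = local_ip.split(".")[:2]
    return f"{a}.{b}.{rng.randrange(256)}.{rng.randrange(256)}"


def make_flood(local_ip, count, seed, server=SERVER):
    """Constructed flood traffic as one infected host would emit it."""
    rng = random.Random(seed)
    return [f"{spoofed_source(local_ip, rng)} {server} TCP 80 SYN" for _ in range(count)]


def slash16(ip):
    return ".".join(ip.split(".")[:2]) + ".0.0/16"


def find_syn_floods(lines, min_sources=50):
    """Group SYNs by (destination, port, source /16) and return the groups in
    which at least `min_sources` distinct source addresses appear. A busy
    client reconnecting many times has one source and is not reported; a
    spoofed flood from a single infected host shows up as hundreds of
    'clients' in the same /16, many of them addresses that are not even
    allocated on that network."""
    groups = defaultdict(set)
    for line in lines:
        src, dst, proto, dport, flags = line.split()
        if proto == "TCP" and flags == "SYN":
            groups[(dst, int(dport), slash16(src))].add(src)
    return {key: len(srcs) for key, srcs in groups.items() if len(srcs) >= min_sources}


# Constructed sample: 200 spoofed SYNs from an infected host in 10.7.0.0/16
# towards the stand-in server, plus one legitimate client reconnecting.
FLOOD_LOG = make_flood("10.7.4.21", 200, seed=2003)
BENIGN_LOG = ["10.7.1.1 203.0.113.80 TCP 80 SYN"] * 5
SAMPLE_LOG = FLOOD_LOG + BENIGN_LOG

if __name__ == "__main__":
    if dos_active(16):
        for (dst, dport, net), n in find_syn_floods(SAMPLE_LOG).items():
            print(f"SYN flood towards {dst}:{dport}: {n} distinct sources in {net}")
```

On a network that applies egress filtering (only packets whose source lies in the site's own allocated ranges may leave), most of these spoofed SYNs are dropped at the border and the flood is logged there instead of reaching the target; the grouping by /16 is what makes the infected site, rather than the spoofed addresses, the thing that gets reported.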
A couple of strings inside the worm's body are never displayed to the user:
"I just want to say LOVE YOU SAN!!"
"billy gates why do you make this possible ?
Stop making money and fix your software!!" |
| Removal Instructions |
First download and apply the patch for this vulnerability. The patch is available from Microsoft's website at:
If this patch is not downloaded and applied before disinfecting an infected machine, the computer will in all likelihood become infected again almost immediately, since other infected hosts are scanning continuously.
After the patch has been downloaded and applied, find the process called 'msblast.exe' in the Task Manager and terminate it.
Then run the latest version of F-Prot Antivirus with the latest virus signature files available. F-Prot Antivirus will find all files containing W32/Msblast.A and delete them, if set to delete suspicious files.
The last step is to delete the registry value:
'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update'
using the 'regedit' program in Windows. |
Analysis / Description: Sindri Bjarnason - Virus analyst FRISK Software International |