FRISK Software International


Summary of W32/Msblast.B
Alias: Lovsan, Poza, Blaster
Length: 5.360 bytes
Discovered: 13 Aug 2003
Definition files: 13 Aug 2003
Risk Level: Low
Distribution: Low
Infection Method: W32/Msblast.B scans IP ranges in a random fashion, looking for systems vulnerable to the RPC DCOM buffer overrun vulnerability.

Technical Description
W32/Msblast.B is a new variant of the W32/Msblast worm. It is packed with the FSG file compressor and is 5.360 bytes in size. It spreads under the name teekids.exe. Although very similar to the A variant, there are minor differences. Following its initialization routine, the worm creates the following entry under the Run key in the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Value name: "Microsoft Inet Xp.."
Data: "teekids.exe"


W32/Msblast.B creates a mutex named 'BILLY'. This is the same mutex name used by the A and C variants, which means that only one variant can be actively running at any given point in time.

Neither the scanning procedure nor the exploitation process differs from the A variant.

Although this worm distributes itself in the same manner as the A variant, it is reported to have been released in a package containing the following three files:

File          Size          Description
index.exe     32.045 bytes  Dropper for both W32/Msblast.B and W32/Lithium.B; after dropping each file on the system it executes them.
teekids.exe   5.360 bytes   The W32/Msblast.B worm.
root32.exe    19.798 bytes  W32/Lithium.B, a backdoor intended for use on Windows systems. The sample distributed with this package is compressed with the UPX executable packer. F-Prot detects it as "is a security risk named W32/Lithium.B".


There are a couple of strings within the virus body which are never shown to the user at any point during execution:

"Microsoft can [censored] my left [censored]!"
"Bill Gates can [censored] my right [censored]! And All Antivirus Makers Can [censored] My Big Fat [censored]"


Removal Instructions
First download and apply the available patch for this vulnerability. The patch is available from Microsoft's website at:

If this patch is not downloaded and applied before disinfecting an infected machine, the computer will in all likelihood become infected again almost immediately.

After the patch has been downloaded and applied, find a process called 'teekids.exe' using the task manager, and terminate that process.

Then run F-Prot Antivirus, latest version, with the latest virus signature files available.

F-Prot Antivirus will find all files containing W32/Msblast.B and delete them, if set to delete suspicious files.

The last step is to delete this registry value:

'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Inet Xp..'

from the registry using the 'regedit' program in Windows.
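The manual steps above (terminate the teekids.exe process, then delete the Run value) can be checked and carried out from an elevated PowerShell prompt. The following script is an added example, not a FRISK tool; it assumes Windows PowerShell 3 or later and that the RPC/DCOM patch has already been applied, and it also checks for the 'BILLY' mutex described in the technical section. Files on disk are deliberately left for the antivirus scan.

```powershell
# Added example (not FRISK code): detect and remove the host indicators this
# description names for W32/Msblast.B. Assumes an elevated prompt and that the
# RPC/DCOM patch is already installed, otherwise reinfection is likely.

$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'Microsoft Inet Xp..'   # Run value name dropped by the worm
$ProcName  = 'teekids'               # teekids.exe without the extension
$MutexName = 'BILLY'                 # shared by the A, B and C variants

function Test-MsblastIndicators {
    # Returns the list of indicators found; an empty list means none present.
    $found = @()

    # 1. Mutex: held while any A/B/C variant is running in this session.
    $m = $null
    if ([System.Threading.Mutex]::TryOpenExisting($MutexName, [ref]$m)) {
        $found += "mutex '$MutexName' is held (a Msblast variant is running)"
        $m.Dispose()
    }

    # 2. Process: the B variant runs as teekids.exe.
    Get-Process -Name $ProcName -ErrorAction SilentlyContinue | ForEach-Object {
        $found += "process $($_.Name) (PID $($_.Id)) path=$($_.Path)"
    }

    # 3. Persistence: the Run value created after initialization.
    $val = Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($val) { $found += "Run value '$ValueName' = '$($val.$ValueName)'" }

    return $found
}

function Remove-MsblastIndicators {
    # Same order as the removal instructions: kill the process, then the Run value.
    Get-Process -Name $ProcName -ErrorAction SilentlyContinue | Stop-Process -Force
    if (Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $RunKey -Name $ValueName
    }
}

$indicators = Test-MsblastIndicators
if ($indicators.Count -eq 0) {
    Write-Output 'No W32/Msblast.B indicators found.'
} else {
    $indicators | ForEach-Object { Write-Output "FOUND: $_" }
    Remove-MsblastIndicators
    Write-Output 'Process terminated and Run value removed; now run an up-to-date AV scan.'
}
```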


Analysis / Description: Sindri Bjarnason - Virus analyst FRISK Software International