FRISK Software International

Virus Info > Virus Threats > Msblast.B


Summary of W32/Msblast.B
Alias:Lovsan, Poza, Blaster
Length: 5.360 bytes
Discovered: 13 Aug 2003
Definition files: 13 Aug 2003
Risk Level: Low
Distribution:Low
Infection Method:W32/Msblast.B scans in a random fashion IP ranges looking for systems, vulnerable to the RPC DCOM buffer overrun vulnerability.
 
Jump to:
Technical description
Removal Instructions

Technical Description
W32/Msblast.B is a new variant of the W32/Msblast worm, packed with FSG file compressor and has the size of 5.360 bytes. It spreads under the name of teekids.exe. Although very similar to the A variant, there are minor differences. Following the initialization routine, the worm creates the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Key: "Microsoft Inet Xp.."
Value: "teekids.exe"


The W32/Msblast.B creates a mutex with the name of 'BILLY'. This is the same Mutex name used by both A and C variant, which results in only one variant being actively running at any given point in time.

Neither the scanning procedure nor the exploitation process does differ from the A variant.

Although this worms distributes itself in the same manner as the A variant, it's reported to have been released in a package, containing the following three files:

File: Size: Description:
index.exe 32.045 bytes This is a dropper for both the W32/Msblast.B and W32/Lithium.B, after dropping each file on the system it executes them.
teekids.exe 5.360 bytes The W32/Msblast.B worm
root32.exe 19.798 bytes The W32/Lithium.B is a backdoor intended for use on Windows system. The sample distributed with this package is compressed with UPX executable packer. It's detected by F-Prot as "is a security risk named W32/Lithium.B".


There are couple of strings within the virus body, which are not exposed to users at any given point during execution:

"Microsoft can [censored] my left [censored]!"
"Bill Gates can [censored] my right [censored]! And All Antivirus Makers Can [censored] My Big Fat [censored]"


Removal Instructions
First download and apply the patch against this vulnerability available. The patch is available from Microsofts website at:

If this patch is not downloaded and applied before disinfecting an infected machine, the computer will in all likelihood again become infected almost immediately.

After the patch has been downloaded and applied, find a process called 'teekids.exe' using the task manager, and terminate that process.

Then run F-Prot Antivirus, latest version, with the latest virus signature files available.

F-Prot Antivirus will find all files containing W32/Msblast.B and delete them, if set to delete suspicious files.

The last step is to delete this registry value:

'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Inet Xp..'

from the registry using the 'regedit' program in Windows.


Analysis / Description: Sindri Bjarnason - Virus analyst FRISK Software International
 
Virus Info by Platform

Virus Info by Letter:

F-PROT Antivirus Alerts
Stay up to date with important developments via e-mail.
more...
Life cycle policy
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
more...
RSS News Feeds
Virus news and information directly to your desktop.
more...
Glossary of Terms
Definitions of common antivirus terminology.
more...
More Virus Info
For further virus information, please try our partners' websites:

Authentium

perComp Verlag
(in German)
 

agoat@klaki.net argentina@f-prot.com argentina@frisk.is argentina@complex.is argentina@f-prot.is argentina@frisk-software.com argentina@f-prot.net argentina@f-prot.co.uk brazil@f-prot.com brazil@frisk.is brazil@complex.is brazil@f-prot.is brazil@frisk-software.com brazil@f-prot.net brazil@f-prot.co.uk malta@f-prot.com malta@frisk.is malta@complex.is malta@f-prot.is malta@frisk-software.com malta@f-prot.net malta@f-prot.co.uk a.bjani@f-prot.com a.bjani@frisk.is a.bjani@complex.is a.bjani@f-prot.is a.bjani@f-prot.co.uk a.bjani@frisk-software.com a.bjani@f-prot.net z.fifl@f-prot.com z.fifl@frisk.is z.fifl@complex.is z.fifl@f-prot.is z.fifl@f-prot.co.uk z.fifl@frisk-software.com z.fifl@f-prot.net strumpuri@complex.is strumpure@complex.is strumpuru@complex.is 00a@eircom.net 0maaahonyy@eircom.net 950@eircom.net af@eircom.net am@eircom.net ar@eircom.net as@eircom.net b1@eircom.net boss3@eircom.net ceih@eircom.net cera@eircom.net chxe@eircom.net cs@eircom.net cydw@eircom.net d71@eircom.net dpfy@eircom.net dzuv@eircom.net ehpa@eircom.net epin@eircom.net f1@eircom.net fa@eircom.net fdld@eircom.net fdnv@eircom.net gacg@eircom.net gafj@eircom.net gc@eircom.net gz@eircom.net ha@eircom.net he@eircom.net ia@eircom.net ja@eircom.net k2@eircom.net lleahy6@eircom.net m1@eircom.net no@eircom.net pb@eircom.net qq@eircom.net r6oo@eircom.net ra@eircom.net s2@eircom.net t2@eircom.net ua@eircom.net va@eircom.net vb@eircom.net w2@eircom.net ww2@eircom.net xxxkiss@eircom.net y1@eircom.net ya@eircom.net zz@eircom.net