FRISK Software International


Summary of W32/Msblast.D
Alias: Lovsan, Poza, Blaster
Length: 11,776 bytes
Discovered: 18 Aug 2003
Definition files: 18 Aug 2003
Risk Level: Low
Distribution: Low
 

Technical Description
W32/Msblast.D is the latest variant of the W32/Msblast worm currently spreading in the wild. Internally the D variant works in an identical manner to the A variant. It is packed with the ASPack executable compressor and is 11,776 bytes in size. This variant spreads under the name mspatch.exe, which is the name of both the file it writes and the process it runs as once it has successfully infected a computer. The W32/Msblast.D variant creates the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runon]

Value name: "Nonton Antivirus"
Value data: "mspatch.exe"

This registry value does not automatically execute the worm upon Windows startup, because the key name is misspelt: Windows reads autostart entries from "Run", not "Runon". This is most likely a typing error by the author, so the worm only persists across reboots by being re-infected over the network.

W32/Msblast.D creates a mutex named 'BILLY'. This is the same mutex name used by the other W32/Msblast variants, so only one variant can be actively running on a given computer at any point in time; a later variant that finds the mutex already present exits.

The worm body contains the following string, which is never displayed to the user at any point during execution (reproduced verbatim, including the author's spelling):

"This is a patch to fixedRPC Problem! Your computer has been Protected by me. Your have not need update your Windows XP.."


Removal Instructions
First, download and apply Microsoft's patch for the RPC vulnerability this worm exploits. The patch is available from Microsoft's website at:

If this patch is not downloaded and applied before disinfecting an infected machine, the computer will in all likelihood become infected again almost immediately, since the worm scans for and infects unpatched machines continuously.

After the patch has been downloaded and applied, find the process called 'mspatch.exe' in Task Manager and terminate it.

Then run F-Prot Antivirus, latest version, with the latest virus signature files available.

F-Prot Antivirus will find all files containing W32/Msblast.D and delete them, if set to delete suspicious files.

The last step is to delete this registry value:

'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runon\Nonton Antivirus'

from the registry using the 'regedit' program in Windows.
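The removal steps above, and the 'BILLY' mutex check from the technical description, as an added example that is not FRISK's code: a PowerShell script (PowerShell did not exist when this page was written; it is what a Windows administrator would type this procedure into today) that reports each W32/Msblast.D artifact it finds on the local host and, when run with -Remove, terminates the process and deletes the registry value and file. The System32 location for mspatch.exe is an assumption taken from the A variant, which the page says this variant copies; the page itself does not state where the D variant writes its file. The script is a check and clean-up aid only; it does not replace the Microsoft patch or the F-Prot scan, which must still be run.

```powershell
# Added example, not code from FRISK Software International.
# Checks this host for the W32/Msblast.D artifacts described on the page and,
# with -Remove, performs the manual removal steps. Apply the Microsoft patch first.
# Assumption (not stated on the page): the worm file sits in %SystemRoot%\System32,
# as the A variant's did. The mutex is session-local, so run in the worm's session.
param([switch]$Remove)

$ProcessName = 'mspatch'
$FileName    = 'mspatch.exe'
$RunonKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Runon'   # misspelt 'Run', so inert
$ValueName   = 'Nonton Antivirus'
$MutexName   = 'BILLY'
$found = $false

# 1. Running process: the worm's process name is the same as its file name.
$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if ($procs) {
    $found = $true
    foreach ($p in $procs) {
        Write-Output ("Process {0} (PID {1}) running from {2}" -f $p.ProcessName, $p.Id, $p.Path)
        if ($Remove) { Stop-Process -Id $p.Id -Force }
    }
}

# 2. Mutex: every Msblast variant creates 'BILLY'. Its presence means some variant
#    is active in this session even if the process has been renamed.
try {
    $m = [System.Threading.Mutex]::OpenExisting($MutexName)
    $m.Dispose()
    $found = $true
    Write-Output "Mutex '$MutexName' exists: an Msblast variant is active in this session"
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # No such mutex: nothing to report.
} catch [System.UnauthorizedAccessException] {
    # The mutex exists but belongs to another security context; still an indicator.
    $found = $true
    Write-Output "Mutex '$MutexName' exists (access denied to open it)"
}

# 3. Registry value: present on an infected host but never executed, because
#    Windows does not consult a key named 'Runon' at startup.
$val = Get-ItemProperty -Path $RunonKey -Name $ValueName -ErrorAction SilentlyContinue
if ($null -ne $val) {
    $found = $true
    Write-Output ("Registry value '{0}' = '{1}' under {2}" -f $ValueName, $val.$ValueName, $RunonKey)
    if ($Remove) { Remove-ItemProperty -Path $RunonKey -Name $ValueName }
}

# 4. Dropped file (assumed location). Removed only after the process has been stopped,
#    otherwise the running image keeps the file locked.
$file = Join-Path $env:SystemRoot "System32\$FileName"
if (Test-Path $file) {
    $found = $true
    Write-Output ("File present: {0} ({1} bytes)" -f $file, (Get-Item $file).Length)
    if ($Remove) { Remove-Item -Path $file -Force }
}

if (-not $found) { Write-Output 'No W32/Msblast.D artifacts found on this host' }
```

Run it once without -Remove to see what is present, then with -Remove from an elevated prompt after the patch is installed. The file size printed for step 4 should be 11,776 bytes for a genuine W32/Msblast.D sample; anything else at that path with that name is worth keeping for the antivirus scan rather than deleting by hand.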


Analysis / Description: Sindri Bjarnason - Virus analyst FRISK Software International
 

