FRISK Software International


Summary of W32/Msblast.E
Alias: Lovsan, Poza, Blaster
Length: 6.176 bytes
Discovered: 28 Aug 2003
Definition files: 29 Aug 2003
Risk Level: Low
Distribution: Low
 

Technical Description
W32/Msblast.E is the latest variant of the W32/Msblast worm currently spreading in the wild. Its internal functions work identically to those of the A variant. It is packed with the UPX executable compressor and is 6.176 bytes in size. This variant spreads under the name mslaugh.exe, which is both the name of the infected file and the name of the running process once it has successfully infected a computer. W32/Msblast.E creates the following registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runon]

Key: "Windows Automation"
Value: "mslaugh.exe"

This registry value does not automatically execute the worm at Windows startup, because the key is named Runon rather than Run. This is most likely a spelling error made by the author.

W32/Msblast.E creates a mutex named 'SILLY'.

The virus body contains the following string, which is never shown to users during execution:

I dedicate this particular strain to me ANG3L - hope yer enjoying yerself and dont forget the promise for me B/DAY !!!!"


Removal Instructions
First, download and apply the patch for this vulnerability. The patch is available from Microsoft's website at:

If this patch is not downloaded and applied before disinfecting an infected machine, the computer will in all likelihood become infected again almost immediately.

After the patch has been downloaded and applied, find a process called 'mspatch.exe' using the task manager, and terminate that process.

Then run the latest version of F-Prot Antivirus with the latest virus signature files available.

F-Prot Antivirus will find all files containing W32/Msblast.E and delete them, if set to delete suspicious files.

The last step is to delete this registry value:

'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runon\Windows Automation'

from the registry using the 'regedit' program in Windows.
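
To check a machine for the indicators described above without touching it live, the following added example (not FRISK's code) scans text exported from the host. It assumes the registry was saved with 'reg export' and the process list with 'tasklist /fo csv', both already decoded to text; the function names and the sample data are constructed for illustration.

```python
import csv
import io

# Indicators taken from this page (W32/Msblast.E).
RUNON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runon"
VALUE_NAME = "Windows Automation"
# The description names mslaugh.exe; the removal steps name mspatch.exe.
PROCESS_NAMES = {"mslaugh.exe", "mspatch.exe"}

# Constructed sample inputs (not taken from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runon]
"Windows Automation"="mslaugh.exe"
'''
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"explorer.exe","1480","Console","0","18,204 K"
"mslaugh.exe","1912","Console","0","1,024 K"
'''

def scan_reg_export(text):
    """Return (key, name, data) for the worm's value in .reg export text."""
    hits, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember which key the next values belong to
        elif key and key.lower() == RUNON_KEY.lower() and line.startswith('"'):
            name, sep, data = line.partition('"=')
            if sep and name[1:].lower() == VALUE_NAME.lower():
                hits.append((key, name[1:], data.strip('"')))
    return hits

def scan_tasklist_csv(text):
    """Return (image, pid) for suspect processes in tasklist CSV output."""
    hits = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[0].lower() in PROCESS_NAMES:
            hits.append((row[0], int(row[1])))
    return hits

if __name__ == "__main__":
    for hit in scan_reg_export(SAMPLE_REG) + scan_tasklist_csv(SAMPLE_TASKLIST):
        print(hit)
```

The registry match is tied to the misspelled Runon key, so a value of the same name under the normal Run key is not reported.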


FRISK Software International - Virus lab
 

