| VID | 24064 |
| Severity | 40 |
| Port | 4444 |
| Protocol | TCP |
| Class | BackDoor |
| Detailed Description |
The backdoor of the MS Blast worm appears to be installed on this Windows system. The MS Blast worm propagates by exploiting the vulnerability described in Microsoft Security Bulletin MS03-026, "Buffer Overrun In RPC Interface Could Allow Code Execution", announced July 16, 2003. It begins by scanning its own subnet for hosts with port 135 open, then moves on to scanning randomly selected class B subnets (255.255.0.0). When it finds an open port 135, it uses the exploit above to gain entry and create a remote shell on the exploited machine. It then assumes the exploit succeeded and attempts to connect to port 4444 on the remote machine. On a successful connection it instructs the remote machine to download MSBLAST.EXE (size: 6,176 bytes, UPX packed) using TFTP.EXE, a utility included by default in Windows 2000 and later versions, and then sends an instruction to start MSBLAST.EXE on the remote machine.

Once run, the worm creates the following registry value so that it is started at boot:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe

The worm binary also contains the text: I just want to say LOVE YOU SAN!! bill

* References:
  - https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf
  - http://www3.ca.com/virusinfo/virus.aspx?ID=36265
  - http://www.datafellows.com/v-descs/msblast.shtml
  - http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547
  - http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.html
  - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
  - http://www.sophos.com/virusinfo/analyses/w32blastera.html
  - http://xforce.iss.net/xforce/alerts/id/150
  - http://vil.nai.com/vil/content/v_100547.htm
  - http://www.cert.org/advisories/CA-2003-19.html
  - http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
* Platforms Affected: Microsoft Windows, any version |
| Recommendation |
Remove it from the infected computer using an anti-virus program (vaccine program). If you do not have an anti-virus program installed, download and install one of the following free worm cleaners:
1. Trend Micro System Cleaner at http://www.trendmicro.com/download/tsc.asp
2. CA Virus Information Center Cleaning Utility at http://www3.ca.com/Files/VirusInformationAndPrevention/ClnPoza.zip
3. Symantec DCOM Cleaner at http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
-- OR --
Remove the worm manually by performing the following steps:
1. Terminate the running malware process from memory.
   1) Press CTRL+SHIFT+ESC, then click Windows Task Manager, and click the Processes tab.
   2) In the list of running programs, locate the process MSBLAST.EXE.
   3) Select the malware process, then click the End Process button.
   4) Close Task Manager.
   NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
2. Remove the autostart entry from the registry; this prevents the malware from executing during startup.
   1) Open Registry Editor. To do this, click Start > Run, type Regedit, then press Enter.
   2) In the left panel, double-click the following: HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Run
   3) In the right panel, locate and delete the entry: "windows auto update" = MSBLAST.EXE
   4) Close Registry Editor.
-- AND --
Apply the appropriate patch for your system, as listed in Microsoft's security bulletin MS03-026 at http://www.microsoft.com/technet/security/bulletin/ms03-026.asp |
| Related URL (CVE) | |
| Related URL (SecurityFocus) | |
| Related URL (ISS) | |
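The manual removal steps above can be checked and applied from a script as well. The following PowerShell is an added example and not part of the original signature record or any vendor's cleaner: it looks for the three indicators the description names (the "windows auto update" Run-key value pointing at msblast.exe, a running MSBLAST.EXE process, and a TCP listener on port 4444) and reports what it finds. With -Remediate it performs steps 1 and 2 of the manual procedure (stop the process, delete the Run-key value); applying the MS03-026 patch still has to be done separately. Get-NetTCPConnection assumes a Windows release that ships the NetTCPIP module (Windows 8 / Server 2012 or later); on older systems the listener check can be replaced by netstat -ano.

```powershell
# Added example (not from the original record): check a host for the MS Blast indicators
# described above and optionally apply the manual removal steps.
# Run from an elevated PowerShell session:  .\Check-MSBlast.ps1 [-Remediate] [-WhatIf]
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # when set, stop the process and delete the Run-key value
)

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'windows auto update'   # value name used by the worm (from the description above)
$fileName  = 'msblast.exe'           # executable name used by the worm (from the description above)
$findings  = @()

# 1. Autostart entry: report only if the value exists AND its data references msblast.exe,
#    so an unrelated value that happens to use the same name is not deleted.
$runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runValues -and ($runValues.PSObject.Properties.Name -contains $valueName)) {
    $data = [string]$runValues.$valueName
    if ($data -match [regex]::Escape($fileName)) {
        $findings += [pscustomobject]@{ Indicator = 'RunKey'; Detail = "$valueName = $data" }
        if ($Remediate -and $PSCmdlet.ShouldProcess("$runKey\$valueName", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $runKey -Name $valueName
        }
    }
}

# 2. Running process: Get-Process takes the image name without the .exe extension.
$procs = Get-Process -Name 'msblast' -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $findings += [pscustomobject]@{ Indicator = 'Process'; Detail = "PID $($p.Id) $($p.Path)" }
    if ($Remediate -and $PSCmdlet.ShouldProcess("PID $($p.Id)", 'Stop-Process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# 3. Backdoor listener on TCP 4444 (the port this signature fires on). Reported only;
#    the owning process is shown so an analyst can confirm it before acting.
$listeners = Get-NetTCPConnection -LocalPort 4444 -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $owner = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Indicator = 'Listener4444'
        Detail    = "owning PID $($l.OwningProcess) ($($owner.ProcessName))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No MS Blast indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
    if (-not $Remediate) {
        Write-Output 'Re-run with -Remediate to stop the process and remove the Run-key value.'
    }
    Write-Output 'Apply the MS03-026 patch regardless; removal alone does not close the RPC vulnerability.'
}
```

Because the script declares SupportsShouldProcess, -WhatIf prints the registry and process actions it would take without performing them, which is the safer first run on a machine that is still under investigation.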