
W32.Blaster.Worm


Brief Description:
--------------------

PLEASE NOTE: Users are strongly urged to contact their Local Support Providers (LSPs) or Information Technology Advisors (ITAs) to determine how best to protect or disinfect their particular computer systems.

W32.Blaster.Worm has been upgraded to a level 4 threat by Symantec due to the level of submissions they are receiving (i.e. the worm is spreading quite rapidly). Symantec definitions version 50811s or Extended Version: 8/11/2003, rev. 19 will detect this worm.

Please note that although Symantec is offering a "removal tool" for W32.Blaster.Worm, we do not recommend its use. Our experience is that tools that are meant to remove and/or disable backdoor/trojan infections are of questionable and inconsistent effectiveness. More to the point, any time there is a significant probability that a system has been compromised at the administrative level, there is no way to be completely certain that all possible backdoors and other malware have been removed without reformatting the drive and re-installing the operating system from original media.

Please be advised that you must apply the Windows patch for the DCOM RPC vulnerability to secure machines. The vulnerability exists in Windows NT, 2000, XP, and Server 2003.

Reports conflict as to which of these operating systems the worm can spread to. Regardless of which of the above operating systems you are running, please visit the following site for patch downloads for each of those operating systems.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp


Characteristics:
------------------

W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability (described in the Microsoft Security Bulletin MS03-026 linked above) using TCP port 135. This worm will attempt to download and run the Msblast.exe file.

Symantec advises firewall administrators to block access to TCP port 4444 at the firewall level, and then block the following ports, if they do not use the applications listed:

TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"

When W32.Blaster.Worm is executed, it does the following:

1. Creates a Mutex named "BILLY." If the mutex exists, the worm will exit.

2. Adds the value:

"windows auto update"="msblast.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

3. Calculates a random IP address, A.B.C.0, where A, B, and C are random values between 0 and 255.

NOTE: 40% of the time, if C > 20, a random value less than 20 will be subtracted from C.

4. Once the IP address is calculated, the worm will attempt to find and exploit a computer on the local subnet, based on A.B.C.0. The worm will then count up from 0, attempting to find and exploit other computers, based on the new IP.

5. Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability.

NOTES: (from Symantec – these specifics are not mentioned by other vendors)
-- This means the local subnet will become saturated with port 135 requests.
-- Due to the random nature of how the worm constructs the exploit data, this may cause computers to crash if it sends incorrect data.
-- While W32.Blaster.Worm cannot spread to Windows NT or Windows 2003, unpatched computers running these operating systems may crash as the result of attempts by the worm to exploit them.

6. Creates a hidden Cmd.exe remote shell that will listen on TCP port 4444, allowing an attacker to issue remote commands on the infected system.

7. Listens on UDP port 69. When the worm receives a request from a computer it was able to connect to using the DCOM RPC exploit, it will send that computer Msblast.exe and tell it to execute the worm.

8. Once it secures an Internet connection, this worm checks the current system date. On the following system dates, it launches a thread that performs a Distributed Denial of Service attack against windowsupdate.com:

-- the 16th through the 31st of each month from January to August
-- any day in the months of September through December

NOTE: On Windows XP and 2003, when the DCOM RPC attack takes place, the Remote Procedure Call (RPC) service stops and NT AUTHORITY\SYSTEM reboots the machine in 60 seconds (this is a new security mechanism in XP/2003). The machine restarts whenever the RPC service is under attack (see screenshot below). To prevent the system from restarting, please apply the Microsoft DCOM RPC patch.

On Windows 2000, when the DCOM RPC attack takes place, the Remote Procedure Call (RPC) service stops and the machine does NOT reboot automatically. Since many services depend on RPC, some services may not work properly.

[Screenshot: the Windows reboot dialog displayed when the RPC service stops.] This dialog comes from Windows itself and will show the error message in the localized language.
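The characteristics above give a network-level signature a defender can look for: a host sweeping consecutive addresses on TCP port 135 (steps 3-5), a connection to the hidden shell on TCP port 4444 (step 6), and a TFTP request to UDP port 69 on the infecting host (step 7). The script below is an added example, not Symantec's or Penn's code; it runs those checks over a constructed, hypothetical connection log of the form "<src> <dst> <proto> <dport>".

```python
"""Flag hosts whose connections match the W32.Blaster propagation pattern.
Added example for this advisory; the log format below is an assumption."""
from collections import defaultdict
import ipaddress

# Constructed sample: 10.1.2.50 sweeps .1-.5 on TCP/135, then opens the
# 4444 shell on 10.1.2.3, which fetches Msblast.exe back from 10.1.2.50 via TFTP.
SAMPLE_LOG = """\
10.1.2.50 10.1.2.1 tcp 135
10.1.2.50 10.1.2.2 tcp 135
10.1.2.50 10.1.2.3 tcp 135
10.1.2.50 10.1.2.4 tcp 135
10.1.2.50 10.1.2.5 tcp 135
10.1.2.50 10.1.2.3 tcp 4444
10.1.2.3 10.1.2.50 udp 69
10.1.2.9 10.1.2.20 tcp 80
10.1.2.9 10.1.2.21 tcp 443
"""

def parse_log(text):
    """Parse '<src> <dst> <proto> <dport>' lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        src, dst, proto, dport = parts
        records.append((src, dst, proto.lower(), int(dport)))
    return records

def find_blaster_indicators(records, sweep_threshold=5):
    """Return {host: [reasons]} for hosts matching the advisory's indicators."""
    findings = defaultdict(list)
    targets_135 = defaultdict(set)
    for src, dst, proto, dport in records:
        if proto == "tcp" and dport == 135:
            targets_135[src].add(int(ipaddress.IPv4Address(dst)))
        elif proto == "tcp" and dport == 4444:
            findings[dst].append(f"inbound TCP/4444 from {src} (hidden Cmd.exe shell)")
        elif proto == "udp" and dport == 69:
            findings[dst].append(f"UDP/69 request from {src} (serving Msblast.exe)")
    for src, targets in targets_135.items():
        # Step 4: the worm counts up from A.B.C.0, so its 135 targets form a
        # consecutive run of addresses rather than a scattered set.
        ordered = sorted(targets)
        consecutive = all(b - a == 1 for a, b in zip(ordered, ordered[1:]))
        if len(ordered) >= sweep_threshold and consecutive:
            findings[src].append(f"sequential TCP/135 sweep of {len(ordered)} hosts")
    return dict(findings)
```

Any host flagged for a 4444 connection should be treated as compromised per the Recovery section, not merely cleaned.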


Recovery:
-----------

PLEASE NOTE: Machines compromised via the DCOM RPC vulnerability, whether by W32.Blaster.Worm or by some other means, have been hacked and need to be formatted to completely ensure network and machine data security.

Please note that although Symantec is also offering a "removal tool" for Blaster, we do not recommend its use. Our experience is that these tools are of questionable and inconsistent effectiveness. More to the point, any time there is a significant probability that a system has been compromised at the administrative level, there is no way to be completely certain that all possible backdoors and other malware have been removed without reformatting the drive and re-installing the operating system from original media.


Protection:
------------

Apply the patch found at the following website.

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

Also, update your virus definitions, via LiveUpdate, to version 50811s or Extended Version: 8/11/2003, rev. 19 or greater to protect against W32.Blaster.Worm. Instructions on how to update NAV definition files are located at:

http://www.upenn.edu/computing/help/doc/virus/nav/winnavupdate.html


Further information:
-----------------------

For more information, see the following sites.

http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html
http://www.f-secure.com/v-descs/msblast.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
http://vil.nai.com/vil/content/v_100547.htm
http://www.sophos.com/virusinfo/analyses/w32blastera.html
http://isc.sans.org/diary.html?date=2003-08-11

Information Systems and Computing
University of Pennsylvania