Important: Since this worm exploits a known security hole in Windows, Trend Micro strongly advises all users to apply the necessary critical patches. Failure to do so may result in reinfection. Please see the Solution section for the link to the necessary patches.
Autostart Technique and Memory-Residency Checking
Upon execution, this worm creates the following autorun registry entry (under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) so that it executes every time Windows starts:
"windows auto update" = MSBLAST.EXE
It creates a mutex named "BILLY", which it uses to check whether another copy is already running. If it finds one, it simply terminates.
If no other copy is running, it continues with the rest of its routines. It sleeps in 20-second intervals, waking each time to check for an Internet connection, until one is available. It also checks the infected machine's Winsock version. It runs on Winsock versions 1.0, 1.01, and 2.02.
Distributed Denial of Service Attack
Once it has an Internet connection, this worm checks the current system date. It launches a thread that performs a Distributed Denial of Service attack against windowsupdate.com on the following dates:
- the 16th day of the month through the end of the month, in any month; and
- any day of the month, from September to December.
When performing the DDoS attack, this worm builds a 40-byte packet that consists of nothing but an IP header and a TCP header with the SYN flag set (no payload), and sends it to windowsupdate.com every 20 milliseconds.
Because the worm writes the headers itself, it can put a spoofed sender IP address in the packet.
Also, if the worm fails to resolve the name, windowsupdate.com, it uses 255.255.255.255 instead as destination address for the DDoS attack.
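The date check, the name-resolution fallback and the shape of the flood packet are easier to see in code. The block below is an added example written for this page; it is not Trend Micro's code and not the worm's. It builds the header-only IPv4/TCP SYN the description refers to, with whatever source address the caller supplies, and decodes it again the way a capture tool would. Destination port 80 is an assumption (the page does not name the port), and the packet is only built, never sent.

```python
import socket
import struct

SEND_INTERVAL_SECONDS = 0.020   # one packet every 20 ms, i.e. 50 a second


def ddos_triggered(month, day):
    """Date check described above: the 16th or later of any month, or any day
    from September to December, starts the attack thread."""
    return day >= 16 or month >= 9


def resolve_target(name, resolver=socket.gethostbyname):
    """If the name does not resolve, the worm falls back to 255.255.255.255."""
    try:
        return resolver(name)
    except OSError:                      # socket.gaierror is an OSError
        return "255.255.255.255"


def failing_resolver(name):
    """Stand-in resolver for offline use (constructed for this example)."""
    raise OSError("no DNS answer for %s" % name)


def checksum(data):
    """RFC 1071 one's-complement sum. Run over data that already carries a
    correct checksum it returns 0, which is how the decoder verifies below."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip, dst_ip, src_port, dst_port=80, seq=0):
    """Header-only IPv4 + TCP SYN, 40 bytes in total. src_ip is whatever the
    caller puts in: on a raw socket nothing checks it, which is the spoofing
    the description refers to. Destination port 80 is an assumption."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # IPv4: ver/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 128,
                         socket.IPPROTO_TCP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    # TCP: ports, seq, ack, data offset = 5 words, flags = SYN, window, csum, urgent
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                          5 << 4, 0x02, 16384, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, len(tcp_hdr))
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", checksum(pseudo + tcp_hdr)) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr


def inspect_packet(pkt):
    """Decode the packet back, the way an IDS or a packet capture sees it."""
    ihl = (pkt[0] & 0x0F) * 4
    (_, _, total_len, _, _, _, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    tcp = pkt[ihl:]
    _, dst_port, _, _, _, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(tcp))
    return {
        "length": len(pkt),
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "dst_port": dst_port,
        "syn_only": flags == 0x02,
        "payload_bytes": total_len - ihl - 20,
        "ip_csum_ok": checksum(pkt[:ihl]) == 0,
        "tcp_csum_ok": checksum(pseudo + tcp) == 0,
    }


if __name__ == "__main__":
    target = resolve_target("windowsupdate.com", resolver=failing_resolver)
    print(inspect_packet(build_syn("192.0.2.77", target, 1025)))
```

On the defensive side, the decoder is the useful half: a flood of 40-byte SYNs with a zero-length payload, spoofed sources and a fixed 20 ms cadence toward one destination is exactly what the worm's traffic looks like on the wire.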
As of this writing, Microsoft had already disabled the redirection of http://www.windowsupdate.com to the real Windows Update site, http://microsoft.windowsupdate.com. This prevents the Windows Update site from being attacked by the worm's DDoS payload.
Exploiting the RPC DCOM Buffer Overflow
This worm exploits the RPC DCOM buffer overflow (Microsoft Security Bulletin MS03-026), a vulnerability in the Remote Procedure Call (RPC) interface of the Windows Distributed Component Object Model (DCOM), to infect remote machines. The vulnerability allows an attacker to execute arbitrary code on the target machine with full (Local System) privileges, leaving it compromised.
For more information on the RPC DCOM Buffer Overflow, please visit the following Microsoft page:
- On Windows XP and 2003, when the DCOM RPC attack takes place, the Remote Procedure Call (RPC) service stops, and NT AUTHORITY\SYSTEM reboots the machine after 60 seconds (this is the failure-recovery action configured for the RPC service on XP/2003, not something the worm does itself). The machine therefore restarts whenever the RPC service is attacked. To prevent these restarts, apply the Microsoft DCOM RPC patch.
- On Windows 2000, when the DCOM RPC attack takes place, the Remote Procedure Call (RPC) service stops but the machine does NOT reboot automatically. Since many services depend on RPC, some of them will no longer work properly.
To infect vulnerable machines, this worm attempts to connect to target systems on TCP port 135. It runs 20 threads (one connection attempt each) that scan IP addresses upward from a base IP address, sending a SYN packet to port 135 of each address to find hosts that accept the connection.
It uses two methods to scan for IP addresses as follows:
- First Method
The first method uses the IP address of the infected machine as its base address, A.B.C.D. It sets D to zero and checks the value of C. If C is greater than 20, a random value less than 20 is subtracted from C; otherwise C is kept as it is.
For example, if the infected machine's IP address is 210.23.69.101, the value 69 is changed to a number from 50 to 69, because 69 is greater than 20 and the worm subtracts a random value less than 20 from it. The value 101 is changed to zero. Thus, the worm uses an address in the range 210.23.[50-69].0 as its base address.
If C is 20 or less (for instance, an address whose third octet is 15), the worm keeps C and only sets D to zero, so the base address is A.B.15.0.
- Second Method
After a batch of 20 connection attempts, the worm may instead use a second method, which generates a random base address anywhere from 0.0.0.0 to 255.255.255.0. Again 20 connection attempts are made at a time, using source ports in the range 1000 - 5000 (the exact port numbers vary), and target addresses are taken sequentially upward from the random base.
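The two target-selection methods and the sequential sweep from a base address, as an added example written for this page (not the worm's code or Trend Micro's). The random-number sources are injectable so the arithmetic can be checked deterministically; the octet bounds used for the random base are an assumption of this example, since the text does not give them.

```python
import ipaddress
import random


def local_base(infected_ip, randrange=random.randrange):
    """First method: base address derived from the infected host's own A.B.C.D.
    D is zeroed; if C is greater than 20, a random value below 20 is subtracted."""
    a, b, c, _d = (int(x) for x in infected_ip.split("."))
    if c > 20:
        c -= randrange(20)            # "a random value less than 20", i.e. 0..19
    return "%d.%d.%d.0" % (a, b, c)


def random_base(randint=random.randint):
    """Second method: a random base address. The text gives no octet bounds;
    the ones used here are an assumption of this example."""
    return "%d.%d.%d.0" % (randint(1, 254), randint(0, 253), randint(0, 253))


def scan_targets(base, count=20):
    """The `count` addresses scanned from a base, sequentially upward; each of
    them gets a SYN to TCP/135. Wraps around at the end of the address space."""
    start = int(ipaddress.IPv4Address(base))
    return [str(ipaddress.IPv4Address((start + i) % (1 << 32))) for i in range(count)]


def next_batch(infected_ip, use_local_method,
               randrange=random.randrange, randint=random.randint):
    """One batch of 20 targets, using whichever method the worm is on."""
    base = local_base(infected_ip, randrange) if use_local_method else random_base(randint)
    return base, scan_targets(base, 20)


if __name__ == "__main__":
    base, targets = next_batch("210.23.69.101", use_local_method=True)
    print(base, targets[0], "...", targets[-1])
```

The first method is why an infected host tends to hit its own /16 first: the base stays in A.B.x.0 and only the third octet moves down by at most 19, so the first victims are usually on nearby networks.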
When the overflow succeeds, the exploit code it delivers opens a command shell on TCP port 4444 of the target machine. The infecting machine connects to that shell and runs a minimal Trivial FTP server that listens on UDP port 69 of the infected machine, from which the target can fetch the worm.
Using the remote shell, the worm instructs the target machine to download a copy of MSBLAST.EXE from that TFTP server into the Windows System32 folder, which is usually C:\Windows\System32 or C:\WINNT\System32.
Finally, the worm instructs the target machine to execute the downloaded file. This begins the worm's life cycle on the newly infected machine.
The download on the target machine is performed with TFTP.EXE, the TFTP client that ships with Windows. During the download, a temporary file named TFTP* is created and is renamed to the worm's file name once the transfer completes. If the download is interrupted or fails, this renaming does not happen, so TFTP* files may be found on some infected systems.
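The infection sequence above leaves a recognisable pattern in connection logs: one source sweeping TCP/135 across consecutive addresses, then a connection to TCP/4444 on one of them, then that host connecting back to the source on UDP/69. The following is an added detection example for this page, not code from Trend Micro; the log format and the sample flows are constructed for the example.

```python
import ipaddress
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport")

# Constructed sample flows (not from the page): a host sweeping TCP/135 across
# consecutive addresses, then opening the 4444 shell on one victim, which pulls
# the worm back over TFTP; plus unrelated traffic from another host.
SAMPLE_LOG = [
    "2003-08-11T10:00:%02d 10.0.0.5 210.23.50.%d tcp/135" % (i, i) for i in range(20)
] + [
    "2003-08-11T10:00:25 10.0.0.5 210.23.50.7 tcp/4444",
    "2003-08-11T10:00:26 210.23.50.7 10.0.0.5 udp/69",
    "2003-08-11T10:00:30 10.0.0.9 192.0.2.10 tcp/80",
    "2003-08-11T10:00:31 10.0.0.9 192.0.2.10 tcp/135",
]


def parse_flows(lines):
    """One flow per line: '<timestamp> <src> <dst> <proto>/<dport>'."""
    flows = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, service = line.split()
        proto, dport = service.split("/")
        flows.append(Flow(ts, src, dst, proto, int(dport)))
    return flows


def find_scanners(flows, min_targets=10):
    """Sources that sent SYNs to TCP/135 on many distinct destinations. The
    'consecutive_pairs' count exposes the sequential sweep described above."""
    per_src = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dport == 135:
            per_src[f.src].add(int(ipaddress.IPv4Address(f.dst)))
    result = {}
    for src, addrs in per_src.items():
        if len(addrs) >= min_targets:
            s = sorted(addrs)
            result[src] = {
                "targets": len(s),
                "consecutive_pairs": sum(1 for a, b in zip(s, s[1:]) if b - a == 1),
            }
    return result


def find_infection_chains(flows):
    """Attacker -> victim on TCP/4444 followed by victim -> attacker on UDP/69:
    the shell is used to make the victim fetch MSBLAST.EXE from the attacker."""
    shell_at = {}
    for f in flows:
        if f.proto == "tcp" and f.dport == 4444:
            shell_at.setdefault((f.src, f.dst), f.ts)
    chains = []
    for f in flows:
        key = (f.dst, f.src)          # reversed: the victim is now the source
        if f.proto == "udp" and f.dport == 69 and key in shell_at and f.ts >= shell_at[key]:
            chains.append({"attacker": f.dst, "victim": f.src,
                           "shell_at": shell_at[key], "tftp_at": f.ts})
    return chains


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print(find_scanners(flows))
    print(find_infection_chains(flows))
```

The chain check is the higher-confidence signal: a lone 135 sweep can be a vulnerability scanner, but a 4444 shell followed by a TFTP pull from the same peer is the worm's delivery step, and the "attacker" in that record is itself an already-infected host that needs cleaning.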
The following text strings are visible in this worm's body:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
Analysis by: Marvin Cruz