WORM_MSBLAST.A

Malware type: Worm

Aliases: W32.Blaster.Worm, W32/Blaster-A, W32/Blaster.worm, W32/Msblast.A, Win32/Poza!Worm

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

TrendLabs has received several infection reports of this new worm, which exploits the RPC DCOM BUFFER OVERFLOW. This vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

The vulnerability affects unpatched systems running Windows NT, 2000, XP, and Server 2003. This worm, however, can only propagate into systems running Windows 2000 and XP.

This worm has been observed to continuously scan random IP addresses and send data to vulnerable systems on the network using port 135. On the following system dates, it performs a Distributed Denial Of Service attack against windowsupdate.com:

  • On the 16th to the 31st day of the following months:

    • January
    • February
    • March
    • April
    • May
    • June
    • July
    • August

  • Any day in the months of September to December.

Important: Users of affected systems are strongly advised to apply the necessary patches, which may be downloaded from the following Microsoft page:

Users are also advised to visit the following page for more information from Microsoft:

For general overview of the MSBLAST family of worms, please refer to the Virus Encyclopedia entry for WORM_MSBLAST.GEN.

For additional information about this threat, see:

Description created: Aug. 11, 2003 1:44:43 PM GMT -0800
Description updated: Feb. 3, 2004 11:09:08 PM GMT -0800


TECHNICAL DETAILS


Size of malware: 6,176 Bytes (compressed)
11,296 Bytes (decompressed)

Initial samples received on: Aug 11, 2003

Payload 1: Performs DDoS attack against windowsupdate.com

Trigger condition 1: See Technical details for complete trigger condition

Details:

Important: Since this worm exploits known security holes in Windows systems, Trend Micro strongly advises all users to apply the necessary critical patches. Failure to do so may result in reinfection. Please see the Solution section for the link to the necessary patches.

Autostart Technique and Memory-Residency Checking

Upon execution, this worm creates the following autorun registry entry so that it executes every time Windows starts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update" = MSBLAST.EXE

It creates a mutex named "BILLY", which it uses to check whether another copy is already running. If it finds that another copy is running, it simply terminates.

If no other copy is running, it continues with the rest of its routines. It sleeps at 20-second intervals and wakes to check for an Internet connection, until it is able to establish one. It also checks the infected machine's Winsock version number; it runs on Winsock versions 1.0, 1.01, and 2.02.

Distributed Denial of Service Attack

Once it secures an Internet connection, this worm checks for the current system date. On the following system dates, it launches a thread that performs a Distributed Denial Of Service attack against windowsupdate.com:

  • On the 16th to the 31st day of the following months:

    • January
    • February
    • March
    • April
    • May
    • June
    • July
    • August

  • Any day in the months of September to December.

When performing the DDoS attack, this worm constructs a specially crafted packet, around 40 bytes in size, and continuously sends it as a TCP SYN request to windowsupdate.com every 20 milliseconds.

The packet contains no data except for its TCP/IP header. It is constructed such that the worm can spoof the sender IP address.

Also, if the worm fails to resolve the name windowsupdate.com, it uses 255.255.255.255 as the destination address for the DDoS attack instead.

As of this writing, Microsoft had already disabled the redirection of http://www.windowsupdate.com to the real Windows Update site, http://microsoft.windowsupdate.com. This prevents the Windows Update site from being attacked by the worm's DDoS payload.

Exploiting the RPC DCOM Buffer Overflow

This worm exploits the RPC DCOM BUFFER OVERFLOW, a vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface, to infect remote machines. The vulnerability allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

For more information on the RPC DCOM Buffer Overflow, please visit the following Microsoft page:

Note:

  • On Windows XP and 2003, when the DCOM RPC attack takes place, the Remote Procedure Call (RPC) service stops, and NT AUTHORITY\SYSTEM reboots the machine in 60 seconds (this is a new security mechanism in XP/2003). The machine restarts whenever the RPC service is under attack. To prevent the system from restarting, apply the Microsoft DCOM RPC patch.
  • On Windows 2000, when the DCOM RPC attack takes place, the Remote Procedure Call (RPC) service stops, but the machine does NOT reboot automatically. Since many services depend on RPC, some services may not work properly.

Network Infection

To infect vulnerable machines, this worm attempts to connect to other target systems via port 135. It does this by opening 20 TCP threads or connections that scan IP addresses starting from a base IP address. It sends SYN packets to the remote IP addresses on TCP port 135, which it then uses for its attack.

It uses two methods to scan for IP addresses as follows:

  • First Method

    The first method uses the IP address of the infected machine as its base IP address, A.B.C.D. It sets D to zero and checks the value of C. If C is greater than 20, a random value less than 20 is subtracted from C. Otherwise, it retains the value of C. For example, if the infected machine's IP address is 210.23.69.101, the value 69 is changed to any number from 50 to 69, because 69 is greater than 20 and the worm subtracts a random value less than 20 from it. The value 101 is then changed to zero. Thus, the worm uses the IP address 210.23.[50-69].0 as its base IP address. Likewise, if the infected machine's IP address is 210.23.19.88, the base address will be 210.23.19.0.

  • Second Method

    However, after creating 20 threads or connection attempts, it uses another method, which generates random IP addresses. It again opens 20 random TCP listening ports, which could range from 1000 to 5000 (these port numbers vary). The IP addresses in this case are drawn sequentially, ranging from 0.0.0.0 to 255.255.255.0.

This worm also opens port 4444, which it uses for its remote shell. It then runs a minimal Trivial File Transfer Protocol (TFTP) server that listens on port 69 on the infected machine.

This worm then instructs its remote target machine, using the remote shell, to download its copy MSBLAST.EXE into the Windows System32 folder, which is usually C:\Windows\System32 or C:\WINNT\System32.

Finally, this worm instructs the target machine to execute the downloaded file. This begins another life cycle for the worm on the newly infected machine.
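As an added defender-side example (not part of the Trend Micro write-up), the following Python script scores hosts in a constructed firewall log against the propagation indicators described above: a burst of TCP/135 SYNs to many distinct destinations, a follow-up connection from the scanner to a scanned host's TCP/4444 remote shell, and the scanned host's TFTP (UDP/69) pull-back of the worm copy. The log format, field order and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample firewall log (assumed format):
# "<epoch> <src_ip> <dst_ip> <proto> <dst_port> <tcp_flags>"
SAMPLE_LOG = """\
100 10.0.0.5 10.0.3.1 TCP 135 S
100 10.0.0.5 10.0.3.2 TCP 135 S
100 10.0.0.5 10.0.3.3 TCP 135 S
101 10.0.0.5 10.0.3.4 TCP 135 S
101 10.0.0.5 10.0.3.5 TCP 135 S
102 10.0.0.5 10.0.3.4 TCP 4444 S
103 10.0.3.4 10.0.0.5 UDP 69 -
150 10.0.0.9 10.0.0.1 TCP 80 S
151 10.0.0.9 10.0.0.1 TCP 443 S
"""

def parse_line(line):
    ts, src, dst, proto, port, flags = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "proto": proto,
            "port": int(port), "flags": flags}

def detect_msblast(log_text, syn_threshold=5, window=10):
    """Return {scanner_ip: sorted indicator names} for hosts whose traffic
    matches the MSBLAST propagation pattern (thresholds are assumptions)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    syns = defaultdict(list)  # scanner -> [(ts, dst)] for SYNs to TCP/135
    for e in events:
        if e["proto"] == "TCP" and e["port"] == 135 and "S" in e["flags"]:
            syns[e["src"]].append((e["ts"], e["dst"]))
    findings = defaultdict(set)
    for src, hits in syns.items():
        hits.sort()
        # Indicator 1: a sliding time window holds >= syn_threshold distinct targets
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= window}
            if len(targets) >= syn_threshold:
                findings[src].add("tcp135-scan")
                break
        scanned = {d for _, d in hits}
        for e in events:
            # Indicator 2: scanner connects to a scanned host's TCP/4444 shell
            if e["src"] == src and e["dst"] in scanned and e["proto"] == "TCP" and e["port"] == 4444:
                findings[src].add("shell-4444")
            # Indicator 3: a scanned host fetches the worm back over TFTP (UDP/69)
            if e["dst"] == src and e["src"] in scanned and e["proto"] == "UDP" and e["port"] == 69:
                findings[src].add("tftp-pullback")
    return {src: sorted(f) for src, f in findings.items()}

if __name__ == "__main__":
    for host, reasons in detect_msblast(SAMPLE_LOG).items():
        print(host, reasons)
```

A single indicator is weak on its own (port-135 scans have other causes); the combination of all three on one source host is what makes the alert high-confidence.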

Other Details

The worm uses TFTP.EXE to download its copy onto a target machine. During this download routine, a temporary file named TFTP* is created, which takes the name of the worm file once the download completes. This renaming does not happen when the download is interrupted or incomplete, so TFTP* files may be found on some infected systems as a result of this failed routine.

The following text strings are visible in this worm's body:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

Analysis by: Marvin Cruz

Revision History:

First pattern file version: 676
First pattern file release date: Aug 11, 2003

SOLUTION


Minimum scan engine version needed: 5.600

Pattern file needed: 2.530.00

Pattern release date: Apr 3, 2005


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Important: To fully protect systems against this security threat, users are advised to apply the critical patches before performing the Removal Instructions. The importance of applying these patches cannot be overstated, and they should be deployed across the entire network. Failure to apply the specified patches may leave systems open to remote attacks. Additionally, cleaning a system without first installing the patches may result in immediate reinfection or system instability.

Applying Patches

  1. Apply the patches issued by Microsoft from the following page:
  2. TrendLabs also asks users to filter access to port 135, allowing only trusted and internal hosts.

RPC DCOM Buffer Overflow Vulnerability Scanning Tool

TrendLabs advises users to download the scanning tool released by Microsoft that can identify host machines in their network that do not have the MS03-026 security patch installed.

This Microsoft Scanning Tool is available for download at: http://support.microsoft.com?kbid=826369.

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use the Trend Micro System Cleaner.

MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

This procedure terminates the running malware process from memory.

  1. Open Windows Task Manager: press CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs, locate the process:
    MSBLAST.EXE
  3. Select the malware process, then press the End Process button.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

  1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    "windows auto update" = MSBLAST.EXE
  4. Close Registry Editor.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_MSBLAST.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

For corporate product specific solutions, refer to Solution 15888 of Trend Micro's Knowledge Base.

For Pc-cillin and Housecall users refer to Solution 15904 of Trend Micro's Knowledge Base.
