Blaster worm updates


Looks like a worm based on the recent Windows RPC exploit is slowly infecting the Windows hosts on the net. In the past hour there has been a lot of traffic and random machine reboots (even on machines that are not directly connected to the net but sit inside a LAN, a sure sign of a worm).

If you are a sysadmin, please block ports 135/139/445 and 4444 (the worm executes commands remotely via 4444) at your router.

I suspect it won't take down the net like Slammer did, but it will cause a lot of frustration to Windows users.


Updates (last update: Sun Aug 17 14:19:00 EDT 2003)
- A new variant of the worm called "Nachi" is doing its rounds today. It seems to be flooding a lot of networks with ping (ICMP) packets. More info here. This worm exploits the same RPC vulnerability.
- windowsupdate.microsoft.com, the URL actually used by Windows Update, is up and running; windowsupdate.com, the URL the worm was supposed to attack, has been removed from DNS.
- Even though the attack on Microsoft has been disabled, the worm continues to spread slowly.

[updated: Sat Aug 16 09:25:10 EDT 2003]
- So far none of the infected machines have started a DDoS attack. Looks like Microsoft's move paid off.
- Microsoft removed the DNS entry for windowsupdate.com, so the infected machines, which are designed to attack that site from Aug 16th, will fail to resolve it.

[updated: Wed Aug 13 16:40:47 EDT 2003]
- Many offices were shut down around the globe because of this worm. Reports here and here.
- Looks like there are many variants of the worm going around. A few of them just make your Windows machine act weird.
- A worm removal tool is available. You can get it from here or here.

- Nice summary by Symantec here.
- McAfee, Symantec and other anti-virus companies have issued alerts and updates. Don't bother with them. Just install the MS patch, remove the file (and the Run key it adds) and you are done.
- To fix the RPC bug on your machine, install this Microsoft patch: http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
- It's officially called the "MSBLASTER" worm.
- The scanning algorithm of the worm seems to be weak and pretty inefficient.
- Removing the file msblast.exe stops your machine from rebooting, but until the patch is applied it can easily be infected again.
- The worm seems to fire off several concurrent TCP 135 scan threads.
- The worm survives a reboot, so it has to be removed manually.
- Most people are getting the following error on their Windows machines: "Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly. NT AUTHORITY\SYSTEM has initiated the shutdown since the RPC service terminated unexpectedly."
- This worm might SYN-flood windowsupdate.com on the 16th.
- A lot of people are complaining about their machines rebooting randomly. Watch out, 'cause you are next ;)
- Apparently it's also named the BILLY worm.
- Once it finds a vulnerable system, it spawns a shell (on TCP 4444) and uses it to make the victim download the actual worm via TFTP.
- The name of the binary is msblast.exe.

So far it exhibits the following properties:

- Scans sequentially for machines with open port 135, starting at a presumably random IP address
- Uses multiple TFTP servers to pull the binary
- Adds a registry key to start itself after reboot (reg key: SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name: 'windows auto update')
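The three properties above (sequential TCP/135 sweeps, a command shell on TCP 4444, and a TFTP pull of the binary back from the infector) are easy to spot in connection logs. The script below is an added example, not code from the original post: it runs over a constructed, space-separated "src dst proto dport" log, flags any source whose port-135 targets include a run of consecutive addresses, and then lists the 4444 shells that source opened and the TFTP (UDP 69) requests that came back to it. The log format and the run-length threshold are assumptions for illustration, not values taken from the worm.

```python
"""Flag Blaster-style scanners in a simple connection log.

Added example, not part of the original post. The log format
("src dst proto dport" per line) and MIN_RUN are assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log. 10.0.0.5 walks 10.0.1.1-10.0.1.8 on TCP 135,
# opens the shell on 10.0.1.8:4444, and the victim pulls the binary back
# over TFTP (UDP 69) to the infector. 10.0.0.7 touches 135 twice but on
# unrelated addresses, so it should not be flagged.
SAMPLE_LOG = """\
10.0.0.5 10.0.1.1 tcp 135
10.0.0.5 10.0.1.2 tcp 135
10.0.0.5 10.0.1.3 tcp 135
10.0.0.5 10.0.1.4 tcp 135
10.0.0.5 10.0.1.5 tcp 135
10.0.0.5 10.0.1.6 tcp 135
10.0.0.5 10.0.1.7 tcp 135
10.0.0.5 10.0.1.8 tcp 135
10.0.0.5 10.0.1.8 tcp 4444
10.0.1.8 10.0.0.5 udp 69
10.0.0.7 10.0.9.1 tcp 135
10.0.0.7 10.0.2.20 tcp 135
10.0.0.7 10.0.3.30 tcp 80
10.0.0.9 10.0.0.1 tcp 445
"""

MIN_RUN = 5  # assumed threshold: consecutive /32s on port 135 before we flag a source


def parse_log(text):
    """Parse 'src dst proto dport' lines into (src, dst, proto, dport) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        src, dst, proto, dport = parts
        records.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                        proto.lower(), int(dport)))
    return records


def longest_sequential_run(addrs):
    """Length of the longest run of numerically consecutive addresses in addrs."""
    ints = sorted({int(a) for a in addrs})
    best = run = 1 if ints else 0
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_scanners(records, min_run=MIN_RUN):
    """Return {scanner_ip: details} for sources sweeping consecutive hosts on TCP 135.

    details = targets (distinct 135 targets), run (longest consecutive run),
    shell_to (hosts it reached on TCP 4444), tftp_pulls_from (hosts that
    fetched from it over UDP 69, as the worm's 'tftp -i %s GET %s' does).
    """
    targets_135 = defaultdict(set)
    for src, dst, proto, dport in records:
        if proto == "tcp" and dport == 135:
            targets_135[src].add(dst)

    findings = {}
    for src, dsts in targets_135.items():
        run = longest_sequential_run(dsts)
        if run < min_run:
            continue
        shell_to = sorted(str(d) for s, d, p, dp in records
                          if s == src and p == "tcp" and dp == 4444)
        tftp_from = sorted(str(s) for s, d, p, dp in records
                           if d == src and p == "udp" and dp == 69)
        findings[str(src)] = {"targets": len(dsts), "run": run,
                              "shell_to": shell_to, "tftp_pulls_from": tftp_from}
    return findings


if __name__ == "__main__":
    for ip, info in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Because the worm runs several scan threads at once, the 135 connections from one host interleave; sorting the distinct targets before measuring the run handles that. A sequential sweep with a shell on 4444 and a TFTP pull back to the same host is the full infection chain, which is much stronger evidence than port-135 traffic alone.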

Strings of interest:
msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
windowsupdate.com
start %s
tftp -i %s GET %s
%d.%d.%d.%d
%i.%i.%i.%i
BILLY
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
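The string list above doubles as a set of file indicators. The script below is an added example, not code from the original post: it searches a byte buffer for each listed string (as ASCII and, since Windows binaries often carry wide strings, also as UTF-16LE) and reports the offsets. The sample buffers are constructed so it runs offline, and the "at least three indicators" rule is an assumption chosen so a text file that merely mentions msblast.exe is not flagged.

```python
"""Check a file image for the Blaster strings listed on this page.

Added example, not part of the original post. The indicator list is the
page's own; the sample buffers and the MIN_HITS threshold are assumptions.
"""

IOC_STRINGS = [
    "msblast.exe",
    "I just want to say LOVE YOU SAN!!",
    "billy gates why do you make this possible ? Stop making money and fix your software!!",
    "windowsupdate.com",
    "start %s",
    "tftp -i %s GET %s",
    "%d.%d.%d.%d",
    "%i.%i.%i.%i",
    "BILLY",
    "windows auto update",
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
]

MIN_HITS = 3  # assumed: how many distinct indicators before we call the file suspicious


def find_iocs(data: bytes) -> dict:
    """Return {indicator: [offsets]} for every listed string present in data.

    Each indicator is searched both as ASCII and as UTF-16LE (the encoding
    Windows uses for wide strings); all non-overlapping-or-not offsets are kept.
    """
    hits = {}
    for s in IOC_STRINGS:
        for enc in ("ascii", "utf-16-le"):
            needle = s.encode(enc)
            start = 0
            while (pos := data.find(needle, start)) != -1:
                hits.setdefault(s, []).append(pos)
                start = pos + 1
    return hits


def looks_like_msblast(data: bytes, min_hits: int = MIN_HITS) -> bool:
    """True when at least min_hits distinct indicators appear in data."""
    return len(find_iocs(data)) >= min_hits


def scan_file(path: str) -> dict:
    """Convenience wrapper: read a file from disk and return its indicator hits."""
    with open(path, "rb") as fh:
        return find_iocs(fh.read())


# Constructed samples (not real worm bytes): padding with three indicators
# embedded, and a harmless text file that only names the binary.
SAMPLE_INFECTED = (b"\x00" * 16 + b"tftp -i %s GET %s\x00"
                   + b"windows auto update\x00" + b"msblast.exe\x00" + b"\xff" * 8)
SAMPLE_CLEAN = b"This text file merely mentions msblast.exe in passing.\n"


if __name__ == "__main__":
    for name, buf in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, looks_like_msblast(buf), find_iocs(buf))
```

Note that this only catches the strings as they appear in the list; a variant that repacks or re-encodes them (the page mentions several variants already circulating) will need its own indicators, which is why the patch, not the signature, is the real fix.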

Copyright ©1980-2003 Kalyan Varma. All Rights Reserved