MS Blast worm
ms-blast-worm (12866)
Description:
The MS Blast Worm, also known as W32/Lovsan.worm, Lovsan, W32.Blaster.Worm, and Blaster, propagates by exploiting a buffer overflow vulnerability in the Distributed Component Object Model (DCOM) interface of the Microsoft Windows RPC (Remote Procedure Call) service. The worm also carries a Denial of Service (DoS) payload against windowsupdate.com, which it launches if the system date is later than August 15th, 2003 and prior to December 31st, 2003.
The worm scans sequentially for systems with TCP port 135 open and uses a TFTP server to pull its binary onto each newly infected host. To restart itself on reboot, the worm adds a "windows auto update" entry containing the value "msblast.exe" under the "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" registry key. The worm also opens a listener on TCP port 4444, which could allow an attacker to execute commands on the infected system.
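The propagation pattern described above (a single source walking consecutive addresses on TCP/135, followed by shell traffic on TCP/4444 and a TFTP fetch) is visible in perimeter logs. The following Python is an added detection example written for this page; it is not code from the X-Force record or from any of the referenced vendors. It assumes a constructed one-connection-per-line firewall log format (epoch timestamp, action, protocol, source, destination), assumes TFTP on its standard UDP port 69, and embeds a few constructed log lines so it runs offline.

```python
# Added detection example (not part of the X-Force record).
# Flags sources whose TCP/135 targets form a run of consecutive addresses,
# then correlates each flagged source with the follow-up traffic the record
# describes: the source reaching a victim on TCP/4444, or the victim pulling
# the binary from the source over TFTP (assumed standard port UDP/69).
import ipaddress
import re
from collections import defaultdict

# Assumed log format: "<epoch> <ALLOW|DENY> <TCP|UDP> <src>:<sport> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log (addresses and times are made up for the example).
SAMPLE_LOG = [
    # 10.0.0.5 walks 192.168.1.20 .. 192.168.1.27 on TCP/135, one host per second
    *(f"{1060000000 + i} ALLOW TCP 10.0.0.5:1{100 + i} 192.168.1.{20 + i}:135"
      for i in range(8)),
    # the scanner then reaches the host at .23 on TCP/4444, and .23 fetches via TFTP
    "1060000010 ALLOW TCP 10.0.0.5:1200 192.168.1.23:4444",
    "1060000011 ALLOW UDP 192.168.1.23:1032 10.0.0.5:69",
    # 10.0.0.9 is an admin workstation touching 135 on three unrelated hosts
    "1060000020 ALLOW TCP 10.0.0.9:2001 192.168.1.40:135",
    "1060000021 ALLOW TCP 10.0.0.9:2002 192.168.1.77:135",
    "1060000022 ALLOW TCP 10.0.0.9:2003 192.168.1.12:135",
    # ordinary web traffic
    "1060000030 ALLOW TCP 10.0.0.9:2004 192.168.1.50:443",
]


def parse(lines):
    """Parse log lines into event dicts; lines not in the assumed format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": int(d["ts"]),
            "proto": d["proto"],
            "src": d["src"],
            "dst": ipaddress.IPv4Address(d["dst"]),
            "dport": int(d["dport"]),
        })
    return events


def sequential_scanners(events, port=135, min_run=5):
    """Return {src: longest_run} for sources whose distinct TCP/<port> targets,
    taken in order of first contact, contain a run of at least min_run
    consecutive IPv4 addresses (the worm's sequential sweep)."""
    targets = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["proto"] == "TCP" and e["dport"] == port and e["dst"] not in targets[e["src"]]:
            targets[e["src"]].append(e["dst"])
    hits = {}
    for src, dsts in targets.items():
        run = best = 1
        for prev, cur in zip(dsts, dsts[1:]):
            run = run + 1 if int(cur) == int(prev) + 1 else 1
            best = max(best, run)
        if best >= min_run:
            hits[src] = best
    return hits


def followup_activity(events, scanners, shell_port=4444, tftp_port=69):
    """For each flagged scanner, list hosts that show the documented follow-up:
    the scanner connecting to them on TCP/4444, or them fetching from the
    scanner over UDP/69 (TFTP). Returns {scanner: [victim, ...]}."""
    found = defaultdict(set)
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == shell_port and e["src"] in scanners:
            found[e["src"]].add(str(e["dst"]))
        if e["proto"] == "UDP" and e["dport"] == tftp_port and str(e["dst"]) in scanners:
            found[str(e["dst"])].add(e["src"])
    return {k: sorted(v) for k, v in found.items()}


def analyze(lines=SAMPLE_LOG):
    """Run both checks over a log and return (scanners, followups)."""
    events = parse(lines)
    scanners = sequential_scanners(events)
    return scanners, followup_activity(events, scanners)


if __name__ == "__main__":
    scanners, followups = analyze()
    for src, run in scanners.items():
        print(f"{src}: {run} consecutive hosts on TCP/135; follow-up with {followups.get(src, [])}")
```

The consecutive-address test is what separates the worm's sweep from an administrator or inventory tool that legitimately touches port 135 on a handful of unrelated hosts; the follow-up correlation then points at hosts that most likely accepted the payload and should be isolated and patched first.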
Platforms Affected:
- Microsoft, Windows 2000
- Microsoft, Windows 2003 Server
- Microsoft, Windows NT 4.0 Terminal Server
- Microsoft, Windows NT 4.0
- Microsoft, Windows XP
Remedy:
For Microsoft Windows 2000:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS06-018. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS03-026, but it was superseded by the patches released with MS03-039, MS04-012, and MS05-051, which were in turn superseded by the patch released with MS06-018.
For Windows XP and Windows Server 2003:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-051. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS03-026, but it was superseded by the patches released with MS03-039, MS04-012, and MS05-012, which were in turn superseded by the patch released with MS05-051.
For Microsoft Windows NT 4.0:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS04-029. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS03-026, but it was superseded by the patches released with MS03-039 and MS04-012, which were in turn superseded by the patch released with MS04-029.
Consequences:
Gain Access
References:
- BugTraq Mailing List, Mon Aug 11 2003 - 15:49:37 CDT, New Windows DCOM Worm - msblast.exe (fwd) at http://archives.neohapsis.com/archives/bugtraq/2003-08/0118.html.
- BugTraq Mailing List, Mon Aug 11 2003 - 16:36:24 CDT, DCOM worm analysis report: W32.Blaster.Worm at http://archives.neohapsis.com/archives/bugtraq/2003-08/0119.html.
- BugTraq Mailing List, Thu Aug 14 2003 - 15:44:17 CDT, Analysis/decompilation of main() of the msblast worm at http://archives.neohapsis.com/archives/bugtraq/2003-08/0160.html.
- CERT Advisory CA-2003-20, W32/Blaster worm at http://www.cert.org/advisories/CA-2003-20.html.
- CIAC Information Bulletin N-133, Blaster Worm (aka: W32.Blaster, MSBlast, Lovsan, Win32.Poza) at http://www.ciac.org/ciac/bulletins/n-133.shtml.
- Cisco Security Notice 44522, W32.BLASTER Worm Mitigation Recommendations at http://www.cisco.com/warp/public/707/cisco-sn-20030814-blaster.shtml.
- DeepSight Threat Management System Threat Alert, MS DCOM RPC Worm at https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf.
- McAfee Security Virus Profile, W32/Lovsan.worm at http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547.
- Microsoft Knowledge Base Article 823980, Buffer Overrun in RPC Interface May Allow Code Execution at http://support.microsoft.com/?kbid=823980.
- Microsoft Security Bulletin MS03-026, Buffer Overrun In RPC Interface Could Allow Code Execution (823980) at http://www.microsoft.com/technet/security/bulletin/ms03-026.mspx.
- Microsoft Security Bulletin MS03-039, Buffer Overrun In RPCSS Service Could Allow Code Execution (824146) at http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx.
- Microsoft Security Bulletin MS04-012, Cumulative Update for Microsoft RPC/DCOM (828741) at http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx.
- Microsoft Security Bulletin MS04-029, Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service (873350) at http://www.microsoft.com/technet/security/bulletin/ms04-029.mspx.
- Microsoft Security Bulletin MS05-012, Vulnerability in OLE and COM Could Allow Remote Code Execution (873333) at http://www.microsoft.com/technet/security/bulletin/MS05-012.mspx.
- Microsoft Security Bulletin MS05-051, Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400) at http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx.
- Microsoft Security Bulletin MS06-018, Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580) at http://www.microsoft.com/technet/security/Bulletin/MS06-018.mspx.
- Sun Alert ID: 56780, Recent Mass Mailing of "Worms" or Mail Viruses May Cause Network and Application Performance Degradation at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56780&zone_32=category%3Asecurity.
- Trend Micro Virus Encyclopedia, WORM_MSBLAST.A at http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A.
Reported:
Aug 11, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
