
W32.Blaster.Worm (Worm/Lovsan.A) is only able to infect Windows NT/2000/XP systems.

Computer Virus Outbreak News

So is your computer infected?

Right-click on the taskbar and select 'Task Manager'. Click on the 'Processes' tab. If you find a process called msblast.exe, your system is infected.

How to remove it?

Delete the worm's executable file, msblast.exe. Its process must be stopped first (use the Task Manager). Then remove the registry key created by the worm.

Alternatively, use the Symantec W32.Blaster.Worm Removal Tool [ NA-FixBlast.exe ] to remove it.

How to prevent catching it?

Read this - Microsoft Security Bulletin MS03-026

Download locations for this patch from Microsoft:

How does it spread?

From an infected system, the worm generates a random IP address and attempts to find and exploit other computers. It exploits the DCOM RPC vulnerability of the target system over TCP port 135. The worm then attempts to download the msblast.exe file to the %WinDir%\system32 directory and execute it.

If successful, it copies itself into the \windows\%system% directory under the filename "msblast.exe". Worm/Lovsan.A downloads and runs the file msblast.exe using the Trivial File Transfer Protocol (TFTP). The system is then restarted after 60 seconds due to the RPC error.

So that it runs each time the user restarts the computer, the following registry value is added:

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update"="msblast.exe"
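The following is an added example, not code from the original page, that turns the two host indicators described above (a running msblast.exe process and the "windows auto update" value under the Run key) into a check a responder can run. The functions take the text output of `tasklist /FO CSV` and `reg query`, so they run offline on the constructed samples below and, on a Windows host, on the real command output. The clean-up commands it produces follow the order the page gives (stop the process, delete the file, remove the registry value) and are returned as strings rather than executed; the sample output and the `%WinDir%` path are assumptions for the example.

```python
# Added example (not from the original page): host-side check for the Blaster
# indicators described above. Runs offline on constructed sample output and,
# on Windows, on the real output of `tasklist /FO CSV` and `reg query`.
from __future__ import annotations
import csv
import io
import platform
import re
import subprocess

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_IMAGE = "msblast.exe"
WORM_VALUE_NAME = "windows auto update"
WORM_PATH = r"%WinDir%\system32\msblast.exe"   # assumed location, per the text


def find_worm_processes(tasklist_csv: str) -> list[int]:
    """Return the PID of every process whose image name is msblast.exe."""
    rows = csv.DictReader(io.StringIO(tasklist_csv))
    return [int(r["PID"]) for r in rows if r["Image Name"].lower() == WORM_IMAGE]


def find_worm_run_values(reg_query_output: str) -> list[tuple[str, str]]:
    """Return (name, data) for Run values that use the worm's value name or
    point at msblast.exe. `reg query` prints each value indented as
    '<name>    REG_SZ    <data>'."""
    hits = []
    for line in reg_query_output.splitlines():
        m = re.match(r"^\s+(.+?)\s{2,}REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if name.lower() == WORM_VALUE_NAME or WORM_IMAGE in data.lower():
            hits.append((name, data))
    return hits


def removal_commands(pids: list[int], values: list[tuple[str, str]]) -> list[str]:
    """Build the clean-up steps in the order the text requires: stop the
    process first, then delete the file, then remove the persistence value.
    The commands are returned, not executed."""
    cmds = [f"taskkill /PID {pid} /F" for pid in pids]
    if pids or values:
        cmds.append(f'del "{WORM_PATH}"')
    cmds += [f'reg delete "{RUN_KEY}" /v "{name}" /f' for name, _ in values]
    return cmds


def check_host(tasklist_csv: str, reg_query_output: str) -> dict:
    """Combine both indicators into one verdict plus the matching clean-up."""
    pids = find_worm_processes(tasklist_csv)
    values = find_worm_run_values(reg_query_output)
    return {"infected": bool(pids or values), "pids": pids,
            "run_values": values, "removal": removal_commands(pids, values)}


# Constructed sample output for one infected host; not captured from a real machine.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"explorer.exe","1180","Console","0","12,344 K"
"msblast.exe","1432","Console","0","6,748 K"
'''
SAMPLE_REG = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    windows auto update    REG_SZ    msblast.exe
'''

if __name__ == "__main__":
    if platform.system() == "Windows":
        tl = subprocess.run(["tasklist", "/FO", "CSV"],
                            capture_output=True, text=True).stdout
        rq = subprocess.run(["reg", "query", RUN_KEY],
                            capture_output=True, text=True).stdout
    else:
        tl, rq = SAMPLE_TASKLIST, SAMPLE_REG
    print(check_host(tl, rq))
```

On the constructed sample the check reports PID 1432 and the "windows auto update" value, and the generated clean-up list starts with `taskkill` and ends with the `reg delete` of that value. On a live host, run it from an elevated prompt so that `tasklist` can see every session.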

What does it do to the infected system?

The infected system then runs the worm to infect further systems.

Utilizes Cmd.exe to create a hidden remote shell process that will listen on TCP port 4444, allowing an attacker to issue remote commands on the infected system.

Listens on UDP port 69. When the worm receives a request from a computer it was able to connect to using the DCOM RPC exploit, it will send that computer msblast.exe and tell it to execute the worm.

The worm, packed with the run-time compression program UPX, attempts to connect over port 135. It spreads by randomly scanning a given range of IP addresses on TCP port 135 for other vulnerable systems. The following ASCII text is visible in the file: "I just want to say LOVE YOU SAN!! billy gates why DO you make this possible? Stop making money and fixed your software!!" On the 16th and 31st of the months January, February, March, April, May, June, July and August it launches a Distributed Denial of Service (DDoS) attack on windowsupdate.com. Likewise, it launches such an attack every day in the months September, October, November and December.
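As an added example, not part of the original page, the following script turns the network behaviour described above into detection logic that runs over firewall log lines: one source sweeping many destinations on TCP 135 inside a short window (the random scanning), any traffic to TCP 4444 (the remote shell) or UDP 69 (the TFTP transfer of msblast.exe), and a calendar check for the DDoS dates the page lists. The log format, field names, window and threshold are assumptions for the example; the sample lines are constructed, not captured traffic.

```python
# Added example (not code from the original page): network-side detection of the
# Blaster behaviours described above. The firewall log format, the field names
# and the scan threshold are assumptions made for this example.
from __future__ import annotations
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import date, datetime, timedelta
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    proto: str
    dport: int
    action: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed 'key=value' firewall format; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                                m["proto"].upper(), int(m["dport"]), m["action"]))
    return events


def detect_port135_scanners(events: list[Event], window_s: int = 60,
                            min_targets: int = 20) -> dict[str, int]:
    """Return {src: peak number of distinct TCP/135 destinations seen inside any
    window_s-second window} for sources that reach min_targets. Normal RPC use
    hits a handful of servers repeatedly; the worm hits many addresses once."""
    by_src: dict[str, list[Event]] = defaultdict(list)
    for ev in events:
        if ev.proto == "TCP" and ev.dport == 135:
            by_src[ev.src].append(ev)
    scanners = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        window: deque[Event] = deque()   # events inside the sliding window
        in_window: Counter = Counter()   # distinct destinations in that window
        peak = 0
        for ev in evs:
            window.append(ev)
            in_window[ev.dst] += 1
            while (ev.ts - window[0].ts).total_seconds() > window_s:
                old = window.popleft()
                in_window[old.dst] -= 1
                if in_window[old.dst] == 0:
                    del in_window[old.dst]
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            scanners[src] = peak
    return scanners


def find_backdoor_traffic(events: list[Event]) -> list[str]:
    """Flag the two post-infection ports the text names: TCP/4444 (remote shell)
    and UDP/69 (TFTP fetch of msblast.exe from the infecting host)."""
    return [f"{ev.src} -> {ev.dst} {ev.proto}/{ev.dport}" for ev in events
            if (ev.proto, ev.dport) in {("TCP", 4444), ("UDP", 69)}]


def ddos_trigger_day(d: date) -> bool:
    """Days on which the text says an infected host floods windowsupdate.com:
    the 16th and 31st from January to August, and every day from September on."""
    return d.month >= 9 or d.day in (16, 31)


# Constructed sample: one host sweeping 25 addresses on TCP/135 in under half a
# minute, a workstation making three normal RPC connections to one server, and
# a shell/TFTP exchange with a freshly exploited host. Not real traffic.
_t0 = datetime(2003, 8, 12, 10, 0, 0)
SAMPLE_LOG = "\n".join(
    [f"{(_t0 + timedelta(seconds=i)).isoformat()} src=10.0.0.5 dst=10.0.3.{i + 1} "
     f"proto=TCP dport=135 action=deny" for i in range(25)]
    + [f"{(_t0 + timedelta(minutes=m)).isoformat()} src=10.0.0.9 dst=10.0.0.1 "
       f"proto=TCP dport=135 action=allow" for m in range(3)]
    + [f"{(_t0 + timedelta(seconds=40)).isoformat()} src=10.0.0.5 dst=10.0.3.7 "
       "proto=TCP dport=4444 action=allow",
       f"{(_t0 + timedelta(seconds=41)).isoformat()} src=10.0.3.7 dst=10.0.0.5 "
       "proto=UDP dport=69 action=allow"])

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("scanners:", detect_port135_scanners(evs))
    print("backdoor traffic:", find_backdoor_traffic(evs))
    print("DDoS day 2003-08-16?", ddos_trigger_day(date(2003, 8, 16)))
```

The sliding-window count separates the worm's one-touch sweep from legitimate RPC clients, which reconnect to the same few servers; the threshold of 20 distinct targets per minute is an assumption and should be tuned to the network. The port check is deliberately narrow to the two ports the page names, so it complements rather than replaces a block-inbound-135 firewall rule.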

NOTES:  While W32.Blaster.Worm cannot spread to Windows NT or Windows 2003 Server, unpatched computers running these operating systems may crash as the result of attempts by the worm to exploit them. However, if the worm is manually placed and executed on a computer that is running these operating systems, it can run and spread.

Windows 9x/ME systems are not affected. However, if you manually place the file msblast.exe on such a system and execute it, it is also able to spread and infect other systems.

---

Additional notes on W32/Nachi.worm

How it works - Like MSBlast, Nachi does not arrive via email but via Internet port 135. And, like MSBlast, it attacks Windows 2000 and Windows XP machines that do not have the DCOM RPC patch from Microsoft installed. When it attacks, the unpatched machine may crash, whether or not the machine has previously been infected with MSBlast.


Nachi installs two files in the Windows subdirectory WinNT\system32:

  • C:\winnt\system32\wins\dllhost.exe (10,240 bytes) (Be aware that a legitimate system file named dllhost.exe also exists. The legitimate file is typically only 5-6KB.)
  • C:\winnt\system32\wins\svchost.exe or tftpd.exe

The tftpd.exe file is a Trivial File Transfer Protocol server used to download and install the DCOM RPC patches.

Additionally, Nachi uses the WebDav buffer-overflow flaw to spread to other Windows NT 4.0, 2000, and XP machines, but, ironically, it does not bother to patch this vulnerability.

Prevention - If you haven't already installed the DCOM RPC patch from Microsoft, do so now. Additionally, if you do not have a desktop firewall installed, you should consider installing one to avoid infection by either MSBlast or Nachi.
