AU-2003.011 -- AusCERT Update - Worm (MSBLASTER) propagation for recent Microsoft RPC vulnerability
18 August 2003
-----BEGIN PGP SIGNED MESSAGE-----

AusCERT Update
AU-2003.011 - Worm (MSBLASTER) propagation for recent Microsoft RPC vulnerability
12 August 2003

First released 12 August 2003
Revised 18 August 2003

AusCERT has received reports of the propagation of a new worm. This worm exploits the Microsoft Windows DCOM RPC vulnerability announced July 16, 2003. Details of the original can be obtained via  and  (see the REFERENCES below).

The new worm propagates by first gaining access to the target machine via TCP port 135. After infection, the machine downloads the viral binary, msblast.exe, and begins scanning for vulnerable targets to repeat the process. Additionally, an infected machine will listen for tftp connections from other infected hosts and provide a hidden backdoor process for remote command connections.

On or after August 15, the infected machine will attempt to conduct a DoS (denial of service) attack against Microsoft's "Windows Update" site. Due to the combined impact of this DoS attack and increased, legitimate attempts to contact http://www.windowsupdate.com, network administrators should be aware that the outbound connections generated at this time have the potential to cause local network congestion.

If your machine is not currently infected, the patch available at  should be applied and network filtering applied at both the network perimeter and on vulnerable hosts (where possible) as follows:

Block all unnecessary traffic for the following ports (as per ,  and ):

  * 135/TCP
  * 135/UDP
  * 139/TCP
  * 139/UDP
  * 445/TCP
  * 445/UDP
  * 593/TCP

An infected machine may also listen on the following ports, which at a minimum should also be blocked for inbound and, for 69/UDP, outbound connections:

  * 69/UDP
  * 4444/TCP

A default network policy of denying inbound network connections to ports on which no service should be available can prevent other connections to machines infected with this or possible future variants of this worm.
If your machine becomes infected:

  o Disconnect the machine from any network
  o Apply the patch 
  o Remove the worm , either manually or with a tool
  o Ensure that anti-virus software is up to date
  o Ensure that your firewall is enabled or install a personal firewall

If your machine is infected, the worm may shut down your computer and prevent you from downloading the patch. In many cases, one or more of these steps may help:

  o enable the Internet Connection Firewall (ICF) on Windows XP, or install a personal firewall such as Kerio, Tiny or ZoneAlarm - see  for help enabling ICF or for links to personal firewall vendors.
  o change the settings for the RPC service, detailed in  under the "Important Notes" section.

This worm also has the aliases W32.Blaster.Worm (Symantec), W32/Lovsan.worm (McAfee), WORM_MSBLAST.A (Trend Micro), Win32.Posa.Worm (CA), Lovsan (F-Secure), MSBLASTER and Win32.Poza. See the REFERENCES ( to ) or contact your anti-virus vendor for a detailed description of this worm.
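The filtering list above and the infection sequence the advisory describes (inbound 135/TCP exploit, 4444/TCP backdoor, tftp fetch of msblast.exe over 69/UDP, then outbound scanning of port 135) lend themselves to a simple perimeter-log check. The following Python is an added example and is not part of the AusCERT advisory or any vendor tool. It assumes a constructed log format (`<timestamp> <src_ip> <dst_ip> <proto> <dst_port> <direction>`, with direction relative to the monitored hosts) and reads the first port list as "block in both directions"; the sample traffic uses documentation addresses and is constructed for illustration.

```python
"""Perimeter-filter check and traffic-pattern detector for the MSBLASTER
worm behaviour described in AU-2003.011.

Added example, not part of the AusCERT advisory. The log format is a
constructed one: '<timestamp> <src_ip> <dst_ip> <proto> <dst_port> <direction>'
where direction is 'in' (toward a monitored host) or 'out' (from a monitored host).
"""
from collections import defaultdict

# Ports the advisory lists for blocking (RPC / NetBIOS / SMB / RPC-over-HTTP).
# Assumed reading: "block all unnecessary traffic" covers both directions.
RPC_SMB_PORTS = {("tcp", 135), ("udp", 135), ("tcp", 139), ("udp", 139),
                 ("tcp", 445), ("udp", 445), ("tcp", 593)}
# Ports an infected host listens on: blocked inbound at a minimum ...
WORM_PORTS_IN = {("udp", 69), ("tcp", 4444)}
# ... and 69/UDP (tftp) outbound as well, since that is how msblast.exe is fetched.
WORM_PORTS_OUT = {("udp", 69)}


def is_blocked(proto, port, direction):
    """Return True if the advisory's filtering policy would drop this flow."""
    key = (proto.lower(), int(port))
    if direction == "in":
        return key in RPC_SMB_PORTS or key in WORM_PORTS_IN
    if direction == "out":
        return key in RPC_SMB_PORTS or key in WORM_PORTS_OUT
    raise ValueError(f"unknown direction: {direction!r}")


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, src, dst, proto, dport, direction = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(),
            "dport": int(dport), "dir": direction}


def blocked_events(log_text):
    """Return the log records the recommended filters would have dropped."""
    records = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [r for r in records if is_blocked(r["proto"], r["dport"], r["dir"])]


def find_infection_indicators(log_text, scan_threshold=3):
    """Correlate, per monitored host, the stages the advisory describes:
    inbound 135/TCP (exploit), inbound 4444/TCP (backdoor), outbound 69/UDP
    (tftp fetch of msblast.exe) and a fan-out of outbound 135/TCP connections
    to distinct targets (scanning). A host is reported when a post-exploitation
    indicator (4444 in or 69 out) coincides with scanning of at least
    `scan_threshold` distinct targets."""
    hosts = defaultdict(lambda: {"in_135": 0, "in_4444": 0, "out_69": 0,
                                 "scan_targets": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        flow = (r["proto"], r["dport"])
        if r["dir"] == "in":
            h = hosts[r["dst"]]
            if flow == ("tcp", 135):
                h["in_135"] += 1
            elif flow == ("tcp", 4444):
                h["in_4444"] += 1
        else:
            h = hosts[r["src"]]
            if flow == ("udp", 69):
                h["out_69"] += 1
            elif flow == ("tcp", 135):
                h["scan_targets"].add(r["dst"])
    suspects = {}
    for host, h in hosts.items():
        post_exploit = h["in_4444"] > 0 or h["out_69"] > 0
        scanning = len(h["scan_targets"]) >= scan_threshold
        if post_exploit and scanning:
            suspects[host] = dict(h, scan_targets=sorted(h["scan_targets"]))
    return suspects


# Constructed sample traffic (documentation addresses, not real captures):
# 192.0.2.10 exploits 198.51.100.5, which then fetches the binary and scans.
SAMPLE_LOG = """\
2003-08-12T10:00:01 192.0.2.10 198.51.100.5 tcp 135 in
2003-08-12T10:00:02 192.0.2.10 198.51.100.5 tcp 4444 in
2003-08-12T10:00:03 198.51.100.5 192.0.2.10 udp 69 out
2003-08-12T10:00:04 198.51.100.5 198.51.100.6 tcp 135 out
2003-08-12T10:00:05 198.51.100.5 198.51.100.7 tcp 135 out
2003-08-12T10:00:06 198.51.100.5 198.51.100.8 tcp 135 out
2003-08-12T10:05:00 198.51.100.9 203.0.113.1 tcp 80 out
"""

if __name__ == "__main__":
    dropped = len(blocked_events(SAMPLE_LOG))
    print(f"{dropped} of 7 sample flows would be dropped by the recommended filters")
    for host, indicators in find_infection_indicators(SAMPLE_LOG).items():
        print(f"likely infected: {host} -> {indicators}")
```

Requiring both a post-exploitation indicator and a scan fan-out keeps a single blocked 135/TCP probe (which any exposed host will see constantly during an outbreak) from being reported as an infection; the threshold can be lowered for a quieter internal segment.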
REFERENCES:

AL-2003.11 -- Buffer Overrun In RPC Interface Could Allow Code Execution (Q823980)
http://www.auscert.org.au/render.html?it=3260

ESB-2003.0525 -- CERT Advisory CA-2003-19 -- Exploitation of Vulnerabilities in the Microsoft RPC Interface
http://www.auscert.org.au/render.html?it=3299

AU-2003.010 -- AusCERT Update - Exploit Code Publicly Available For Recent Microsoft RPC Vulnerability
http://www.auscert.org.au/render.html?it=3291

Microsoft Security Bulletin MS03-026
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

F-Secure Virus Descriptions
http://www.datafellows.com/v-descs/msblast.shtml

Symantec Security Response - W32.Blaster.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Computer Associates Virus - Win32.Poza
http://www3.ca.com/virusinfo/virus.aspx?ID=36265

McAfee Security
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547

Trend Micro
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A

Sophos virus analysis: W32/Blaster-A
http://www.sophos.com/virusinfo/analyses/w32blastera.html

What You Should Know About the Blaster Worm
http://www.microsoft.com/security/incident/blast.asp

Regards,
The AusCERT Team

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBP0BxLSh9+71yA2DNAQFZ2AP/WtfrcwgzGflR06t8OCq+cKE/80hpPAkT
QiSFrBccbkbgz//9yQpBwC7RJyqB1mxHbb99r58SkhDNK4CpM9Daa4MPfe4jMobI
rLlczWP++V0cZqkAmRXkB0NV/TjT6Hnna2qQe6rDhRcLJZT3hsrujVt7SfsPsi0F
LrTH6gJvITs=
=7KMU
-----END PGP SIGNATURE-----