Blaster (computer worm)

W32.Blaster (also called W32.Lovsan or MSBlast) is a computer worm from 2003 that spreads by exploiting a vulnerability in the RPC interface of Microsoft Windows. It spreads exclusively on the operating systems Windows 2000, XP and Windows Server 2003, via TCP port 135.

The Distributed Computing Environment (DCE), which can be installed on a variety of operating systems, also uses RPCs over port 135. Due to a flaw in some vendors' implementations, the worm can crash the DCE service on some platforms.

The worm cannot tell whether a target has already been infected. It therefore slows its own spread, because it also causes already infected Windows computers to crash. Only after an attack has succeeded does it check whether the file msblast.exe already exists on the hard disk.

The worm was supposed to carry out a distributed denial-of-service attack on August 16, 2003 against Microsoft's update pages, which also host the patch for the vulnerability.

Variants

The worm now occurs in numerous variants; some of them combine the worm with Trojan horses.

This development poses a direct threat to system security, because the worm no longer limits itself to spreading but also prepares the systems for a future attack.

The worm now exists in six variants:

  • Variant A
  • Variant B, in which the worm file has been renamed to "penis32.exe"
  • Variant C, in which the worm file has been renamed to "teekids.exe"
  • Variant D, in combination with the Trojan BKDR_LITH.103.A, which installs a backdoor
  • Variant E, which goes by the names Nachi, Welchia and Lovsan.D, among others. This pest also searches the Internet on TCP port 135 for vulnerable Windows systems. Alternatively, the worm sends data over TCP port 80 in order to spread by exploiting the WebDAV vulnerability discovered in March 2003. Via the RPC vulnerability the worm attacks only machines running Windows XP, whereas via the WebDAV vulnerability it attacks systems running Windows 2000 and XP. It can be recognized by the massive ICMP flooding it causes in the local network.
  • Variant G
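
The two network symptoms described above, a host contacting many addresses on TCP port 135 and massive ICMP traffic in the local network, can be looked for in flow records. The following Python example is an addition to this article, not part of the original text; the record layout, the thresholds and all addresses are assumptions constructed for the illustration.

```python
from collections import defaultdict, deque

WINDOW = 60        # seconds per sliding window (assumed tuning value)
LIMITS = {"rpc-135-sweep": 20, "icmp-flood": 100}  # distinct destinations (assumed)

def classify(proto, dport):
    """Map a flow to one of the behaviours the article describes, or None."""
    if proto == "tcp" and dport == 135:
        return "rpc-135-sweep"
    if proto == "icmp":
        return "icmp-flood"
    return None

def detect(flows):
    """Return {(src, kind): peak fan-out} for sources that reach a limit.

    flows: iterable of (epoch_seconds, src, dst, proto, dport) tuples.
    Fan-out is the number of distinct destinations seen within WINDOW.
    """
    windows = defaultdict(deque)   # (src, kind) -> recent (ts, dst) pairs
    alerts = {}
    for ts, src, dst, proto, dport in sorted(flows):
        kind = classify(proto, dport)
        if kind is None:
            continue
        win = windows[(src, kind)]
        win.append((ts, dst))
        while ts - win[0][0] > WINDOW:   # expire entries older than the window
            win.popleft()
        fanout = len({d for _, d in win})
        if fanout >= LIMITS[kind]:
            alerts[(src, kind)] = max(fanout, alerts.get((src, kind), 0))
    return alerts

def build_sample():
    """Constructed flow records, not captured traffic."""
    flows = [(i, "10.0.0.5", f"10.0.1.{i}", "tcp", 135) for i in range(1, 31)]
    flows += [(i // 4, "10.0.0.9", f"10.0.2.{i}", "icmp", 0) for i in range(1, 201)]
    # Slow, spread-out RPC use (e.g. a management server) stays below the limit.
    flows += [(600 * i, "10.0.0.8", f"10.0.3.{i}", "tcp", 135) for i in range(25)]
    flows += [(5, "10.0.0.7", "10.0.0.2", "tcp", 135), (6, "10.0.0.7", "192.0.2.10", "tcp", 80)]
    return flows

if __name__ == "__main__":
    for (src, kind), peak in sorted(detect(build_sample()).items()):
        print(f"{src}: {kind}, {peak} distinct destinations within {WINDOW}s")
```

Because fan-out is counted over distinct destinations inside a sliding window, a client that talks to a single RPC server, or a host that reaches many servers slowly over hours, is not flagged.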

Operation
