TUCoPS :: Malware :: n-133.txt

Blaster Worm (CIAC N-133)


                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___

                             INFORMATION BULLETIN

          Blaster Worm (aka: W32.Blaster, MSBlast, Lovsan, Win32.Poza)
                          [CERTŪ Advisory CA-2003-20]

August 12, 2003 14:00 GMT                                         Number N-133
PROBLEM:       The Blaster worm exploits the Microsoft RPC DCOM vulnerability 
               to propagate as described in CIAC Bulletin N-117. The purpose 
               of this malicious code is to infect as many computers as 
               possible to carry out a Distributed Denial of Service Attack   
               against the web site www.windowsupdate.com, which has been 
               coded in this worm to take place on August 16, 2003.
PLATFORM:      Microsoft Windows NT 4.0 
               Microsoft Windows 2000 
               Microsoft Windows XP 
               Microsoft Windows Server 2003 
DAMAGE:        Once installed on a machine, Blaster scans random IP ranges, 
               with the aim of finding more PCs to infect. In addition, it 
               creates a file in the system called msblast.exe which contains 
               the code of the worm.  It creates a registry key to ensure it 
               is started when the operating system is restarted.
SOLUTION:      Apply Microsoft patches as described in CIAC Bulletin N-117. 
               Keep anti-virus definition files updated. 
VULNERABILITY  The risk is HIGH. Blaster is a high-profile and fast-spreading 
ASSESSMENT:    worm. A remote attacker could exploit the RPC/DCOM 
               vulnerability to execute arbitrary code with Local System 
               privileges or to cause a denial-of-service condition. 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-133.shtml 
 ORIGINAL BULLETIN:  http://www.cert.org/advisories/CA-2003-20.html
 INFORMATION:        - Microsoft MS03-026:
                     - Microsoft Knowledge Base article 823980  
                     - DHS/FedCIRC Advisory FA-2003-20
                     - Computer Associates - Win32.Poza worm
                     - F-Secure Lovsan, MSBlast, Blaster worm 
                     - ISS Xforce MSRPC DCOM Worm Propagation
                     - Network Associates - W32/Lovsan.worm	 
                     - Panda Software's Virus Encyclopedia 
                     - Sophos - W32/Blaster-A worm
                     - Symantec - W32.Blaster.Worm
                     - Trend Micro -  WORM_MSBLAST.A
[***** Start CERTŪ Advisory CA-2003-20 *****]

CERTŪ Advisory CA-2003-20 W32/Blaster worm

Original issue date: August 11, 2003
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file. 

Systems Affected

Microsoft Windows NT 4.0 
Microsoft Windows 2000 
Microsoft Windows XP 
Microsoft Windows Server 2003 


The CERT/CC is receiving reports of widespread activity related to a new 
piece of malicious code known as W32/Blaster. This worm appears to exploit 
known vulnerabilities in the Microsoft Remote Procedure Call (RPC)

I. Description

The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC 
interface as described in VU#568148 and CA-2003-16. Upon successful 
execution, the worm attempts to retrieve a copy of the file msblast.exe 
from the compromising host. Once this file is retrieved, the compromised 
system then runs it and begins scanning for other vulnerable systems to 
compromise in the same manner. In the course of propagation, a TCP session 
to port 135 is used to execute the attack. However, access to TCP ports 
139 and 445 may also provide attack vectors and should be considered when 
applying mitigation strategies. Microsoft has published information about 
this vulnerability in Microsoft Security Bulletin MS03-026. 

Lab testing has confirmed that the worm includes the ability to launch 
a TCP SYN flood denial-of-service attack against windowsupdate.com. We 
are investigating the conditions under which this attack might manifest 
itself. Unusual or unexpected traffic to windowsupdate.com may indicate 
an infection on your network, so you may wish to monitor network traffic.

Sites that do not use windowsupdate.com to manage patches may wish to 
block outbound traffic to windowsupdate.com. In practice, this may be 
difficult to achieve, since windowsupdate.com may not resolve to the
same address every time. Correctly blocking traffic to windowsupdate.com 
will require detailed understanding of your network routing architecture, 
system management needs, and name resolution environment. You should not
block traffic to windowsupdate.com without a thorough understanding of 
your operational needs.

We have been in contact with Microsoft regarding this possibility of this 
denial-of-service attack.

II. Impact

A remote attacker could exploit these vulnerabilities to execute arbitrary 
code with Local System privileges or to cause a denial-of-service condition. 

III. Solutions

Apply patches

All users are encouraged to apply the patches referred to in Microsoft 
Security Bulletin MS03-026 as soon as possible in order to mitigate the 
vulnerability described in VU#568148. These patches are also available via
Microsoft's Windows Update service. 

Systems running Windows 2000 may still be vulnerable to at least a 
denial-of-service attack via VU#326746 if their DCOM RPC service is 
available via the network. Therefore, sites are encouraged to use the 
packet filtering tips below in addition to applying the patches supplied 
in MS03-026. 

It has been reported that some affected machines are not able to stay 
connected to the network long enough to download patches from Microsoft. 
For hosts in this situation, the CERT/CC recommends the following: 

1.Physically disconnecting the system from the network 
2.Check the system for signs of compromise. 
In most cases, an infection will be indicated by the presence of the 
registry key 
auto update" with a value of msblast.exe. If this key is present, remove 
it using a registry editor. 
3.If you're infected, terminate the running copy of msblast.exe using 
the Task Manager. 
4.Take one of the following steps to protect against the compromise 
prior to installing the Microsoft patch: 
Disable DCOM as described below 
Enabling Microsoft's Internet Connection Filter (ICF), or another 
host-level packet filtering program to block incoming connections for 
5.Reconnect the system to the network and apply the patches in the 
recommended manner 

Trend Micro, Inc. has published a set of steps to accomplish these goals. 
Symantec has also published a set of steps to accomplish these goals. 

Disable DCOM

Depending on site requirements, you may wish to disable DCOM as 
described in MS03-026. Disabling DCOM will help protect against this 
vulnerability but may also cause undesirable side effects. Additional 
details on disabling DCOM and possible side effects are available in 
Microsoft Knowledge Base Article 825750. 

Filter network traffic

Sites are encouraged to block network access to the following relevant 
ports at network borders. This can minimize the potential of 
denial-of-service attacks originating from outside the perimeter. The 
specific services that should be blocked include 


Sites should consider blocking both inbound and outbound traffic to these 
ports, depending on network requirements, at the host and network level. 
Microsoft's Internet Connection Firewall can be used to accomplish
these goals. 

If access cannot be blocked for all external hosts, the CERT/CC 
recommends limiting access to only those hosts that require it for 
normal operation. As a general rule, the CERT/CC recommends filtering 
all types of network traffic that are not required for normal operation. 

Because current exploits for VU#568148 create a backdoor, which is in 
some cases 4444/TCP, blocking inbound TCP sessions to ports on which no 
legitimate services are provided may limit intruder access to compromised

Recovering from a system compromise

If you believe a system under your administrative control has been 
compromised, please follow the steps outlined in

Steps for Recovering from a UNIX or NT System Compromise


The CERT/CC is tracking activity related to this worm as CERT#30479. 
Relevant artifacts or activity can be sent to cert@cert.org with the 
appropriate CERT# in the subject line. 

Appendix A. Vendor Information

This appendix contains information provided by vendors. When vendors 
report new information, this section is updated and the changes are 
noted in the revision history. If a vendor is not listed below, we 
have not received their comments. 


Please see Microsoft Security Bulletin MS03-026. 

Appendix B. References

CERT/CC Advisory CA-2003-19 - http://www.cert.org/advisories/CA-2003-19.html 
CERT/CC Vulnerability Note VU#561284 - http://www.kb.cert.org/vuls/id/561284 
CERT/CC Vulnerability Note VU#326746 - http://www.kb.cert.org/vuls/id/326746 
Microsoft Security Bulletin MS03-026 
  - http://microsoft.com/technet/security/bulletin/MS03-026.asp 
Microsoft Knowledge Base article 823980 
  - http://support.microsoft.com?kbid=823980 


Our thanks to Microsoft Corporation for their review of and input to 
this advisory. 

Authors: Chad Dougherty, Jeffrey Havrilla, Shawn Hernan, and Marty Lindner

This document is available from: 

CERT/CC Contact Information

                 Email: cert@cert.org
                 Phone: +1 412-268-7090 (24-hour hotline)
                 Fax: +1 412-268-6989
                 Postal address:
                      CERT Coordination Center
                      Software Engineering Institute
                      Carnegie Mellon University
                      Pittsburgh PA 15213-3890

CERT/CC personnel answer the hotline 
08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are
on call for emergencies during other hours, on U.S. holidays, and on 

Using encryption

We strongly urge you to encrypt sensitive information sent by email. 
Our public PGP key is available from 


If you prefer to use DES, please call the CERT hotline for more information. 

Getting security information

CERT publications and other security information are available from 
our web site 


To subscribe to the CERT mailing list for advisories and bulletins, 
send email to majordomo@cert.org. Please include in the body of your message

subscribe cert-advisory 

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent 
and Trademark Office. 

Any material furnished by Carnegie Mellon University and the Software 
Engineering Institute is furnished on an "as is" basis. Carnegie Mellon 
University makes no warranties of any kind, either expressed or implied as 
to any matter including, but not limited to, warranty of fitness for a 
particular purpose or merchantability, exclusivity or results obtained 
from use of the material. Carnegie Mellon University does not make any 
warranty of any kind with respect to freedom from patent, trademark, or 
copyright infringement. 

Conditions for use, disclaimers, and sponsorship information 

Copyright 2003 Carnegie Mellon University.

Revision History 

August 11, 2003: Initial release 

[***** End CERTŪ Advisory CA-2003-20 *****]

CIAC wishes to acknowledge the contributions of CERT  for the 
information contained in this bulletin.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-123: SGI Login Vulnerabilities
N-124: Sun Solaris 8 LDAP Clients May Log the Proxy Agent User's Password as Clear Text
N-125: Cumulative Patch for Microsoft SQL Server
N-126: Microsoft Unchecked Buffer in DirectX Could Enable System Compromise
N-127: Buffer Overflows in EXTPROC of Oracle Database Server
N-128: Oracle Buffer Overflow in E-Business Suite
N-129: Oracle Unauthorized Disclosure of Information in E-Business Suite
N-130: SGI IRIX nsd Server AUTH_UNIX gid list Vulnerability
N-131: Sun Solaris Runtime Linker ld.so.1(1) Vulnerability
N-132: Red Hat  wu-ftpd Buffer Overflow Vulnerability

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH