, SecurityFocus 2003-08-11
A malicious worm that exploits last month's RPC DCOM vulnerability struck the Internet Monday afternoon, targeting unpatched Windows 2000 and Windows XP machines.The worm, dubbed "Blaster" and "LovSan" by security and anti-virus companies, attacks vulnerable machines over TCP port 135, then spawns a shell and initiates a TFTP file transfer to retrieve the worm's code.
The worm apparently has no malicious payload, but is reportedly crashing some PCs as it attempts to infect them. Additionally, according to an analysis from Symantec's DeepSight Threat Management System, the malware is programmed to launch a denial of service attack against Microsoft's windowsupdate.com site on August 16th. [Symantec publishes SecurityFocus.]
The SANS Institute's Internet Storm Center describes the worm as an 11,000 byte executable named msblast.exe. It arrives UPX-compressed to about 6,000 bytes, then unpacks itself and begins scanning IP addresses sequentially for vulnerable machines.
A comment hidden in the code reads, "billy gates why do you make this possible ? Stop making money and fix your software!!," according to SANS and Symantec.
A worm has been generally expected by the security community since Microsoft announced a critical hole in RPC and released a patch on July 16th. Public and private exploit programs have already lead to mass compromising of PCs at universities like U.C. Berkeley and Stanford, and, reportedly, some sizable corporations. Some ISPs have already blocked port 135 and the other vulnerable ports.