The Blaster Worm
The Blaster worm (also known as Lovsan, W32/Lovsan, W32.Blaster, Win32.Poza, WORM_MSBLAST.A, and W32/Blaster-A) is a Windows worm that exploits a well-publicized vulnerability in Microsoft's remote procedure call (RPC) interface (see Microsoft Security Bulletin MS03-026). By remotely connecting to TCP port 135 on each system it attacks, this worm downloads and then runs msblast.exe on each vulnerable system, thereby infecting the system. One of the main indications that Blaster has infected a system is that the system slows down, displays unexplained error messages, or crashes.
The Blaster worm makes changes in the Windows Registry of each infected system to ensure that it restarts every time the infected system boots. Additionally, it spawns a Trojan horse command shell that is accessible via TCP port 4444. It also attempts to cause a denial of service against Windows Update to keep each system from downloading the previously mentioned patch. Finally, this worm scans for other systems to infect.
To Prevent Infection
The best way to prevent an infection is to download the latest post-Service Pack security patch for your system:
Windows NT4 Server
Windows NT4 Workstation
Windows 2000
Windows XP
To determine what version of Windows your system runs, go
from Start to Run and then enter "winver".
If you've never installed a patch before, see How to Download the Latest Windows NT, Windows 2000, and Windows XP Systems Security Patches.
If Your System Is Infected
If your system becomes infected, follow the procedures on http://www.lbl.gov/ITSD/Security/Scans/monthlyfix/blaster.htm. If the clean-up tool available at that site does not eradicate this worm completely, you'll need to manually clean up your system using the procedures described on Symantec's Blaster Worm Security Response Web page. For information on the vulnerability that this worm exploits, see Critical Vulnerability in Windows Remote Procedure Call (RPC) Service.
Welchia, a Blaster Variant
The recent appearance of the W32.Welchia worm
has wreaked havoc on internal networks of large corporations,
making it even more difficult for IT administrators to clean
up after the Blaster worm.
This Blaster variant targets Windows systems already infected by Blaster. Systems vulnerable to Welchia are the Microsoft IIS Web Server, Windows 2000, and Windows XP. Welchia, also known as Blaster.D and Nachi, lives up to the Blaster name, causing system instability on multiple fronts—deleting files, creating more network traffic, and compromising security settings.
Once on a system, Welchia deletes msblast.exe (the Blaster worm), then tries to download the RPC patch from Microsoft's Windows Update Web site, install the patch, and then reboot the computer. Although it purports to be a "good" worm, it can crash systems and can misinstall the patch so that it doesn't really work. In addition, once on a system, Welchia creates more network traffic by pinging [fn1] to check for active machines to infect, and it exploits a Windows vulnerability that hackers can also use to remotely add and manage content on a Web server.
Welchia propagates through TCP port 135 on Windows XP and Windows 2000 machines that have not patched the vulnerability in the Windows Remote Procedure Call (RPC) Service. Additionally, the worm propagates through TCP port 80 on Microsoft IIS 5.0 systems that have not patched the vulnerability in the Windows WebDav (ntdll.dll) Buffer Overflow.
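As an added defender-side example (not part of the LBL alert), the following Python checks firewall-style log lines for the two network patterns described above: a Blaster-style hit on TCP port 135 followed by a connection to the TCP port 4444 shell on the same host, and a Welchia-style ICMP ping sweep that reaches many hosts in a short window. The log format, thresholds, and all addresses are constructed assumptions.

```python
"""Flag Blaster/Welchia-style activity in constructed firewall log lines."""
from collections import defaultdict

# Constructed sample log (not real traffic). Assumed format:
#   "<epoch> <proto> <src> <dst> <dport>"   (dport is 0 for ICMP echo requests)
SAMPLE_LOG = "\n".join(
    ["1060300000 tcp 10.0.0.5 10.0.1.20 135",    # RPC hit ...
     "1060300001 tcp 10.0.0.5 10.0.1.20 4444",   # ... then the Blaster shell port
     "1060300002 tcp 10.0.0.7 10.0.1.21 135",    # RPC hit with no follow-up shell
     "1060300003 tcp 10.0.0.8 10.0.1.22 4444",   # 4444 without a preceding 135 hit
     "1060300050 icmp 10.0.4.2 10.0.4.3 0"]      # a single ordinary ping
    + [f"106030001{i} icmp 10.0.2.9 10.0.3.{i} 0" for i in range(1, 10)]  # sweep
)

def parse(log):
    """Turn log text into (ts, proto, src, dst, dport) tuples."""
    events = []
    for line in log.splitlines():
        ts, proto, src, dst, dport = line.split()
        events.append((int(ts), proto, src, dst, int(dport)))
    return events

def find_blaster_shells(events):
    """(src, dst) pairs where src hit TCP/135 and later TCP/4444 on the same dst."""
    rpc_hits, flagged = set(), set()
    for ts, proto, src, dst, dport in sorted(events):
        if proto != "tcp":
            continue
        if dport == 135:
            rpc_hits.add((src, dst))
        elif dport == 4444 and (src, dst) in rpc_hits:
            flagged.add((src, dst))
    return flagged

def find_ping_sweeps(events, min_hosts=8, window=60):
    """Sources whose ICMP echoes reach >= min_hosts distinct hosts within window seconds."""
    by_src = defaultdict(list)
    for ts, proto, src, dst, dport in events:
        if proto == "icmp":
            by_src[src].append((ts, dst))
    sweepers = set()
    for src, pings in by_src.items():
        pings.sort()
        for i, (t0, _) in enumerate(pings):
            hosts = {d for t, d in pings[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                sweepers.add(src)
                break
    return sweepers

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("possible Blaster shells:", find_blaster_shells(ev))
    print("possible Welchia ping sweeps:", find_ping_sweeps(ev))
```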
Protecting Your System Against Welchia
Users and administrators are strongly urged to ensure that patches have been applied to fix vulnerabilities in the Windows Remote Procedure Call (RPC) Service and Windows WebDav Buffer Overflow.
THE TOOLS: Removal Tools
Welchia Removal Tool
Blaster Removal Tool
THE TOOLS: Patches
Windows NT4 Server
Windows NT4 Workstation
Windows 2000
Windows XP
THE STEPS: Recovering from Welchia
Follow the steps in Recovering from MS Blaster and its Variant, Welchia. Note: If you have already run the Blaster Removal Tool, you will need to run it again.
[fn1] Ping: a command that uses the Internet Control Message Protocol (a TCP/IP extension) to determine whether a remote computer is active and where it can be contacted.