Microsoft news update about MS Blaster

Microsoft news update about MS Blaster

Author
Discussion

abels

Original Poster:

606 posts

289 months

Wednesday 13th August 2003
quotequote all
Virus Characteristics:
This threat was proactively detected as a variant of Exploit-DcomRpc with the 4283 DAT files and 4.1.60+ scan engine. This detection requires the scanning of compressed executables to be enabled (VirusScan 7 provides the ability to disable this option, however it is enabled by default).
This threat exploits the MS03-026 vulnerability. The purpose of the virus is to spread to as many machines as possible. By exploiting an unplugged hole in Windows, the virus is able to execute without requiring any action on the part of the user. The worm also creates a remote access point, allowing an attacker to run system commands at their choosing.
When run, it scans a random IP range to look for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability on the found systems to create a remote shell on TCP port 4444. It then instructs the system to download the worm to the %WinDir%system32 directory and execute it. (The target system is issued a TFTP command to downloads the worm from the infected host system [TFTP UDP port 69].
Once run, the worm creates the registry key (may be either of the following):
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion
Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill
This will appear in regedit as:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion
Run "windows auto update" = msblast.exe


Symptoms
- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
- Error messages about the RPC service failing (causes system to reboot)
- The worm randomly opens 20 sequential TCP ports for listening. This is a constantly revolving range (ie. 2500-2520, 2501-2521, 2502-2522). The purpose of this action is unknown
Top of Page


Method Of Infection
This worm spreads by exploiting a recent vulnerability in Microsoft Windows. The worm scans the local class C subnet, or other random subnets, on port 135. Discovered systems are targeted. Exploit code is sent to those systems, instructing them to download and execute the file MSBLAST.EXE from a remote system via TFTP.
The worm contains a payload to initiate a Denial of Service attack against windowsupdate.com after August 16.
Computers that have up-to-date antivirus software will detect the worm executable upon download. However, unless the system has been (MS03-026) patched, it is susceptible to the buffer overflow attack. This means that the remote shell will still get created on TCP port 4444, and the system may unexpectedly crash due upon receiving malformed exploit code.
Top of Page


Removal Instructions
All Users:
Use the 4284 DAT files for detection an removal. The 4283 DAT files will detect this threat as a variant of Exploit-DcomRpc. Infected systems must be patched prior to removal of the virus (see below).
Alternatively, the following EXTRA.DAT packages are available.
EXTRA.DAT
SUPER EXTRA.DAT
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Microsoft Patches
It is imperative that infected systems are patched prior to disinfecting a system. Some systems may be in a “crash loop” where each time the system is restarted, SVCHOST.EXE crashes and the user has 60 seconds before the system restarts. This action can continue to happen even after the virus is removed if the patch is not applied.
Ensure that your system is not at risk from this exploited vulnerability:
Apply the MS03-026 patch to all vulnerable systems.
Stand alone remover
Stinger has been updated to include detection/removal of this threat.
Sniffer Customers: Download a Sniffer filter to detect W32/Lovsan.worm traffic (Sniffer Distributed 4.3 and Sniffer Portable 4.7.5).
Manual Removal Instructions
To remove this virus "by hand", follow these steps:
1. Apply the MS03-026 patch
2. Terminate the process msblast.exe
3. Delete the msblast.exe file from your WINDOWS SYSTEM32 directory (typically c:windowssystem32 or c:winntsystem32)
4. Edit the registry
Delete the "windows auto update" value from
HKEY_LOCAL_MACHINESOFTWAREMicrosoft
WindowsCurrentVersionRun
Threatscan users
The latest ThreatScan signature (2003-08-12) includes detection of the W32/Lovsan.worm virus.This signature is available for ThreatScan v2.0, v2.1, and v2.5.
To update your ThreatScan installations with the latest signatures perform the following tasks:
1. From within ePO open the “Policies” tab.
2. Select “McAfee ThreatScan” and then select “Scan Options”
3. In the pane below click the “Launch AutoUpdater” button.
4. Using the default settings proceed through the dialogs that appear. Upon successful completion of the update a message will appear stating that; update 2003-08-11 has completed successfully.
5. From within ePO create a new “AutoUpdate on Agent(s)” task.
6. Go into the settings for this task and ensure that the host field is set to ftp.nai.com , the path is set to /pub/security/tsc20/updates/winnt/ and that the user and password fields are both set to ftp .Note that “tsc20” in the above path is used for ThreatScan 2.0 and 2.1.The correct path for ThreatScan 2.5 is “tsc25”.
7. Launch this task against all agent machines.
8. When the task(s) complete information will be available in the “Task Status Details” report.
To create and execute a new task with the new Hot Fix functionality do the following:
1. Create a new ThreatScan task.
2. Edit the settings of this task.
3. Edit the “Task option”, “Host IP Range” to include all desired machines to scan.
4. Select the “Remote Infection Detection” category and “Windows Virus Checks” template.
-or-
Select the “Other” category and “Scan All Vulnerabilities” template.
5. Launch the scan.
Top of Page


Variants
Name
Type
Sub Type
Differences




Top of Page


Aliases
Name
msblast.exe
tftp
W32.Blaster.Worm (Symantec)
Win32.Poza (CA)
WORM_MSBLAST.A (Trend)
Top of Page
Update 11 Aug 2003 --
W32/Lovsan.worm is proactively detected as a variant of Exploit-DcomRpc with the 4283 DAT files and 4.1.60+ scan engine. This detection requires the scanning of compressed executables to be enabled (VirusScan 7 provides the ability to disable this option, however it is enabled by default).
-- Update 08 Aug 2003 --
A popular DCOM RPC vulnerability scanner is detected with the 4283 DAT files as the Exploit-DcomRpc trojan.
File details
Name: RetinaRPCDCOM.exe
Size: 794,624 bytes
Description: Retina Scanner
Company: eEye Digital Security
MD5:0x52EB5902772808F56D42D761BDF47E11
This detection occurs as a result of enhanced exploit detection in the DAT files and the Retina Scanner's use of exploit code as a means to assess the vulnerability state of target systems. The intention of this scanner is not malicious. However, AVERT does recognize the ability for an attacker to user this beneficial tool in a malicious manner. For this reason, the 4285 DAT file will contain detection for this tool as a "Potentially Unwanted Program". For those users who would like to suppress the trojan detection of this tool when using the 4283 DAT file, an EXTRA.DAT file is available for downloading.
What's an EXTRA.DAT?
-- Update 07 Aug 2003 --
In 4283 DATs AVERT has made this detection as generic as possible to enhance the proactive protection from any malware based on exploitation of MS03-026 vulnerability. If you have a sample detected as Exploit-DcomRpc please submit it to AVERT. (Please also do the same if you believe any program is incorrectly identified as Exploit-DcomRpc.)
--
This detection covers exploit tools that makes use of the RPC Interface Buffer Overflow (7.17.03) vulnerability also known as MS03-026.
These exploit tools may, for example, create a remote shell to provide access to a compromised system or execute alien code on the remote computer.
Top of Page


Symptoms
N/A This is an attack tool, to exploit vulnerable remote systems.
Top of Page


Method Of Infection
N/A
Top of Page


Removal Instructions
All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.
Additional Windows ME/XP removal considerations

Quite difficult to avoid others useing the same known RPC vulnerability with other attack vector variants built to reach similar effects without msblast.exe (this already happened before with Nimda and Code Red).
Your customer might have been exposed to MS03-026 fix attack variants because of combined lack of MS03-026 fix deployment and appropriate TCP/UDP port filtering.
IMHO best way to recover and to be sure of this would be: 1) restoring from latest good backup (if available) to immediately apply MS03-026 solution, or 2) quickly testing if MS03-026 is the expected solution.
Problem here is is your pc has been infected, you may not know it unless you check the registry, so even if you download the MSFT fix, your PC may still, with NO user interaction, spread the virus that will allow other future viruses to take advantage of the planted one lying dormint. If MS03-026 was installed a month or more ago, chances are good that you are ok. If not, installing it may help (in that it will not be executed) but it will not keep another attack from using the same hole the 1st virus used to execute and propogate blaster......

MS03-026 - This is a little long, but topical and important. Please take the time to read it now. MS Internal, not customer ready. Friday 01 August 1200 GMTfficeffice" />
I'd like to briefly highlight the "hottest" info on MS03-026 for you, to equip you with the best current info and awareness of current issues and misconceptions in the public. Please share with your teams and colleagues. This is not customer ready but should serve to inform you, to handle your own customer communications.
- MS03-026 Does 100% fix the vulnerability that it was intended for.
- MS03-026 does not have any known "common" bugs or side effects.
- AFTER releasing MS03-026, an unrelated RPC exploit was released to the internet (exploit is Denial of Service only, W2K only).
- This exploit ALSO relates to RPC. However it is UNRELATED TO MS03-026.
- This separate issue is currently under investigation.
We have no other information at this time for the post (unrelated) MS03-026 issue. However customers should immediately apply the patch MS03-026 and also evaluate and deploy the other countermeasures in the article (e.g. firewall measures) to help mitigate against these nature of attacks in general.
We will communicate further on the post (unrelated) MS03-026 issue once we have completed our investigation.
Some other points addressing current issues:
- We are aware of public exploits against both the MS03-026 and post (unrelated) MS03-026 issue.
- A reported RAS problem does NOT affect MS03-026. (It does affect MS03-029 for NT4; affected customers should contact PSS for a fix).
- Only NT-kernel platforms are affected (W9x not).
- NT4 is vulnerable. NT4Srv & TS at SP6.0a have a supported patch. This patch will also work for NT4 Workstation 6.0a however is not supported (read: best-effort support only; customers with extended support agreements for WKS are covered here though). Previous SP levels will not install, and no patch will be built for these.
- W2K is supported at SP3 and SP4 only. The patch will install at SP2 but is not supported (read: best-effort support). Previous SP levels will not install, and no patch will be built for these.
- There have been rumours that we will re-release MS03-026 (no, 026 fixes what it's meant to fix and has no problems); or that a new patch for the post (unrelated) MS03-026 issue is imminent. STOP RUMOURS. We are only in the investigation stage on the post-026 issue. We have not announced any plans to patch, or not, or otherwise. We are hearing "should I hold off the effort to deploy 026 until the next patch or SP". No. Deploy it as soon as possible. Any delay will create a "vulnerability gap" - and a worm could come tomorrow. Or today. Deploy the patch 026 and the countermeasures immediately.
- There have been alerts from CERT and news reports about an "imminent worm threat" with 026. There is no denying that 026 is a critical issue - so, deploy the patch + countermeasures! We are on alert for any issues, but to date have not seen any worm-like activity.
www.microsoft.com/security and www.microsoft.com/technet/security - public bulletins and more