Protecting yourself from the MSBlast worm

What to do about a worm exploiting widely publicised holes in Microsoft Windows

A new worm scans Internet to find vulnerable Windows 2000, NT, and XP systems

MSBlast, also known as Lovsan, is an Internet worm that exploits a known vulnerability in Windows 2000, NT, and XP. The worm takes advantage of the Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface, which was patched in MS03-026, on 17 July, 2003. Because many people have yet to patch their systems, the worm is very active. MSBlast spreads quickly via the Internet and could damage infected system files, therefore, this worm rates a 7 on the ZDNet Virus Meter.

How it works
MSBlast does not spread via email. Instead, it scans the Internet on port 135 looking for vulnerable computers. When it finds one, it attempts to exploit the DCOM RPC buffer overflow, create a remote root shell on TCP port 4444, then use FTP to download a file called msblast.exe onto the infected computer.

At this time, antivirus vendors are still analyzing what msblast.exe does.

MSBlast updates the system Registry with the following line so that it will run each time the computer is rebooted.

Hkey_local_machine\software\Microsoft\Windows\CurrentVersion\ Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! Bill

Users who have not yet patched their Windows 2000, NT, and XP systems should do so.

Windows NT 4.0 Server
Windows NT 4.0 Terminal Server Edition
Windows 2000
Windows XP 32-bit Edition
Windows XP 64-bit Edition
Windows Server 2003 32-bit Edition
Windows Server 2003 64-bit Edition

A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, McAfee, Symantec, and Trend Micro.