ZDNet UK



Protecting yourself from the MSBlast worm

Robert Vamosi ZDNet

Published: 12 Aug 2003 10:15 BST


A new worm scans the Internet to find vulnerable Windows 2000, NT, and XP systems

MSBlast, also known as Lovsan, is an Internet worm that exploits a known vulnerability in Windows 2000, NT, and XP. The worm takes advantage of a flaw in the Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface, which was patched in MS03-026 on 17 July 2003. Because many people have yet to patch their systems, the worm is very active. MSBlast spreads quickly via the Internet and could damage infected system files; therefore, this worm rates a 7 on the ZDNet Virus Meter.

How it works
MSBlast does not spread via email. Instead, it scans the Internet on port 135 looking for vulnerable computers. When it finds one, it attempts to exploit the DCOM RPC buffer overflow, create a remote root shell on TCP port 4444, then use FTP to download a file called msblast.exe onto the infected computer.

At this time, antivirus vendors are still analyzing what msblast.exe does.

MSBlast updates the system Registry with the following line so that it will run each time the computer is rebooted.

Hkey_local_machine\software\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! Bill
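The indicators described above (the Run entry pointing at msblast.exe, a listener on TCP port 4444, and outbound probing of port 135) can be checked from saved `reg query` and `netstat -an` output. This is an added example, not part of the original article; the function names, the scan threshold and both sample captures are constructed assumptions.

```python
import re

# Indicators named in the article; the threshold is an assumption of this example.
WORM_FILE = re.compile(r'(?:^|[\\/"\s])msblast\.exe\b', re.I)
SHELL_PORT, SCAN_PORT = "4444", "135"
SCAN_THRESHOLD = 3  # distinct remote hosts contacted on port 135
RUN_VALUE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

# Constructed sample of `reg query` output for the Run key.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    windows auto update    REG_SZ    msblast.exe
    ExampleTray    REG_SZ    "C:\Program Files\Example\tray.exe" /min
"""

# Constructed sample of `netstat -an` output (documentation address ranges).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        198.51.100.1:135       SYN_SENT
  TCP    192.0.2.10:1046        198.51.100.2:135       SYN_SENT
  TCP    192.0.2.10:1047        198.51.100.3:135       SYN_SENT
  TCP    192.0.2.10:1050        203.0.113.9:80         ESTABLISHED
"""

def run_key_hits(reg_output):
    """Return (value name, data) for Run values that launch msblast.exe."""
    hits = []
    for line in reg_output.splitlines():
        m = RUN_VALUE.match(line)  # key header lines have no indent and are skipped
        if m and WORM_FILE.search(m.group(3)):
            hits.append((m.group(1), m.group(3).strip()))
    return hits

def netstat_findings(netstat_output):
    """Return (listener on 4444?, set of remote hosts contacted on port 135)."""
    shell, peers = False, set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue
        local, remote, state = parts[1:4]
        if state == "LISTENING":
            shell = shell or local.endswith(":" + SHELL_PORT)
        elif remote.endswith(":" + SCAN_PORT):
            peers.add(remote.rsplit(":", 1)[0])
    return shell, peers

def triage(reg_output, netstat_output):
    shell, peers = netstat_findings(netstat_output)
    return {"run_key": run_key_hits(reg_output), "shell_listener": shell,
            "scanning": len(peers) >= SCAN_THRESHOLD}
```

A host that is only listening on port 135 is not flagged, since that is normal for Windows RPC; only outbound connections to port 135 on several distinct hosts count as scanning.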

Prevention
Users who have not yet patched their Windows 2000, NT, and XP systems should do so.

Windows NT 4.0 Server
Windows NT 4.0 Terminal Server Edition
Windows 2000
Windows XP 32-bit Edition
Windows XP 64-bit Edition
Windows Server 2003 32-bit Edition
Windows Server 2003 64-bit Edition

Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, McAfee, Symantec, and Trend Micro.



