Section: Virus warning / Current reports

Norman: The worm "W32/Blaster.A" (alias: MSBlast.A) has appeared "in the wild"

Norman classifies the worm as "High-Risk"

(12.08.03) - Norman warns of "W32/Blaster.A" (alias: MSBlast.A) and also recommends installing the Microsoft security patch available at the following link:


http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp.

W32/Blaster.A

General characteristics

Type: Worm

Alias: MSBlast.A

Spreading mechanism: Network

Destructivity: High

Payload: Performs a denial of service attack

Detected by virus detection files published: 12 Aug 2003

Virus characteristics first published: 12 Aug 2003 01:28 (CET)

Virus characteristics latest update: 12 Aug 2003 03:17 (CET)

Additional description of malicious program

Type

This worm spreads using a buffer overflow exploit against the Windows DCOM RPC service. The file, called MSBlast.exe, is 6176 bytes long and is compressed with UPX.

Spreading mechanism

·         When run, the worm first installs itself in the registry through the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, adding the value "windows auto update" = MSBlast.exe. This makes it start at every boot.

·         It checks whether it is already running by attempting to create a mutex called "BILLY".

·         It generates random IP addresses to which it attempts to spread. This is done by sending specially formatted data to TCP port 135 on the remote machines. If these machines are vulnerable to the attack, they connect back to the infected machine using TFTP and download the original worm file.

·         The buffer overrun performed on target machines may have a detrimental effect on their stability (for example, crashes of the RPC service followed by unexpected reboots).
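The spreading behaviour above leaves two network signals that can be correlated: one host fanning out TCP/135 connection attempts to many random addresses, and a TFTP request (UDP/69) from a freshly probed target back to that same host. The following added example (not Norman's code; the log format, addresses and the fan-out threshold are assumptions for illustration) runs that correlation over constructed firewall log lines:

```python
"""Network-side detection of W32/Blaster.A-style spreading.

Added example, not Norman's code. It looks for the two network signals
described above: one source fanning out connection attempts to TCP/135
on many distinct addresses (the random-IP scanning), followed by a TFTP
request (UDP/69) from a probed target back to that source (the download
of the worm file). The log format, addresses and the fan-out threshold
are assumptions made for this example.
"""
from collections import defaultdict

# Constructed sample firewall log, not a real capture. Assumed format:
# "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <flags/notes>"
SAMPLE_LOG = """\
2003-08-12T03:00:01 TCP 10.0.0.7:1034 -> 192.168.3.41:135 SYN
2003-08-12T03:00:01 TCP 10.0.0.7:1035 -> 23.77.190.12:135 SYN
2003-08-12T03:00:02 TCP 10.0.0.7:1036 -> 88.12.1.9:135 SYN
2003-08-12T03:00:02 TCP 10.0.0.7:1037 -> 10.0.0.9:135 SYN
2003-08-12T03:00:02 TCP 10.0.0.7:1038 -> 172.16.200.5:135 SYN
2003-08-12T03:00:03 TCP 10.0.0.7:1039 -> 10.0.0.12:135 SYN
2003-08-12T03:00:04 UDP 10.0.0.12:1026 -> 10.0.0.7:69 RRQ msblast.exe
2003-08-12T03:00:05 TCP 10.0.0.3:2201 -> 10.0.0.1:135 SYN
2003-08-12T03:00:06 TCP 10.0.0.3:2202 -> 10.0.0.1:445 SYN
"""

# Distinct TCP/135 targets a single source must hit before it counts as
# scanning. Assumed tuning value; legitimate RPC clients talk to a few
# known servers, not dozens of random addresses.
FANOUT_THRESHOLD = 5


def parse_line(line):
    """Split one log line into its fields (assumed format, see above)."""
    ts, proto, src, _arrow, dst, *notes = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto, "src": src_ip,
            "dst": dst_ip, "dport": int(dst_port), "notes": " ".join(notes)}


def analyze(log_text, threshold=FANOUT_THRESHOLD):
    """Return {source_ip: finding} for hosts showing Blaster-like behaviour."""
    rpc_targets = defaultdict(set)   # source -> addresses it probed on TCP/135
    tftp_clients = defaultdict(set)  # TFTP server -> addresses that pulled from it
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["proto"] == "TCP" and ev["dport"] == 135:
            rpc_targets[ev["src"]].add(ev["dst"])
        elif ev["proto"] == "UDP" and ev["dport"] == 69:
            tftp_clients[ev["dst"]].add(ev["src"])

    findings = {}
    for host, targets in rpc_targets.items():
        scanning = len(targets) >= threshold
        # A probed target that then fetches a file over TFTP from the scanner
        # is the worm's second stage; it turns a scan alert into an infection.
        callbacks = sorted(tftp_clients.get(host, set()) & targets)
        if scanning or callbacks:
            findings[host] = {
                "rpc_targets": len(targets),
                "tftp_callbacks": callbacks,
                "verdict": "likely infected" if scanning and callbacks else "suspicious",
            }
    return findings


if __name__ == "__main__":
    for host, f in analyze(SAMPLE_LOG).items():
        print(f"{host}: {f['verdict']} ({f['rpc_targets']} RPC targets, "
              f"TFTP callbacks from {f['tftp_callbacks'] or 'none'})")
```

In the constructed sample, 10.0.0.7 probes six addresses and one of them (10.0.0.12) pulls a file back over TFTP, so it is reported as likely infected; 10.0.0.3, which contacts a single RPC server, is not reported. The threshold only changes how a scan without a confirmed TFTP callback is rated.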

Destructivity and Payload

The worm checks the date on the infected computer. If the day of the month is the 16th or later, or if the day is earlier than the 16th but the month is later than August, the worm starts an attack on www.windowsupdate.com, sending a large number of packets to port 80.

This attack runs in a separate thread; the worm's infection routine keeps running at the same time.

Detection and removal

·         Definition files to detect and remove this worm were issued on 12 Aug 2003.

·         It is also strongly advisable to patch machines against the security flaw that this worm exploits.
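The description above gives three host-side indicators: the "windows auto update" Run-key value pointing at msblast.exe, the BILLY mutex, and a 6176-byte msblast.exe. The following added example (not Norman's tool or definition files; all sample artifacts are constructed) matches them against artifacts an incident responder might collect from a suspect host: a 'reg export' of the Run key, the mutex names from a handle dump, and a directory listing:

```python
"""Host-side triage for the W32/Blaster.A indicators listed above.

Added example, not Norman's tool or definition files. It matches three
indicators from the description (the "windows auto update" Run-key value
pointing at msblast.exe, the BILLY mutex, and a 6176-byte msblast.exe)
against artifacts an incident responder might collect from a suspect
host: a 'reg export' of the Run key, the mutex names from a handle dump,
and a directory listing. Every sample artifact below is constructed.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_RUN_VALUE = ("windows auto update", "msblast.exe")
IOC_MUTEX = "BILLY"
IOC_FILE = ("msblast.exe", 6176)

# Constructed 'reg export' output in .reg syntax, not a real capture.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"windows auto update"="msblast.exe"
"""

# Constructed mutex names as a handle-listing tool would report them.
SAMPLE_MUTEXES = ["ShimCacheMutex", "BILLY", "_!MSFTHISTORY!_"]

# Constructed listing of %SystemRoot%\system32: (file name, size in bytes).
SAMPLE_LISTING = [("notepad.exe", 66048), ("msblast.exe", 6176), ("tftp.exe", 17920)]

# Matches the  "name"="data"  lines of a .reg file (string values only).
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}.

    Only string values ("name"="data") are decoded, which is all the
    persistence check needs; other value types are kept as raw text.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line) if current is not None else None
        if m:
            data = m.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][m.group("name")] = data
    return keys


def check_run_key(reg_text):
    """Return (value_name, data) of the worm's autostart entry, or None."""
    name, exe = IOC_RUN_VALUE
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():  # registry paths are case-insensitive
            continue
        for vname, data in values.items():
            if vname.lower() == name and exe in data.lower():
                return (vname, data)
    return None


def check_mutexes(names):
    """True if the worm's infection-marker mutex is present."""
    return IOC_MUTEX in names


def check_files(listing):
    """Return listing entries matching the worm file's name and size."""
    fname, size = IOC_FILE
    return [(n, s) for n, s in listing if n.lower() == fname and s == size]


def triage(reg_text, mutexes, listing):
    """Combine the three checks into one report for a host."""
    report = {"run_value": check_run_key(reg_text),
              "mutex": check_mutexes(mutexes),
              "files": check_files(listing)}
    report["infected"] = any([report["run_value"], report["mutex"], report["files"]])
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_MUTEXES, SAMPLE_LISTING))
```

Any single hit is enough to flag the host, since a repacked variant could change the file size while keeping the Run-key value, or vice versa; the registry and file-name comparisons are case-insensitive because Windows does not distinguish case there.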

Information and the patch are available from: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp. (ma)

Norman Data Defense Systems

Reader contact

Tel. (0212) 26718-0, Fax (0212) 26718-15

E-Mail: norman@norman.de

Press contact: Jeannette Peters

Tel. (02307) 28997-0 or (0212) 26718-0

Fax (02307) 28997-20 or (0212) 26718-15

E-Mail: jpeters@norman.de

Web: www.norman.de
