F-Secure is issuing an international alert on a new network worm known as
Lovsan or Msblast. The worm spreads to Windows servers and workstations as
MSBLAST.EXE by exploiting the well-known RPC/DCOM hole (MS03-026). It is
programmed to launch an attack against windowsupdate.com on the 16th of August.
"The IT security industry has been waiting in horror for a new major worm to
appear since the RPC/DCOM hole was found on the 16th of July", says Mikko
Hypponen, Director of Anti-Virus Research at F-Secure. "Now it's here".
The first sample of this worm was received at F-Secure Anti-Virus Research Labs
at 20:22 GMT on the 11th of August, 2003. The worm spreads as a 6176-byte
executable named MSBLAST.EXE to Windows 2000 and Windows XP systems on which
the recent Windows security patch (MS03-026) has not been applied.
The worm scans internet addresses to locate Windows machines that expose an
unpatched RPC service. Once one is found, it exploits the hole, copies itself
over and modifies the system so the worm is executed every time the machine is
started (it registers MSBLAST.EXE under the registry Run key, using the value
name "windows auto update"). Every newly infected machine then starts scanning
and replicating in turn.
The Lovsan worm contains these texts:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your
software!!
"There seems to be a clear attack routine in the worm", observes Hypponen. On
the 16th of August the worm will start a distributed denial-of-service attack
(a SYN flood against TCP port 80) on the windowsupdate.com server. "If our
initial spreading data is correct and the worm continues to spread fast, the
attack might take down the whole Windows Update service".
QUESTIONS AND ANSWERS ON THE LOVSAN WORM
Q: What makes this worm special?
A: It spreads using the MS03-026 DCOM/RPC hole ("Buffer Overrun In RPC
Interface Could Allow Code Execution"), which is currently one of the most
widespread unpatched security holes in the world.
Q: When was it found?
A: The first sample of this worm was received at F-Secure Virus Research Labs
at 20:22 GMT on the 11th of August, 2003.
Q: How does it spread?
A: If an unprotected machine is connected to the internet, the worm will
access it directly with connections to TCP port 135 and infect it remotely.
The exploit opens a command shell on TCP port 4444 on the victim, through
which the victim is told to fetch MSBLAST.EXE from the attacking machine over
TFTP (UDP port 69). The user sees nothing.
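The scanning behaviour described in this answer (and in the spreading paragraph earlier in the alert) gives a simple network-side detection signal: an infected host opens connections to TCP port 135 on far more distinct addresses than any normal host does. The following is an added example, not code from F-Secure or from the advisory. It reads firewall-style connection records in a constructed format and flags any source that reaches an unusual number of distinct destinations on TCP/135 inside a short sliding window. The log format, the 60-second window and the threshold of 20 targets are assumptions for illustration, as is the sample traffic.

```python
"""Flag hosts that sweep TCP port 135 the way the Lovsan/Msblast worm does.

Added example, not part of the F-Secure advisory. Input is a list of
firewall-style connection records in a constructed (assumed) format:
    <ISO timestamp> <src_ip> <dst_ip> <proto> <dst_port>
A normal host contacts a handful of RPC endpoints; an infected host opens
connections to hundreds of unrelated addresses on TCP/135 per minute.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RPC_PORT = 135                  # endpoint mapper port the worm attacks
WINDOW = timedelta(seconds=60)  # assumed sliding window length
THRESHOLD = 20                  # assumed: distinct TCP/135 targets per window


def parse_record(line):
    """Split one constructed-format record into typed fields."""
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, int(dport)


def find_scanners(lines, port=RPC_PORT, window=WINDOW, threshold=THRESHOLD):
    """Return {src_ip: peak_distinct_targets} for every source that reached
    at least `threshold` distinct destinations on TCP/`port` inside any span
    of length `window`. Records for other ports or protocols are ignored."""
    per_src = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, src, dst, proto, dport = parse_record(raw)
        if proto == "TCP" and dport == port:
            per_src[src].append((ts, dst))

    hits = {}
    for src, events in per_src.items():
        events.sort()                    # logs are not guaranteed to be ordered
        in_window = defaultdict(int)     # dst -> records still inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until every retained record is
            # within `window` of the newest one.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            hits[src] = peak
    return hits


def build_sample_log():
    """Constructed records (not real traffic): one sweeping host, one benign
    host doing ordinary RPC, and one host browsing the web."""
    t0 = datetime(2003, 8, 11, 20, 22, 0)
    lines = []
    # 10.0.0.7 hits 192.168.5.1 .. 192.168.5.40 on TCP/135, one per second.
    for i in range(40):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.7 192.168.5.{i + 1} TCP 135")
    # 10.0.0.9 repeatedly talks RPC to two domain controllers: normal traffic.
    for i in range(30):
        ts = (t0 + timedelta(seconds=2 * i)).isoformat()
        dc = "10.0.1.10" if i % 2 else "10.0.1.11"
        lines.append(f"{ts} 10.0.0.9 {dc} TCP 135")
    # 10.0.0.12 reaches many distinct hosts, but on TCP/80: must not trigger.
    for i in range(25):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.12 203.0.113.{i + 1} TCP 80")
    return lines


if __name__ == "__main__":
    for src, peak in find_scanners(build_sample_log()).items():
        print(f"{src}: {peak} distinct TCP/{RPC_PORT} targets within "
              f"{WINDOW} - likely infected, check for MSBLAST.EXE")
```

On the constructed sample only 10.0.0.7 is reported (40 distinct targets). To use it on real exported firewall or flow logs, adapt parse_record to the actual field layout; a worm sweeping a /24 crosses the assumed threshold within seconds, so the window can be shortened if RPC-heavy management hosts cause false positives. Any host it reports should be checked for MSBLAST.EXE and the startup entry before being disconnected.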
Q: Which Windows platforms are vulnerable?
A: At least Windows 2000 and Windows XP. It seems that Windows NT 4 and
Windows 2003 might be affected, but this has not yet been confirmed either
way.
Q: Does Microsoft have a patch to close this hole?
A: Yes, at http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
Q: How many machines could it infect?
A: There are potentially tens of millions of machines to infect. For
reference, the Slammer worm only had around 100,000 potential SQL servers to
infect, and even Code Red had fewer than 2 million IIS web servers.
Then again, most of the workstations with the RPC hole are behind firewalls.
Q: Could it get behind firewalls?
A: In several ways. There might be holes in the firewall rules, or people
might make direct unfiltered connections from behind the firewall (with modems
or WLAN). Or somebody might just carry an infected laptop onto the company
premises.
Q: Will there be different versions of this worm?
A: Most likely there will be several variants, yes.
Q: What kind of emails does this worm send?
A: None. This is not an email worm. It never sends any emails.
Q: Is this a 'Warhol' worm?
A: No. It has no hitlist and it doesn't spread as fast as for example the
Slammer worm did in February 2003.
Q: Does it do direct damage to infected machines?
A: No, it does not damage the infected machine itself. But it does try to take
down windowsupdate.com after midnight local time on the 16th of August.
Q: Where is this worm from?
A: We don't know.
Detailed technical description of the worm as well as screenshots are
available in the F-Secure Virus Description Database at
http://www.f-secure.com/v-descs/msblast.shtml
F-Secure Anti-Virus can detect and stop the Lovsan worm. F-Secure Anti-Virus
can be downloaded from http://www.f-secure.com
Free firewall:
http://www.pcflank.com/sygate.htm
Removal tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html