Windows worm starts its spread (English Version Only)
August 13, 2003
Communilink has received many reports of this worm from the wild.
A new worm known as W32.Blaster.Worm (also known as MBlaster, W32/Lovsan.worm, MSBlast, W32.blaster.worm, Win32.posa.worm, Win32.poza.worm) has been identified. It seeks to exploit the vulnerability patched in Microsoft Security Bulletin MS03-026. Blaster is designed to launch a denial of service attack against Microsoft's Windows Update Web site.
Description
W32/Blaster-A is a worm that uses the internet to exploit the DCOM vulnerability in the RPC (Remote Procedure Call) service. The DCOM vulnerability was first reported by Microsoft in mid-July. This worm does not use email to spread.
Targeted computers include the following Microsoft operating systems:
Windows NT 4.0
Windows NT 4.0 Terminal Services Edition
Windows XP
Windows Server 2003
Prevention
Microsoft issued a patch for the vulnerability exploited by this worm on July 16, 2003. The patch is available from http://www.microsoft.com/security/security_bulletins/ms03-026.asp.
"Blaster attempts to knock Microsoft's windowsupdate.com website off the internet," explained Graham Cluley, senior technology consultant for Sophos Anti-Virus. "By attempting a denial of service attack on the windowsupdate.com website, the virus author is deliberately trying to make it difficult for computer users to download the patch they need to secure their copies of Windows against the worm. It's an extremely devious trick by Blaster's author." --- Sophos
The Blaster worm does not spread via email. Instead, it distributes itself over the internet by looking for vulnerable computers that have not been patched against the security hole first reported by Microsoft in mid-July.
Auto Worm Cleaner:
http://www.trendmicro.com/download/tsc.asp
Technical Information:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=15888
News Contact
Service Hotline: (852) 2998 0808
Fax: (852) 29977800
Email: service@communilink.net