MS Blaster Worm Roundup
by HNS Staff - last update: 01 August 2003, 4:27 AM CET (added: news on the capture of the virus author)
The Blaster worm uses a series of components to successfully infect a host. The first component is a publicly available RPC DCOM exploit that binds a system level shell to port 4444. This exploit is used to initiate a command channel between the infecting agent and the vulnerable target. Once the target is successfully compromised, the worm transmits the msblast.exe executable (the main body of the worm) via TFTP to infect the host. The payload used in the public DCOM exploit, as well as the TFTP functionality, are both encapsulated within msblast.exe.

Cisco Systems - W32.BLASTER Worm Mitigation Recommendations

Cisco customers are currently experiencing attacks due to a new worm that is active on the Internet. The signature of this worm appears as UDP traffic to port 69 and high volumes of TCP traffic to port 135 and 4444. Affected customers have been experiencing high volumes of traffic from both internal and external systems. Symptoms on Cisco devices include, but are not limited to high CPU and traffic drops on the input interfaces. This document focuses on both mitigation techniques and affected Cisco products which need software supplied by Cisco to patch properly.

DNS Commentary - Blaster Only Set to Stun

Once again, it appears that the worm authors had caught system administrators with their trousers down. Despite the availability of a patch since mid-July to fix the vulnerability exploited by W32.Blaster, the widespread infection of both business and home computers showed that in the vast majority of cases, it had not been applied. Such was the infection rate that, at its pinnacle, the worm was taking only 30 seconds to find an uninfected computer somewhere in the world.

Virus vendors on the MS SQL worm

Sophos: W32/Blaster-A

RAV: Win32/MSBlast.A

BitDefender: Win32.Msblast.A

McAfee: W32/Lovsan.worm

F-Secure: Lovsan Worm

Norman: Blaster.A

Panda Software: W32/Blaster

Symantec: W32.Blaster.Worm


Computer Associates: Win32.Poza

ESET NOD32: Win32/Lovsan.A

Kaspersky Lab: Worm.Win32.Lovesan

Removal tool: BitDefender Anti Blaster Worm

Removal tool: Astonsoft Anti MSBlast Worm

Trojan info: New Trojan Disguised as Blaster Worm Fix


What's the real cost of a security breach?

The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th