TrendLabs Malware Blog
Glossary
TrendWatch
TrendLabs Twitter
WORM_MSBLAST.A
Overview
Solution

Malware type: Worm

Aliases: W32.Blaster.Worm, W32/Blaster-A, W32/Blaster.worm, W32/Msblast.A, Win32/Poza!Worm

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

 High

Distribution potential:

 High

Description: 

TrendLabs has received several infection reports of this new worm, which exploits the RPC DCOM BUFFER OVERFLOW. This vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

The vulnerability affects unpatched systems running Windows NT, 2000, XP, and Server 2003. This worm, however, can only propagate into systems running Windows 2000 and XP.

This worm has been observed to continuously scan random IP addresses and send data to vulnerable systems on the network using port 135. On the following system dates, it performs a Distributed Denial Of Service attack against windowsupdate.com:

  • On the 16th to the 31st day of the following months:

    • January
    • February
    • March
    • April
    • May
    • June
    • July
    • August

  • Any day in the months of September to December.

Important: Users of affected systems are strongly advised to apply the necessary patches, which may be downloaded from the following Microsoft page:

Users are also advised to visit the following page for more information from Microsoft:

For general overview of the MSBLAST family of worms, please refer to the Virus Encyclopedia entry for WORM_MSBLAST.GEN.

For additional information about this threat, see:
Solution
Technical Details

Description created: Aug. 11, 2003 1:44:43 PM GMT -0800
Description updated: Feb. 3, 2004 11:09:08 PM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.