TrendLabs Malware Blog
Glossary
TrendWatch
TrendLabs Twitter
WORM_MSBLAST.GEN
Overview
Solution

Malware type: Worm

Aliases: Net-Worm.Win32.Lovesan.a (Kaspersky), W32/Blaster.worm.gen (McAfee), W32.Blaster.Worm (Symantec), Worm/Blaster.B (Avira), W32/Blaster-A (Sophos),

In the wild: No

Destructive: Yes

Language: English

Platform: Windows 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

 High

Distribution potential:

 High

Description: 

This worm is Trend Micro's generic and proactive detection for the MSBLAST family of worms, which use the RPC DCOM BUFFER OVERFLOW to propagate. This vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

The vulnerability affects unpatched systems running Windows NT, 2000, XP, and Server 2003. This worm, however, can only propagate into systems running Windows 2000 and XP.

This worm has been observed to continuously scan random IP addresses and send data to vulnerable systems on the network using port 135. On the following system dates, it performs a Distributed Denial Of Service attack against windowsupdate.com:

  • On the 16th to the 31st day of the following months:

    • January
    • February
    • March
    • April
    • May
    • June
    • July
    • August

  • Any day in the months of September to December.

Important: Users of affected systems are strongly advised to apply the necessary patches, which may be downloaded from the following Microsoft page:

For additional information about this threat, see:
Solution
Technical Details

Description created: Aug. 13, 2003 7:30:55 PM GMT -0800
Description updated: Aug. 15, 2003 7:53:56 PM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.