A fast-spreading new computer worm tries to prevent vulnerable machines seeking protection by attacking a vital update server. The "Blaster" worm has already infected thousands of computers worldwide, security companies say.
The worm, also known as "Lovsan", exploits a software bug affecting most versions of Microsoft's Windows operating system. The bug was revealed on 16 July and Microsoft also released a software fix on the same day.
After infecting a vulnerable computer, the worm is programmed to send a volley of bogus traffic to Microsoft's software update service, windowsupdate.com, on 16 August. If enough machines are infected this will overwhelm the site, preventing system administrators from using it to download the software patches needed to prevent other machines being infected.
"It's an extremely devious trick by Blaster's author," says Graham Cluley, of UK anti-virus company Sophos. "Blaster attempts to knock Microsoft's windowsupdate.com website off the internet."
<snip>
Buffer overrun
To exploit the Windows flaw on a vulnerable system, Blaster sends irregular network packets of data that cause a "buffer overrun" error. This means the system's normal security controls can be bypassed, allowing remote commands to be carried out.
Blaster scans for vulnerable machines via the standard network protocols TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Once a susceptible machine has been located it gains control of the machine and downloads a full executable copy of itself, "msblaster.exe", which it starts running. The worm also installs a TFTP (Trivial File Transfer Protocol) server so that it can pass more copies of itself to other hosts.
Some analysts say the worm may not spread as effectively as some other specimens because it relies on TFTP messages, which are automatically blocked by some firewalls.
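The two-step pattern described above (probe the RPC port on many hosts, then have the victim pull a copy over TFTP) is what a firewall log would show. The following is an added detection example, not code from the article or from any vendor named in it; the log format and addresses are constructed, and the port numbers are not on the page but are the standard ones for the RPC service patched by MS03-026 (TCP 135) and for TFTP (UDP 69).

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from the article): one record per
# connection attempt in a simple syslog-like format.
SAMPLE_LOG = """\
Aug 11 14:02:01 fw kernel: DROP src=10.0.0.7 dst=192.168.1.10 proto=tcp dpt=135
Aug 11 14:02:01 fw kernel: DROP src=10.0.0.7 dst=192.168.1.11 proto=tcp dpt=135
Aug 11 14:02:02 fw kernel: ACCEPT src=10.0.0.7 dst=192.168.1.12 proto=tcp dpt=135
Aug 11 14:02:02 fw kernel: DROP src=10.0.0.7 dst=192.168.1.13 proto=tcp dpt=135
Aug 11 14:02:03 fw kernel: DROP src=10.0.0.7 dst=192.168.1.14 proto=tcp dpt=135
Aug 11 14:02:05 fw kernel: ACCEPT src=192.168.1.12 dst=10.0.0.7 proto=udp dpt=69
Aug 11 14:03:10 fw kernel: ACCEPT src=10.0.0.9 dst=192.168.1.20 proto=tcp dpt=80
Aug 11 14:03:11 fw kernel: ACCEPT src=10.0.0.9 dst=192.168.1.21 proto=tcp dpt=80
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dpt=(\d+)")
RPC_PORT = 135   # TCP port of the RPC service patched by MS03-026 (assumed, not on the page)
TFTP_PORT = 69   # UDP port used by TFTP (assumed, not on the page)

def analyse(log_text, scan_threshold=4):
    """Return {source: verdict} for hosts showing Blaster-like behaviour.

    verdict is "scanner" when a source hit RPC_PORT on at least scan_threshold
    distinct destinations, and "scanner+tftp" when one of those destinations
    then pulled a file back from the scanner over TFTP, which is the
    "downloads a full executable copy of itself" step the article describes."""
    rpc_targets = defaultdict(set)   # scanner -> {hosts probed on tcp/135}
    tftp_pulls = defaultdict(set)    # tftp server -> {clients that connected to it}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, proto, dpt = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if proto == "tcp" and dpt == RPC_PORT:
            rpc_targets[src].add(dst)
        elif proto == "udp" and dpt == TFTP_PORT:
            tftp_pulls[dst].add(src)
    verdicts = {}
    for src, targets in rpc_targets.items():
        if len(targets) < scan_threshold:
            continue
        # A probed host that then fetches from the scanner over TFTP completes
        # the infection chain, so escalate the verdict for that scanner.
        verdicts[src] = "scanner+tftp" if targets & tftp_pulls.get(src, set()) else "scanner"
    return verdicts

if __name__ == "__main__":
    for host, verdict in analyse(SAMPLE_LOG).items():
        print(f"{host}: {verdict}")
```

Hosts flagged "scanner+tftp" are the ones SANS's advice (block at the firewall, disconnect the machine) applies to first; a plain "scanner" verdict on its own may also be a legitimate RPC client and deserves a look before isolation.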
Traffic spike
But US network security company TruSecure has already reported a fivefold increase in network traffic directed at computer ports associated with the data sent by the worm. Other security companies have issued alerts about the worm, as has the Computer Emergency Response Team (CERT), an organisation funded by the US government.
US company Network Associates says the worm "is spreading quickly to thousands of machines around the globe," based on reports from the company's customers.
The SANS Institute, a network administrators training organisation in the US, recommends blocking incoming requests that could come from the worm at a network's firewall and physically disconnecting machines thought to have been infected.
The worm's code also includes a brief insult aimed at Bill Gates, founder and chief software architect at Microsoft. The offending message says: "billy gates why do you make this possible? Stop making money and fix your software!!"
Thanks xStainDx for the following information posted in our Back Page News section of the forum.
1.- Patch your system with the appropriate MS03-026 patch.
2.- After installation of the patch, reboot your system.
3.- Download and run "FIXBLAST.exe" to remove the MSBLAST.exe file, terminate the process and remove the registry keys added by the worm.
4.- Reboot your PC one last time.
5.- Visit WindowsUpdate.com more often and take note of our repeated warnings to keep your system updated.
Result: Your system will no longer shut down after 60 secs. Please follow the steps above to remove the worm from your computer and return your system to UPDATED safe status.