W32/Blaster.A

| Field | Value |
|---|---|
| Type | Worm |
| Alias | MSBlast.A |
| Spreading mechanism | Network |
| Payload | Performs a denial of service attack |
| Overall risk | Medium |
| Destructivity | |
| Infection type | Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista |
| Detected by virus detection files published | 8/12/2003 |
| Virus characteristics first published | 8/12/2003 |
| Virus characteristics latest update | 9/20/2005 |
When run, the worm first installs itself in the registry through the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run "windows auto update" = MSBlast.exe, which makes it start at every boot. It checks whether it is already running by attempting to create a mutex called "BILLY". It then generates random IP addresses that it attempts to spread to, by sending specially formatted data to port 135 on the remote machines. If a machine is vulnerable to this attack, it opens a remote shell on port 4444. That shell receives instructions to connect back to the infected machine using TFTP and download the original worm file; the worm has by this stage set up a TFTP server on port 69. Once the download is complete, the worm file is started via the same remote shell. The buffer overrun performed on target machines may have a detrimental effect on their stability, whether or not the infection completes.
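As a defender-side illustration of the sequence above (added here; not part of the original entry), the following Python correlates the TCP/135, TCP/4444 and reverse TFTP/69 chain over a constructed connection log and checks a Run-key entry against the persistence value described. The log format and the IP addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample connection log (hypothetical format): seq src dst proto dport
SAMPLE_LOG = """\
1 10.0.0.5 10.0.0.7 tcp 135
2 10.0.0.5 10.0.0.7 tcp 4444
3 10.0.0.7 10.0.0.5 udp 69
4 10.0.0.9 10.0.0.7 tcp 135
5 10.0.0.9 10.0.0.7 tcp 80
6 10.0.0.11 10.0.0.12 udp 69
7 10.0.0.5 10.0.0.8 tcp 135
8 10.0.0.5 10.0.0.8 tcp 4444
"""

def parse_log(log):
    """Turn the constructed log into (seq, src, dst, proto, dport) tuples ordered by seq."""
    events = []
    for line in log.splitlines():
        seq, src, dst, proto, dport = line.split()
        events.append((int(seq), src, dst, proto.lower(), int(dport)))
    return sorted(events)

def find_blaster_chains(log):
    """Correlate per (attacker, victim) pair: TCP/135, then TCP/4444 from the attacker,
    then UDP/69 from the victim back to the attacker (the worm's TFTP fetch).
    'complete' pairs finished the fetch; 'shell_only' reached the shell stage only,
    which still matters because the overflow alone can destabilise the target."""
    stage = defaultdict(int)  # (attacker, victim) -> furthest stage observed
    complete = []
    for _, src, dst, proto, dport in parse_log(log):
        if proto == "tcp" and dport == 135:
            stage[(src, dst)] = max(stage[(src, dst)], 1)
        elif proto == "tcp" and dport == 4444 and stage[(src, dst)] == 1:
            stage[(src, dst)] = 2
        elif proto == "udp" and dport == 69 and stage[(dst, src)] == 2:
            # src is the victim pulling the worm file from the attacker's TFTP service
            stage[(dst, src)] = 3
            complete.append((dst, src))
    shell_only = [pair for pair, s in stage.items() if s == 2]
    return {"complete": complete, "shell_only": shell_only}

def is_blaster_run_entry(value_name, data):
    """True for the Run-key persistence entry described above:
    value name 'windows auto update' pointing at msblast.exe (case-insensitive)."""
    exe = data.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return value_name.lower() == "windows auto update" and exe == "msblast.exe"
```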