(Blaster) This is a new worm. It spreads by exploiting a recent vulnerability in Microsoft Windows. The worm scans random ranges of IP addresses on port 135. Discovered systems are targeted: exploit code is sent to those systems, instructing them to download and execute the file MSBLAST.EXE from a remote system via TFTP.
The worm contains a payload to initiate a Denial of Service attack against windowsupdate.com.
Computers that have up-to-date antivirus software will detect the worm executable upon download. However, unless the system has been patched (MS03-026), it is susceptible to the buffer overflow attack. This means that the remote shell will still get created on TCP port 4444, and the system may unexpectedly crash upon receiving malformed exploit code.
Microsoft Patches
It is imperative that infected systems are patched before they are disinfected. Some systems may be in a “crash loop” where each time the system is restarted, SVCHOST.EXE crashes and the user has 60 seconds before the system restarts. This can continue to happen even after the virus is removed if the patch is not applied.
Ensure that your system is not at risk from this exploited vulnerability:
Apply the MS03-026 patch to all vulnerable systems.
Stand alone remover
Stinger has been updated to include detection/removal of this threat.
Sniffer Customers: Download a Sniffer filter to detect W32/Lovsan.worm traffic (Sniffer Distributed 4.3 and Sniffer Portable 4.7.5).
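The network behaviour described above (port 135 scanning, a shell connection on TCP 4444, then a TFTP download back from the scanning host) can also be looked for in connection logs. The following is an added example, not the Sniffer filter and not code from the original advisory; the flow record format, the sample addresses and the scan threshold are assumptions, and TFTP is taken to be on its standard UDP port 69.

```python
from collections import defaultdict

# Constructed sample flow records (not from a real capture).
# Assumed format: "timestamp src dst proto dport"
SAMPLE_FLOWS = """\
100 10.0.0.5 10.0.1.1 tcp 135
101 10.0.0.5 10.0.1.2 tcp 135
102 10.0.0.5 10.0.1.3 tcp 135
103 10.0.0.5 10.0.1.4 tcp 135
104 10.0.0.5 10.0.1.3 tcp 4444
105 10.0.1.3 10.0.0.5 udp 69
106 10.0.0.9 10.0.1.1 tcp 135
107 10.0.0.9 10.0.1.1 tcp 445
"""

SCAN_THRESHOLD = 4  # assumed: distinct port-135 targets before a source counts as scanning


def parse(text):
    """Yield (ts, src, dst, proto, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], parts[3].lower(), int(parts[4])
        except ValueError:
            continue


def analyse(text, threshold=SCAN_THRESHOLD):
    """Return (scanning sources, {(victim, source)} pairs showing the full sequence)."""
    rpc_targets = defaultdict(set)  # source -> hosts it probed on tcp/135
    shell = {}                      # (source, target) -> time of tcp/4444 connection
    compromised = set()
    for ts, src, dst, proto, dport in sorted(parse(text)):
        if proto == "tcp" and dport == 135:
            rpc_targets[src].add(dst)
        elif proto == "tcp" and dport == 4444 and dst in rpc_targets[src]:
            shell[(src, dst)] = ts  # shell port reached after a port-135 probe
        elif proto == "udp" and dport == 69 and (dst, src) in shell:
            compromised.add((src, dst))  # probed host fetches via TFTP from its prober
    scanners = {s for s, t in rpc_targets.items() if len(t) >= threshold}
    return scanners, compromised


if __name__ == "__main__":
    print(analyse(SAMPLE_FLOWS))
```

Hosts in the second set have shown the whole infection sequence and should be patched with MS03-026 before cleaning, as described below.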
Manual Removal Instructions
To remove this virus "by hand", follow these steps:
Apply the MS03-026 patch
Terminate the process msblast.exe
Delete the msblast.exe file from your WINDOWS SYSTEM32 directory (typically c:\windows\system32 or c:\winnt\system32)
Edit the registry
Delete the "windows auto update" value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run