Proventia Network MFS, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Server IPS for Linux technology, RealSecure Desktop Protector 3.6, Proventia Desktop, Proventia Network IPS, RealSecure Server Sensor, RealSecure Network, BlackICE Agent for Server, BlackICE PC Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection:
This signature detects a TFTP attempt to transfer the msblast.exe file.
Proventia Network MFS, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Server IPS for Linux technology, RealSecure Desktop Protector 3.6, Proventia Desktop, Proventia Network IPS, RealSecure Server Sensor, RealSecure Network, BlackICE Agent for Server, BlackICE PC Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection: The signature matches on the filename in the TFTP request, so any legitimate use of TFTP to transfer a file named msblast.exe will trigger this event.
High
Proventia Network MFS: 1.0, Proventia Network IDS: XPU 21.1, Proventia-G 1.1 and earlier: G Series, Proventia Server IPS for Linux technology: 1.0, RealSecure Desktop Protector 3.6: baseline, Proventia Desktop: 8.0.614.1, Proventia Network IPS: 2.0, RealSecure Server Sensor: XPU 21.1, RealSecure Network: XPU 21.1, BlackICE Agent for Server: 3.6eof, BlackICE PC Protection: 3.6cpa, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE Server Protection: 3.6.cpa, RealSecure Desktop: baseline
Microsoft Windows NT: 4.0, Microsoft Windows NT: 4.0 Terminal Server, Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows 2003 Server
Suspicious Activity
The MS Blast Worm, also known as W32/Lovsan.worm, Lovsan, W32.Blaster.Worm, and Blaster, propagates by exploiting a buffer overflow vulnerability in the Distributed Component Object Model (DCOM) interface of the Microsoft Windows RPC (Remote Procedure Call) service. The worm also carries a Denial of Service (DoS) payload, a SYN flood against windowsupdate.com, which it launches when the system date is later than August 15th, 2003 and prior to December 31st, 2003.
The worm scans sequentially for systems with TCP port 135 open, exploits the RPC DCOM vulnerability, and instructs the compromised host to pull the worm binary over TFTP from the infecting host. To restart itself on every reboot, the worm adds a value named "windows auto update" with the data "msblast.exe" under the "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" registry key. The exploit also leaves a command shell listening on TCP port 4444 on the victim, which could allow an attacker to execute commands on the system.
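The check this signature performs is a match on the filename carried in the TFTP request. The script below is an added example, not the ISS/X-Force signature code: it parses TFTP read and write requests (RFC 1350 RRQ/WRQ) from raw UDP payloads as a sensor would see them on UDP port 69, and flags any request whose filename is msblast.exe, comparing case-insensitively and ignoring any leading path so that a Windows-style path does not evade the match. The sample packets and the helper names are constructed here for illustration only.

```python
"""Parse TFTP RRQ/WRQ requests (RFC 1350) from raw UDP payloads and flag
requests for msblast.exe.

Added illustration of the filename check; not the ISS/X-Force signature
implementation. All sample packets below are constructed for this example.
"""
import struct

TFTP_RRQ = 1
TFTP_WRQ = 2

# Filename the Blaster worm pulls over TFTP. Compared case-insensitively
# because Windows filenames are case-insensitive.
TARGET_FILENAME = "msblast.exe"


def parse_tftp_request(payload: bytes):
    """Return (opcode, filename, mode) for an RRQ/WRQ, or None otherwise.

    RRQ/WRQ layout: 2-byte big-endian opcode, NUL-terminated filename,
    NUL-terminated mode (netascii/octet/mail), optional RFC 2347 options.
    """
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    # A well-formed request has filename and mode, each NUL-terminated, so
    # split() yields at least three pieces (the last being the trailing empty one).
    if len(fields) < 3:
        return None
    filename = fields[0].decode("latin-1", errors="replace")
    mode = fields[1].decode("latin-1", errors="replace").lower()
    if mode not in ("netascii", "octet", "mail"):
        return None
    return opcode, filename, mode


def basename(filename: str) -> str:
    """Strip a leading DOS or POSIX path: 'C:\\temp\\msblast.exe' -> 'msblast.exe'."""
    return filename.replace("\\", "/").rsplit("/", 1)[-1]


def is_msblast_transfer(payload: bytes) -> bool:
    """True when the payload is a TFTP request for a file named msblast.exe."""
    parsed = parse_tftp_request(payload)
    if parsed is None:
        return False
    _, filename, _ = parsed
    return basename(filename).lower() == TARGET_FILENAME


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Build an RRQ/WRQ payload; used here only to construct sample traffic."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


# Constructed sample UDP payloads (what a sensor would see on UDP/69).
SAMPLES = {
    "blaster_rrq": build_request(TFTP_RRQ, "msblast.exe"),
    "blaster_upper": build_request(TFTP_RRQ, "MSBLAST.EXE", "netascii"),
    "blaster_path": build_request(TFTP_WRQ, "C:\\WINDOWS\\system32\\msblast.exe"),
    "benign_rrq": build_request(TFTP_RRQ, "pxelinux.0"),
    "data_packet": struct.pack("!HH", 3, 1) + b"MZ\x90\x00",  # DATA block, not a request
    "truncated": b"\x00\x01msblast.exe",                        # missing NUL and mode: malformed
}


def scan(samples=SAMPLES):
    """Return the names of the samples that would fire the event."""
    return [name for name, pkt in samples.items() if is_msblast_transfer(pkt)]


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} -> {'ALERT' if is_msblast_transfer(pkt) else 'ok'}")
```

Because the match is on the requested filename only, a copy of the worm fetched under a different name, as later Blaster variants did, does not fire this event; conversely, an administrator copying any file called msblast.exe over TFTP does, which is the false positive noted above. Pairing this event with the TCP/135 exploit attempt and the TCP/4444 shell traffic from the same source gives far higher confidence than the filename alone.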
For Microsoft Windows 2000:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS06-018. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS03-026, but it was superseded by the patches released with MS03-039, MS04-012, and MS05-051, which were in turn superseded by the patch released with MS06-018.
For Windows XP and Windows Server 2003:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS05-051. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS03-026, but it was superseded by the patches released with MS03-039, MS04-012, and MS05-012, which were in turn superseded by the patch released with MS05-051.
For Microsoft Windows NT 4.0:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS04-029. See References.
Note: Microsoft originally provided a patch for this vulnerability in MS03-026, but it was superseded by the patches released with MS03-039 and MS04-012, which were in turn superseded by the patch released with MS04-029.
BugTraq Mailing List, Mon Aug 11 2003 - 15:49:37 CDT
New Windows DCOM Worm - msblast.exe (fwd)
http://archives.neohapsis.com/archives/bugtraq/2003-08/0118.html
BugTraq Mailing List, Mon Aug 11 2003 - 16:36:24 CDT
DCOM worm analysis report: W32.Blaster.Worm
http://archives.neohapsis.com/archives/bugtraq/2003-08/0119.html
DeepSight Threat Management System Threat Alert
MS DCOM RPC Worm
https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf
McAfee Security Virus Profile - W32/Lovsan.worm
W32/Lovsan.worm
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547
Trend Micro Virus Encyclopedia
WORM_MSBLAST.A
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
Microsoft Security Bulletin MS03-026
Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
http://www.microsoft.com/technet/security/bulletin/ms03-026.mspx
Microsoft Knowledge Base Article 823980
Buffer Overrun in RPC Interface May Allow Code Execution
http://support.microsoft.com/?kbid=823980
CERT Advisory CA-2003-20
W32/Blaster worm
http://www.cert.org/advisories/CA-2003-20.html
BugTraq Mailing List, Thu Aug 14 2003 - 15:44:17 CDT
Analysis/decompilation of main() of the msblast worm
http://archives.neohapsis.com/archives/bugtraq/2003-08/0160.html
CIAC Information Bulletin N-133
Blaster Worm (aka: W32.Blaster, MSBlast, Lovsan, Win32.Poza)
http://www.ciac.org/ciac/bulletins/n-133.shtml
Cisco Security Notice 44522
W32.BLASTER Worm Mitigation Recommendations
http://www.cisco.com/warp/public/707/cisco-sn-20030814-blaster.shtml
Sun Alert ID: 56780
Recent Mass Mailing of "Worms" or Mail Viruses May Cause Network and Application Performance Degradation
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56780&zone_32=category%3Asecurity
Microsoft Security Bulletin MS05-012
Vulnerability in OLE and COM Could Allow Remote Code Execution (873333)
http://www.microsoft.com/technet/security/bulletin/MS05-012.mspx
Microsoft Security Bulletin MS04-012
Cumulative Update for Microsoft RPC/DCOM (828741)
http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx
Microsoft Security Bulletin MS03-039
Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)
http://www.microsoft.com/technet/security/bulletin/ms03-039.mspx
Microsoft Security Bulletin MS05-051
Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)
http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx
Microsoft Security Bulletin MS04-029
Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service (873350)
http://www.microsoft.com/technet/security/bulletin/ms04-029.mspx
Microsoft Security Bulletin MS06-018
Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580)
http://www.microsoft.com/technet/security/Bulletin/MS06-018.mspx
ISS X-Force
MS Blast worm
http://www.iss.net/security_center/static/12866.php