12-08-2003, 03:17 PM
NJ
OT virus/NOT A HOAX


"danrahan" wrote in message
...
This appears to be a variation on an old hoax. Ms Blast.exe appears to
be a legit file. This virus does not show up on Symantec's list.


I just received a warning from my antivirus program (E-Trust) warning me of
the virus, along with a full report of how it works. NO HOAX. Update your
antivirus NOW. Here is a snippet of what E-Trust sent me this morning:
***********************************************
Win32.Poza is a worm using the exploit described in MS03-026 to gain access
to unpatched Windows installations. More information about the exploit can
be found in our Vulnerabilities Library or at the Microsoft site here:
http://www.microsoft.com/technet/sec...n/MS03-026.asp

Method of Installation

It creates a mutex "BILLY" to avoid running multiple instances of itself,
and creates a registry value to activate on Windows restart:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update =
"msblast.exe"

The worm runs an FTP service listening on port 69 waiting for exploited
machines to connect.

Method of Distribution

It starts by scanning the entire subnet for open 135 ports, then moves on to
scan randomly selected class B subnets (255.255.0.0) to start scanning. If
an open 135 port is found, it uses the exploit mentioned above to gain entry
and create a remote shell on the exploited machine. It then assumes the
exploit succeeded and attempts to connect to port 4444 of the remote
machine. If successfully connected, it instructs the remote machine to
download MSBLAST.EXE (size: 6,176 bytes, UPX packed) from its FTP service
using TFTP.EXE. It then sends an instruction to start MSBLAST.EXE on the
remote machine.

Note: TFTP.EXE is a utility included by default in installations of
Windows 2000 and later versions.

The worm is capable of keeping live connections to 20 exploited machines
simultaneously.

Payload

If the day of the month is 16 or later, or the month is between January and
August, the worm creates a working thread to send random data to
windowsupdate.com almost continuously. This effectively launches a
Distributed Denial of Service attack against windowsupdate.com.

Additional Information

The worm body contains these strings:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your
software!!

CA has also received reports from several sources that this worm may be
seen associated with crashes of svchost.exe.

***********************************************
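The CA write-up pasted above describes a three-step propagation sequence (a sweep of TCP/135, a connection to the TCP/4444 shell, then the victim pulling MSBLAST.EXE back from the attacker over TFTP on UDP/69). The following is an added example, not code from NJ's post or from CA, that looks for exactly that sequence in a connection log. The log format is a constructed, hypothetical one (`<epoch> <TCP|UDP> <src> <dst> <dport>`), and the sample lines are made up for the demonstration; the 135 scan threshold is an assumed tuning knob, not something the write-up specifies.

```python
"""Flag the MSBlast/Win32.Poza propagation sequence in a connection log.

Added example; not code from the original post or from CA. The flow log
format is constructed and hypothetical:
    <epoch_seconds> <TCP|UDP> <src_ip> <dst_ip> <dst_port>
The sequence searched for is the one the CA write-up describes: one host
probes many addresses on TCP/135, connects to TCP/4444 on a host it probed,
and that host then pulls a file back from the attacker over UDP/69 (TFTP).
"""
from collections import defaultdict

# Constructed sample data: 10.0.0.7 is the infected scanner, 10.0.0.3 is fully
# compromised, 10.0.0.5 got the 4444 connection but never fetched the payload
# (the write-up notes the worm assumes the exploit succeeded), and the last
# three lines are ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
1060700001 TCP 10.0.0.7 10.0.0.1 135
1060700001 TCP 10.0.0.7 10.0.0.2 135
1060700001 TCP 10.0.0.7 10.0.0.3 135
1060700002 TCP 10.0.0.7 10.0.0.4 135
1060700002 TCP 10.0.0.7 10.0.0.5 135
1060700002 TCP 10.0.0.7 10.0.0.6 135
1060700003 TCP 10.0.0.7 10.0.0.3 4444
1060700003 TCP 10.0.0.7 10.0.0.5 4444
1060700004 UDP 10.0.0.3 10.0.0.7 69
1060700005 TCP 10.0.0.20 10.0.0.1 135
1060700005 TCP 10.0.0.21 10.0.0.22 4444
1060700006 UDP 10.0.0.23 10.0.0.24 69
"""


def parse_flows(text):
    """Parse the constructed log format into (ts, proto, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, dst, dport = line.split()
        flows.append((int(ts), proto.upper(), src, dst, int(dport)))
    return flows


def detect_blaster(flows, scan_threshold=5):
    """Return {attacker: {"scanned": n, "shell": [...], "payload_fetched": [...]}}.

    scan_threshold (assumed value) is the number of distinct TCP/135 targets
    that separates a worm sweep from normal RPC use, e.g. a workstation
    talking to a single domain controller on 135.
    """
    probed = defaultdict(set)  # src -> hosts it touched on TCP/135
    for _ts, proto, src, dst, dport in flows:
        if proto == "TCP" and dport == 135:
            probed[src].add(dst)
    scanners = sorted(s for s, targets in probed.items() if len(targets) >= scan_threshold)

    shells = defaultdict(set)  # attacker -> victims it reached on TCP/4444
    for _ts, proto, src, dst, dport in flows:
        if proto == "TCP" and dport == 4444 and src in scanners and dst in probed[src]:
            shells[src].add(dst)

    fetched = defaultdict(set)  # attacker -> victims that pulled TFTP from it
    for _ts, proto, src, dst, dport in flows:
        # Direction reverses here: the victim is the UDP/69 client and the
        # attacker is the server, exactly as the write-up describes.
        if proto == "UDP" and dport == 69 and dst in shells and src in shells[dst]:
            fetched[dst].add(src)

    return {
        attacker: {
            "scanned": len(probed[attacker]),
            "shell": sorted(shells.get(attacker, ())),
            "payload_fetched": sorted(fetched.get(attacker, ())),
        }
        for attacker in scanners
    }


if __name__ == "__main__":
    for attacker, info in detect_blaster(parse_flows(SAMPLE_LOG)).items():
        print(attacker, info)
```

Hosts that only show up in `shell` but not in `payload_fetched` are the ones the worm tried and lost; the write-up's remark that it "assumes the exploit succeeded" is why the two lists differ, and both are worth checking, since a failed attempt often matches the svchost.exe crashes CA mentions.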