Blaster
Worm Information (3 Variants)
8.14.2003 4:15am
Sarc Info
http://www.sarc.com/avcenter/venc/data/w32.blaster.worm.html
Executable
msblast32.exe
Notes
1. Distribution # 1 Executable file in email
   a. Does not mass email
2. Distribution # 2 Port 135 Exploit
3. IN Cmd.exe listens on TCP port 4444
   a. Hacker can issue remote commands
4. OUT Listens on UDP port 69
   a. After DCOM RPC exploit, penis.exe will be sent via TFTP on this port
5. Timebomb DoS attack on Windows Update begins on August 16th and runs until the end of the year
Removal Tool
http://www.maitek.com/avtools/blaster/FixBlast.exe
Sarc Info
http://www.sarc.com/avcenter/venc/data/w32.blaster.b.worm.html
Executable
penis32.exe
Notes
1. Distribution # 1 Executable file in email
   a. Does not mass email
2. Distribution # 2 Port 135 Exploit
3. IN Cmd.exe listens on TCP port 4444
   a. Hacker can issue remote commands
4. OUT Listens on UDP port 69
   a. After DCOM RPC exploit, penis.exe will be sent via TFTP on this port
5. Timebomb DoS attack on Windows Update begins on August 16th and runs until the end of the year
Removal Tool
http://www.maitek.com/avtools/blaster/FixBlast.exe
Sarc Info
http://www.sarc.com/avcenter/venc/data/w32.blaster.c.worm.html
Executable
teekids.exe
Notes
1. Distribution # 1 Executable file in email
   a. Does not mass email
2. Distribution # 2 Port 135 Exploit
3. IN Cmd.exe listens on TCP port 4444
   a. Hacker can issue remote commands
4. OUT Listens on UDP port 69
   a. After DCOM RPC exploit, msblast.exe will be sent via TFTP on this port
5. Timebomb DoS attack on Windows Update begins on August 16th and runs until the end of the year
Removal Tool
None
Manual Removal
Disable System Restore
Windows Update
Exploits
   DCOM RPC vulnerability
   http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
Antivirus Update
End Worm Process
Scan and Delete Infected Files
Remove Registry Keys
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   Or
   msconfig.exe and then STARTUP (Not on 2000)
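
Added example (not part of the original notes): a triage check that looks for the indicators listed above, the three executable names in the Run key and listeners on TCP 4444 and UDP 69, in saved `netstat -an` and `reg query` output. The sample inputs, registry value names and function names are constructed for illustration. A UDP 69 listener can also be a legitimate TFTP server, so a hit there is a reason to look closer, not proof.

```python
import re

# Indicators taken from the notes above.
WORM_EXES = {"msblast32.exe", "penis32.exe", "teekids.exe"}
WORM_PORTS = {("TCP", 4444), ("UDP", 69)}  # remote cmd.exe shell, TFTP transfer

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1042          10.0.0.9:135           ESTABLISHED
  UDP    0.0.0.0:69             *:*
"""

# Constructed sample of `reg query` output; the value names are made up.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    C:\Program Files\Example\updater.exe /q
    ExampleEntry      REG_SZ    teekids.exe
"""

def suspicious_listeners(netstat_text):
    """Return (proto, port) pairs bound locally that match the worm's ports."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, port = fields[0], fields[1].rsplit(":", 1)[-1]
        # UDP sockets have no state column; TCP must be LISTENING.
        bound = proto == "UDP" or fields[-1] == "LISTENING"
        if bound and port.isdigit() and (proto, int(port)) in WORM_PORTS:
            hits.append((proto, int(port)))
    return hits

def suspicious_run_entries(reg_text):
    """Return Run-key value names whose data launches a listed executable."""
    hits = []
    for line in reg_text.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_(?:SZ|EXPAND_SZ)\s+(.*)$", line)
        if m and WORM_EXES & set(re.findall(r'[^\\/\s"]+\.exe', m.group(2).lower())):
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    print(suspicious_listeners(SAMPLE_NETSTAT))
    print(suspicious_run_entries(SAMPLE_RUN_KEY))
```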