# MSBlast W32.Blaster.Worm / LovSan : Removal Instructions



## foxfire (Jun 24, 2004)

'MSBlast' / LovSan Write up 

Also Known As: 
W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure], WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]


----------



## foxfire (Jun 24, 2004)

*History of this exploit/worm:*

Around July 16th the Last Stage of Delirium (Polish 'White Hat' hackers) created 'proof of concept' (i.e. they actually executed a theoretical exploit) code to exploit a stack buffer overflow vulnerability in "Windows 2000 (sp 1-4), Windows XP (sp 1) and Windows 2003 Server (regardless of the service packs installed)" ( http://lsd-pl.net/special.html ). Special thanks go out to LSD for their responsibility in not releasing their code. Microsoft also thanks them. A pity their responsibility made little difference. 

An American hacker and a Chinese hacking group (XFocus) released code for this exploit on July 25th ( http://www.xfocus.org/documents/200307/2.html ) without any code or special information to work with, proving that with very vague details of an exploit malicious code can be created quickly, even without disclosure of the exploit's details. They only released code to work on 3 Windows Operating Systems but the code can easily be modified to use on the other vulnerable systems. 

HD Moore (founder of the Metasploit Project) modified the code to exploit 7 operating systems. "I don't like broken exploits, so I fixed it," he said. He posted the code on a machine he hosted and was inundated with traffic and was taken offline. He had planned to disseminate the code off of a web server but I did not verify that it has happened. 

The release of code to execute this exploit gave System administrators little time to patch and home users who are typically slower to do so even less. 

Soon exploit tools were released allowing hackers to send commands through IRC networks. On Aug 2nd the first traces of these attack programs were found but they were not worms. They did not self-propagate. 


The next step was for someone to create a worm to tie into this exploit. 

With the DefCon hacker convention on the weekend of Aug 2,3 it was widely expected that a worm would be released (not necessarily by people attending DefCon but simply because of the attention to hacking that the conference brings) that utilized this exploit. The Department of Homeland Security issued an alert on Aug 1st and the Federal Computer Incident Response Center (FedCIRC), the National Communications System (NCS) and the National Infrastructure Protection Center (NIPC) were keeping an eye out for the exploits. 

The worm became an internet threat yesterday (Aug 11th). It was named "MSBlast" by its author. The Internet Storm Center ( http://isc.incidents.org/ ) has claimed that it is spreading quickly (my anecdotal evidence backs this up). By midafternoon on Aug 11th at least 7000 machines had been compromised according to cnet. 

This worm has not yet reached its peak. It will be fine-tuned by other hackers and modified to become more dangerous. This morning some hackers were already claiming to do so in some IRC channels.


----------



## foxfire (Jun 24, 2004)

*How the exploit works:*

Sending malicious data to TCP port 135 on an unpatched machine grants SYSTEM privileges. Most firewalls would protect against this exploit. From reports (I have not yet run the code) this could be specially formatted data or simply a brute attack on the RPC (remote procedure call) process. With SYSTEM privileges the exploit can be used to install an FTP application and upload malicious code.


----------



## foxfire (Jun 24, 2004)

*How MSBlast ( W32.Blaster.Worm ) Works:*

After using the above exploit, MSBlast installs the Trivial File Transfer Protocol (TFTP) server and then uses it to download its code to the computer. It adds a registry key to reboot with the machine. It is often noticed by a message telling the user that the machine is shutting down: 

> "System is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM.
>
> Windows must now restart because the Remote Procedure Call (RPC) terminated unexpectedly."


The worm also sends out a "greet" to other hackers and executes a DoS attack on windowsupdates. The following messages are also sent to Windows: "billy gates why do you make this possible?" and "Stop making money and fix your software!!"


----------



## foxfire (Jun 24, 2004)

Vulnerable Systems 

In MSB MS03-026 Microsoft detailed this exploit and after their extensive tests determined that it affects the following operating systems: 




> Microsoft Windows NT® 4.0
> Microsoft Windows 2000
> Microsoft Windows XP
> Microsoft Windows Server™ 2003


----------



## foxfire (Jun 24, 2004)

How to prevent being exploited and getting this worm 

Waaaay back in July Microsoft released a patch to this exploit. If you want to avoid being hacked keep your software updated! 

To update Windows: 

http://windowsupdate.microsoft.com/ 

The worm was identified on the same day by most antivirus companies. Yesterday new virus definitions were released. 

Update your virus definitions! To do this follow the instructions particular to your AV software. 

Lastly, this particular exploit is foiled by most firewalls. Enable Windows XP's Internet Connection Firewall.


----------



## foxfire (Jun 24, 2004)

*How to Check Which Version You Have*

If you are unsure whether a product you are running is affected by this issue, check the version. 

To determine which version of Microsoft Windows you are running: 

1. On the taskbar at the bottom of your screen, click Start, and then click Run. 
2. In the Run dialog box, type winver 
3. Click OK. 
4. A dialog box displays the version that you are running.


----------



## foxfire (Jun 24, 2004)

How to remove MSBlast 

The first step should be to try automated removal tools: 

Symantec W32.Blaster.Worm Removal Tool 

Download the removal Tool 

With both methods of removal prepare and then perform the removal offline. 

Manual Removal (from Symantec's Write Up) 

Steps 

1. Disable System Restore (Windows XP). 
2. Update the virus definitions. 
3. End the Trojan process. 
4. Run a full system scan and delete all the files detected as W32.Blaster.Worm. 
5. Reverse the changes that the Trojan made to the registry. 



1. Disabling System Restore (Windows XP) 

If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer. 

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations. 

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat. 

2. Updating the virus definitions 

This depends on your antivirus program. Post a help request here on this thread if you need help with this. 

3. Ending the Worm process 

To end the Trojan process: 

1. Press Ctrl+Alt+Delete once. 
2. Click Task Manager. 
3. Click the Processes tab. 
4. Double-click the Image Name column header to alphabetically sort the processes. 
5. Scroll through the list and look for msblast.exe. 
6. If you find the file, click it, and then click End Process. 
7. Exit the Task Manager. 



4. Scanning for and deleting the infected files 

Use your antivirus program to do a full scan of your computer and delete all infected files. Instructions for this are dependent on your antivirus software, so post a help request if you need help with this step. 

5. Reversing the changes made to the registry 

Editing the registry is tricky. Make sure to back up your registry first! 

"How to make a backup of the Windows registry," 

1. Click Start, and then click Run. (The Run dialog box appears.) 
2. Type regedit 
3. Then click OK. (The Registry Editor opens.) 
4. Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 
5. In the right pane, delete the value: "windows auto update"="msblast.exe" 
6. Exit the Registry Editor. 



Removal instructions are by Douglas Knowles and are found in the Symantec write-up; the instructions have been slightly modified here to help infected users who do not use Norton AntiVirus.
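As an added defender-side example (not part of the post or Symantec's write-up), the following PowerShell script checks a host for the two indicators named in steps 3 and 5 above, the running msblast.exe process and the "windows auto update" value under the Run key, and with -Fix applies those two steps. It assumes Windows PowerShell run as Administrator and that the value name and file name are exactly as the post gives them.

```powershell
# Added example, not from the forum post: check this host for the two MSBlast
# indicators the removal steps above name, and optionally apply steps 3 and 5
# (end the process, delete the Run value). Assumes Windows PowerShell run as
# Administrator. Without -Fix it only reports and changes nothing.
param([switch]$Fix)

$RunKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'windows auto update'   # Run value name the worm adds (from the post)
$WormExe   = 'msblast.exe'           # worm process/file name (from the post)
$WormProc  = [IO.Path]::GetFileNameWithoutExtension($WormExe)  # Get-Process names have no extension

function Get-MsBlastRunValue {
    # Returns the value's data if the worm's Run entry exists, otherwise $null.
    $item = Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Get-MsBlastProcess {
    # Returns running msblast.exe processes (an empty array if there are none).
    return @(Get-Process -Name $WormProc -ErrorAction SilentlyContinue)
}

$runData = Get-MsBlastRunValue
$procs   = Get-MsBlastProcess

if ($null -ne $runData) {
    Write-Output "FOUND: $RunKey\$ValueName = '$runData'"
    if ($Fix) {
        Remove-ItemProperty -Path $RunKey -Name $ValueName
        Write-Output "  removed Run value '$ValueName' (step 5)"
    }
} else {
    Write-Output "OK: no '$ValueName' value under $RunKey"
}

if ($procs.Count -gt 0) {
    foreach ($p in $procs) {
        Write-Output "FOUND: running process $($p.Name) (PID $($p.Id))"
        if ($Fix) {
            Stop-Process -Id $p.Id -Force
            Write-Output "  ended PID $($p.Id) (step 3)"
        }
    }
} else {
    Write-Output "OK: no $WormExe process running"
}
```

The script covers only the process and the Run value; the full antivirus scan in step 4 and the patch from MS03-026 are still needed, since an unpatched machine will simply be reinfected.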


----------

