Center for Information Technology: Antivirus

Virus Archives

W32.Blaster.worm

Last Updated 8/12/03 11:41am

A new worm, W32.Blaster.worm, is spreading in the wild. The worm takes advantage of the Microsoft DCOM RPC vulnerability (see "What's New"). Presently the worm's action appears to be replication only.

The worm may indirectly cause Windows machines to reboot by hanging the RPC service. By default, when the service is hung, Windows will reboot the machine. This affects incorrectly patched machines. See "What's New" for patch information.

The worm copies itself to the default Windows system directory as MSBLAST.EXE and creates the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill
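
An added example, not part of the original advisory: a Python check that scans the text of a registry export (.reg format) for the Run-key entry described above, matching either the value name or the msblast.exe image name. It assumes the export has already been decoded to text; the function names and the sample export are constructed for illustration.

```python
import re

# Indicators taken from the advisory text above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VALUE_NAME = "windows auto update"
IMAGE_NAME = "msblast.exe"

_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_STRING_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def _image_basename(command):
    # Executable part of a Run command line, reduced to a lower-case file name.
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split(None, 1)[0] if command else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_blaster_run_entries(reg_text):
    """Return (value_name, data, reasons) for each matching value under the Run key."""
    hits, in_run_key = [], False
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = _SECTION.match(line)
        if section:
            in_run_key = section.group("key").lower() == RUN_KEY.lower()
            continue
        value = _STRING_VALUE.match(line) if in_run_key else None
        if not value:
            continue
        name, data = _unescape(value.group("name")), _unescape(value.group("data"))
        reasons = []
        if name.lower() == VALUE_NAME:
            reasons.append("value name")
        if _image_basename(data) == IMAGE_NAME:
            reasons.append("image name")
        if reasons:
            hits.append((name, data, reasons))
    return hits

# Constructed sample export; not captured from a real host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SomeAgent"="\"C:\\Program Files\\Agent\\agent.exe\" /start"
"windows auto update"="msblast.exe"
'''
```

A match on the value name alone or the image name alone is reported with its reason, so a renamed value that still launches msblast.exe is still listed.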

NAI heuristically detects W32.Blaster.Worm with the 4283 Dat/SuperDat. NAI will detect/remove W32.Blaster.Worm with the 4284 Dat/SuperDat. The 4284 DAT/SuperDat is now available.

Symantec Antivirus definitions dated 08-11-2003 or later detect and remove W32.Blaster.worm. Use the Symantec (Norton) LiveUpdate feature of Symantec Antivirus to update your software.

Blaster Removal tool is available here (Stinger version 1.8.3)

For Admins and ISSOs only, Retina Scanning tool available here.

Microsoft Blaster Worm Removal Tool for Windows XP and Windows 2000: (KB833330) - 12/31/2003

Microsoft Windows Malicious Software Removal Tool: (KB890830) - 1/10/2005

More information will be posted as it becomes available.

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.

Contact NIH Help Desk for assistance:
866-319-4357 (toll free), 301-496-4357 (6-HELP) (local), 301-496-8294 (TDD)
http://ithelpdesk.nih.gov/support

National Institutes of Health, Center for Information Technology
Bethesda, Maryland 20892


Department of Health and Human Services
Washington, D.C. 20201