MSBlast W32.Blaster.Worm / LovSan :: removal instructions

Reply Tue 12 Aug, 2003 11:42 am
'MSBlast' / LovSan Write up

Also Known As:
W32/Lovsan.worm [McAfee], Win32.Poza [CA], Lovsan [F-Secure], WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda]

Posted to www.able2know.com (this can be freely distributed with no restrictions).

Quick Links

History of this exploit/worm:

Around July 16th the Last Stage of Delirium (Polish 'White Hat' hackers) created 'proof of concept' (i.e. they actually executed a theoretical exploit) code to exploit a stack buffer overflow vulnerability in "Windows 2000 (sp 1-4), Windows XP (sp 1) and Windows 2003 Server (regardless of the service packs installed)" ( http://lsd-pl.net/special.html ). Special thanks go out to LSD for their responsibility in not releasing their code. Microsoft also thanks them. A pity their responsibility made little difference.

An American hacker and a Chinese hacking group (XFocus) released code for this exploit on July 25th ( http://www.xfocus.org/documents/200307/2.html ) without any code or special information to work with proving that with very vague details of an exploit malicious code can be created quickly, even without disclosure of the exploit's details. They only released code to work on 3 Windows Operating Systems but the code can easily be modified to use on the other vulnerable systems.

HD Moore (founder of the Metasploit Project) modified the code to exploit 7 operating systems. "I don't like broken exploits, so I fixed it," he said. He posted the code on a machine he hosted and was innundated with traffick and was taken offline. He had planned to disseminate the code off of a web server but I did not verify that it has happened.

The release of code to execute this exploit gave System administrators little time to patch and home users who are typically slower to do so even less.

Soon exploit tools were released allowing hackers to send commands through IRC networks. On aug 2nd the first traces of these attack programs were found but they were not worms. They did not self-propagate.

The next step was for someone to create a worm to tie into this exploit.

With the DefCon hacker convention on the weekend of Aug 2,3 it was widely expected that a worm would be released (not necessarily by people attending DefCon but simply because of the attention to hacking that the conference brings) that utilized this exploit. The Department of Homeland Security issued an alert on Aug 1st and the Federal Computer Incident Response Center (FedCIRC), the National Communications System (NCS) and the National Infrastructure Protection Center (NIPC) were keeping an eye out for the exploits.

The worm became an internet threat yesterday (Aug 11th). It was named "MSBlast" by its author. The Internet Storm Center ( http://isc.incidents.org/ ) has claimed that it is spreading quickly (my anecdotal evidence backs this up). By midafternood on Aug 11th at least 7000 machines had been compromised according to cnet.

This worm has not yet reached it's peak. It will be fine-tuned by other hackers and modified to become more dangerous. This morning some hackers were already claiming to do so in some IRC channels.
Craven de Kere
Reply Tue 12 Aug, 2003 11:43 am
How the exploit works:

Sending malicious data to TCP port 135 on an unpatched machine grants SYSTEM privileges. Most firewalls would protact against this exploit. From reports (I have not yet run the code) this could be specially formatted data or simply a brute attack on the RPC (remote procedure call ) process. With SYSTEM privilidges the exploit can be used to install an FTP application and upload malicious code.
0 Replies
Craven de Kere
Reply Tue 12 Aug, 2003 11:44 am
How MSBlast ( W32.Blaster.Worm ) Works:

After using the above exploit, MSBlast installs the Trivial File Transfer Protocol (TFTP) server and then uses it to download its code to the computer. It adds a registry key to reboot with the machine. It is often noticed by a message telling the user that the machine is shutting down:

"System is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM.

Windows must now restart because the Remote Procedure Call (RPC) terminated unexpectedly."

The worm also sends out a "greet" to other hackers and executes a DoS attack on windowsupdates. The following messages are also sent to windows: "billy gates why do you make this possible?" and "Stop making money and fix your software!!"
0 Replies
Craven de Kere
Reply Tue 12 Aug, 2003 11:47 am
Vulnerable Systems

In MSB MS03-026 Microsoft detailed this exploit and after their extensive tests determined that it affects the following operating systems:

Microsoft Windows NT® 4.0
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server™ 2003

How to Check Which Windows Version You Have

Microsoft Security Bulletin MS03-026

End User write up
0 Replies
Craven de Kere
Reply Tue 12 Aug, 2003 11:51 am
How to prevent being exploited and getting this worm

Waaaay back in July Microsoft released a patch to this exploit. If you want to avoid being hacked keep your software updated!

To update Windows:


The worm was identified on the same day by most antivirus companies. Yesterday new virus definistions were released.

Update your virus definitions! To do this follow the instructions particular to your AV software.

Lastly this partcular exploit is folied by most firewalls.Enable Widows XP's Internet Connection Firewall
0 Replies
Craven de Kere
Reply Tue 12 Aug, 2003 11:53 am
How to Check Which Version You Have

If you are unsure whether a product you are running is affected by this issue, check the version.

To determine which version of Microsoft Windows you are running:

  1. On the taskbar at the bottom of your screen, click Start, and then click Run.
  2. In the Run dialog box, type winver
  3. Click OK.
  4. A dialog box displays the version that you are running.
0 Replies
Craven de Kere
Reply Tue 12 Aug, 2003 11:54 am
How to remove MSBlast

The first step should be to try automated removal tools:

Symantec W32.Blaster.Worm Removal Tool

Download the removal Tool

With both methods of removal prepare and then perform the removal offline.

Manual Removal (from Symantec's Write Up)


  1. Disable System Restore (Windows XP).
  2. Update the virus definitions.
  3. End the Trojan process.
  4. Run a full system scan and delete all the files detected as W32.Blaster.Worm.
  5. Reverse the changes that the Trojan made to the registry.

1. Disabling System Restore (Windows XP)If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
"How to disable or enable Windows Me System Restore"
"How to turn off or turn on Windows XP System Restore"

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. Updating the virus definitions

This depends on your antivirus program. Post a help request here on this thread if you need help with this.

3. Ending the Worm process
To end the Trojan process:
  1. Press Ctrl+Alt+Delete once.
  2. Click Task Manager.
  3. Click the Processes tab.
  4. Double-click the Image Name column header to alphabetically sort the processes.
  5. Scroll through the list and look for msblast.exe.
  6. If you find the file, click it, and then click End Process.
  7. Exit the Task Manager.

4. Scanning for and deleting the infected files

Use your antivirus program to do a full scan of your computer and delete all infected files. Instructions for this are dependant on your antivirus software so post a help request if you need help with this step.

5. Reversing the changes made to the registry

Editing the registry is tricky. Make sure to backup your registry first!

"How to make a backup of the Windows registry,"

  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit
  3. Then click OK. (The Registry Editor opens.)
  4. Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  5. In the right pane, delete the value: "windows auto update"="msblast.exe"
  6. Exit the Registry Editor.

Removal instructions are by Douglas Knowles and are found in the symantec Write Up the instructions have been slightly modified here to help infected users who do not use Norton Anti Virus.
0 Replies
Craven de Kere
Reply Tue 12 Aug, 2003 11:57 am
Credits and Links

Besides the links posted throughout this write up I'd also like to credit the following people.

Special thanks to Murray S. for alerting us yesterday. And for providing many useful instructions and links.

Special thanks to roger and realjohnboy for providing us with the text for the exploit message.

Related Links

Microsoft Security Bulletin MS03-026

Scan for Viruses online

McAfee Write Up

Symantec (Norton) Write Up
0 Replies
Craven de Kere
Reply Tue 12 Aug, 2003 12:43 pm
I'm finished with the write-up for now and this thread is unlocked. Feel free to ask questions here.
0 Replies
Reply Tue 12 Aug, 2003 12:50 pm
No questions. I followed the very clear instructions, checked to see what version I'm running (although I already knew, I needed reassurance), and apparenty Windows 98 is unaffected.

This was clear as a bell. All tech writers should take a lesson from this. Thanks.
0 Replies
Craven de Kere
Reply Tue 12 Aug, 2003 12:58 pm
Widows 98 is not vulnerable to this particular exploit. Good new for you! ;-)
0 Replies
Reply Tue 12 Aug, 2003 12:59 pm
That should do it Craven !! Simple enough to follow and get what is needed fast !!

0 Replies
Craven de Kere
Reply Tue 12 Aug, 2003 01:11 pm
I have more good news. I infected an offline box (so no DoS) with this worm and am now running the removal tool on it.

the good news is that the worm doesn't yet target Symantec's products so it doesn't shut down the removal tool.

When I tested some Klez variants the removal tool would be shutdown and deleted from the test computer meaning I had to make hundreds of copies to get it to work or do the manual removal.

Let's hope nobody modifies this worm to target Symantec products or the removal will become a pain.
0 Replies
Craven de Kere
Reply Tue 12 Aug, 2003 01:22 pm
Ok, after infecting and removing on some test systems I have one edit to make to the removal process. It's a no-brainer but in case anyone doesn't catch it:

Do the removal offline!

Edit: My first tests have completed. After the removal process (it takes a while) the tool launches a dialogue allowing you to click "yes" to go online and download the patch.

You can skip that if you want and just run the regular windows updates.
0 Replies
Reply Tue 12 Aug, 2003 01:37 pm
my anti-virus didn't work. If my computer reboots this evening (it wouldn't this a.m.) I'll do the steps listed her. Thanks Craven, a million times.
0 Replies
Craven de Kere
Reply Tue 12 Aug, 2003 01:38 pm

Thing is, I don't think your problem is this one. I am not sure but it has shown none of the symptoms.

You might want to try an online scan if your AV program isn't working:

0 Replies
Craven de Kere
Reply Tue 12 Aug, 2003 04:32 pm
Another heads up:

I just finished some phoen support for a friend who had this worm. She used the removal tool and that didn't work for her and I had to walk her through a manual removal.

Moral of the story:

If you use the automatic removal toll still check the registry etc to see if it was indeed removed.
Reply Tue 12 Aug, 2003 06:45 pm
Good work, Craven. Thanks.
0 Replies
Reply Tue 12 Aug, 2003 07:39 pm
Is it definite that Windows 98 is invulnerable? I have all kinds of strange things going on. (I have Windows 98.)
0 Replies
Craven de Kere
Reply Tue 12 Aug, 2003 07:40 pm
It's not vulnerable to this particular exploit.
0 Replies

Related Topics

  1. Forums
  2. » MSBlast W32.Blaster.Worm / LovSan :: removal instructions
Copyright © 2024 MadLab, LLC :: Terms of Service :: Privacy Policy :: Page generated in 0.04 seconds on 02/22/2024 at 08:14:31