aw3dhg join:2001-09-05 Bloomingburg, NY
from CA about 20 minutes after I saw this article
Just got this from my AV supplier; they have renamed it, apparently.
Virus Alert Notification
Win32.Poza
Alias: W32.Blaster.Worm (Symantec), W32/Lovsan.worm (McAfee), W32/Msblast.A (F-Secure), Win32/Poza.Worm, WORM_MSBLAST.A (Trend)
Category: Win32
Type: Worm
Published Date: 8/11/2003
Last Modified: 8/11/2003
CHARACTERISTICS
Win32.Poza is a worm that uses the exploit described in MS03-026 to gain access to unpatched Windows installations. More information about the exploit can be found in our Vulnerabilities Library or at the Microsoft site here: www.microsoft.com/technet/securi···-026.asp
Method of Installation
It creates a mutex "BILLY" to avoid running multiple instances of itself, and creates a registry value to activate on Windows restart:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update = "msblast.exe"
The worm runs an FTP service listening on port 69, waiting for exploited machines to connect.
Method of Distribution
It starts by scanning the entire subnet for open 135 ports, then moves on to scan randomly selected class B subnets (255.255.0.0). If an open 135 port is found, it uses the exploit mentioned above to gain entry and create a remote shell on the exploited machine. It then assumes the exploit succeeded and attempts to connect to port 4444 of the remote machine. If successfully connected, it instructs the remote machine to download MSBLAST.EXE (size: 6,176 bytes, UPX packed) from its FTP service using TFTP.EXE. It then sends an instruction to start MSBLAST.EXE on the remote machine.
Note: TFTP.EXE is a utility included by default in installations of Windows 2000 and later.
The worm is capable of keeping live connections to 20 exploited machines simultaneously.
Payload
If the day of the month is 16 or later, or the month is between January and August, the worm creates a working thread to send random data to windowsupdate.com almost continuously. This effectively launches a Distributed Denial of Service attack against windowsupdate.com.
Additional Information
The worm body contains these strings:
I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!
CA has also received reports from several sources that this worm may be seen associated with crashes of svchost.exe.
For more information about Win32.Poza worm click here.
To obtain the latest EZ Antivirus Signature files directly from your PC, follow the easy steps below for your specific version number:
Product Versions 5.3 and 5.4 - Signature file Version 2554
Product Version 6.0 - Signature file Version 4828
Product Version 6.1 - Signature file Version 4828
For instructions on how to autodownload or download signature files manually click here
Unsure of your product version number?
To find your product version number, right click on the eTrust EZ Antivirus taskbar icon and select "Version". Your product version number will be presented in a pop-up box on your screen.
Please remember that these signature file updates are cumulative: therefore the latest update includes everything from all previous updates as well as the new virus information.
--------------------------------------------------------------------------------
Additional Information on viruses, worms, and trojans can be found in our virus encyclopedia: www.my-eTrust.com/products/encyclopedia and on our Virus Alerts page: www.my-eTrust.com/products/virusalerts
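Detection logic for the propagation sequence the advisory describes (a sweep of TCP/135, a shell connection on TCP/4444, then the victim fetching MSBLAST.EXE back over TFTP on port 69), written as an added example for this page and not code from CA or the poster. The flow records, field layout and the sweep threshold are constructed assumptions.

```python
# Added example: flag sources whose flows match the Blaster/Poza propagation
# chain (tcp/135 fan-out -> tcp/4444 connect -> udp/69 fetch from the victim).
# FLOWS is constructed sample data, not captured traffic.
from collections import defaultdict

# (timestamp, src, dst, proto, dport) -- constructed sample flows
FLOWS = [
    (1, "10.0.0.5", "10.0.0.11", "tcp", 135),
    (2, "10.0.0.5", "10.0.0.12", "tcp", 135),
    (3, "10.0.0.5", "10.0.0.13", "tcp", 135),
    (4, "10.0.0.5", "10.0.0.14", "tcp", 135),
    (5, "10.0.0.5", "10.0.0.15", "tcp", 135),
    (6, "10.0.0.5", "10.0.0.14", "tcp", 4444),   # shell on the exploited host
    (7, "10.0.0.14", "10.0.0.5", "udp", 69),     # victim pulls msblast.exe
    (8, "10.0.0.7", "10.0.0.20", "tcp", 135),    # benign single RPC contact
    (9, "10.0.0.7", "10.0.0.21", "tcp", 80),
]

SCAN_THRESHOLD = 5  # assumed: distinct hosts on tcp/135 before calling it a sweep


def blaster_suspects(flows, scan_threshold=SCAN_THRESHOLD):
    """Return {src: [reasons]} for sources showing at least two chain stages."""
    probed = defaultdict(set)     # src -> distinct dsts contacted on tcp/135
    shell = defaultdict(set)      # src -> dsts contacted on tcp/4444
    tftp_back = defaultdict(set)  # attacker -> victims that fetched via udp/69
    for _, src, dst, proto, dport in sorted(flows):
        if proto == "tcp" and dport == 135:
            probed[src].add(dst)
        elif proto == "tcp" and dport == 4444:
            shell[src].add(dst)
        elif proto == "udp" and dport == 69 and src in shell.get(dst, set()):
            # TFTP request from a host that already received a 4444 connect
            tftp_back[dst].add(src)
    findings = {}
    for src in set(probed) | set(shell):
        reasons = []
        if len(probed[src]) >= scan_threshold:
            reasons.append(f"tcp/135 sweep of {len(probed[src])} hosts")
        if shell[src]:
            reasons.append(f"tcp/4444 connect to {sorted(shell[src])}")
        if tftp_back[src]:
            reasons.append(f"udp/69 fetch back from {sorted(tftp_back[src])}")
        if len(reasons) >= 2:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for host, why in blaster_suspects(FLOWS).items():
        print(host, "->", "; ".join(why))
```

A single host touching tcp/135 once (normal RPC use) produces no finding; only the combination of stages does, which keeps the rule quiet on ordinary Windows traffic.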