Re: Computer prob?
W32.Blaster.Worm
Discovered on: August 11, 2003
Last Updated on: August 11, 2003 04:38:47 PM

W32.Blaster.Worm is a worm that will exploit the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. It will attempt to download and run the file Msblast.exe.

When W32.Blaster.Worm is executed, it does the following:

Creates a Mutex named "BILLY". If the mutex exists, the worm will exit.

Adds the value:

"windows auto update"="msblast.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

Calculates the IP address, based on the following algorithm, 40% of the time:

Host IP: A.B.C.D

sets D equal to 0.

if C > 20, will subtract a random value less than 20.

Once calculated it will start attempting to exploit the computer based on A.B.C.0 and count up.

NOTE: This means the Local Subnet will become saturated with port 135 requests prior to exiting the local subnet.

Calculates the IP address, based on many random numbers, 60% of the time:

A.B.C.D

set D equal to 0.

sets A, B, and C to random values between 0 and 255.

Sends data on TCP port 135 that may exploit the DCOM RPC vulnerability to allow the following actions to occur on the vulnerable computer:

Create a hidden Cmd.exe remote shell that will listen on TCP port 4444.

NOTE: Due to the randomness with how it constructs the exploit data, it may cause computers to crash if it sends incorrect data.

Listens on UDP port 69. When it receives a request, it will send back the Msblast.exe binary.

Sends the commands to the remote computer to connect back to the infected host and download and run the Msblast.exe.

If the current month is after August, or if the current date is after the 15th it will perform a denial of service on "windowsupdate.com"

With the current logic, the worm will activate the Denial of Service attack on the 16th of this month, and continue until the end of the year.

The worm contains the following text which is never displayed:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
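
As an added example (not part of the original post or the quoted write-up), here is one way to spot the network behaviour described above in flow records: a sequential sweep on TCP port 135, connections to TCP port 4444, and UDP port 69 requests coming back to the sweeping host. The flow line format, the function names, the sample addresses and the `min_run` threshold are all assumptions made for this sketch.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample flows ("src dst proto dport"); not real traffic.
SAMPLE = "\n".join(
    [f"10.1.2.57 10.1.2.{d} tcp 135" for d in range(30)]   # sequential sweep
    + ["10.1.2.57 10.1.2.14 tcp 4444",    # connection to the remote shell port
       "10.1.2.14 10.1.2.57 udp 69",      # TFTP request back to the sweeping host
       "10.1.2.80 10.1.2.5 tcp 135",      # ordinary single RPC connection
       "10.1.2.80 10.1.9.9 tcp 443"])

def parse(text):
    """Yield (src, dst, proto, dport) from whitespace-separated flow lines."""
    for line in text.splitlines():
        if line.strip():
            src, dst, proto, dport = line.split()
            yield src, dst, proto.lower(), int(dport)

def longest_run(addrs):
    """Length of the longest run of consecutive integer addresses in a set."""
    best = 0
    for a in addrs:
        if a - 1 not in addrs:            # a is the start of a run
            n = 1
            while a + n in addrs:
                n += 1
            best = max(best, n)
    return best

def blaster_suspects(flows, min_run=20):  # min_run is an assumed threshold
    rpc, shell, tftp = defaultdict(set), defaultdict(set), defaultdict(set)
    for src, dst, proto, dport in flows:
        if (proto, dport) == ("tcp", 135):
            rpc[src].add(int(ip_address(dst)))
        elif (proto, dport) == ("tcp", 4444):
            shell[src].add(dst)
        elif (proto, dport) == ("udp", 69):
            tftp[dst].add(src)            # dst is the host serving the file
    suspects = {}
    for src, dsts in rpc.items():
        run = longest_run(dsts)
        if run >= min_run:
            suspects[src] = {
                "sweep_len": run,
                "shell_targets": sorted(shell[src]),
                # peers contacted on 4444 that also sent a TFTP request back
                "tftp_clients": sorted(tftp[src] & shell[src]),
            }
    return suspects

if __name__ == "__main__":
    print(blaster_suspects(parse(SAMPLE)))
```

A host that appears here with non-empty `tftp_clients` is worth checking for the Run key value and Msblast.exe named in the write-up, and each listed client should be checked as well.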