TruSecure ALERT TSA 03-011
TSA 03-011 W32/Lovsan.worm - ALERT
Threat Type: Malicious Code: Worm
TS Action Alert ID: TSA 03-011
IntelliShield ID: 6477
Urgency: 5 - Incidents Reported
Credibility: 5 - Confirmed
Severity: 3 - Mild Damage
TEP: 5 - Red Hot
First Published: Aug 11, 2003; 06:18 PM EDT
Last Published: Aug 11, 2003; 06:18 PM EDT
Ports: 135, 4444
CVE: Not Available
W32/Lovsan.worm is a worm that exploits the RPC DCOM vulnerability and installs a TFTP server. The worm arrives as the file msblast.exe over port 4444/tcp. Virus definitions are available.
Variants are unavailable.
Virus Name: W32.Lovsan.worm (Aliases include Win32.Poza (Computer Associates), Lovsan (F-Secure) and W32.Blaster.Worm (Symantec).)
W32.Lovsan.worm is a worm that propagates by exploiting the RPC DCOM vulnerability reported in TruSecure Vulnerability Alert 6307. The worm scans for vulnerable systems over TCP and UDP port 135 and exploits those it finds. It then launches a command shell and uses TFTP to connect to other infected systems and download the worm's executable. The file is executed on the system and the registry is altered to ensure that the worm runs when Windows starts.
Virus definitions are available.
W32/Lovsan.worm installs a TFTP server on the infected machine and propagates. The worm's propagation routine could cause network congestion.
The presence of the file msblast.exe may indicate an infection.
This worm often causes error messages or reboots on infected devices. Helpdesks may receive calls that workstations are constantly rebooting.
The worm contains the following strings:
I just want to say LOVE YOU SAN!!
The worm adds the value windows auto update = "msblast.exe I just want to say LOVE YOU SAN!! bill" to the following registry key to ensure the worm executes when Windows starts:
This worm does not use e-mail as a means of propagation and it will launch a denial of service attack against Microsoft's Windows Update system on August 16th.
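The indicators listed above (the msblast.exe file, the TFTP server and the 4444/tcp channel) can be checked from command output an administrator already collects during triage. The following is an added example and not part of the TruSecure alert: it parses the text of `tasklist` and `netstat -ano` (the sample output below is constructed for illustration, in the layout those commands print) and reports any of those indicators, tying each listening socket back to its owning process by PID.

```python
"""Triage a Windows host for the W32/Lovsan indicators named in the alert.

Added example, not part of the TruSecure alert. It does not touch a live
system: it works on saved `tasklist` and `netstat -ano` output and reports
a running msblast.exe, a TFTP listener on 69/udp and a listener on 4444/tcp.
"""
import re

INDICATOR_PROCESS = "msblast.exe"
INDICATOR_PORTS = {("udp", 69), ("tcp", 4444)}

# Constructed `tasklist` output (header, separator and three process rows).
SAMPLE_TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
svchost.exe                  812 Console                 0      3,212 K
msblast.exe                 1524 Console                 0      1,004 K
"""

# Constructed `netstat -ano` output for the same host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1524
  UDP    0.0.0.0:69             *:*                                    1524
"""


def parse_tasklist(text):
    """Map PID -> lower-cased image name; header and separator rows do not match."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip().lower()
    return procs


def parse_netstat(text):
    """Return a set of (proto, local_port, pid) for listening sockets."""
    socks = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto = parts[0].lower()
        port = int(parts[1].rsplit(":", 1)[1])
        pid = int(parts[-1])
        # TCP rows carry a State column; only LISTENING sockets matter here.
        if proto == "tcp" and "LISTENING" not in parts:
            continue
        socks.add((proto, port, pid))
    return socks


def triage(tasklist_text, netstat_text):
    """Return human-readable findings; an empty list means no indicator was seen."""
    procs = parse_tasklist(tasklist_text)
    socks = parse_netstat(netstat_text)
    findings = []
    for pid in sorted(pid for pid, name in procs.items() if name == INDICATOR_PROCESS):
        findings.append(f"process {INDICATOR_PROCESS} running as PID {pid}")
    for proto, port, pid in sorted(socks):
        if (proto, port) in INDICATOR_PORTS:
            owner = procs.get(pid, "unknown")
            findings.append(f"{proto}/{port} listening, owned by PID {pid} ({owner})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_TASKLIST, SAMPLE_NETSTAT):
        print(finding)
```

A listener on 69/udp or 4444/tcp owned by a process other than the one you expect is worth a look on its own, which is why the output names the owning image rather than only the port.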
Threat is High due to the spread in the wild.
Vulnerability Prevalence is Medium for TruSecure protected corporations.
Cost is Medium, primarily due to the cleanup cost.
W32/Lovsan.worm attempts to exploit the RPC vulnerability reported in Microsoft Security Bulletin MS03-026 and TruSecure Alert 6307. The worm propagates by connecting to systems with port 135/tcp open. TruSecure data shows approximately a five-fold increase in alert traffic today associated with port 135/tcp. Normal traffic averages about 3,100 events compared with the 13,668 events recorded today.
The worm began propagating with a list of twenty-eight TFTP host servers, but this list is growing dynamically as each infected system becomes a new server on the list. Many ISPs have seen activity related to this worm and are blocking the original twenty-eight TFTP host server addresses to impair its propagation. Additionally, some ISPs are also blocking port 135/tcp traffic.
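The five-fold rise in 135/tcp events described above is the kind of signal a perimeter log review can surface. The following is an added example, not part of the TruSecure alert: the log format, the surge threshold and all addresses are constructed for illustration, and only the 3,100-event daily baseline is taken from the alert. It counts 135/tcp events against that baseline and separately picks out sources that sweep several hosts on 135/tcp and then appear on 4444/tcp or are contacted back on 69/udp, which is the sequence the alert describes.

```python
"""Spot Lovsan-style activity in perimeter firewall logs.

Added example, not part of the TruSecure alert. Log lines use a constructed
"date time action src dst proto dport" layout; real firewalls differ, so
parse() is the only function that would need adapting.
"""
from collections import defaultdict

# Constructed log excerpt: one source sweeps four hosts on 135/tcp, reaches
# 4444/tcp on the one that answered, and that victim pulls the file back
# over 69/udp. Two unrelated web connections are included as noise.
SAMPLE_LOG = """\
2003-08-11 09:00:01 DENY 10.9.8.7 192.0.2.10 tcp 135
2003-08-11 09:00:01 DENY 10.9.8.7 192.0.2.11 tcp 135
2003-08-11 09:00:02 DENY 10.9.8.7 192.0.2.12 tcp 135
2003-08-11 09:00:02 ALLOW 10.9.8.7 192.0.2.13 tcp 135
2003-08-11 09:00:03 ALLOW 10.9.8.7 192.0.2.13 tcp 4444
2003-08-11 09:00:04 DENY 192.0.2.13 10.9.8.7 udp 69
2003-08-11 09:05:00 ALLOW 10.1.1.20 192.0.2.50 tcp 80
2003-08-11 09:06:00 ALLOW 10.1.1.21 192.0.2.51 tcp 443
"""

NORMAL_135_EVENTS_PER_DAY = 3100  # daily baseline quoted in the alert
SURGE_FACTOR = 3.0                # constructed threshold; the alert saw roughly 5x


def parse(log_text):
    """Turn log text into event dicts, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        _date, _time, action, src, dst, proto, dport = parts
        events.append({"action": action, "src": src, "dst": dst,
                       "proto": proto.lower(), "dport": int(dport)})
    return events


def surge_on_135(events, baseline=NORMAL_135_EVENTS_PER_DAY, factor=SURGE_FACTOR):
    """Return (count of 135/tcp events, True if count is at least factor x baseline)."""
    count = sum(1 for e in events if e["proto"] == "tcp" and e["dport"] == 135)
    return count, count >= baseline * factor


def suspicious_sources(events, min_targets=3):
    """Sources that probed at least min_targets distinct hosts on 135/tcp,
    annotated with whether they were also seen on 4444/tcp and whether a
    probed host reached back to them on 69/udp (the TFTP fetch)."""
    targets_135 = defaultdict(set)
    seen_on_4444 = set()
    tftp_servers = set()
    for e in events:
        if e["proto"] == "tcp" and e["dport"] == 135:
            targets_135[e["src"]].add(e["dst"])
        elif e["proto"] == "tcp" and e["dport"] == 4444:
            seen_on_4444.add(e["src"])
        elif e["proto"] == "udp" and e["dport"] == 69:
            tftp_servers.add(e["dst"])  # the victim fetches from this address
    result = {}
    for src, targets in targets_135.items():
        if len(targets) >= min_targets:
            result[src] = {"targets_135": len(targets),
                           "seen_on_4444": src in seen_on_4444,
                           "tftp_server": src in tftp_servers}
    return result


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("135/tcp events, surge:", surge_on_135(ev))
    print("suspicious sources:", suspicious_sources(ev))
```

The surge check is a coarse day-level measure and will stay quiet on a short excerpt like the sample; the per-source check is what flags the single sweeping host, and it is the one worth running on denied-traffic logs first because a scanner leaves most of its trail there.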
TruSecure does not expect this to be as bad as Code Red, Nimda or SQL Slammer:
TruSecure does not expect LANs to suffer from denial of service conditions due to this infection, even if a LAN becomes infected. This is because internal infections will only propagate if outbound TFTP requests are allowed. If a source is found, it can be blocked at either the firewall or the router.
Most TruSecure clients are relatively protected from this worm as a result of the default deny inbound and outbound perimeter. These policies effectively slow or stop inside propagation if inside infection occurs.
There have been numerous problems with Windows Update and St. Bernard's Update Expert -- both of which showed that MS 03-026 patch was installed when it wasn't.
Windows 2000 Machines that were at SP3, then patched, then updated to SP4 will be vulnerable (unless the DCOM service is also disabled as suggested in TruSecure alert TSA 03-009 issued July 25).
We expect that TFTP backdoors will persist in the near future on infected machines. We expect TFTP scanning and offshoot attacks against these infected machines in the next few weeks, much like Code Red 1 caused CMD.EXE to become ROOT.EXE and provide a persistent backdoor.
The TruSecure Security Operations center reports the following traffic:
Administrators are encouraged to implement the following protective measures:
Implement a default deny inbound policy using router ACLs or firewall policies. Outbound perimeter default deny will add significantly to inbound protection as it will stop progression of inside infection originating from partner networks, VPN connections, or similar vectors.
Administrators can disable the DCOM feature. This is detailed further in IntelliShield Alert 6307 or TSA 03-009.
Administrators are strongly encouraged to download and install the applicable Microsoft patch from Microsoft Security Bulletin MS03-026.
Administrators are advised to block TCP and UDP ports 135 and 69 (blocking TFTP both inbound and outbound). The worm also uses port 4444/tcp to download the file and communicate with the attacker.
Users are advised to install the latest virus definitions.
The Computer Associates Virus Threat for Win32.Poza, as well as the signature and engine information, is available at the following link: [Computer Associates]
The security vulnerability applies to the following combinations of products.
[TruSecure] Action Alert: Original Release
[Microsoft, Inc.] Windows 2000: Advanced Server (Base, SP1, SP2, SP3, SP4), Professional (Base, SP1, SP2, SP3, SP4), Server (Base, SP1, SP2, SP3, SP4)
[Microsoft, Inc.] Windows NT: 3.5, 3.51 (Base, SP1, SP2, SP3, SP4, SP5), 4.0 (Base, SP1, SP2, SP3, SP4, SP5, SP6a)
[Microsoft, Inc.] Windows NT Server Enterprise Edition: 4.0 (Base, SP1, SP2, SP3, SP4, SP5, SP6, SP6a)
[Microsoft, Inc.] Windows NT Terminal Server: 4.0 (Base, SP1, SP2, SP3, SP4, SP5, SP6, SP6a)
[Microsoft, Inc.] Windows Server 2003: Datacenter Edition, Datacenter Edition 64-bit, Enterprise Edition, Enterprise Edition 64-bit, Standard Edition, Web Edition
[Microsoft, Inc.] Windows XP: Home Edition (Base, SP1), Professional Edition (Base, SP1), Professional Edition 64-bit (Base, SP1)
Please contact your TruSecure analyst if you have any questions or if you see actual attempts to exploit this vulnerability.
Copyright (c) 2003 TruSecure Corporation. All rights reserved. This Alert is the property of the TruSecure Corporation. It may not be redistributed except within your own company or organization. This Alert is being provided for informational purposes only and is provided AS IS. The TruSecure Corporation makes no warranties of any kind, express or implied, including, but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, and warranties arising out of any course of dealing or course of conduct.