The LovSan/Blaster virus

Introduction to the LovSan virus

Appearing in the summer of 2003, LovSan (also known as W32/Lovsan.worm, W32/Lovsan.worm.b, W32.Blaster.Worm, W32/Blaster-B, WORM_MSBLAST.A, MSBLASTER, Win32.Poza, Win32.Posa.Worm, and Win32.Poza.B) is the first virus to exploit the security hole in the RPC/DCOM feature (Remote Procedure Call) in Microsoft Windows which allows remote processes to communicate. By exploiting the hole with a buffer overflow, malware (like the LovSan virus) may take control of a vulnerable machine. Windows NT 4.0, 2000, XP and Windows Server 2003 are all affected.

What the virus does

The LovSan / Blaster worm is programmed to scan a random range of IP addresses looking for systems vulnerable to the RPC hole on port 135.

When a vulnerable machine is found, the worm opens a remote shell on TCP port 4444, and makes the remote computer download a copy of the worm into the directory %WinDir%\system32 by running aTFTP command from the infected machine (UDP port 69) to start the file transfer.

Once the file is downloaded, it is run, and then creates entries in the registry so that it will automatically run again every time the computer restarts:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill

What's more, the LovSan/Blaster virus attacks the Microsoft Windows Update service in order to disrupt the updating of vulnerable machines.

Symptoms of infection

Exploiting the RPC vulnerability causes several malfunctions on affected systems related to deactivating RPC (the process svchost.exe / rpcss.exe). Vulnerable systems have the following symptoms:

Copy/Paste is defective or unusable
Opening a hyperlink in a new window is impossible
Moving icons is impossible
Windows file search is erratic
Port 135/TCP is closed

Windows XP reboots: The system is consantly being restarted by NT AUTHORITY\SYSTEM with the following message(s):

Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly

The system is shutting down in 60 seconds. Please save all work in progress
and log off. This shutdown was initiated by NT AUTHORITY\SYSTEM.
Windows must now restart

Eradicating the virus

To eradicate the LoveSan virus, the best method is to first disinfect the system using the following virus removal tool:
Download the virus removal tool

If your system is rebooting constantly, you must disable automatic restart:

First, go to Start / Run and then enter the following command to prevent automatic restarts from taking place:
```
shutdown -a
```
Right-click on My Computer
Click on Properties / Advanced / Startup and Recovery / Settings
Uncheck the "Automatically restart" box.

You can turn this option back on once your system is running normally again.

You should then update the system, either by using Windows Update or by downloading and installing whichever patch is right for your operating system:

What's more, since the virus spreads using Microsoft Windows networking, it is strongly recommended to install a personal firewall on your machines which are connected to the Internet, and also to filter ports TCP/69, TCP/135 to TCP/139 and TCP/4444.

More information about the virus

Last update on Thursday October 16, 2008 02:43:16 PM.

Previous Klez

Next Sasser

Utilities for Removing Common Viruses and Worms What is a virus removal tool? A virus removal tool is a small executable file for cleaning a machine which has been infected by a particular virus. Each removal tool is therefore uniquely capable of eradicating a particular kind of virus, or a... en.kioskea.net/contents/virus/desinfection.php3

Lsas.blaster.keyloger i keep receiving a pop out message from Winweb Security saying that my pc is infected with 38 viruses. but i have done a thorough scan of which no infection was detected. What is wrong here and how do i go about resolving this infection issue? thank u en.kioskea.net/forum/affich-43051-lsas-blaster-keyloger

Blaster and Sasser: Causing continuous restart Blaster and Sasser: Causing continuous restart When your computer is infected by the viruses Sasser or Blaster, Windows displays the following error message: Generic Host Process for Win32 Services encountered a problem and needs to... en.kioskea.net/faq/sujet-1494-blaster-and-sasser-causing-continuous-restart

Results for The LovSan/Blaster virus

How to remove the virus CONFICKER / DOWNADUP / KIDO?How to remove the virus CONFICKER / DOWNADUP / KIDO What is the Conficker? How to avoid being infected by Conficker? Disinfect a computer affected by Conficker Preliminary Remove infection What is the Conficker? Conficker (also... en.kioskea.net/faq/sujet-2035-how-to-remove-the-virus-conficker-downadup-kido

[Virus] System Volume Information[Virus] System Volume Information The System Volume Information folder is used by Windows XP for storing data on system configuration and is also used by the System Restore tool to store information and restore points. Restore points... en.kioskea.net/faq/sujet-750-virus-system-volume-information

The First Steps to Virus/Spyware/Adware RemovalThe First Steps to Virus/Spyware/Adware Removal Step 1: Delete Temporary Files How to delete Temporary Files? How to delete Temporary Internet Files? Step 2: Get a good all in one Antivirus/Anti Spyware/ Anti Adware... en.kioskea.net/faq/sujet-205-the-first-steps-to-virus-spyware-adware-removal

Results for The LovSan/Blaster virus

Lsas.Blaster.KeylogerHello, Hope you can help me ....somone with limited computer knowledge. I recently got a message from saying my internet explorer is infected with Lsas.Blaster.Keyloger and is trying send my credit card and banking details to a remote host. This... en.kioskea.net/forum/affich-18167-lsas-blaster-keyloger

New Virus Hijacks Browser & Disables Update (Solved)Hello,I am writing to express gratitude for Morphine on this forum for solving my problem. This invasive "virus/malware/painintheass" seems to be diffrent on every machine and it may take several tries to find the solution as I discovered. I also... en.kioskea.net/forum/affich-66315-new-virus-hijacks-browser-disables-update

How to delete virus "autorun.inf" for suHello, To whom who might help me (Mr. Ali ?) It seems that I have succeeded to get rid of virus "autorun.inf" by downloading, updating, and running AVG 8.0. But I can still not open hidden files or folders, and I can still not open my C or D drive... en.kioskea.net/forum/affich-22846-how-to-delete-virus-autorun-inf-for-su

Results for The LovSan/Blaster virus

Download Clean Virus MSNViruses meet hereafter a bit on the net by all thinkable means everywhere. After mails , supporting they attack instantaneous freight forwarding. Clean Virus MSN is a tool which discerns automatically the viruses which circulate on MSN Messenger.... en.kioskea.net/telecharger/telecharger-992-clean-virus-msn

Download Clean Virus MSNThe viruses meet henceforth a little everywhere on the Net by all the conceivable means. After the emails virus diseases, now they attack with the instant messaging. Clean Virus MSN is a tool which automatically detects the viruses which circulate on... en.kioskea.net/telecharger/telecharger-1438-clean-virus-msn

Results for The LovSan/Blaster virus

CA Anti-Virus r8.1 - 5 Users - Upgrade from any previous version of eTrust Antivirusr 8.1, UPG CA ANTI-VIRUS 5 USER U8.1 F/ANY VERS ETRUST ANTIVIRUS IN en.kioskea.net/guide/509552663-ca-anti-virus-r8-1-5-users-upgrade-from-any-previous-version-of-etrust-antivirus

CA Anti-Virus r8.1 - 1 User - Includes Antivirus protection for the Desktop, Server, Gateway, Groupwr 8.1, CA ANTI-VIRUS 1 USER V8.1 IN en.kioskea.net/guide/612002586-ca-anti-virus-r8-1-1-user-includes-antivirus-protection-for-the-desktop-server-gateway-groupware-and-pocketpc

INTEGO VirusBarrier X5 Dual Protection - W/ Intego NetBarrier X5 - licence - 1 user - MacX 5, Since Mac users can run Windows on a Mac with today's Intel-based Macs, they are vulnerable to a whole range of security threats: viruses, spyware, adware and hackers are all waiting to compromise their Windows installation. When Windows is run... en.kioskea.net/guide/631181651-intego-virusbarrier-x5-dual-protection-w-intego-netbarrier-x5-licence-1-user-mac

Results for The LovSan/Blaster virus

Koobface virus making rounds on Facebook: McAfeeA new variant of a virus known as Koobface is making the rounds on the Facebook social network, a security software firm warned this week. A new variant of a virus known as Koobface is making the rounds on the Facebook social network, a security... en.kioskea.net/actualites/koobface-virus-making-rounds-on-facebook-mcafee-11036-actualite.php3

Microsoft to offer free anti-virus softwareMicrosoft has announced plans to offer free anti-virus software to PC users starting next year. Microsoft has announced plans to offer free anti-virus software to PC users starting next year. The Redmond, Washington-based software giant said the... en.kioskea.net/actualites/microsoft-to-offer-free-anti-virus-software-10959-actualite.php3

Results for The LovSan/Blaster virus

The Sasser wormIntroduction to the Sasser virus Appearing in May 2004, the Sasser virus (also known as the W32/Sasser.worm, W32.Sasser.Worm, Worm.Win32.Sasser.a, Worm.Win32.Sasser.b or Win32.Sasser) is a virus which exploits a security hole in the LSASS (Local... en.kioskea.net/contents/virus/sasser.php3

Viruses - Introduction to virusesVirus A virus is a small computer program found within the body of another program which, when run, loads itself into the memory and carries out the instructions programmed by its author. The definition of a virus may be: « Any computer... en.kioskea.net/contents/virus/virus.php3

The Nimda virusIntroduction to the Nimda virus Le Nimda virus (code name W32/Nimda) is a worm which spreads by email. It also has four other ways to spread: The web Shared folders Microsoft IIS security holes File transfer At particular risk are users of... en.kioskea.net/contents/virus/nimda.php3

Results for The LovSan/Blaster virus