
The LovSan/Blaster virus

Introduction to the LovSan virus

Appearing in the summer of 2003 (it began spreading on 11 August), LovSan (also known as W32/Lovsan.worm, W32/Lovsan.worm.b, W32.Blaster.Worm, W32/Blaster-B, WORM_MSBLAST.A, MSBLASTER, Win32.Poza, Win32.Posa.Worm, and Win32.Poza.B) was the first worm to exploit the security hole in the RPC/DCOM interface (Remote Procedure Call) of Microsoft Windows, the mechanism that lets processes on different machines call each other. The hole is a buffer overflow in the RPC service, which Microsoft had patched in Security Bulletin MS03-026 about three weeks before the outbreak; by triggering it, malware such as LovSan runs code of its choosing on the vulnerable machine with SYSTEM privileges. Windows NT 4.0, 2000, XP and Windows Server 2003 are all affected by the vulnerability, although the worm itself only carried exploit code for Windows XP and Windows 2000.

What the virus does

The LovSan/Blaster worm scans a range of IP addresses, starting from a randomly chosen base and working upwards, looking for systems that expose the vulnerable RPC service on TCP port 135.

When a machine that accepts the connection is found, the worm sends the exploit over port 135; the payload binds a command shell on TCP port 4444 of the target. Through that shell, the worm orders the target to download a copy of the worm (msblast.exe) into the directory %WinDir%\system32 with a TFTP command; the file is served by a TFTP server that the already-infected machine runs on UDP port 69, so the transfer is initiated by the victim and flows back towards the attacker.
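The three network stages above (a sweep of TCP/135, a shell on TCP/4444 from the same attacker, then the victim pulling the worm back over UDP/69) leave a distinctive footprint in any firewall or flow log, which is how many sites located infected hosts in August 2003. The detector below is an added example written for this article; it is not code from the original page or from any antivirus vendor. Its log line format, IP addresses and timestamps are constructed for illustration, and the scan threshold and the 5-minute window are tuning choices, not values taken from the worm.

```python
"""Correlate firewall connection logs to spot the Blaster infection chain.

Added example for this article (not code from the original page or from any
vendor).  Detection follows the behaviour described above: a sweep of TCP/135,
a shell on TCP/4444 from the same attacker, then the victim pulling the worm
back over TFTP (UDP/69) from that attacker.  The log format is constructed for
illustration; adapt parse_line() to whatever your firewall actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One connection per line: "<timestamp> <ALLOW|DENY> <TCP|UDP> src:sport -> dst:dport"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|DENY) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def build_sample_log():
    """Constructed sample (not real traffic): 10.0.0.5 is already infected and
    sweeps 20 consecutive addresses on TCP/135; only 192.168.1.20 answers, gets
    the 4444 shell, and fetches msblast.exe from the attacker's TFTP server."""
    lines = []
    for i in range(20):
        action = "ALLOW" if i == 0 else "DENY"
        lines.append(f"2003-08-12 10:01:00 {action} TCP 10.0.0.5:{1051 + i} "
                     f"-> 192.168.1.{20 + i}:135")
    lines += [
        "2003-08-12 10:01:02 ALLOW TCP 10.0.0.5:1071 -> 192.168.1.20:4444",
        "2003-08-12 10:01:03 ALLOW UDP 192.168.1.20:1034 -> 10.0.0.5:69",
        # Benign: one endpoint-mapper lookup from a file server, no sweep, no shell.
        "2003-08-12 10:05:00 ALLOW TCP 192.168.1.77:1200 -> 192.168.1.20:135",
    ]
    return "\n".join(lines)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def find_scanners(events, min_targets=10):
    """Sources that touched at least min_targets distinct hosts on TCP/135.
    DENY entries count too: a sweep shows up mostly as blocked attempts."""
    targets = defaultdict(set)
    for ev in events:
        if ev["proto"] == "TCP" and ev["dport"] == 135:
            targets[ev["src"]].add(ev["dst"])
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


def find_infection_chains(events, window=timedelta(minutes=5)):
    """Return (attacker, victim) pairs where an allowed TCP/135 connection was
    followed within `window` by an allowed TCP/4444 connection and then by the
    victim opening UDP/69 back to the attacker (the TFTP pull of msblast.exe)."""
    steps = defaultdict(list)          # (attacker, victim) -> [(stage, ts), ...]
    for ev in events:
        if ev["action"] != "ALLOW":
            continue
        if ev["proto"] == "TCP" and ev["dport"] == 135:
            steps[(ev["src"], ev["dst"])].append(("rpc", ev["ts"]))
        elif ev["proto"] == "TCP" and ev["dport"] == 4444:
            steps[(ev["src"], ev["dst"])].append(("shell", ev["ts"]))
        elif ev["proto"] == "UDP" and ev["dport"] == 69:
            # The victim initiates the TFTP transfer, so the roles are reversed here.
            steps[(ev["dst"], ev["src"])].append(("tftp", ev["ts"]))

    chains = []
    for (attacker, victim), seq in steps.items():
        seq.sort(key=lambda s: s[1])   # stable: log order is kept for equal timestamps
        rpc_ts = shell_ts = None
        for stage, ts in seq:
            if stage == "rpc":
                rpc_ts = ts
            elif stage == "shell" and rpc_ts is not None and ts - rpc_ts <= window:
                shell_ts = ts
            elif stage == "tftp" and shell_ts is not None and ts - shell_ts <= window:
                chains.append({"attacker": attacker, "victim": victim,
                               "first_seen": rpc_ts, "completed": ts})
                rpc_ts = shell_ts = None
    return chains


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("scanners:", find_scanners(evs))
    for c in find_infection_chains(evs):
        print(f"{c['victim']} infected by {c['attacker']} at {c['completed']}")
```

Run as is to see the sample verdicts; in practice feed parse_log() an exported firewall log. A single connection to port 135 is deliberately not flagged, because legitimate RPC clients do contact the endpoint mapper on a few hosts; it is the sweep across many addresses, or the 135 then 4444 then reverse-TFTP sequence between one pair of hosts, that identifies the worm.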

Once the file is downloaded, it is run, and it creates a registry entry so that it runs again every time the computer restarts:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "windows auto update" = msblast.exe

The phrase "I just want to say LOVE YOU SAN!!", which gave the worm its LovSan name, is a text string carried inside the worm's executable, not a value written to the registry; the "bill" that follows it in the binary is the start of a second message addressed to Bill Gates.

What's more, the LovSan/Blaster worm carries a denial-of-service payload aimed at Microsoft Windows Update: from 16 August 2003 onward (the trigger fires on any day of the month after the 15th, and on every day from September to December), each infected machine floods windowsupdate.com on TCP port 80 with SYN packets, to stop vulnerable machines from fetching the patch. Microsoft blunted the attack by taking the windowsupdate.com name offline, since the update service itself was reached through windowsupdate.microsoft.com.

Symptoms of infection

The exploit frequently crashes the RPC service (RPCSS, hosted in a svchost.exe process) on the machine it hits, in particular when the return address the worm chose does not match the Windows version. Because much of Windows depends on RPC, an attacked system shows the following symptoms:

  • Copy/Paste is defective or unusable
  • Opening a hyperlink in a new window is impossible
  • Moving icons is impossible
  • Windows file search is erratic
  • TCP port 135 no longer accepts connections, because the service that listened on it has died
  • Windows XP reboots: on XP the RPC service's failure action is to restart the computer, so the system is constantly being restarted by NT AUTHORITY\SYSTEM with the following message(s):
    Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly
    The system is shutting down in 60 seconds. Please save all work in progress
    and log off. This shutdown was initiated by NT AUTHORITY\SYSTEM.
    Windows must now restart
  Windows 2000 does not reboot on an RPC failure, but loses the functions listed above until it is restarted by hand.

Eradicating the virus

To eradicate the LovSan worm, the best method is first to disinfect the system with a dedicated removal tool (every major antivirus vendor published one for Blaster). Such a tool stops the msblast.exe process, deletes the file from %WinDir%\system32 and removes the "windows auto update" entry from the Run key described above.

If your system is rebooting constantly, you must stop the restart loop before you can do anything else:
  • First, go to Start / Run and enter the following command to abort the restart that is already counting down (the message above gives you 60 seconds):
    shutdown -a
  • Right-click on My Computer
  • Click on Properties / Advanced / Startup and Recovery / Settings
  • Uncheck the "Automatically restart" box.
The restart itself is the failure action configured on the RPC service: go to Start / Run, enter services.msc, open the properties of "Remote Procedure Call (RPC)" and, on the Recovery tab, change the failure actions from "Restart the Computer" to "Take No Action" while you clean up. You can turn these options back on once your system is running normally again.

You should then update the system, either by using Windows Update or by downloading and installing the patch for your operating system from Microsoft Security Bulletin MS03-026. Stay disconnected from the network, or behind a firewall that blocks TCP port 135, until the patch is installed: an unpatched machine exposed to the Internet can be reinfected within minutes.

What's more, since the worm spreads through the Windows RPC/DCOM service rather than through e-mail or shared files, it is strongly recommended to install a personal firewall on your machines which are connected to the Internet, and to filter UDP/69 (TFTP; the download never uses TCP), TCP/135 to TCP/139, TCP/445 and TCP/4444 at the network perimeter. Blocking TCP/135 from the Internet stops the worm's exploit; the other ports cut off the shell and the download if a host is attacked from inside the network, and 139 and 445 close the other paths by which the same RPC interface can be reached.

Last update on Thursday October 16, 2008 02:43:16 PM.
This document entitled « The LovSan/Blaster virus » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy and modify copies of this page, under the conditions stipulated by the licence, as long as this note appears clearly.