✔ Best answer
W32.Blaster.Worm Risk Level 2: Low
Discovered: August 11, 2003
Updated: February 13, 2007 12:06:16 PM
Also Known As: W32/Lovsan.worm.a [McAfee], Win32.Poza.A [CA], Lovsan [F-Secure], WORM_MSBLAST.A [Trend], W32/Blaster-A [Sophos], W32/Blaster [Panda], Worm.Win32.Lovesan [KAV]
Type: Worm
Infection Length: 6,176 bytes
Systems Affected: Windows 2000, Windows NT, Windows Server 2003, Windows XP
CVE References: CAN-2003-0352
Due to a decreased rate of submissions, Symantec Security Response has downgraded this threat to a Category 2 from a Category 3 as of February 26, 2004.
W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability (first described in Microsoft Security Bulletin MS03-026) using TCP port 135 (users are recommended to patch this vulnerability by applying Microsoft Security Bulletin MS03-039). The worm targets only Windows 2000 and Windows XP machines. While Windows NT and Windows 2003 Server machines are vulnerable to the aforementioned exploit (if not properly patched), the worm is not coded to replicate to those systems. This worm attempts to download the msblast.exe file to the %WinDir%\system32 directory and then execute it. W32.Blaster.Worm does not have a mass-mailing functionality.
Additional information and an alternate site from which to download the Microsoft patch is available in the Microsoft article, "What You Should Know About the Blaster Worm and Its Variants."
We recommend that you block access to TCP port 4444 at the firewall level, and then block the following ports, if you do not use the following applications:
TCP Port 135, "DCOM RPC"
UDP Port 69, "TFTP"
The worm also attempts to perform a Denial of Service (DoS) on the Microsoft Windows Update Web server (windowsupdate.com). This is an attempt to prevent you from applying a patch on your computer against the DCOM RPC vulnerability.
Click here for more information on the vulnerability that this worm exploits, and to find out which Symantec products can help mitigate risks from this vulnerability.
NOTE: Virus definitions will detect this threat having:
Defs Version: 50811s
Sequence Number: 24254
Extended Version: 8/11/2003, rev. 19
Symantec Security Response has developed a removal tool to clean the infections of W32.Blaster.Worm.
W32.Blaster.Worm Webcast
The following Webcast has been provided, which discusses the mitigation and remediation strategies, as well as provides a detailed description of the DoS attack:
http://enterprisesecurity.symantec.com/content/webcastinfo.cfm?webcastid=63
Security Response has provided some information to aid network administrators in ongoing efforts to track down W32.Blaster.Worm infected machines on their respective network. Please see the document, "Detecting traffic due to RPC worms" for additional information.
Protection
Virus Definitions (LiveUpdate™ Weekly): August 11, 2003
Virus Definitions (Intelligent Updater): August 11, 2003

Threat Assessment
Wild
Wild Level: Low
Number of Infections: More than 1000
Number of Sites: More than 10
Geographical Distribution: High
Threat Containment: Moderate
Removal: Moderate

Damage
Damage Level: Medium
Payload Trigger: If the date is the 16th of the month until the end of that month if it's before August, and every day from August 16 until December 31.
Payload: Performs Denial of Service against windowsupdate.com
Causes System Instability: May cause machines to crash.
Compromises Security Settings: Opens a hidden remote cmd.exe shell.

Distribution
Distribution Level: Medium
Ports: TCP 135, TCP 4444, UDP 69
Target of Infection: Machines with vulnerable DCOM RPC Services running.

Writeup By: Douglas Knowles, Frederic Perr
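The port list in the writeup (TCP 135, TCP 4444, UDP 69) and the "Detecting traffic due to RPC worms" guidance suggest a simple way for an administrator to find infected pairs in connection logs. The following is an added example, not part of the Symantec writeup or of this answer: it correlates flow records per attacker/victim pair and flags pairs that show the worm's traffic sequence. The log format, the sample lines and the assumption that the victim fetches msblast.exe over TFTP from the attacking host are constructed for this example.

```python
import re
from datetime import datetime

# Constructed sample flow log for this example (not from the Symantec writeup).
# Format: "<ISO time> <src>:<sport> -> <dst>:<dport> <TCP|UDP>"
SAMPLE_FLOWS = """\
2003-08-12T09:58:10 10.0.0.5:1043 -> 10.0.0.9:139 TCP
2003-08-12T10:00:01 10.0.0.5:1045 -> 10.0.0.9:135 TCP
2003-08-12T10:00:02 10.0.0.5:1046 -> 10.0.0.9:4444 TCP
2003-08-12T10:00:03 10.0.0.9:1030 -> 10.0.0.5:69 UDP
2003-08-12T10:00:09 10.0.0.7:2001 -> 10.0.0.9:135 TCP
2003-08-12T10:05:00 10.0.0.11:3001 -> 10.0.0.12:4444 TCP
"""

FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (TCP|UDP)$")

def parse_flows(text):
    """Parse log lines into (time, src, dst, dport, proto) tuples, oldest first."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            ts, src, _sport, dst, dport, proto = m.groups()
            flows.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return sorted(flows)

# Stage names in the order the worm's traffic appears between one attacker/victim pair:
# attacker->victim TCP/135 (DCOM RPC exploit), attacker->victim TCP/4444 (hidden
# cmd.exe shell), victim->attacker UDP/69 (TFTP fetch of msblast.exe; the direction
# is an assumption of this example, the writeup only lists the port).
STAGES = ["rpc_135", "shell_4444", "tftp_69"]

def detect_blaster_chains(flows, window_s=60):
    """Return {(attacker, victim): stages_reached} for pairs that got past TCP/135.

    Each stage must follow the previous one within window_s seconds. A lone TCP/135
    connection is ordinary RPC traffic, so pairs that never reach stage 2 are dropped.
    """
    state = {}  # (attacker, victim) -> [index_of_last_stage, time_of_last_stage]
    for t, src, dst, dport, proto in flows:
        if (proto, dport) == ("TCP", 135):
            state[(src, dst)] = [0, t]  # (re)start the chain on every exploit attempt
            continue
        if (proto, dport) == ("TCP", 4444):
            key, want = (src, dst), 1  # shell connection: attacker -> victim
        elif (proto, dport) == ("UDP", 69):
            key, want = (dst, src), 2  # TFTP request: victim -> attacker
        else:
            continue
        cur = state.get(key)
        if cur and cur[0] == want - 1 and (t - cur[1]).total_seconds() <= window_s:
            state[key] = [want, t]
    return {pair: STAGES[: s[0] + 1] for pair, s in state.items() if s[0] >= 1}

if __name__ == "__main__":
    for (attacker, victim), stages in detect_blaster_chains(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{attacker} -> {victim}: {', '.join(stages)}")
```

On the sample log only 10.0.0.5 -> 10.0.0.9 completes the chain; the lone TCP/135 from 10.0.0.7 and the TCP/4444 without a preceding exploit attempt from 10.0.0.11 are not reported.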