MS Blaster Worm Roundup
by HNS Staff - last update: 01 August 2003, 4:27 AM CET (added: news on the capture of the virus author)
The Blaster worm scans the Internet for computers that are vulnerable to its attack. Once it finds one, it tries to enter the system through port 135 by causing a buffer overflow. One indication of infection is unusual activity on this port. This is a roundup of information covering the Blaster worm.

CERT/CC - CERT Advisory CA-2003-20 - W32/Blaster worm

The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC interface. Upon successful execution, the worm attempts to retrieve a copy of the file msblast.exe from the compromising host. Once this file is retrieved, the compromised system then runs it and begins scanning for other vulnerable systems to compromise in the same manner. In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies.

Microsoft PSS Security Response Team Alert - New Worm: W32.Blaster.worm

The Microsoft Product Support Services Security Team is issuing this alert to inform customers about a new worm named W32.Blaster.Worm which is spreading in the wild. Best practices, such as applying security patch MS03-026, should prevent infection from this worm. If you have any questions regarding this alert, please contact your Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the US; outside of the US, please contact your local Microsoft Subsidiary.

Microsoft Security Bulletin MS03-026 - Buffer Overrun In RPC Interface Could Allow Code

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on port 135.

Internet Storm Center (SANS) - RPC DCOM Worm (Msblaster)

A worm has started spreading early afternoon EDT (evening UTC Time) and is expected to continue spreading rapidly. This worm exploits the Microsoft Windows DCOM RPC Vulnerability announced July 16, 2003.

ISS X-Force - "MS Blast" MSRPC DCOM Worm Propagation

ISS X-Force has captured active samples of an automated Internet worm that propagates via the MS RPC DCOM vulnerability documented in ISS X-Force Alert titled "Flaw in Microsoft Windows RPC Implementation". MS Blast is currently propagating aggressively across the Internet.

eEye - 'Blaster' Worm Description and Technical Details

