MS Blaster Worm Roundup
by HNS Staff - last update: 01 August 2003, 4:27 AM CET (added: news on the capture of the virus author)
The Blaster worm scans the Internet for computers that are vulnerable to its attack. Once it finds one, it tries to enter the system through port 135 to create a buffer overflow. One indication of infection is unusual activity on this port. This is a roundup of information covering the Blaster worm.



CERT/CC - CERT Advisory CA-2003-20 - W32/Blaster worm

The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC interface. Upon successful execution, the worm attempts to retrieve a copy of the file msblast.exe from the compromising host. Once this file is retrieved, the compromised system then runs it and begins scanning for other vulnerable systems to compromise in the same manner. In the course of propagation, a TCP session to port 135 is used to execute the attack. However, access to TCP ports 139 and 445 may also provide attack vectors and should be considered when applying mitigation strategies.



Microsoft PSS Security Response Team Alert - New Worm: W32.Blaster.worm

The Microsoft Product Support Services Security Team is issuing this alert to inform customers about a new worm named W32.Blaster.Worm, which is spreading in the wild. Best practices, such as applying security patch MS03-026, should prevent infection from this worm. If you have any questions regarding this alert, please contact your Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the US; outside of the US, please contact your local Microsoft Subsidiary.



Microsoft Security Bulletin MS03-026 - Buffer Overrun In RPC Interface Could Allow Code

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on port 135.



Internet Storm Center (SANS) - RPC DCOM Worm (Msblaster)

A worm has started spreading early afternoon EDT (evening UTC Time) and is expected to continue spreading rapidly. This worm exploits the Microsoft Windows DCOM RPC Vulnerability announced July 16, 2003.



ISS X-Force - "MS Blast" MSRPC DCOM Worm Propagation

ISS X-Force has captured active samples of an automated Internet worm that propagates via the MS RPC DCOM vulnerability documented in ISS X-Force Alert titled "Flaw in Microsoft Windows RPC Implementation". MS Blast is currently propagating aggressively across the Internet.



eEye - 'Blaster' Worm Description and Technical Details
