Overall risk rating: Medium
Damage Potential: High
Distribution Potential: High
Trend Micro Pattern file required: 604
TrendLabs has received several infection reports of this new worm, mostly in the US and Latin America. The worm exploits the RPC DCOM buffer overflow, a vulnerability in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface that allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.
This worm has been observed to continuously scan and send data to vulnerable systems in the network using port 135. On the following system dates, it performs a Distributed Denial Of Service attack against windowsupdate.com:
* On the 16th to the 31st day of the following months:
  o January
  o February
  o March
  o April
  o May
  o June
  o July
  o August
* Any day in the months of September to December.
The following text strings are visible in the worm body:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!
For more information on the RPC DCOM Buffer Overflow, please visit the following Microsoft page:
Microsoft Security Bulletin MS03-026
Applying Patches
TrendLabs advises all affected users to apply the patch issued by Microsoft available from the following link:
Microsoft Security Bulletin MS03-026
TrendLabs also asks users to filter access to port 135 for trusted and internal sites only.
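The check below is an added example, not Trend Micro code. It reads connection records and reports two things the advisory describes: sources contacting many distinct hosts on port 135, and port 135 connections allowed from outside the trusted networks. The log format, the trusted range, the threshold and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: networks treated as "trusted and internal"; adjust to your site.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FANOUT_THRESHOLD = 5  # assumption: distinct port-135 targets before flagging

# Constructed sample records: "timestamp src_ip dst_ip dst_port action"
SAMPLE_LOG = """\
2003-08-12T10:00:01 10.1.1.23 10.1.2.1 135 ALLOW
2003-08-12T10:00:01 10.1.1.23 10.1.2.2 135 ALLOW
2003-08-12T10:00:02 10.1.1.23 10.1.2.3 135 ALLOW
2003-08-12T10:00:02 10.1.1.23 10.1.2.4 135 ALLOW
2003-08-12T10:00:03 10.1.1.23 10.1.2.5 135 ALLOW
2003-08-12T10:00:03 10.1.1.23 10.1.2.6 135 ALLOW
2003-08-12T10:01:00 10.1.1.40 10.1.2.10 135 ALLOW
2003-08-12T10:01:30 10.1.1.40 10.1.2.10 80 ALLOW
2003-08-12T10:02:00 203.0.113.9 10.1.2.5 135 ALLOW
2003-08-12T10:02:05 203.0.113.9 10.1.2.6 135 DENY
truncated record
"""

def is_trusted(ip):
    """True if ip parses and falls inside one of TRUSTED_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def analyse(log_text, threshold=FANOUT_THRESHOLD):
    """Return (sources with port-135 fan-out, allowed untrusted port-135 hits)."""
    targets = defaultdict(set)   # source -> distinct port-135 destinations
    policy_gaps = []             # untrusted source allowed to reach a trusted host
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "135":
            continue             # skip malformed lines and other ports
        ts, src, dst, _port, action = parts
        targets[src].add(dst)
        if action == "ALLOW" and not is_trusted(src) and is_trusted(dst):
            policy_gaps.append((ts, src, dst))
    scanners = sorted(s for s, d in targets.items() if len(d) >= threshold)
    return scanners, policy_gaps

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```
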
Additional Windows ME/XP Cleaning Instructions
Running Trend Micro Antivirus
Scan your system with Trend Micro antivirus and delete all files detected as WORM_MSBLAST.A. To do this, Trend Micro customers must download the latest pattern file, available from http://www.trendmicro-europe.com and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner, at http://housecall.trendmicro.com/.
# # #
About Trend Micro
Trend Micro is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has its European headquarters in Marlow, England, and business units worldwide. Trend Micro products are sold through corporate, value-added resellers and managed service providers. For additional information and evaluation copies of all Trend Micro products, visit:
http://www.trendmicro-europe.com
Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company or product names may be trademarks or registered trademarks of their owners.
For further information, please contact:
Anna Wright
EMEA PR Manager, Trend Micro
T. +44 (0)1628 400 534
E. anna_wright@trendmicro.co.uk
Lammers van Toorenburg PR
Annegees van Linge
T. +31 (0)30 6565 070
E. annegees@lvtpr.nl