
Introduction to Worms

Worms are generally considered a subset of viruses, but with a key difference: a worm is a self-replicating program that does not infect other files. Instead it installs itself on a victim computer and then looks for a way to spread to other computers. The term "worm" was coined by science-fiction writer John Brunner in his 1975 novel The Shockwave Rider, whose hero, a talented programmer, creates self-replicating programs that tunnel their way through a worldwide network.

Classification of Worms
Like viruses, worms are usually sub-divided by the means they use to infect a system, i.e. how they deliver copies of themselves to new victim machines. The main types are:

Email Worms
Email worms spread via infected email messages. The worm may arrive as an attachment, or the message may carry a link to an infected website; in both cases email is the vehicle. In the first case the worm is activated when the user opens the attachment; in the second, when the user follows the link to the infected site. Email worms harvest email addresses from victim machines in order to spread further.

Instant Messaging Worms

These worms have a single propagation method: they spread via instant messaging applications such as MSN Messenger and ICQ by sending links to infected websites to everyone on the local contact list. The only difference between these worms and email worms that send links is the medium used to deliver the links.

P2P Worms
P2P worms copy themselves into a shared folder, usually located on the local machine. Once the worm has successfully placed a copy of itself under a harmless name in a shared folder, the P2P network takes over: the network informs other users about the new resource and provides the infrastructure to download and execute the infected file.

Internet Worms
Virus writers use several techniques to distribute internet worms:

- copying the worm to networked resources;
- penetrating public networks;
- piggy-backing: using other malware as a carrier for the worm.

Network worms locate remote machines and copy themselves into folders that are open for reading and writing. They scan all available network resources using local operating system services and/or scan the Internet for vulnerable machines, then attempt to connect to those machines and gain full access to them. Alternatively, the worm scans the Internet for machines that have not been patched, i.e. whose operating systems still have critical vulnerabilities open to exploitation. The worm sends data packets or requests that install either the entire body of the worm or a section of the worm's code containing downloader functionality; if that code is successfully installed, the main worm body is then downloaded. In either case, once the worm is installed it executes its code and the cycle continues.

Blaster Worm (W32/Lovsan.worm.a)

The W32/Blaster worm (subtype: internet worm), also known as Lovsan or Lovesan, is one of the most widespread examples. Viruses are programs that self-replicate recursively: infected systems spread the virus to other systems, which then propagate it further. While many viruses carry a destructive payload, it is quite common for a virus to do nothing more than spread from one system to another.

Aliases

- Lovesan
- Lovsan.H (F-Secure)
- msblast.exe
- tftp
- W32.Blaster.Worm (Symantec)
- W32/Blaster.worm.a
- W32/Blaster.worm.gen
- W32/Blaster.worm.k
- W32/Lovsan.worm
- W32/Lovsan.worm.gen
- Win32.Poza (CA)
- Worm/Lovsan.G (Central Command)
- WORM_MSBLAST.A (Trend)
- WORM_MSBLAST.H (Trend)

Background of Blaster
The worm was first noticed on August 11, 2003. The rate at which it spread increased until the number of infections peaked on August 13. Filtering by ISPs and widespread publicity about the worm curbed its spread. The worm was programmed to start a SYN flood against port 80 of windowsupdate.com from August 16, creating a distributed denial of service (DDoS) attack against the site. The damage to Microsoft was minimal, as the site targeted was windowsupdate.com rather than windowsupdate.microsoft.com; Microsoft temporarily shut down the targeted site to minimize the potential effects of the worm. The worm contains two messages hidden in its strings. The first, "I just want to say LOVE YOU SAN!!", is why it is sometimes called the Lovesan virus. The second, "billy gates why do you make this possible ? Stop making money and fix your software!!", is an apparent message to Bill Gates.

Side Effects of the Worm

Although the worm can only spread on systems running Windows 2000 and Windows XP, it can cause instability on systems running Windows NT, Windows XP and Windows Server 2003. If the worm detects a connection to the Internet (dial-up or broadband), the system can become so unstable that it displays the following message and then restarts:

Windows must now restart because the Remote Procedure Call (RPC) Service terminated unexpectedly.

Symptoms
- presence of the file msblast.exe in the WINDOWS\SYSTEM32 directory
- error messages about the RPC service failing (causes the system to reboot)
- presence of unusual TFTP files

Methods Of Infection
This worm spreads by exploiting the RPC vulnerability in Microsoft Windows addressed by MS03-026. The worm scans the local class C subnet, or other random subnets, on TCP port 135. Discovered systems are targeted: exploit code is sent to them, instructing them to download and execute the file MSBLAST.EXE from the attacking system via TFTP.

When W32/Lovsan.worm attempts to infect a machine on port 135 it sends a carefully crafted packet designed to cause a buffer overflow. The code execution path after a buffer overflow depends on the exact layout of files in memory on the target machine, so an exploit would normally target a single OS, for example Windows XP or Windows 2000, because the location of certain files in memory differs slightly between platforms. W32/Lovsan.worm instead guesses: it tries the Windows 2000 exploit with 20% probability and the Windows XP exploit with 80% probability. If it guesses correctly it infects the machine; if it guesses incorrectly it crashes the machine. The author coded nothing for Windows NT 4, so on that platform the worm can only crash the system.

The worm carries a payload to launch a denial of service attack against windowsupdate.com from August 16. The worm checks the local system date only upon execution, so if an infected system is left running and the date rolls over to August 16, the payload does not start until the system is restarted. The payload sends 40-byte SYN packets to windowsupdate.com on TCP port 80 with the aim of preventing users from patching their systems via Windows Update. The source IP address is spoofed on each packet, using a random address within the local class B range.

Computers with up-to-date antivirus software will detect the worm executable (msblast.exe) upon download and so prevent the machine from becoming a host for W32/Lovsan.
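The payload behaviour described above, modeled as an added Python example (this is not code from the worm or from the original write-up). It implements the start-up-only date check and builds one 40-byte spoofed SYN as bytes so its structure can be inspected; nothing is sent. The destination 192.0.2.1 is a documentation address standing in for windowsupdate.com, and the TTL, window size and source-port range are assumptions chosen for illustration. The date condition is modeled as the widely documented one (any day after the 15th, or any month after August), which generalises the August 16 start mentioned above.

```python
"""Model of the Blaster/Lovsan DoS payload: start-up-only date check and the
40-byte spoofed TCP SYN. Added example; builds bytes only, sends nothing."""
import random
import socket
import struct

IPPROTO_TCP = 6


def dos_payload_armed(month: int, day: int) -> bool:
    """Documented trigger: day of month > 15, or month > 8 (September onwards)."""
    return day > 15 or month > 8


class InfectedHost:
    """The worm evaluates the date once, when msblast.exe starts, and never
    re-checks. A host infected on 10 August that stays up past the 16th
    therefore does not attack until it reboots."""

    def __init__(self, boot_month: int, boot_day: int):
        self.dos_armed = dos_payload_armed(boot_month, boot_day)

    def attacking(self, now_month: int, now_day: int) -> bool:
        # The current date is deliberately ignored: only the boot-time verdict counts.
        return self.dos_armed

    def reboot(self, month: int, day: int) -> "InfectedHost":
        return InfectedHost(month, day)


def spoofed_source(local_ip: str, rng=random) -> str:
    """Keep the first two octets of the infected host (its class B range) and
    randomise the last two, as the text describes."""
    a, b, _, _ = local_ip.split(".")
    return f"{a}.{b}.{rng.randint(0, 255)}.{rng.randint(0, 255)}"


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071); a header carrying a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip: str, dst_ip: str, src_port: int, dst_port: int = 80,
              seq: int = 0, ident: int = 0) -> bytes:
    """20-byte IPv4 header + 20-byte TCP header, no options, no payload = 40 bytes."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    ttl = 128                      # assumption: Windows-like default
    ip_fmt = "!BBHHHBBH4s4s"
    ip_hdr = struct.pack(ip_fmt, 0x45, 0, 40, ident, 0, ttl, IPPROTO_TCP, 0, src, dst)
    ip_hdr = struct.pack(ip_fmt, 0x45, 0, 40, ident, 0, ttl, IPPROTO_TCP,
                         ones_complement_sum(ip_hdr), src, dst)
    tcp_fmt = "!HHIIHHHH"
    off_flags = (5 << 12) | 0x02   # data offset 5 words, SYN flag only
    window = 16384                 # assumption
    tcp_hdr = struct.pack(tcp_fmt, src_port, dst_port, seq, 0, off_flags, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, IPPROTO_TCP, len(tcp_hdr))
    tcp_hdr = struct.pack(tcp_fmt, src_port, dst_port, seq, 0, off_flags, window,
                          ones_complement_sum(pseudo + tcp_hdr), 0)
    return ip_hdr + tcp_hdr


def inspect_syn(pkt: bytes) -> dict:
    """Decode a packet from build_syn and verify both checksums."""
    ip = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    tcp = struct.unpack("!HHIIHHHH", pkt[20:40])
    pseudo = struct.pack("!4s4sBBH", ip[8], ip[9], 0, ip[6], len(pkt) - 20)
    return {
        "src": socket.inet_ntoa(ip[8]),
        "dst": socket.inet_ntoa(ip[9]),
        "dport": tcp[1],
        "syn_only": (tcp[4] & 0x3F) == 0x02,
        "ip_checksum_ok": ones_complement_sum(pkt[:20]) == 0,
        "tcp_checksum_ok": ones_complement_sum(pseudo + pkt[20:]) == 0,
    }


def burst(local_ip: str, target: str, count: int, seed: int = 0) -> list:
    """One round of the flood: every SYN carries a different spoofed source
    and a source port in an assumed 1000-1999 range."""
    rng = random.Random(seed)
    return [build_syn(spoofed_source(local_ip, rng), target, rng.randint(1000, 1999))
            for _ in range(count)]


if __name__ == "__main__":
    for p in burst("10.20.33.44", "192.0.2.1", 3):
        print(len(p), inspect_syn(p))
```

The two points worth taking from the model are that every packet is a valid, fully checksummed 40-byte SYN (so it is indistinguishable from a real connection attempt except by its spoofed source), and that the date decision is frozen at start-up, which is why an infected host left running through August 16 stays quiet until its next reboot.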

However, unless the system has been patched (MS03-026), it remains susceptible to the buffer overflow attack from an infected host. An infected machine (running msblast.exe) sends malformed packets across the local subnet to the RPC service on port 135. When an unpatched system receives these packets, the buffer overflow crashes the RPC service on that system. All of this can occur without the worm ever being present on the machine: the remote shell may still be created on TCP port 4444, and the system may crash unexpectedly upon receiving malformed exploit code. Other symptoms may include:
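The traffic pattern just described is what a network defender would look for. The following is an added Python example (not part of the original write-up or of any vendor product) that runs a simple detector over a few constructed flow records: it flags hosts that sweep a subnet on TCP/135, and it ties an attacker to a victim when the sweep is followed by a connection to the victim's shell port and the victim then fetches the worm from the attacker over TFTP (UDP/69). The flow-record format and the sample data are constructed for the example; the shell ports 4444 (Lovsan) and 707 (Nachi) are the ones named in the Sniffer filter note further down.

```python
"""Detector for Blaster-style propagation in connection logs. Added example;
the log format and the sample records are constructed for illustration."""
import re
from collections import defaultdict

# Shell ports opened by the exploit stage: 4444 (Lovsan/Blaster), 707 (Nachi).
SHELL_PORTS = {4444: "Lovsan", 707: "Nachi"}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample: one host sweeps 10.1.1.0/24 on 135, gets a shell on
# 10.1.1.17, and the victim pulls msblast.exe back over TFTP. Two benign
# flows (a single legitimate DCOM call and a web request) are mixed in.
SAMPLE_FLOWS = (
    ["2003-08-12T10:14:00 tcp 10.1.1.5:1100 -> 10.1.1.10:135",
     "2003-08-12T10:14:30 tcp 10.1.1.7:1200 -> 192.0.2.10:80"]
    + [f"2003-08-12T10:15:{i:02d} tcp 10.1.1.50:{1030 + i} -> 10.1.1.{i}:135"
       for i in range(1, 31)]
    + ["2003-08-12T10:16:02 tcp 10.1.1.50:1061 -> 10.1.1.17:4444",
       "2003-08-12T10:16:03 udp 10.1.1.17:1025 -> 10.1.1.50:69"]
)


def parse_flow(line):
    """Parse one record; returns None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    return f


def find_scanners(flows, min_targets=16):
    """Hosts that touch TCP/135 on at least min_targets distinct addresses.
    A real DCOM client talks to a handful of servers, not a whole /24."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == 135:
            targets[f["src"]].add(f["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def find_infection_chains(flows):
    """attacker -> victim:135, then attacker -> victim:<shell>, then
    victim -> attacker:69/udp, in that time order (ISO timestamps sort as text)."""
    stages = defaultdict(dict)   # (attacker, victim) -> stage -> first timestamp
    labels = {}
    for f in flows:
        key = stage = None
        if f["proto"] == "tcp" and f["dport"] == 135:
            key, stage = (f["src"], f["dst"]), "rpc"
        elif f["proto"] == "tcp" and f["dport"] in SHELL_PORTS:
            key, stage = (f["src"], f["dst"]), "shell"
            labels[key] = SHELL_PORTS[f["dport"]]
        elif f["proto"] == "udp" and f["dport"] == 69:
            key, stage = (f["dst"], f["src"]), "tftp"   # victim pulls from attacker
        if key is not None:
            stages[key].setdefault(stage, f["ts"])
    chains = []
    for (attacker, victim), seen in stages.items():
        if ({"rpc", "shell", "tftp"} <= set(seen)
                and seen["rpc"] <= seen["shell"] <= seen["tftp"]):
            chains.append((attacker, victim, labels[(attacker, victim)]))
    return sorted(chains)


def analyse(lines):
    """Run both checks over raw log lines; unparsable lines are skipped."""
    flows = [f for f in map(parse_flow, lines) if f is not None]
    return {"scanners": find_scanners(flows), "chains": find_infection_chains(flows)}


if __name__ == "__main__":
    print(analyse(SAMPLE_FLOWS))
```

The scanner check alone will also catch hosts that merely crash their neighbours' RPC service without delivering the worm (the collateral-damage case described above), because the port 135 sweep happens either way; the chain check is the stronger signal that a new host has actually been infected and should be isolated.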

- inability to cut/paste
- inability to move icons
- Add/Remove Programs list empty
- DLL errors in most Microsoft Office programs
- generally slow or unresponsive system performance

Applying the MS03-026 patch prevents the RPC service from failing, which in turn resolves these symptoms. It is very important that the machine is rebooted after the patch has been installed. The machine can then be updated to the latest DATs/engine/configuration and an on-demand scan run to pick up msblast.exe, if it exists. All of these symptoms are related to the RPC vulnerability and not necessarily to W32/Lovsan running locally; msblast.exe may not be present at all.

Removal of the Worm

Microsoft Patches
It is imperative that infected systems are patched before disinfection. Some systems may be in a crash loop: each time the system is restarted, SVCHOST.EXE crashes and the user has 60 seconds before the system restarts again. This can continue even after the virus is removed if the patch has not been applied. It may be necessary to install or configure a firewall before downloading and installing the patch. Microsoft has outlined the necessary steps to address Windows issues when removing this virus.

Virus Removal:
Use the current DAT file for detection and removal. The 4283 DAT files detect this threat as a variant of Exploit-DcomRpc. Infected systems must be patched before the virus is removed (see Microsoft Patches above). Modifications made to the system Registry and/or INI files for the purpose of hooking system startup are removed successfully when cleaning with the recommended engine and DAT combination (or higher). Additional removal considerations apply to Windows ME/XP. The stand-alone remover Stinger has been updated to include detection and removal of this threat.

Sniffer customers: a new filter has been developed that looks for any traffic exploiting the RPC vulnerability, plus traffic on port 4444 (Lovsan) and port 707 (Nachi) (Sniffer Distributed 4.3 and Sniffer Portable 4.7.5).

Manual Removal Instructions

The RPC error message and the forced Windows restart can be avoided by changing the recovery options of the Remote Procedure Call service, buying an infected user enough time to remove the virus and install the patch that removes the vulnerability. The procedure is as follows:

1. Go to Start -> Run, type "services.msc" and press Enter.
2. Find the "Remote Procedure Call" service (not the RPC Locator service), right-click it and select Properties.
3. Select the Recovery tab and set all failure actions to "Take No Action".
4. Select OK.

Because the Remote Procedure Call service is an integral part of Windows, the failure actions should be reset to "Restart the Computer" as soon as the Blaster worm is removed. Another way to stop the computer from restarting is as follows:

1. Go to Start -> Run, type "shutdown -a" and press Enter.

If run as an Administrator, this aborts the pending reboot (-a stands for "abort"). It must be done within the time limit displayed in the shutdown notice. shutdown.exe is not available on Windows 2000 unless you extract it from the Windows 2000 Resource Kit. Additionally, systems running the Open Software Foundation's Distributed Computing Environment (DCE) can be affected by traffic generated by the worm: the worm's packets can crash DCE, causing a denial of service of DCE. A rule of thumb for users of Microsoft Windows is to remain vigilant in keeping up to date with updates from Microsoft and with anti-virus software. Windows Update is especially crucial because malware such as Blaster is often built on vulnerabilities addressed by recent patches, in the hope that many users are not yet protected.

Threatscan users
The latest ThreatScan signature (2003-08-12) includes detection of the W32/Lovsan.worm virus. This signature is available for ThreatScan v2.0, v2.1 and v2.5. To update your ThreatScan installations with the latest signatures, perform the following tasks:

1. From within ePO open the Policies tab.
2. Select McAfee ThreatScan and then select Scan Options.
3. In the pane below click the Launch AutoUpdater button.
4. Using the default settings, proceed through the dialogs that appear. Upon successful completion of the update a message will state that update 2003-08-12 has completed successfully.
5. From within ePO create a new AutoUpdate on Agent(s) task.
6. Go into the settings for this task and ensure that the host field is set to ftp.nai.com, the path is set to /pub/security/tsc20/updates/winnt/ and the user and password fields are both set to ftp. Note that tsc20 in the above path is for ThreatScan 2.0 and 2.1; the correct path for ThreatScan 2.5 uses tsc25.
7. Launch this task against all agent machines.
8. When the task(s) complete, information will be available in the Task Status Details report.

To create and execute a new task with the new Hot Fix functionality:

1. Create a new ThreatScan task.
2. Edit the settings of this task.
3. Edit the task option Host IP Range to include all desired machines to scan.
4. Select the Remote Infection Detection category and the Windows Virus Checks template, or select the Other category and the Scan All Vulnerabilities template.
5. Launch the scan.

Variants

- W32/Lovsan.worm.g
- W32/Lovsan.worm.k
