Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Blaster

Threat level: Moderate threat
Damage: High
Distribution: Not widespread

Effects

Blaster has the following effects:

  • It launches denial of service (DoS) attacks against the windowsupdate.com website whenever the system date falls between the 15th and the 31st of any month, or on any day from September through December of every year.
  • It can cause the attacked computer to hang and restart, due to programming errors in the worm's code.
  • It increases network traffic on TCP ports 135 and 4444 and on UDP port 69.

Infection strategy

Blaster creates the file MSBLAST.EXE in the Windows system directory. This file is a copy of the worm.

Blaster creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    windows auto update = msblast.exe

    By creating this entry, Blaster ensures that it is run whenever Windows is started.

Blaster follows the infection routine below:

  • The worm creates a mutex called BILLY in order to check whether it is already running. Blaster checks that the Winsock version is 1.00, 1.01 or 2.02, and that an Internet connection is available. If it is not, Blaster checks for an Internet connection every 20 seconds.
  • Blaster generates IP addresses at random, first within the network of the computer on which it is running, and then in class B networks (networks whose mask is 255.255.0.0).
  • Blaster attempts to exploit the Buffer Overrun in RPC Interface vulnerability in the remote computer, identified by the IP address generated.
  • If successful, Blaster logs on remotely and opens a connection from TCP port 4444 on the affected computer to UDP port 69 on the attacking computer.
  • Once the connection is established, the attacking computer sends a copy of the worm via TFTP. The worm incorporates its own TFTP server.
  • Once the download is completed, the file sent is run remotely, and as a result the worm can spread from the attacked computer.
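The propagation chain above (TCP/135 exploit attempt, TCP/4444 connection, UDP/69 TFTP pull) and the DoS date window from the Effects section can be turned into simple detection logic. The following is an added example, not part of the Panda Security entry: it correlates constructed connection-log lines (the log format and all IP addresses are invented) and reports which host infected which.

```python
"""Added example: spot the Blaster propagation pattern in connection logs
and evaluate its DoS trigger date. Only the port sequence and the date
window come from the encyclopedia entry; the log format and the
addresses below are constructed for illustration."""
from collections import defaultdict

# Constructed log lines: "<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
10:00:01 TCP 10.0.5.17:1051 -> 10.0.5.40:135
10:00:02 TCP 10.0.5.17:1052 -> 10.0.5.40:4444
10:00:03 UDP 10.0.5.40:1034 -> 10.0.5.17:69
10:00:04 TCP 10.0.5.17:1053 -> 172.16.9.3:135
10:00:05 TCP 10.0.5.40:1040 -> 10.0.5.41:135
10:01:00 TCP 10.0.5.99:2000 -> 10.0.5.40:445
"""

def parse(line):
    """Split one constructed log line into (proto, src_ip, dst_ip, dst_port)."""
    _time, proto, src, _arrow, dst = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return proto, src_ip, dst_ip, int(dst_port)

def find_blaster_infections(log_text):
    """Return {attacker: [victim, ...]} for each pair that shows the full chain:
    attacker->victim TCP/135, then attacker->victim TCP/4444, then
    victim->attacker UDP/69 (the TFTP download of the worm copy).
    A lone TCP/135 probe is scanning, not yet a confirmed infection."""
    stage = defaultdict(int)      # (attacker, victim) -> highest stage seen
    infected = defaultdict(list)
    for line in log_text.splitlines():
        proto, src, dst, dport = parse(line)
        if proto == "TCP" and dport == 135 and stage[(src, dst)] == 0:
            stage[(src, dst)] = 1
        elif proto == "TCP" and dport == 4444 and stage[(src, dst)] == 1:
            stage[(src, dst)] = 2
        elif proto == "UDP" and dport == 69 and stage[(dst, src)] == 2:
            stage[(dst, src)] = 3          # victim pulls the worm from attacker
            infected[dst].append(src)
    return dict(infected)

def in_dos_window(month, day):
    """True when the worm's DoS against windowsupdate.com is active:
    days 15-31 of any month, or any day from September (9) to December (12)."""
    return day >= 15 or month >= 9

if __name__ == "__main__":
    print(find_blaster_infections(SAMPLE_LOG))   # {'10.0.5.17': ['10.0.5.40']}
```

Hosts that appear only as TCP/135 sources (10.0.5.17 towards 172.16.9.3, and the freshly infected 10.0.5.40 towards 10.0.5.41) are scanning candidates worth a second look even though no download completed.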

Means of transmission

Blaster spreads by attacking IP addresses generated at random. These IP addresses belong to computers in the same network as the attacked computer, as well as to class B networks (whose mask is 255.255.0.0).

Blaster attempts to exploit the Buffer Overrun in RPC Interface vulnerability in those computers. If successful, it downloads a copy of itself to the attacked computer. Blaster incorporates its own TFTP server.

Further Details

Blaster is written in assembly language. The worm is 6,176 bytes in size when compressed with UPX, and 11,296 bytes once decompressed.

The code of Blaster contains several text strings, which are never displayed:

  • I just want to say LOVE YOU SAN!!
  • billy gates why do you make this possible ? Stop making money and fix your software!!
