
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Blaster.C

 
Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Blaster.C has the following effects:

  • It launches denial of service (DoS) attacks against the windowsupdate.com website whenever the system date falls between the 15th and the 31st of any month, or on any day from September through December of any year.
  • It can block and restart the attacked computer, due to programming errors in the worm's code.
  • It increases network traffic on TCP ports 135 and 4444 and on UDP port 69.

Infection strategy 

Blaster.C creates the file TEEKIDS.EXE in the Windows system directory. This file is a copy of the worm.

Blaster.C creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft Inet XP.. = teekids.exe

    By creating this entry, Blaster.C ensures that it is run whenever Windows is started.

Blaster.C follows the infection routine below:

  • The worm creates a mutex called BILLY in order to check whether it is already running. Blaster.C checks that the version of Winsock is 1.00, 1.01 or 2.02, and that a connection to the Internet is available. If no connection is available, Blaster.C checks for one every 20 seconds.
  • Blaster.C generates IP addresses at random, first within the network of the computer on which it is running, and then in class B networks (networks whose mask is 255.255.0.0).
  • Blaster.C attempts to exploit the Buffer Overrun in RPC Interface vulnerability in the remote computer, identified by the IP address above.
  • If successful, Blaster.C logs on remotely, and opens a connection from TCP port 4444 of the affected computer to UDP port 69 of the attacking computer.
  • Once the connection is established, the attacking computer sends a copy of the worm via TFTP. The worm incorporates a TFTP server.
  • Once the download is completed, the file sent is run remotely, and as a result the worm can spread from the attacked computer.
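
The routine above leaves a recognisable pattern in network flow logs: one host contacting many others on TCP 135, followed for each compromised target by a session on TCP 4444 and a TFTP request back to UDP 69 on the attacker. The sketch below is an added detection example, not part of the original entry or any Panda tool; the flow-record layout, the sample addresses and the SCAN_THRESHOLD value are assumptions.

```python
from collections import defaultdict

# Constructed flow records (not real traffic): (src, dst, proto, dst_port).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    ("192.0.2.10", "192.0.2.21", "tcp", 135),
    ("192.0.2.10", "192.0.2.22", "tcp", 135),
    ("192.0.2.10", "192.0.2.23", "tcp", 135),
    ("192.0.2.10", "192.0.2.22", "tcp", 4444),   # session on the target
    ("192.0.2.22", "192.0.2.10", "udp", 69),     # target fetches via TFTP
    ("192.0.2.30", "192.0.2.40", "tcp", 135),    # lone RPC connection
    ("192.0.2.50", "192.0.2.60", "udp", 69),     # unrelated TFTP
    ("192.0.2.22", "198.51.100.5", "tcp", 443),
]

SCAN_THRESHOLD = 3  # assumed cut-off; tune it against normal RPC traffic


def analyse(flows, scan_threshold=SCAN_THRESHOLD):
    """Return (scanners, transfers) found in an ordered list of flow tuples."""
    rpc_targets = defaultdict(set)   # src -> hosts it contacted on TCP 135
    seen = set()                     # flows observed so far
    transfers = []                   # (attacker, victim) pairs, in order seen
    for src, dst, proto, port in flows:
        seen.add((src, dst, proto, port))
        if (proto, port) == ("tcp", 135):
            rpc_targets[src].add(dst)
        # A TFTP request is sent by the victim to the attacker's UDP 69.
        if (proto, port) == ("udp", 69):
            attacker, victim = dst, src
            if ((attacker, victim, "tcp", 135) in seen
                    and (attacker, victim, "tcp", 4444) in seen
                    and (attacker, victim) not in transfers):
                transfers.append((attacker, victim))
    scanners = sorted(s for s, t in rpc_targets.items()
                      if len(t) >= scan_threshold)
    return scanners, transfers


if __name__ == "__main__":
    scanners, transfers = analyse(SAMPLE_FLOWS)
    print("hosts sweeping TCP 135:", scanners)
    print("completed 135 -> 4444 -> TFTP chains:", transfers)
```

The chain check is order-sensitive, so feed it flows sorted by start time.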

Means of transmission 

Blaster.C spreads by attacking IP addresses generated at random. These IP addresses belong to computers in the same network as the attacked computer, as well as to class B networks (whose mask is 255.255.0.0).

Blaster.C attempts to exploit the Buffer Overrun in RPC Interface vulnerability in those computers. If successful, it downloads a copy of itself to the attacked computer. Blaster.C incorporates its own TFTP server.

Further Details  

Blaster.C is written in the Assembler language. This worm is 5,360 bytes in size when it is compressed with FSG, and 12 Kbytes once decompressed.
