Hello!

You’re about to visit our web page in English
Would you like to continue?

Yes, I want to visit the web page in English No, I want to visit the web page in

If this is not what you’re looking for,

Visit our Welcome Page!

My Account

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Blaster

 
Threat LevelModerate threat
DamageHigh
DistributionNot widespread

At a glance

Common name:Blaster
Technical name:W32/Blaster
Threat level:Low
Alias:W32/Lovsan.worm, W32.Blaster.Worm, WORM_MSBLAST.A, Win32.Poza, WORM_MSBLAST.H
Type:Worm
Effects:  It launches denial of service attacks against the windowsupdate.com website. It restarts the affected computer.

Affected platforms:

Windows 2003/XP/2000/NT

Detection updated on:Jan. 2, 2004
StatisticsNo
Proactive protection:
Yes, using TruPrevent Technologies
Repair utility:Panda QuickRemover

Brief Description 

    

Blaster is a worm that affects Windows 2003/XP/2000/NT computers only. Blaster exploits the Buffer Overrun in RPC Interface vulnerability to spread to as many computers as possible.

Blaster launches denial of service (DoS) attacks against the windowsupdate.com website. Whenever the system date is between the days 15 and 31 of every month, or every day during the months September through December of every year, Blaster sends a 40 byte packet every 20 milliseconds, using the TCP port 80.

Blaster spreads by attacking IP addresses generated at random and exploits the vulnerability mentioned above to download a copy of itself to the compromised computer. In order to do this, Blaster incorporates its own TFTP (Trivial File Transfer Protocol) server.

If you have a Windows 2003/XP/2000/NT computer, it is highly recommendable to download the security patch from the Microsoft website. Access the web page for downloading the patch.

Visible Symptoms 

    

Some clear indications that Blaster has reached the computer are the following:

  • The network traffic increases on the TCP 135 and 4444 and UDP 69 ports.
  • The attacked computer blocks and restarts, due to programming errors in the code of the worm.

Tech details

Effects

Blaster has the following effects:

  • It launches denial of service (DoS) attacks against the windowsupdate.com website whenever the system date is between the days 15 and 31 of every month, or every day during the months September through December of every year.
  • It can block and restart the attacked computer, due to programming errors in the code of the worm.
  • It increases the network traffic on the TCP 135 and 4444, and UDP 69 ports.

Infection strategy 

Blaster creates the file MSBLAST.EXE in the Windows system directory. This file is a copy of the worm.

Blaster creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
    windows auto update = msblast.exe
    By creating this entry, Blaster ensures that it is run whenever Windows is started.

Blaster follows the infection routine below:

  • The worm creates a mutex called BILLY in order to check if it is already activated. Blaster checks that the version of Winsock is 1.00, 1.01 or 2.02, and that a connection to the Internet is available. If it is not, Blaster checks for an Internet connection every 20 seconds.
  • Blaster generates IP addresses at random, first within the network of the computer on which it is running, and then in class B networks (networks whose mask is 255.255.0.0).
  • Blaster attempts to exploit the Buffer Overrun in RPC Interface vulnerability in the remote computer, identified by the IP address generated.
  • If successful, Blaster logs on remotely, and opens a connection from the TCP 4444 port of the affected computer to the UDP 69 port of the attacking computer.
  • Once the connection is established, the attacking computer sends a copy of the worm via TFTP. The worm incorporates its own TFTP server.
  • Once the download is completed, the file sent is run remotely, and as a result the worm can spread from the attacked computer.

Means of transmission 

Blaster spreads by attacking IP addresses generated at random. These IP addresses belong to the computers in the same network as the attacked computer, as well as B class networks (whose mask is 255.255.0.0).

Blaster attempts to exploit the Buffer Overrun in RPC Interface vulnerability in those computers. If successful, it downloads a copy of itself to the attacked computer. Blaster incorporates its own TFTP server.

Further Details  

Blaster is written in the Assembler language. This worm is 6,176 bytes in size when it is compressed with UPX, and 11,296 bytes in size once decompressed.

The code of Blaster contains several text strings, which are not displayed at any time:
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

>

Solution

See solution

Anytech logo

Call us 24/7 and get a FREE DIAGNOSIS

+1 (323) 395 2630

logo

Panda Security, a WatchGuard Technologies brand, offers the most advanced protection for your family and business. Its Panda Dome range provides maximum security against viruses, ransomware and computer espionage, and is compatible with Windows, Mac, Android and iOS.

    About Panda
    Company Info Reviews Awards and certifications Panda Worldwide Blog Security Info
    Home Users
    Panda Dome portfolio Customer Login Page Online Antivirus Downloads Free Antivirus Free VPN Offers
    Business - WatchGuard Technologies
    WatchGuard Endpoint Security Network Security Authpoint MFA Secure Wi-Fi Partners
    Visa Master Card Maestro Pay Pal Apple Pay
    Bank Transfer iDeal Klarna
    Privacy Policy Legal Notice Cookie Policy Return Policy