Around July 16th the Last Stage of Delirium (Polish 'White Hat' hackers) created 'proof of concept' (i.e. they actually executed a theoretical exploit) code to exploit a stack buffer overflow vulnerability in "Windows 2000 (sp 1-4), Windows XP (sp 1) and Windows 2003 Server (regardless of the service packs installed)" ( http://lsd-pl.net/special.html ). Special thanks go out to LSD for their responsibility in not releasing their code. Microsoft also thanks them. A pity their responsibility made little difference.
An American hacker and a Chinese hacking group (XFocus) released code for this exploit on July 25th ( http://www.xfocus.org/documents/200307/2.html ) without any code or special information to work with, proving that with only very vague details of a vulnerability, malicious code can be created quickly, even without disclosure of the exploit's details. They only released code that works on 3 Windows operating systems, but the code can easily be modified to use on the other vulnerable systems.
HD Moore (founder of the Metasploit Project) modified the code to exploit 7 operating systems. "I don't like broken exploits, so I fixed it," he said. He posted the code on a machine he hosted, was inundated with traffic, and was taken offline. He had planned to disseminate the code from a web server, but I did not verify that it has happened.
The release of code to execute this exploit gave System administrators little time to patch and home users who are typically slower to do so even less.
Soon exploit tools were released allowing hackers to send commands through IRC networks. On Aug 2nd the first traces of these attack programs were found, but they were not worms: they did not self-propagate.
The next step was for someone to create a worm to tie into this exploit.
With the DefCon hacker convention on the weekend of Aug 2-3, it was widely expected that a worm utilizing this exploit would be released (not necessarily by people attending DefCon, but simply because of the attention to hacking that the conference brings). The Department of Homeland Security issued an alert on Aug 1st, and the Federal Computer Incident Response Center (FedCIRC), the National Communications System (NCS) and the National Infrastructure Protection Center (NIPC) were keeping an eye out for the exploits.
The worm became an internet threat yesterday (Aug 11th). It was named "MSBlast" by its author. The Internet Storm Center ( http://isc.incidents.org/ ) has claimed that it is spreading quickly (my anecdotal evidence backs this up). By mid-afternoon on Aug 11th at least 7000 machines had been compromised according to CNET.
This worm has not yet reached its peak. It will be fine-tuned by other hackers and modified to become more dangerous. This morning some hackers were already claiming to do so in some IRC channels.
Sending malicious data to TCP port 135 on an unpatched machine grants SYSTEM privileges. Most firewalls would protect against this exploit. From reports (I have not yet run the code) this could be specially formatted data or simply a brute attack on the RPC (Remote Procedure Call) process. With SYSTEM privileges the exploit can be used to install an FTP application and upload malicious code.
After using the above exploit, MSBlast installs the Trivial File Transfer Protocol (TFTP) server and then uses it to download its code to the computer. It adds a registry key so that it starts again when the machine reboots. It is often noticed by a message telling the user that the machine is shutting down:
"System is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM.
Windows must now restart because the Remote Procedure Call (RPC) terminated unexpectedly."
The worm also sends out a "greet" to other hackers and executes a DoS attack on windowsupdates. The following messages are also sent to windows: "billy gates why do you make this possible?" and "Stop making money and fix your software!!"
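The infection pattern described above (one host hitting many neighbours on TCP/135, followed by a TFTP transfer on UDP/69) is what a network admin can look for in firewall logs. The following is an added example, not part of the original post or any vendor tool; the log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from the original post). Assumed format:
# "<date> <time> <ACCEPT|DROP> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2003-08-11 14:02:01 ACCEPT TCP 10.0.0.7:1042 -> 10.0.0.21:135
2003-08-11 14:02:01 ACCEPT TCP 10.0.0.7:1043 -> 10.0.0.22:135
2003-08-11 14:02:02 DROP TCP 10.0.0.7:1044 -> 10.0.0.23:135
2003-08-11 14:02:02 DROP TCP 10.0.0.7:1045 -> 10.0.0.24:135
2003-08-11 14:02:03 ACCEPT TCP 10.0.0.7:1046 -> 10.0.0.25:135
2003-08-11 14:02:05 ACCEPT UDP 10.0.0.21:1029 -> 10.0.0.7:69
2003-08-11 14:03:10 ACCEPT TCP 10.0.0.9:2211 -> 10.0.0.3:80
2003-08-11 14:03:11 ACCEPT TCP 10.0.0.9:2212 -> 10.0.0.3:135
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (ACCEPT|DROP) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")

def parse(log_text):
    """Turn the constructed log text into (ts, action, proto, src, sport, dst, dport) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, action, proto, src, sport, dst, dport = m.groups()
            events.append((ts, action, proto, src, int(sport), dst, int(dport)))
    return events

def find_suspects(log_text, min_targets=3):
    """Return {src_ip: summary} for hosts that probe TCP/135 on many distinct
    machines (Blaster-style scanning). Dropped attempts count too: the scan is
    visible whether or not the firewall let it through. Any TFTP (UDP/69)
    clients pulling from the scanner are listed alongside."""
    rpc_targets = defaultdict(set)   # src -> set of dst addresses hit on TCP/135
    tftp_clients = defaultdict(set)  # tftp server -> hosts fetching from it
    for ts, action, proto, src, sport, dst, dport in parse(log_text):
        if proto == "TCP" and dport == 135:
            rpc_targets[src].add(dst)
        elif proto == "UDP" and dport == 69:
            tftp_clients[dst].add(src)
    suspects = {}
    for src, targets in rpc_targets.items():
        if len(targets) >= min_targets:
            suspects[src] = {"rpc_targets": len(targets),
                             "tftp_clients": sorted(tftp_clients.get(src, set()))}
    return suspects
```

A single connection to port 135 is normal Windows RPC traffic, which is why the threshold is on distinct destinations rather than on any hit at all.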
The first step should be to try automated removal tools:
Symantec W32.Blaster.Worm Removal Tool
Download the removal Tool
With both methods of removal prepare and then perform the removal offline.
Manual Removal (from Symantec's Write Up)
Disable System Restore (Windows XP).
Update the virus definitions.
End the Trojan process.
Run a full system scan and delete all the files detected as W32.Blaster.Worm.
Reverse the changes that the Trojan made to the registry.
1. Disabling System Restore (Windows XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
2. Updating the virus definitions
This depends on your antivirus program. Post a help request here on this thread if you need help with this.
3. Ending the Worm process
To end the Trojan process:
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for msblast.exe.
If you find the file, click it, and then click End Process.
Exit the Task Manager.
4. Scanning for and deleting the infected files
Use your antivirus program to do a full scan of your computer and delete all infected files. Instructions for this depend on your antivirus software, so post a help request if you need help with this step.
5. Reversing the changes made to the registry
Editing the registry is tricky. Make sure to back up your registry first!
"How to make a backup of the Windows registry,"
Click Start, and then click Run. (The Run dialog box appears.)
Then click OK. (The Registry Editor opens.)
Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value: "windows auto update"="msblast.exe"
Exit the Registry Editor.
Removal instructions are by Douglas Knowles and are found in the Symantec write-up; the instructions have been slightly modified here to help infected users who do not use Norton AntiVirus.
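To confirm that steps 3 and 5 actually took, it helps to check the two host indicators the write-up names (the "windows auto update" Run value and the msblast.exe process) from an exported copy of the Run key and a process listing rather than by eye. This is an added example, not part of the original post or Symantec's write-up; the .reg export and the process listing below are constructed samples, and the listing format is assumed to be "Image Name" followed by the PID.

```python
import re

# Constructed sample of a regedit export of the Run key (not from the original post).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"windows auto update"="msblast.exe"
"""

# Constructed sample of Task Manager / tasklist style output (header, then one line per process).
SAMPLE_PROCS = """\
Image Name                   PID
System                         4
explorer.exe                 912
msblast.exe                 1340
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WORM_VALUE_NAME = "windows auto update"   # value name the worm adds, per the write-up
WORM_IMAGE = "msblast.exe"                # process/image name, per the write-up

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from a .reg export (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'^"([^"]*)"="([^"]*)"$', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys

def blaster_indicators(reg_text, proc_text):
    """Report whether the Run value and the running process are still present.
    Registry key and value names are compared case-insensitively, as Windows does."""
    keys = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    run_values = {n.lower(): d for n, d in keys.get(RUN_KEY.lower(), {}).items()}
    data = run_values.get(WORM_VALUE_NAME)
    run_hit = data is not None and data.lower().endswith(WORM_IMAGE)
    proc_hit = any(l.split()[0].lower() == WORM_IMAGE
                   for l in proc_text.splitlines()[1:] if l.split())
    return {"run_value_present": run_hit, "process_running": proc_hit}
```

Both flags should read False after a successful cleanup; a True on the Run value with no process running means the worm will come back at the next reboot.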