Threat Encyclopedia

Subtitle

Virus, spyware, worms and other threat descriptions

Selected viruses, spyware, and other threats: sorted alphabetically

0-9
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
 

Win32/Lovsan.A

Aliases: MSBlast, Blaster, Poza

Win32/Lovsan.A worm has been discovered on August 11, 2003. Computers protected by NOD32, with database 1.480 (20030812) and higher are protected. NOD32 cleans the infection by means of deletion.

MS Windows Vulnerability
The worm exploits the vulnerability of the Remote Procedure Call protocol (RPC) described in details in Microsoft Bulletin: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
The vulnerability permits an attacker (e.g. worm) to gain control over the remote computer by various means (installing programs, creating accounts, etc.) Aforementioned MS website provides available patches for affected platforms (Windows 2000 and Windows XP). Do not delay installation of the corresponding patch in spite of an updated antivirus protection.

Note:
Due to the nature of the exploited vulnerability, the worm may infect an unprotected system without any intervention of a user. Win32/Lovsan.A is not a mass mailing worm.

Impact on the infected system:
The worm causes system instabilities and crashes of certain application (e.g. MS Explorer, MS Outlook) and causes the system to reboot (reported).
It adds the following value: “windows auto update”=“msblast.exe” into the registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run providing worm execution upon each system restart.

To attack computers in a network (internet), the worm uses a special random-search algorithm to attempt to identify computers that may be attacked via port 135. The data sent via this port may create a hidden cmd.exe shell that listens on TCP port 4444. The worm also listens on UDP port 69 and upon request it sends its body (msblast.exe). The attacked remote computer is instructed to connect back and download/execute the worm code.
As of August 16 (date > 15 or month >= 8), the infected computer will generate packets sent to windowsupdate.com, creating a DoS attack.

The worm name has been derived from the text hidden in the code of this worm:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

To clean infected computer, the following steps need to be carried out:

  • If you don''t have the above mentioned patch installed yet, please install it from:
  • http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
  • Click the Control Center icon located on the system taskbar
  • Restart computer to the Safe mode
  • Click "Update now" button (to make sure the latest version of NOD32 database is installed)
  • Go to Start > Programs > Eset > NOD32
  • In the "Targets" Tab select the all available hard-disks by double clicking appropriate icon
  • Click the "Clean" button
  • When the Win32/Lovsan.A worm is found and an action is offered, click "Clean"
  • Restart the system

NOTE:
Under Windows XP operating system it can happen that the infected files are restoring themselves. This problem can occur with various viruses and it is described here.