Madrid, August 17, 2003 - This week's report looks at five worms, Blaster, Blaster.B, Blaster.C, RPCSdbot and RPCSdbot.B, which all exploit the same vulnerability in order to spread to as many computers as possible, and at the Trojan HatFiend.10.
After its appearance on Monday, Blaster rapidly infected thousands of computers and reached the highest position in the list of viruses most frequently detected by the free online scanner, Panda ActiveScan.
Blaster spreads by attacking IP addresses (generated at random) belonging both to the network of the computer on which it is running and to class B networks. On these IP addresses the worm tries to exploit the 'Buffer Overrun in RPC Interface' vulnerability in order to download a copy of itself, in a file named MSBLAST.EXE, to the compromised computer. To do this, Blaster incorporates its own TFTP server.
Blaster has the following effects:
- Denial of service (DoS) attacks against the windowsupdate.com website whenever the system date is between August 16 and December 31, 2003. If this condition is met, the worm sends a 40-byte packet every 20 milliseconds to TCP port 80.
- It can block and restart the attacked computer.
- It increases network traffic on TCP ports 135 and 4444 and on UDP port 69.
The Blaster.B and Blaster.C variants are very similar to the original worm (Blaster). Differences include the fact that they generate files called PENIS32.EXE (B) and TEEKIDS.EXE (C).
Due to the number of incidents caused by these worms, Panda Software has released its PQREMOVE application, designed to clean and repair computers affected by these viruses. It can be downloaded from:
http://www.pandasoftware.com/downloads/utilities
RPCSdbot and RPCSdbot.B also exploit the 'Buffer Overrun in RPC Interface' vulnerability in order to spread. They follow the same routine as Blaster: RPCSdbot and RPCSdbot.B attack IP addresses generated at random and, once a host is compromised, download a copy of themselves to the infected computer by means of their own TFTP server.
RPCSdbot and RPCSdbot.B also drop a backdoor-type Trojan, which allows a hacker to install programs, delete and download files, carry out DoS attacks, etc. on the infected computer.
Since Blaster and RPCSdbot exploit the same vulnerability, which affects Windows 2003/XP/2000/NT computers, users of these platforms are advised to install the patches provided by Microsoft. These patches can be downloaded from:
http://www.microsoft.com/security/security_bulletins/ms03-026.asp
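The propagation pattern described above (random TCP/135 probing, a TCP/4444 connection to a compromised host, and a UDP/69 TFTP pull of the worm body) leaves a recognisable trace in perimeter logs. The following is an added detection example, not code from Panda Software or this report; it assumes a constructed log format of "timestamp src dst proto dport" and a scan threshold chosen here for illustration.

```python
from collections import defaultdict

# Constructed sample firewall log lines (not from the report): "timestamp src dst proto dport".
SAMPLE_LOG = """\
10:00:01 10.0.0.5 10.0.0.20 TCP 135
10:00:01 10.0.0.5 10.0.0.21 TCP 135
10:00:01 10.0.0.5 10.0.0.22 TCP 135
10:00:02 10.0.0.5 10.0.0.23 TCP 135
10:00:02 10.0.0.5 10.0.0.24 TCP 135
10:00:03 10.0.0.5 10.0.0.22 TCP 4444
10:00:03 10.0.0.22 10.0.0.5 UDP 69
10:00:04 10.0.0.9 10.0.0.20 TCP 135
10:00:05 10.0.0.9 10.0.0.30 TCP 80
"""

# Assumption for this example: this many distinct TCP/135 targets from one host counts as a scan.
SCAN_THRESHOLD = 5

def find_blaster_candidates(log_text, scan_threshold=SCAN_THRESHOLD):
    """Return {src: [reasons]} for hosts matching the report's propagation pattern:
    many TCP/135 connections to distinct hosts, a TCP/4444 connection to a scanned
    host, and a UDP/69 (TFTP) request from that host back to the scanner."""
    targets_135 = defaultdict(set)   # scanner -> hosts it probed on TCP/135
    shell_4444 = defaultdict(set)    # scanner -> hosts it connected to on TCP/4444
    tftp_69 = defaultdict(set)       # TFTP server (attacker) -> hosts that pulled from it
    for line in log_text.strip().splitlines():
        _ts, src, dst, proto, dport = line.split()
        dport = int(dport)
        if proto == "TCP" and dport == 135:
            targets_135[src].add(dst)
        elif proto == "TCP" and dport == 4444:
            shell_4444[src].add(dst)
        elif proto == "UDP" and dport == 69:
            tftp_69[dst].add(src)    # victim (src) fetches the worm from attacker's TFTP server (dst)
    findings = {}
    for src, targets in targets_135.items():
        reasons = []
        if len(targets) >= scan_threshold:
            reasons.append(f"TCP/135 scan of {len(targets)} hosts")
        hit = shell_4444.get(src, set()) & targets
        if hit:
            reasons.append(f"TCP/4444 connection to scanned host(s) {sorted(hit)}")
        pulled = tftp_69.get(src, set()) & targets
        if pulled:
            reasons.append(f"UDP/69 TFTP pull by scanned host(s) {sorted(pulled)}")
        if reasons:
            findings[src] = reasons
    return findings
```

A host flagged on all three reasons is a strong candidate for isolation and PQREMOVE cleanup; a lone TCP/135 connection, as for 10.0.0.9 in the sample, is not reported.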
We finish this report with HatFiend.10, a backdoor-type Trojan which allows hackers to gain remote access to other computers in order to carry out actions that can compromise user confidentiality and impede the tasks performed on the computer. This malicious code goes memory resident, opens port 1871 on the affected computer, and carries out several actions such as logging keystrokes and controlling the hard drives.
For further information about these and other viruses, visit Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/.