
Win32.Msblast.A


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Msblast.A is also known as W32.Blaster.Worm (NAV).

Explanation :

Once run, the worm creates a mutex called BILLY to signal its presence in the system, installs itself as %SYSTEM%\MSBlast.exe (e.g. in C:\Windows\System32) and creates a new value in the registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

The value is called "windows auto update" and points to the copied file, so that the worm is loaded into memory each time the computer is restarted.
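
A read-only host check for the three indicators described above (mutex, dropped file, Run value), added here as an example and not BitDefender's own tooling. The function name is hypothetical, and the extra `Global\` mutex lookup is an assumption to cover a mutex created in a different session.

```powershell
# Added example: read-only check for the indicators named in the description.
# Test-MsblastIndicators is a hypothetical name, not a vendor tool.
function Test-MsblastIndicators {
    $runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $valueName = 'windows auto update'
    $filePath  = Join-Path ([Environment]::SystemDirectory) 'MSBlast.exe'

    # Run value: capture what it points to, if present (names are case-insensitive).
    $runData = $null
    $key = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $valueName)) {
        $runData = $key.GetValue($valueName)
    }

    # Dropped file in the system directory.
    $filePresent = Test-Path -LiteralPath $filePath

    # Mutex: OpenExisting never creates the object, so the check leaves no trace.
    # Assumption: 'Global\BILLY' is also tried in case the mutex lives in another session.
    $mutexName = $null
    foreach ($name in 'BILLY', 'Global\BILLY') {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($name)
            $m.Close()
            $mutexName = $name
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # No mutex with this name.
        } catch [System.UnauthorizedAccessException] {
            $mutexName = $name   # exists, but its ACL denies access to this account
        }
    }

    [pscustomobject]@{
        RunValueData = $runData
        FilePresent  = $filePresent
        MutexName    = $mutexName
        Suspicious   = [bool]($runData -or $filePresent -or $mutexName)
    }
}

Test-MsblastIndicators | Format-List
```

A mutex hit means the process is running now, while the file and Run value persist across reboots, so the three fields are worth reading separately rather than only as the combined flag.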

It spreads by exploiting the Microsoft Windows DCOM RPC vulnerability. When it detects a vulnerable system, it uses the exploit to issue a TFTP command on that system to fetch a copy of the worm, which is then executed.

As its payload, the worm initiates denial-of-service (DoS) attacks on windowsupdate.com after the 15th of August 2003.

Its body includes two strings, which are not used:
I just want to say LOVE YOU SAN!!
and
billy gates why do you make this possible ? Stop making money and fix your software!!

The worm was written in C and compiled with LCC-Win32.

Last update 21 November 2011

 
