A self-propagating worm has made its way around the Internet today, reportedly infecting over 125,000 computers, though the actual number could be higher. The worm, known as “LovSan” or “MSBlast,” has even brought down all the computers at the Maryland Department of Motor Vehicles; they were forced to close their doors earlier today.

The worm propagates itself using the DCOM RPC protocol on TCP 135. It causes the infected host computer to continue infecting other hosts on the same subnet using TCP 135, to listen for TFTP connections on UDP 69, and to set up a hidden remote command shell that listens on TCP 4444. The worm also has a “time bomb” element that will instruct all infected computers to perform a distributed denial of service (DDoS) attack against the Windows Update web site when the system date reaches August 15th. Read more about the worm, and how to get rid of it here.
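The three network behaviours described above can be turned into a triage check over flow or firewall logs. The following is an added example, not part of the original post; the record format (`src dst proto dst_port`), the fan-out threshold and the /24 subnet size are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real traffic): src dst proto dst_port
SAMPLE_FLOWS = """\
10.1.2.15 10.1.2.20 tcp 135
10.1.2.15 10.1.2.21 tcp 135
10.1.2.15 10.1.2.22 tcp 135
10.1.2.15 10.1.2.23 tcp 135
10.1.2.22 10.1.2.15 udp 69
10.1.2.15 10.1.2.22 tcp 4444
10.1.2.40 10.1.2.5 tcp 135
10.1.2.40 10.1.9.9 tcp 443
"""

def parse(text):
    """Yield (src, dst, proto, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield (ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]),
                   parts[2].lower(), int(parts[3]))
        except ValueError:
            continue

def find_suspects(text, fanout_threshold=3, prefix=24):
    """Map host -> sorted indicator tags for the behaviours the post lists."""
    peers_135 = defaultdict(set)   # src -> same-subnet peers contacted on TCP 135
    findings = defaultdict(set)
    for src, dst, proto, port in parse(text):
        subnet = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        if proto == "tcp" and port == 135 and dst in subnet:
            peers_135[src].add(dst)
        elif proto == "udp" and port == 69:
            findings[str(dst)].add("tftp-69")      # host is answering TFTP
        elif proto == "tcp" and port == 4444:
            findings[str(dst)].add("shell-4444")   # host has a listener on 4444
    for src, peers in peers_135.items():
        if len(peers) >= fanout_threshold:         # one RPC client is normal; a sweep is not
            findings[str(src)].add("rpc-135-fanout")
    return {host: sorted(tags) for host, tags in findings.items()}

if __name__ == "__main__":
    for host, tags in sorted(find_suspects(SAMPLE_FLOWS).items()):
        print(host, ", ".join(tags))
```

Hosts that carry more than one tag are the ones to isolate and clean first; a single TCP 135 connection to a server stays below the threshold and is not flagged.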

This thing is downright nasty! Last night, I helped my friend Mark J. Asher clear his computer of the virus manually, and it is a pain in the ass, especially if other computers on your subnet are infected. The denial of service function of the worm makes it really scary. It is equivalent to giving people a deadly disease and then taking away the only known cure. Be sure to patch your computer now!

  1. My department is still trying to clean up the mess at good ole NSU. When Mr. Norton sends a security bulletin about RPC vulnerabilities, people should listen! Bitches.

