Virus Lovesan (Blaster)
Lovesan is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026)
using TCP port 135. The worm targets only Windows 2000 and Windows XP machines.
The worm copies itself to:
%System%\msblast.exe (lovesan.a)
%System%\penis32.exe (lovesan.b)
%System%\teekids.exe (lovesan.c)
%System%\mspatch.exe (lovesan.d)
%System%\mslaugh.exe (lovesan.e)
%System%\enbiei.exe (lovesan.f)
NOTE: %System% is a variable for the Windows system folder.
The worm locates this folder (by default, this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.
The worm adds the value:
"windows auto update" = "msblast.exe" (lovesan.a)
"windows auto update" = "penis32.exe" (lovesan.b)
"Microsoft Inet Xp.." = "teekids.exe" (lovesan.c)
"Nonton Antivirus " = "mspatch.exe" (lovesan.d)
"windows automation" = "mslaugh.exe" (lovesan.e)
"www.hidro.4t.com" = "enbiei.exe" (lovesan.f)
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
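An added example (not part of the original description): a Python check that takes the text output of `reg query` for the Run key above and flags values matching the entries listed here, whether the data is a bare file name, a full path or a quoted path. The function names and the sample output are constructed for illustration.

```python
import re

# (Run value name, file name, variant) as listed for the Run key on this page.
LOVESAN_RUN_ENTRIES = [
    ("windows auto update", "msblast.exe", "lovesan.a"),
    ("windows auto update", "penis32.exe", "lovesan.b"),
    ("Microsoft Inet Xp..", "teekids.exe", "lovesan.c"),
    ("Nonton Antivirus ", "mspatch.exe", "lovesan.d"),
    ("windows automation", "mslaugh.exe", "lovesan.e"),
    ("www.hidro.4t.com", "enbiei.exe", "lovesan.f"),
]

# One value line of `reg query` output: <name> <REG_type> <data>.
_VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")

def _norm(text):
    """Lower-case and collapse whitespace so padding and case do not matter."""
    return " ".join(text.split()).lower()

def scan_run_key(reg_query_output):
    """Return (variant, match_kind, value_name) for each suspicious Run value."""
    findings = []
    for line in reg_query_output.splitlines():
        m = _VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name = _norm(m["name"])
        # Split the command on path separators, quotes and spaces so a bare
        # file name, a full path and a quoted path all yield the file name.
        tokens = set(re.split(r'[\\/"\s]+', m["data"].lower()))
        by_file = [(n, v) for n, f, v in LOVESAN_RUN_ENTRIES if f in tokens]
        by_name = [v for n, f, v in LOVESAN_RUN_ENTRIES if _norm(n) == name]
        for n, v in by_file:
            kind = "name+file" if _norm(n) == name else "file"
            findings.append((v, kind, m["name"]))
        if not by_file and by_name:
            # Known value name pointing at another file: still worth a look.
            findings.append(("/".join(by_name), "name-only", m["name"]))
    return findings

# Constructed sample output, not taken from a real machine.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    windows auto update    REG_SZ    msblast.exe
    Nonton Antivirus    REG_SZ    "C:\WINNT\System32\MSPATCH.EXE"
    windows automation    REG_SZ    C:\Temp\renamed.exe
"""
```

A "name-only" finding means the value name matches the list but the file does not, so it needs manual review rather than automatic removal.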
© Copyright 2000-2008 AnVir Software. All Rights Reserved.