The LovSan/Blaster virus

July 2015

Introduction to the LovSan virus

Appearing in the summer of 2003, LovSan (also known as W32/Lovsan.worm, W32/Lovsan.worm.b, W32.Blaster.Worm, W32/Blaster-B, WORM_MSBLAST.A, MSBLASTER, Win32.Poza, Win32.Posa.Worm, and Win32.Poza.B) is the first virus to exploit the security hole in the RPC/DCOM feature (Remote Procedure Call) in Microsoft Windows which allows remote processes to communicate. By exploiting the hole with a buffer overflow, malware (like the LovSan virus) may take control of a vulnerable machine. Windows NT 4.0, 2000, XP and Windows Server 2003 are all affected.

What the virus does

The LovSan / Blaster worm is programmed to scan a random range of IP addresses looking for systems vulnerable to the RPC hole on port 135.

When a vulnerable machine is found, the worm opens a remote shell on TCP port 4444 and makes the remote computer download a copy of the worm into the directory %WinDir%\system32 by running a TFTP command that fetches the file from the infected machine (UDP port 69).

Once downloaded, the file is run and creates the following registry entry so that it runs again every time the computer restarts:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill

What's more, the LovSan/Blaster virus attacks the Microsoft Windows Update service in order to disrupt the updating of vulnerable machines.
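As an added example (not part of the original article), the following Python script shows how a defender could spot the propagation chain described above in firewall logs: one host probing many addresses on TCP/135, then reaching a target's TCP/4444 shell, and that target pulling the worm back over UDP/69. The log format, addresses and threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (invented sample data, not a real capture), one flow
# per line. 192.168.1.10 plays the infected host; 192.168.1.50 is ordinary traffic.
SAMPLE_LOG = """\
2003-08-11T14:02:01 proto=TCP src=192.168.1.10:1047 dst=192.168.1.20:135 action=ALLOW
2003-08-11T14:02:01 proto=TCP src=192.168.1.10:1048 dst=192.168.1.21:135 action=ALLOW
2003-08-11T14:02:01 proto=TCP src=192.168.1.10:1049 dst=192.168.1.22:135 action=ALLOW
2003-08-11T14:02:01 proto=TCP src=192.168.1.10:1050 dst=192.168.1.23:135 action=ALLOW
2003-08-11T14:02:02 proto=TCP src=192.168.1.10:1051 dst=192.168.1.33:135 action=ALLOW
2003-08-11T14:02:02 proto=TCP src=192.168.1.10:1052 dst=192.168.1.33:4444 action=ALLOW
2003-08-11T14:02:03 proto=UDP src=192.168.1.33:1025 dst=192.168.1.10:69 action=ALLOW
2003-08-11T14:05:00 proto=TCP src=192.168.1.50:3000 dst=192.168.1.20:445 action=ALLOW
"""

FLOW_RE = re.compile(
    r"proto=(?P<proto>TCP|UDP) src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_flows(text):
    """Yield (proto, src, dst, dport) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            yield m["proto"], m["src"], m["dst"], int(m["dport"])

def find_blaster_activity(text, scan_threshold=5):
    """Per source host, collect the three stages described above: RPC probes
    (TCP/135), the remote shell (TCP/4444) and the victim's TFTP pull (UDP/69 back
    to the infected host). Flag hosts that probed >= scan_threshold distinct targets
    on 135 or that completed the full chain against at least one victim."""
    rpc, shell, tftp = defaultdict(set), defaultdict(set), defaultdict(set)
    for proto, src, dst, dport in parse_flows(text):
        if proto == "TCP" and dport == 135:
            rpc[src].add(dst)          # infected host probing a target
        elif proto == "TCP" and dport == 4444:
            shell[src].add(dst)        # infected host reaching the opened shell
        elif proto == "UDP" and dport == 69:
            tftp[dst].add(src)         # victim pulling msblast.exe from the infected host
    findings = {}
    for host in set(rpc) | set(shell) | set(tftp):
        chain = rpc[host] & shell[host] & tftp[host]   # victims seen in all three stages
        if len(rpc[host]) >= scan_threshold or chain:
            findings[host] = {"rpc_targets": len(rpc[host]),
                              "shell_targets": sorted(shell[host]),
                              "full_chain_victims": sorted(chain)}
    return findings
```

The 135-only scan threshold catches hosts that are still scanning, while the three-stage match confirms a completed infection even when the scan volume is low.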

Symptoms of infection

Exploiting the RPC vulnerability causes several malfunctions on affected systems related to deactivating RPC (the process svchost.exe / rpcss.exe). Vulnerable systems have the following symptoms:

  • Copy/Paste is defective or unusable
  • Opening a hyperlink in a new window is impossible
  • Moving icons is impossible
  • Windows file search is erratic
  • Port 135/TCP is closed
  • Windows XP reboots: the system is constantly being restarted by NT AUTHORITY\SYSTEM with the following message:
    Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly.
    The system is shutting down in 60 seconds. Please save all work in progress
    and log off. This shutdown was initiated by NT AUTHORITY\SYSTEM.

Eradicating the virus

To eradicate the LovSan virus, the best method is to first disinfect the system using the following virus removal tool:
Download the virus removal tool

If your system is rebooting constantly, you must disable automatic restart:
  • First, go to Start / Run and then enter the following command to prevent automatic restarts from taking place:
    shutdown -a
  • Right-click on My Computer
  • Click on Properties / Advanced / Startup and Recovery / Settings
  • Uncheck the "Automatically restart" box.
You can turn this option back on once your system is running normally again.

You should then update the system, either by using Windows Update or by downloading and installing whichever patch is right for your operating system:

In addition, since the worm spreads using Microsoft Windows networking, it is strongly recommended to install a personal firewall on machines connected to the Internet, and to filter ports TCP/69, TCP/135 to TCP/139 and TCP/4444.


This document entitled « The LovSan/Blaster virus » from CCM (ccm.net) is made available under the Creative Commons license. You can copy and modify copies of this page under the conditions stipulated by the license, as long as this note appears clearly.