
MSBLAST.EXE

PROCESS INFORMATION

Process Name : msblast.exe
Process Path : %System%\msblast.exe [ C:\Windows\System32\msblast.exe ]
Process type : Internet Worm
Malware Name : W32.Blaster.Worm
Alias : Worm/Lovsan, W32/Blaster-A, W32/Lovsan.Worm, WORM_MSBLAST.A, Blaster, Lovesan, Win32.Poza, W32.Blaster.B, Lovsan.B, I-Worm/Generic
Threat level : Low

Process Details :

Msblast.exe is the main component dropped by the Blaster worm. It exploits a vulnerability in the DCOM RPC interface [ Buffer Overrun In RPC Interface ] to infect target systems. The worm randomly scans for IP addresses [ X.X.X.0 Example: 202.124.64.0 ] and infects the vulnerable systems. This worm targets Windows NT, 2000, XP, and Windows Server 2003 systems. Solo Antivirus can detect and remove the Blaster worm and its variants safely.

The Blaster worm copies itself to the Windows System32 folder as msblast.exe and modifies the registry RUN section so that it loads automatically. It then scans for other vulnerable systems and infects them. The registry modification is given below.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"windows auto update"= "msblast.exe"

The Blaster worm can be avoided by installing the security patches from Microsoft. If you have not installed them, you can get a copy at http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

After August 15th, the Blaster worm will launch a distributed denial-of-service attack on the windowsupdate.com server. Users infected by the worm will receive error messages like

System Shutdown
This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM
Time before shutdown : 00:00:59
Message
Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly

Systems infected by the Blaster worm may reboot every few minutes. This will stop the infected users from downloading security patches and antivirus software. You can disable DCOM temporarily to download patches and antivirus software. After installing the security patches and antivirus software, you can enable distributed COM again.

The Blaster worm contains the following string within the worm body:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

Blaster worm variants:

Two new variants of the Blaster worm are spreading in the wild. Blaster.B will create the file penis32.exe in the system32 folder. Blaster.C will create the file teekids.exe in the system32 folder. These variants are packed with backdoor programs, which can be used to steal data from the infected systems.
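
Added example (not part of the original page and not Solo's code): a Python triage check that looks for the Run value and the three dropped file names described above in a registry export and a System32 file listing. It goes slightly beyond the page by also flagging any Run entry whose data names one of those files; the sample export and file list are constructed.

```python
import re

# Indicators as given on the page above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "windows auto update"
DROPPED = {"msblast.exe": "Blaster", "penis32.exe": "Blaster.B",
           "teekids.exe": "Blaster.C"}

# One REG_SZ line of a .reg export: "name"="data", with \\ and \" escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample input (not taken from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON"="C:\\WINDOWS\\system32\\ctfmon.exe"
"windows auto update"="msblast.exe"
'''
SAMPLE_FILES = ["ctfmon.exe", "MSBLAST.EXE", "notepad.exe"]


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: data}} for string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name.lower()] = data
    return keys


def find_blaster_traces(reg_text, system32_names):
    """List ("run", name, data) and ("file", name, variant) findings."""
    findings = []
    run = parse_reg_export(reg_text).get(RUN_KEY.lower(), {})
    for name, data in run.items():
        # Flag the documented value name, or any entry naming a dropped file.
        if name == RUN_VALUE or any(f in data.lower() for f in DROPPED):
            findings.append(("run", name, data))
    for fname in system32_names:
        if fname.lower() in DROPPED:
            findings.append(("file", fname, DROPPED[fname.lower()]))
    return findings


if __name__ == "__main__":
    for finding in find_blaster_traces(SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```

Exports written by regedit in the "Version 5.00" format are UTF-16 encoded, so decode the file accordingly before passing its text to find_blaster_traces.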

How can I protect my system?

Solo has incorporated msblast.exe in its signature file to protect users from this worm attack. Make sure that you have installed a registered version of Solo Antivirus to protect your system from all virus threats.

How to remove this worm?

If you are already infected with this worm, download and install the security patches from the link http://www.microsoft.com/technet/security/bulletin/MS03-026.asp Then run the Solo anti-virus scanner to remove the worm components.

Solo antivirus can detect and remove msblast.exe and its variants safely. Use the following link to download a 30-day trial version of Solo antivirus to remove viruses from your computer.

Solo anti-virus not only scans for all viruses, it contains a unique System Integrity Checker to protect you from New Internet Worms, Backdoors and malicious VB, Java Scripts. It also effectively removes all existing Internet Worms, File viruses, malicious VB, Java scripts, Trojans, Backdoors, boot sector, partition table and macro viruses.

You can purchase Solo antivirus using the link
