Net-Worm:W32/Lovsan

Classification

Category: Malware
Type: Net-Worm
Aliases: Lovesan, W32/Msblast

Summary

Lovsan is a network worm that spreads by exploiting the RPC/DCOM (MS03-026) vulnerability in Windows.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

CAUTION: Manual disinfection is a risky process; it is recommended only for advanced users.

  1. Boot up the infected computer.
  2. If you keep getting the "Shutdown in 60 seconds" dialog, click Start / Run and execute the command 'shutdown -a'.
  3. Download and save the F-LOVSAN tool to your desktop from: ftp://ftp.f-secure.com/anti-virus/tools/f-lovsan.zip
  4. If you're running Windows XP, Windows System Restore might restore the infection afterwards. Disable it.
  5. Download and run the Microsoft patch to close the RPC hole:
     • Download for Windows 2000 from www.microsoft.com: http://www.microsoft.com/downloads/details.aspx?FamilyId=F4F66D56-E7CE-44C3-8B94-817EA8485DD1
     • Download for Windows XP from www.microsoft.com: http://www.microsoft.com/downloads/details.aspx?FamilyId=5FA055AE-A1BA-4D4A-B424-95D32CFC8CBA
  6. The patch installer will reboot the machine at the end. When the machine reboots, enter SAFE MODE by keeping F8 pressed when the screen goes black for a moment, then choose "1) Safe mode".
  7. When the computer has booted up in Safe Mode, log in and execute the F-LOVSAN tool you downloaded in step 3.
  8. Reboot normally - and you're done.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

  • UPDATE (2003-09-11 08:55 GMT) Another RPC/DCOM vulnerability (MS03-039) has been found. Systems patched against MS03-026 must be repatched. The patch against MS03-039 fixes the MS03-026 vulnerability as well. More information is available at: http://www.microsoft.com/technet/security/bulletin/MS03-039.asp. Note: The Lovsan worm cannot exploit this new vulnerability.
  • UPDATE (2003-09-01 09:00 GMT) Another new variant of the Lovsan worm - Lovsan.F - was found.
  • UPDATE (2003-08-29 03:00 GMT) Another new variant of the Lovsan worm - Lovsan.E - was found.
  • UPDATE (2003-08-19 10:01 GMT) Another new variant of the Lovsan worm - Lovsan.D - was found. Also, the Welchi worm removes Lovsan.A and patches the systems.
  • UPDATE (2003-08-16 08:00 GMT) We monitor Lovsan's DDoS attack against windowsupdate.com at: http://www.f-secure.com/lovsan/
  • UPDATE (2003-08-13 17:21 GMT) Another new variant of the Lovsan worm - Lovsan.C - was found.
  • UPDATE (2003-08-13 14:22 GMT) A new variant of the Lovsan worm - Lovsan.B - was found.
  • UPDATE (2003-08-12 13:03 GMT) F-Secure is upgrading the Lovsan worm (also known as Msblast) to Level 1 as it continues to spread rapidly. Currently it is the most widespread virus in the world. Symptoms include XP machines rebooting.
  • UPDATE (2003-08-11 21:40 GMT) The first sample of the Lovsan worm was received at 19:22 GMT on the 11th of August, 2003. This 6176-byte executable "msblast.exe" contains about 11 kB of uncompressed worm code.

The Vulnerability

Lovsan exploits a vulnerability, "Buffer Overrun In RPC Interface" which is also known as DCOM/RPC and MS03-026. This vulnerability was discovered on July 16th, 2003. More information is available on this vulnerability at http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.

This version of the worm will only infect Windows 2000 and Windows XP machines. Systems such as Windows 95, 98 and Me are unaffected.

The worm might try to exploit Windows XP machines with the Windows 2000 exploit. In many cases the worm causes XP machines to start rebooting periodically with this error message:

This system is being shut down in 60 seconds by NT Authority/System due to an interrupted Remote Procedure Call (RPC)

This dialog is coming from Windows itself, and will show the error message in the localized language.

Note: you might see a similar error message on Windows 2003 too. Also, this might happen on Windows XP and 2003 even if you've applied the right patches. However, the machine won't get infected in these cases - just rebooted.

YOU CAN STOP THE SHUTDOWN TIMER. If your machine keeps rebooting so often that you can't even download the patches, use the 'shutdown' command to abort the reboot. When you see the Shutdown dialog, click Start / Run, type 'shutdown -a' and hit Enter.

Windows 2000 users won't see the timer. However, they might see other effects from the RPC exploit, such as:

  1. Problems when creating email messages, at least in Outlook and Outlook Express
  2. Visual problems with Control Panel
  3. Add/Remove Programs does not work
  4. Drag & Drop function does not work
  5. Copy / Paste function does not work
  6. Some executables don't work
  7. Problems with JavaScript
  8. Some programs won't Save at all

Spreading Algorithm

The worm uses a sequential scanning algorithm with random starting points. The algorithm has a mode in which it favors the networks surrounding the infected host. Note: in the description below an IP address is written as A.B.C.D.

First the worm fetches the IP address of the infected host and splits it into the variables A, B, C and D. Based on a random number between 1 and 20, either the host's IP is used as the basis of scanning or a totally random IP is generated.

If the random number is greater than or equal to 12, the host's IP is used. In this case, if C is greater than 20, the worm subtracts 20 from it. D is always set to 0.

If the worm chooses to use a totally random start IP, it generates A, B and C from random numbers:

  • A from 1 to 254
  • B from 0 to 253
  • C from 0 to 253
  • D is always 0

Using these base addresses Lovsan starts to scan for vulnerable hosts. The algorithm scans 20 hosts at a time; the targets are successive IP addresses starting from the base address. The worm tries to connect to port 135 on all 20 hosts and checks whether the connection is successful. In that case Lovsan uses one of many different DCOM exploits to infiltrate the host.

There are two hardcoded values in the exploit which are randomly chosen. These values make the exploit work on either Windows 2000 or Windows XP systems. When the exploit starts on the remote machine it opens a shell through which the worm copies itself to the host using TFTP (Trivial File Transfer Protocol). The TFTP client comes with Windows 2000/XP systems, and the worm has a built-in TFTP server. After the worm is copied to the remote host it is started there through the shell.
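The scanning pattern just described (20 successive addresses starting from a base whose last octet is 0, each probed on TCP port 135) is what a network defender would look for in connection logs. The following Python is an added example, not F-Secure's tooling or the worm's code: it parses a constructed firewall-log format, groups TCP/135 connection attempts by source address and flags any source that reached a run of at least 20 consecutive destination addresses. The log format, the sample lines and the threshold of 20 are assumptions made for this example.

```python
"""Detect Lovsan-style TCP/135 sweeps in connection logs.

Added example (not F-Secure's or the worm's code). A source host that
tries port 135 on a block of consecutive destination addresses is
reported. Log format and sample lines are constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed log format: "<time> <src> -> <dst>:<dport> <proto>"
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def _constructed_log():
    """Constructed sample: one host sweeping 10.20.30.0-.19 on TCP/135
    (20 successive hosts from a base ending in .0, as described above)
    plus ordinary traffic from a second host."""
    lines = [f"10:00:{i:02d} 192.168.5.17 -> 10.20.30.{i}:135 tcp" for i in range(20)]
    lines += [
        "10:00:05 192.168.5.42 -> 10.20.30.5:445 tcp",
        "10:00:06 192.168.5.42 -> 10.20.30.5:135 tcp",
        "10:00:07 192.168.5.42 -> 10.20.30.200:80 tcp",
        "10:00:08 192.168.5.42 -> 10.20.30.6:135 tcp",
        "this line is not a connection record",
    ]
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Return (src, dst, dport, proto) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"]), m["proto"].lower()


def longest_consecutive_run(addresses):
    """Return (start_ip, length) of the longest run of consecutive IPv4
    addresses among `addresses`; (None, 0) if the set is empty."""
    ints = sorted({int(ipaddress.IPv4Address(a)) for a in addresses})
    best_start, best_len = None, 0
    run_start, run_len, prev = None, 0, None
    for n in ints:
        if prev is not None and n == prev + 1:
            run_len += 1
        else:
            run_start, run_len = n, 1
        if run_len > best_len:
            best_start, best_len = run_start, run_len
        prev = n
    if best_start is None:
        return None, 0
    return str(ipaddress.IPv4Address(best_start)), best_len


def find_sweeps(lines, port=135, min_run=20):
    """Map each source to (base_ip, run_length) when it attempted TCP `port`
    on at least `min_run` consecutive destination addresses."""
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport, proto = parsed
        if proto == "tcp" and dport == port:
            targets[src].add(dst)
    hits = {}
    for src, dsts in targets.items():
        base, length = longest_consecutive_run(dsts)
        if length >= min_run:
            hits[src] = (base, length)
    return hits


if __name__ == "__main__":
    for src, (base, n) in find_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept {n} consecutive hosts on TCP/135 starting at {base}")
```

The threshold is deliberately tied to the worm's batch size of 20; lowering `min_run` trades false positives (legitimate RPC clients talking to a few neighbouring servers) for earlier detection of a sweep that is still in progress.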

The following graphic shows the relative amount of TCP SYN packets that our network sensor system received between the 1st and the 20th of August. A clear increase in the number of packets to port 135 (shown in red) can be seen.

Infection

When Lovsan infects a vulnerable system, its file is named 'msblast.exe', which it adds to the registry as:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update

This way the worm will be started every time Windows starts up.

Payload

Starting from the 16th of August, machines infected with Lovsan will send a massive amount of packets to windowsupdate.com. 40-byte packets are sent at 20 millisecond intervals to port 80. This will perform a Distributed Denial-of-Service attack on that website.

The payload trigger routine checks the day of the month first. If the day is 16 or later it triggers immediately; otherwise it checks the month. If the month is September or later the payload is activated.

In practice this logic will start the DDoS attacks on the 16th of August and continue them until the end of the year. Next year it will attack from the 16th to the end of each month until the 16th of August, when it starts the non-stop attack until the end of the year.

The payload trigger is checked only once, when the worm is started, so computers running the worm will start the DDoS attack only when Windows is first restarted after the 16th of August. This might mean that the attack volume will start growing on August 16th and continue growing until Monday the 18th - when people come back to work and boot up their work computers.
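The trigger logic in the three paragraphs above can be written down as a plain date test, which is useful for working out when infected machines would join the flood. The Python below is an added example, not the worm's code: it models the described condition (day of month 16 or later, or month September or later), lists the resulting attack windows for any year, which generalises the page's description of 2003 and 2004, and models the once-at-start-up check against a constructed list of reboot dates. The reboot history is constructed for the example.

```python
"""Lovsan DDoS payload trigger, modelled from the description above.

Added example, not the worm's code. The trigger fires when the day of
the month is 16 or later, or the month is September or later, and it is
evaluated only once, when the worm process starts.
"""
from datetime import date, timedelta


def payload_triggers(d):
    """The described trigger test for calendar date `d`."""
    return d.day >= 16 or d.month >= 9


def attack_windows(year):
    """Return the (first_day, last_day) ranges within `year` during which
    the trigger condition holds, walking the calendar day by day."""
    windows = []
    start = None
    d = date(year, 1, 1)
    while d.year == year:
        if payload_triggers(d) and start is None:
            start = d                      # window opens
        elif not payload_triggers(d) and start is not None:
            windows.append((start, d - timedelta(days=1)))  # window closes
            start = None
        d += timedelta(days=1)
    if start is not None:                  # window still open on 31 December
        windows.append((start, date(year, 12, 31)))
    return windows


def first_attacking_boot(boot_dates):
    """The trigger is evaluated once per worm start-up. Given the dates on
    which an infected machine was (re)booted, return the first one on which
    the worm would have begun flooding, or None if none qualifies."""
    for d in sorted(boot_dates):
        if payload_triggers(d):
            return d
    return None


# Constructed reboot history: a workstation used on Thursday and Friday,
# switched off over the weekend of 16-17 August 2003, booted again on Monday.
SAMPLE_BOOTS = [date(2003, 8, 14), date(2003, 8, 15), date(2003, 8, 18)]


if __name__ == "__main__":
    for first, last in attack_windows(2004):
        print(f"{first} .. {last}")
    print("flood begins on", first_attacking_boot(SAMPLE_BOOTS))
```

Running it for 2004 produces seven half-month windows (the 16th to the end of each month, January through July) followed by one continuous window from 16 August to 31 December, matching the text; the constructed reboot history shows why a machine infected on the 14th does not join the flood until its first boot on the 18th.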

The attack packets will be difficult to filter without also filtering normal web access to windowsupdate.com. However, at least Windows 98, Me, 2000 and Windows XP machines do NOT connect to windowsupdate.com when the "Windows Update" function is selected from the Start menu.

These machines connect either to:

  • windowsupdate.microsoft.com

or to URLs like:

  • www.microsoft.com/isapi/redir.dll?prd=Win2000&ar=WinUpdate

So, in a nutshell: unless Microsoft changes the IP address of windowsupdate.com before the attack starts to 127.0.0.1, windowsupdate.com will most likely go down under DDoS. If they change the IP, the site will be inaccessible anyway. However, Windows Update service will probably stay up, as it's not running on that machine in the first place.

The worm contains these texts (which are not displayed):

  • I just want to say LOVE YOU SAN!!
  • billy gates why do you make this possible ? Stop making money and fix your software!!