
W32.Blaster.D.Worm

Discovered: August 19, 2003
Updated: February 13, 2007 12:05:11 PM
Also Known As: WORM_MSBLAST.E [Trend], W32/Lovsan.worm.d [McAfee], W32/Blaster-D [Sophos], Win32.Poza.D [CA]
Type: Worm
Systems Affected: Windows 2000, Windows XP


W32.Blaster.D.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm targets only Windows 2000 and Windows XP computers. While computers that are running Windows NT or Windows 2003 Server are vulnerable to the aforementioned exploit (if not properly patched), the worm is not coded to replicate to those systems.

This worm attempts to download the Mspatch.exe file to the %WinDir%\System32 folder and then execute it. W32.Blaster.D.Worm does not have mass-mailing functionality.

Refer to the Microsoft article, "What You Should Know About the Blaster Worm and Its Variants," for more information.

We recommend that you block access to TCP port 4444 at the firewall level, and then block the following ports if you do not use the applications that rely on them:
  • TCP Port 135, "DCOM RPC"
  • UDP Port 69, "TFTP"
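
To check whether traffic on these three ports is appearing on your network or getting past the firewall, the following added example (not part of the original writeup) triages a firewall connection log per source host. The log format, the sample lines, and the fan-out threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

# Ports named in the writeup, keyed by (protocol, port).
WATCHED = {("tcp", 135): "DCOM RPC", ("tcp", 4444): "TCP 4444", ("udp", 69): "TFTP"}
RPC = ("tcp", 135)
FANOUT_THRESHOLD = 3  # assumed: distinct TCP 135 destinations before a source is flagged

# Constructed sample; assumed format: time src dst proto dport action
SAMPLE_LOG = """\
2003-08-19T10:00:01 10.0.0.5 10.0.0.20 tcp 135 allow
2003-08-19T10:00:01 10.0.0.5 10.0.0.21 tcp 135 allow
2003-08-19T10:00:02 10.0.0.5 10.0.0.22 tcp 135 allow
2003-08-19T10:00:03 10.0.0.5 10.0.0.22 tcp 4444 deny
2003-08-19T10:00:04 10.0.0.22 10.0.0.5 udp 69 allow
2003-08-19T10:00:09 10.0.0.9 10.0.0.30 tcp 135 allow
2003-08-19T10:00:10 10.0.0.9 10.0.0.31 tcp 443 allow
malformed line
"""

def parse(line):
    """Return (src, dst, proto, dport, action), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6 or not parts[4].isdigit():
        return None
    _, src, dst, proto, dport, action = parts
    return src, dst, proto.lower(), int(dport), action.lower()

def triage(log_text, threshold=FANOUT_THRESHOLD):
    """Map each suspicious source to why it was flagged and what got through."""
    dests = defaultdict(lambda: defaultdict(set))  # src -> port key -> {dst}
    allowed = defaultdict(set)                     # src -> labels the firewall let pass
    for rec in filter(None, map(parse, log_text.splitlines())):
        src, dst, proto, dport, action = rec
        key = (proto, dport)
        if key in WATCHED:
            dests[src][key].add(dst)
            if action == "allow":
                allowed[src].add(WATCHED[key])
    report = {}
    for src, by_port in dests.items():
        # TCP 135 is normal in small amounts on a Windows LAN; flag only fan-out.
        fanout = len(by_port.get(RPC, ()))
        reasons = sorted(WATCHED[k] for k in by_port if k != RPC)
        if fanout >= threshold:
            reasons.insert(0, f"DCOM RPC fan-out to {fanout} hosts")
        if reasons:
            report[src] = {"reasons": reasons, "allowed": sorted(allowed[src])}
    return report
```

Any label in a host's "allowed" list marks traffic that the block rules recommended above did not stop.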

The worm also attempts to perform a Denial of Service (DoS) attack on the Microsoft Windows Update Web server (windowsupdate.com). This is an attempt to prevent you from applying the patch for the DCOM RPC vulnerability to your computer.


Symantec Security Response has developed a removal tool to clean W32.Blaster.D.Worm infections.

Antivirus Protection Dates

  • Initial Rapid Release version August 20, 2003
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version August 20, 2003
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date August 20, 2003
Writeup By: Douglas Knowles
