W32.Blaster.E.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm targets only Windows 2000 and Windows XP computers. While Windows NT and Windows 2003 Servers are vulnerable to the aforementioned exploit (if not properly patched), the worm is not coded to replicate to those systems. This worm attempts to download the Mslaugh.exe file into the %Windir%\System32 folder, and then execute it.
W32.Blaster.E.Worm does not have mass-mailing functionality.
Additional information is available in the Microsoft article, "What You Should Know About the Blaster Worm and Its Variants."
We recommend that you block access to TCP port 4444 at the firewall level, and then block the following ports if you do not use the applications listed:
- TCP Port 135, "DCOM RPC"
- UDP Port 69, "TFTP"
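The following added example, which is not part of the original advisory, scans firewall log text for traffic on the three ports named above so that affected hosts can be located before or after the blocks are in place. The log format, the sample records, the function names and the fan-out threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

# Ports named in the advisory: (protocol, destination port) -> label
WATCHED = {("tcp", 135): "DCOM RPC", ("tcp", 4444): "TCP 4444", ("udp", 69): "TFTP"}

# Constructed sample firewall log (assumed format, not real traffic):
# time src dst proto dport action
SAMPLE_LOG = """\
2003-08-29T10:00:01 10.0.0.5 10.0.1.10 tcp 135 ALLOW
2003-08-29T10:00:01 10.0.0.5 10.0.1.11 tcp 135 ALLOW
2003-08-29T10:00:02 10.0.0.5 10.0.1.12 tcp 135 ALLOW
2003-08-29T10:00:03 10.0.0.5 10.0.1.12 tcp 4444 ALLOW
2003-08-29T10:00:04 10.0.1.12 10.0.0.5 udp 69 ALLOW
2003-08-29T10:00:05 10.0.0.9 10.0.1.20 tcp 135 ALLOW
2003-08-29T10:00:06 10.0.0.7 10.0.1.30 tcp 80 ALLOW
malformed line
"""

def summarize(log_text):
    """Return {src: {label: set(dst)}} for traffic on the watched ports."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[4].isdigit():
            continue  # skip malformed records instead of aborting the scan
        _, src, dst, proto, dport, _ = fields
        label = WATCHED.get((proto.lower(), int(dport)))
        if label:
            seen[src][label].add(dst)
    return seen

def flag_hosts(log_text, fanout=3):
    """Flag sources that reach >= fanout distinct hosts on TCP 135, or that
    send any traffic to TCP 4444 or UDP 69. fanout is an assumed threshold."""
    flagged = {}
    for src, ports in summarize(log_text).items():
        reasons = []
        if len(ports.get("DCOM RPC", ())) >= fanout:
            reasons.append("tcp/135 fan-out")
        for label in ("TCP 4444", "TFTP"):
            if label in ports:
                reasons.append(label + " traffic")
        if reasons:
            flagged[src] = reasons
    return flagged

if __name__ == "__main__":
    for host, why in sorted(flag_hosts(SAMPLE_LOG).items()):
        print(host, "->", ", ".join(why))
```

A single connection to TCP port 135 is normal on many Windows networks, which is why the example flags only fan-out to several distinct hosts on that port; tune the threshold to the environment.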
The worm also attempts to perform a Denial of Service (DoS) on kimble.org. At the time of writing this description, kimble.org resolved to 127.0.0.1.
Click here for more information on the vulnerability that this worm exploits, and to find out which Symantec products can help mitigate risks from this vulnerability.
NOTE: Virus Definitions dated prior to August 29, 2003 detect this threat as W32.Blaster.Worm.
Symantec Security Response has developed a removal tool to clean infections of W32.Blaster.E.Worm.