Risk Level 2: Low

August 13, 2003
February 13, 2007 12:05:22 PM
Also Known As:
W32/Blaster-B [Sophos], W32/Lovsan.worm.b [McAfee], Win32.Poza.B [CA], WORM_MSBLAST.C [Trend], Worm.Win32.Lovesan.a [Kaspersk
Systems Affected:

W32.Blaster.C.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135. The worm targets only Windows 2000 and Windows XP machines. Windows NT and Windows 2003 Server machines are vulnerable to the same exploit if they are not properly patched, but the worm is not coded to replicate to those systems.

This worm attempts to download the Teekids.exe file to the %WinDir%\System32 folder, and then execute it. This worm does not have any mass-mailing functionality.

W32.Blaster.C.Worm may have been distributed in a package that also contained a Backdoor Trojan.

The package would have had the following characteristics:
  • index.exe (32,045 bytes): Drops the worm and Backdoor components. It is detected as W32.Blaster.C.Worm.
  • root32.exe (19,798 bytes): Backdoor component detected as Backdoor.Lithium.
  • teekids.exe (5,360 bytes): Worm component detected as W32.Blaster.C.Worm.

We recommend that you block access to TCP port 4444 at the firewall level, and then block the following ports if you do not use the applications listed with them:
  • TCP Port 135, "DCOM RPC"
  • UDP Port 69, "TFTP"
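The following added example (not part of the Symantec writeup) triages firewall connection logs for traffic on the three ports named above and lists hosts that contact many distinct destinations on TCP 135. The CSV log layout, the sample lines and the fan-out threshold are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Ports named in this writeup: (protocol, destination port) -> label.
WATCHED = {
    ("tcp", 135): "DCOM RPC",
    ("tcp", 4444): "port 4444",
    ("udp", 69): "TFTP",
}
# Assumption: this many distinct TCP/135 destinations from one source counts as fan-out.
FANOUT_THRESHOLD = 3

# Constructed sample log (hypothetical CSV layout: time,proto,src,dst,dport,action).
SAMPLE_LOG = """\
2003-08-13T10:00:01,tcp,10.0.0.5,10.0.0.21,135,allow
2003-08-13T10:00:01,tcp,10.0.0.5,10.0.0.22,135,allow
2003-08-13T10:00:02,tcp,10.0.0.5,10.0.0.23,135,allow
2003-08-13T10:00:03,tcp,10.0.0.5,10.0.0.22,4444,allow
2003-08-13T10:00:04,udp,10.0.0.22,10.0.0.5,69,allow
2003-08-13T10:00:09,tcp,10.0.0.8,10.0.0.40,135,deny
2003-08-13T10:00:10,tcp,10.0.0.9,192.0.2.10,80,allow
2003-08-13T10:00:11,tcp,10.0.0.9,10.0.0.40,badport,allow
"""

def triage(log_text, threshold=FANOUT_THRESHOLD):
    """Return (hits per source on watched ports, TCP/135 fan-out sources, allowed flows)."""
    hits = defaultdict(lambda: defaultdict(set))   # src -> label -> {dst}
    allowed = []                                   # watched flows the firewall let through
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue                               # skip blank or malformed lines
        _, proto, src, dst, dport, action = (f.strip() for f in row)
        if not dport.isdigit():
            continue                               # skip lines with an unparsable port
        label = WATCHED.get((proto.lower(), int(dport)))
        if label is None:
            continue                               # not one of the ports in the writeup
        hits[src][label].add(dst)
        if action.lower() == "allow":
            allowed.append((src, dst, label))
    scanners = sorted(s for s, by in hits.items() if len(by.get("DCOM RPC", ())) >= threshold)
    return {s: {k: sorted(v) for k, v in by.items()} for s, by in hits.items()}, scanners, allowed

if __name__ == "__main__":
    per_src, scanners, allowed = triage(SAMPLE_LOG)
    print("sources fanning out on TCP/135:", scanners)
    for src, dst, label in allowed:
        print(f"allowed {label}: {src} -> {dst}")
```

Flows reported as allowed show where the recommended blocks are not yet in place.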

The worm also attempts to perform a Denial of Service (DoS) attack on the Microsoft Windows Update Web server (www.windowsupdate.com). This is an attempt to prevent you from applying the patch for the DCOM RPC vulnerability to your computer.


Antivirus Protection Dates

  • Initial Rapid Release version August 13, 2003
  • Latest Rapid Release version August 8, 2016 revision 023
  • Initial Daily Certified version August 13, 2003
  • Latest Daily Certified version August 9, 2016 revision 001
  • Initial Weekly Certified release date August 13, 2003
Writeup By: Douglas Knowles
