F-Secure Virus Descriptions : Lovsan.B
| NAME: | Lovsan.B |
| ALIAS: | MSBlast, Poza, Blaster, W32/Msblast, Lovesun, Lovesan |
A new variant of the Lovsan worm was found on August 13th, 2003.
A dropper available on a web page drops two files in the Windows
System folder and adds them to the Windows registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
The first file called Root32.exe is a backdoor and the second one
called teekids.exe is the actual worm.
This new variant is functionally identical to the previous Lovsan;
only the text and the file name have been changed.
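One way to check a host for the autostart entries described above, as an added example that is not F-Secure's code or part of the original description: it parses the text output of `reg query` for the Run key and flags values that start Root32.exe or teekids.exe. The sample output and its value names are constructed, since the description does not give the registry value names.

```python
import ntpath
import re

# File names taken from the description above; Windows file names are
# case-insensitive, so everything is compared in lower case.
LOVSAN_B_FILES = {"root32.exe": "backdoor", "teekids.exe": "worm"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# A value line of `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def executable_name(data):
    """Return the lower-cased file name of the program a Run value starts."""
    data = data.strip()
    if data.startswith('"'):
        command = data[1:].split('"', 1)[0]      # quoted path may contain spaces
    else:
        # Unquoted: cut at the first ".exe" so trailing arguments are dropped.
        m = re.match(r"(.+?\.exe)\b", data, re.IGNORECASE)
        command = m.group(1) if m else data.split(" ", 1)[0]
    return ntpath.basename(command).lower()

def find_lovsan_b_run_entries(reg_query_output):
    """Return (value name, data, role) for Run values that start a Lovsan.B file."""
    hits, in_run_key = [], False
    for line in reg_query_output.splitlines():
        if line and not line[0].isspace():       # key header line
            in_run_key = line.strip().upper() == RUN_KEY.upper()
            continue
        m = VALUE_LINE.match(line)
        if in_run_key and m:
            role = LOVSAN_B_FILES.get(executable_name(m.group("data")))
            if role:
                hits.append((m.group("name"), m.group("data"), role))
    return hits

# Constructed sample output; the value names are invented for this example.
SAMPLE = "\n".join([
    "",
    RUN_KEY,
    r"    Example Updater    REG_SZ    C:\WINDOWS\system32\TEEKIDS.EXE",
    r'    ExampleSvc    REG_SZ    "C:\WINDOWS\system32\root32.exe" -start',
    r"    Notes    REG_SZ    C:\Tools\myteekids.exe",
    r"    Shell Helper    REG_SZ    C:\Program Files\Helper\helper.exe /s",
])

if __name__ == "__main__":
    for name, data, role in find_lovsan_b_run_entries(SAMPLE):
        print(f"Run value {name!r} starts the Lovsan.B {role}: {data}")
```

The match is on the exact file name rather than a substring, so an unrelated program such as `myteekids.exe` is not reported.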
Disinfection
The Lovsan disinfection tool has been updated for
Lovsan.B. The tool can be downloaded from
ftp://ftp.f-secure.com/anti-virus/tools/f-lovsan.zip
Documentation on the tool is available from
ftp://ftp.f-secure.com/anti-virus/tools/f-lovsan.txt
Detection
F-Secure Anti-Virus detects the dropper and the backdoor as
TrojanDropper.Win32.Freshbind.20 and Backdoor.Lithium.10
respectively.
F-Secure Anti-Virus detects the worm in the teekids.exe file with
database updates:
[FSAV_Database_Version]
Version=2003-08-13_02
[Description; Katrin Tocheva and Gergely Erdelyi; 13th of August, 2003]