Lovsan is a network worm that spreads by exploiting the RPC/DCOM
(MS03-026) vulnerability in Windows.
UPDATE (2003-09-11 08:55 GMT)
Another RPC/DCOM vulnerability (MS03-039) has been found. Systems patched
against MS03-026 must be patched again. The patch against MS03-039 fixes the
MS03-026 vulnerability as well.
F-Secure is upgrading the Lovsan worm (also known as Msblast) to
Level 1 as it continues to spread rapidly. Currently it is the
most widespread virus in the world. Symptoms include XP machines
rebooting.
UPDATE (2003-08-11 21:40 GMT)
The first sample of the Lovsan worm was received at 19:22 GMT on the 11th of
August, 2003.
This 6176-byte executable "msblast.exe" contains about 11kB of uncompressed
worm code, which exploits the MS03-026 DCOM/RPC hole.
Disinfection
QUICK INSTRUCTIONS
How to get rid of the Lovsan worm in 8 minutes:
1. Boot up the infected computer
2. If you keep getting the "Shutdown in 60 seconds" dialog, click Start / Run
and execute the command 'shutdown -a'
6. The patch installer will reboot the machine in the end. When the
machine reboots, enter SAFE MODE by keeping F8 pressed when the
computer screen goes black for a moment, then choose "1) Safe mode"
7. When the computer has booted up in Safe Mode, log in and execute
the F-LOVSAN tool you downloaded in step 3.
8. Reboot normally - and you're done.
After this, it would probably be a good idea to
install a firewall (such as the ones provided by F-Secure) to protect the
machine from internet connections. If you can't do that, have a look
at Windows XP's internal network protection settings:
http://www.f-secure.com/support/technical/winxp_fw.shtml
Preprotection
Please note that F-Secure Internet Security protected you against this worm
proactively without updates, with the distributed firewall functionality.
Lovsan exploits a vulnerability, "Buffer Overrun In RPC Interface", which is
also known as DCOM/RPC and MS03-026. This vulnerability was discovered on
July 16th, 2003. More information is available on this vulnerability at
This version of the worm will only infect Windows 2000 and Windows XP machines.
Systems such as Windows 95, 98 and Me are unaffected.
The worm might try to exploit Windows XP machines with the Windows 2000 exploit.
In many cases the worm causes XP machines to start rebooting periodically
with this error message:
This system is being shut down in 60 seconds by NT Authority/System
due to an interrupted Remote Procedure Call (RPC)
This dialog comes from Windows itself and shows the error message in the
localized language.
For example:
Note: you might see a similar error message on Windows 2003 too. Also, this
might happen on Windows XP and 2003 even if you've applied the right patches.
However, the machine won't get infected in these cases - just rebooted.
YOU CAN STOP THE SHUTDOWN TIMER. If your machine keeps rebooting so often that
you can't even download the patches, use the 'shutdown' command to abort
the reboot. When you see the Shutdown dialog, click Start / Run, type
'shutdown -a' and hit Enter.
Windows 2000 users won't see the timer. However, they might see other effects
from the RPC exploit, such as:
1. Problems when creating email messages, at least in Outlook and Outlook Express
2. Visual problems with Control Panel
3. Add/Remove Programs does not work
4. Drag & Drop function does not work
5. Copy / Paste function does not work
6. Some executables don't work
7. Problems with JavaScript
8. Some programs won't save at all
Spreading algorithm
The worm uses a sequential scanning algorithm with random starting
points. The algorithm has a mode in which it favors networks surrounding
the infected host.
An IP address has the following structure: A.B.C.D
First the worm fetches the IP address of the infected host and
puts it into the variables above.
Based on a random number between 1 and 20, either the host's IP is
used as the basis of scanning or a totally random IP is generated.
If the random number is greater than or equal to 12, the host IP is used. In
this case, if C is greater than 20 the worm subtracts 20 from it.
D is always set to 0.
If the worm chooses to use a totally random start IP, it generates
A, B and C from random numbers:
A from 1 to 254
B from 0 to 253
C from 0 to 253
D is always 0
Using these base addresses Lovsan starts to scan for vulnerable
hosts. The algorithm scans 20 hosts at a time; the targets are
successive IP addresses starting from the base address. The worm
tries to connect to port 135 on all 20 hosts and checks whether
the connection is successful. In that case Lovsan uses one of
many different DCOM exploits to infiltrate the host. There are
two hardcoded values in the exploit which are randomly chosen.
These values make the exploit work on either Windows 2000 or
Windows XP systems. When the exploit starts on the remote
machine it opens a shell through which the worm copies itself
to the host using TFTP (Trivial File Transfer Protocol). The
TFTP client comes with Windows 2000/XP systems and the
worm has a built-in TFTP server. After the worm is copied to
the remote host it is started there through the shell.
The following graphic shows the relative number of TCP SYN packets that our
network sensor system received between the 1st and 20th of August. A clear
increase in the number of packets to port 135 (in red) can be seen.
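As an added example (not code from F-Secure's description or from the worm), the following Python detection logic applies the scanning signature described above, SYNs to port 135 against a run of successive addresses starting at a base whose last octet is 0, to a constructed set of sensor records in an assumed one-line-per-SYN format. It serves both the spreading-algorithm passage and the port-135 SYN graphic above.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Assumed record format (constructed for this example): "<time> <src> -> <dst>:<port> SYN"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) SYN$")

# Constructed sample, not real sensor data: one host sweeping 10.1.2.0-10.1.2.19
# on port 135 (a full 20-host Lovsan batch), plus unrelated traffic from another host.
SAMPLE_LOG = "\n".join(
    [f"19:22:{i:02d} 192.168.5.7 -> 10.1.2.{i}:135 SYN" for i in range(20)]
    + ["19:22:30 192.168.9.2 -> 10.1.7.4:80 SYN",
       "19:22:31 192.168.9.2 -> 10.1.7.4:135 SYN",
       "19:22:32 192.168.9.2 -> 10.1.7.9:135 SYN",
       "malformed line that the parser must skip"])


def parse(log):
    """Yield (src, dst_address, port) for every well-formed SYN record."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(2), IPv4Address(m.group(3)), int(m.group(4))


def longest_consecutive_run(addrs):
    """Return (length, start) of the longest run of numerically successive addresses."""
    best_len, best_start, run_len, run_start, prev = 0, None, 0, None, None
    for a in sorted(set(addrs)):
        if prev is not None and int(a) == int(prev) + 1:
            run_len += 1
        else:
            run_len, run_start = 1, a
        if run_len > best_len:
            best_len, best_start = run_len, run_start
        prev = a
    return best_len, best_start


def find_lovsan_scanners(log, min_run=20):
    """Sources whose port-135 SYNs cover at least min_run successive addresses.
    Lovsan scans 20 hosts per batch from a base address whose D octet is 0, so
    the report also notes whether the run begins on such a base."""
    by_src = defaultdict(list)
    for src, dst, port in parse(log):
        if port == 135:
            by_src[src].append(dst)
    hits = {}
    for src, dsts in by_src.items():
        n, base = longest_consecutive_run(dsts)
        if n >= min_run:
            hits[src] = {"run": n, "base": str(base), "base_d_is_zero": base.packed[-1] == 0}
    return hits
```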
System infection
When Lovsan enters a vulnerable system it is stored as 'msblast.exe',
which it adds to the registry as
'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update'
This way the worm is started every time Windows starts up.
Payload
Starting from the 16th of August, machines infected with Lovsan will send massive
amounts of packets to windowsupdate.com. 40-byte packets are sent at 20
millisecond intervals to port 80. This will perform a Distributed
Denial-of-Service attack on that website.
The payload trigger routine checks the day of the month first. If the day
is 16 or later it triggers immediately otherwise it checks the month. If
the month is September or later the payload is activated.
In practice this logic will start the DDoS attacks on 16th of August and will
continue until the end of the year. Next year it will attack from 16th to the
end of each month until 16th of August when it starts the non-stop attack until
the end of the year.
The payload trigger is checked only once when the worm is started, so computers
running the worm will start the DDoS attack only when Windows is first
restarted after the 16th of August. This might mean that the attack volume
starts growing on August 16th and continues growing until Monday the 18th, when
people come back to work and boot up their work computers.
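Added here as a worked check of the trigger logic just described (example code, not the worm's code or F-Secure's): the predicate as stated above, a calendar sweep that turns it into the active date spans the description derives from it, and the once-at-start-up behaviour applied to a host's reboot dates (dates are ISO strings; all sample dates are constructed).

```python
from datetime import date, timedelta


def payload_active(month, day):
    """Trigger as described: day of month >= 16 fires at once; otherwise the
    payload fires only if the month is September or later."""
    if day >= 16:
        return True
    return month >= 9


def active_ranges(year):
    """Contiguous (first_day, last_day) spans, as ISO strings, on which a worm
    starting up would begin the DDoS. Checks the reading that the attack runs
    from the 16th to month end, and non-stop from August 16th to year end."""
    ranges, start, prev = [], None, None
    d = date(year, 1, 1)
    while d.year == year:
        if payload_active(d.month, d.day):
            if start is None:
                start = d
            prev = d
        elif start is not None:
            ranges.append((start.isoformat(), prev.isoformat()))
            start = None
        d += timedelta(days=1)
    if start is not None:
        ranges.append((start.isoformat(), prev.isoformat()))
    return ranges


def attack_start(boot_dates):
    """The trigger is evaluated only at worm start-up, so an infected host
    joins the DDoS at its first reboot that falls on an active day."""
    for iso in sorted(boot_dates):
        d = date.fromisoformat(iso)
        if payload_active(d.month, d.day):
            return iso
    return None
```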
The attack packets will be difficult to filter without filtering normal web
access to windowsupdate.com. However, at least Windows 98, Me, 2000 and Windows XP
machines do NOT connect to windowsupdate.com when "Windows Update" function
is selected from the Start menu. These machines connect either to
windowsupdate.microsoft.com or to URLs like www.microsoft.com/isapi/redir.dll?prd=Win2000&ar=WinUpdate
So, in a nutshell: unless Microsoft changes the IP address of windowsupdate.com
to 127.0.0.1 before the attack starts, windowsupdate.com will most likely go down
under DDoS. If they change the IP, the site will be inaccessible anyway. However,
the Windows Update service will probably stay up, as it's not running on that machine
in the first place.
The worm contains these texts (which are not displayed):
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!