Lovsan is a network worm that spreads by exploiting the RPC/DCOM (MS03-026) vulnerability in Windows.
CAUTION: Manual disinfection is a risky process; it is recommended only for advanced users.
F-Secure's special removal tool will remove the A, B, C and E variants of Lovsan. The tool can be downloaded from:
Documentation on the tool is available from:
System administrators who are using F-Secure Policy Manager can distribute the F-LOVSAN tool as a JAR package automatically to all workstations. System administrators can download the JAR version from:
For general instructions on disinfecting a local network infection, please see Eliminating A Local Network Outbreak.
Lovsan exploits a vulnerability, "Buffer Overrun In RPC Interface", which is also known as DCOM/RPC and MS03-026. This vulnerability was discovered on July 16th, 2003. More information on this vulnerability is available at http://www.microsoft.com/technet/security/bulletin/MS03-026.asp.
This version of the worm will only infect Windows 2000 and Windows XP machines. Systems such as Windows 95, 98 and Me are unaffected.
The worm might try to exploit Windows XP machines with the Windows 2000 exploit. In many cases this causes XP machines to start rebooting periodically with this error message:
This system is being shut down in 60 seconds by NT Authority/System due to an interrupted Remote Procedure Call (RPC)
This dialog comes from Windows itself and shows the error message in the localized language.
Note: you might see a similar error message on Windows 2003 too. Also, this might happen on Windows XP and 2003 even if you've applied the right patches. However, the machine won't get infected in these cases - just rebooted.
YOU CAN STOP THE SHUTDOWN TIMER. If your machine keeps rebooting so often that you can't even download the patches, use the 'shutdown' command to abort the reboot. When you see the Shutdown dialog, click Start / Run, type 'shutdown -a' and hit Enter.
Windows 2000 users won't see the timer. However, they might see other effects from the RPC exploit, such as:
The worm uses a sequential scanning algorithm with random starting points. The algorithm has a mode in which it favors networks surrounding the infected host. Note: An IP address has the following structure: A.B.C.D
First the worm fetches the IP address of the infected host and puts it into the variables above. Based on a random number between 1 and 20, either the host's IP is used as the basis of scanning or a totally random IP is generated.
If the random number is greater than or equal to 12, the host IP is used. In this case, if C is greater than 20, the worm subtracts 20 from it. D is always set to 0.
If the worm chooses to use a totally random start IP, it generates A, B and C from random numbers:
Using these base addresses Lovsan starts to scan for vulnerable hosts. The algorithm scans 20 hosts at a time; the targets are successive IP addresses starting from the base address. The worm tries to connect to port 135 on all 20 hosts and checks whether the connection is successful. If it is, Lovsan uses one of many different DCOM exploits to infiltrate the host.
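The scan pattern described above leaves a recognisable trace in connection logs: one source touching port 135 on a run of successive addresses. The following detection sketch is an added example, not F-Secure's code; the record format, function names and sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

RPC_PORT, BATCH = 135, 20   # port and batch size stated on the page

def local_mode_base(host_ip):
    """Base address of host-derived mode: C minus 20 when C > 20, D set to 0."""
    a, b, c, _ = (int(x) for x in host_ip.split("."))
    return f"{a}.{b}.{c - 20 if c > 20 else c}.0"

def longest_run(addrs):
    """(start, length) of the longest run of consecutive IPv4 addresses."""
    nums = sorted({int(ipaddress.IPv4Address(a)) for a in addrs})
    best, i = (None, 0), 0
    while i < len(nums):
        j = i
        while j + 1 < len(nums) and nums[j + 1] == nums[j] + 1:
            j += 1
        if j - i + 1 > best[1]:
            best = (str(ipaddress.IPv4Address(nums[i])), j - i + 1)
        i = j + 1
    return best

def find_sweepers(records, min_run=BATCH):
    """Sources whose port-135 destinations contain a run of >= min_run addresses."""
    dsts = defaultdict(set)
    for src, dst, dport in records:
        if dport == RPC_PORT:
            dsts[src].add(dst)
    hits = {}
    for src, seen in dsts.items():
        start, length = longest_run(seen)
        if length >= min_run:
            # local_mode is True only when the captured run begins at the base.
            hits[src] = {"start": start, "length": length,
                         "local_mode": start == local_mode_base(src)}
    return hits

# Constructed sample flow records: (source, destination, destination port).
SAMPLE = (
    [("10.1.45.7", f"10.1.25.{d}", 135) for d in range(20)]        # host-derived sweep
    + [("10.1.3.4", f"198.51.100.{d}", 135) for d in range(20)]    # sweep from another base
    + [("10.1.45.9", ip, 135) for ip in ("10.1.45.2", "10.1.45.30", "10.1.46.5")]
    + [("10.1.45.7", "10.1.45.1", 80)]                             # unrelated web traffic
)

if __name__ == "__main__":
    for src, info in find_sweepers(SAMPLE).items():
        print(src, info)
```
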
There are two hardcoded values in the exploit, one of which is chosen at random. These values make the exploit work on either Windows 2000 or Windows XP systems. When the exploit starts on the remote machine it opens a shell through which the worm copies itself to the host using TFTP (Trivial File Transfer Protocol). The client for TFTP comes with Windows 2000/XP systems and the worm has a built-in TFTP server. After the worm is copied to the remote host it is started there through the shell.
The following graphic shows the relative amount of TCP SYN packets that our network sensor system received between the 1st and 20th of August. A clear increase in the number of packets to port 135 (in red) can be seen.
When Lovsan enters a vulnerable system it is called 'msblast.exe' which it adds to the registry as:
This way the worm will be started every time Windows starts up.
Starting from the 16th of August, machines infected with Lovsan will send a massive amount of packets to windowsupdate.com. 40-byte packets are sent at 20 millisecond intervals to port 80. This will perform a Distributed Denial-of-Service attack on that website.
The payload trigger routine checks the day of the month first. If the day is 16 or later, it triggers immediately; otherwise it checks the month. If the month is September or later, the payload is activated.
In practice this logic will start the DDoS attacks on the 16th of August and continue until the end of the year. Next year it will attack from the 16th to the end of each month until the 16th of August, when it starts the non-stop attack until the end of the year.
The payload trigger is checked only once, when the worm is started, so computers running the worm will start the DDoS attack only when Windows is first restarted after the 16th of August. This might mean that the attack volume will start growing on August 16th and continue growing until Monday the 18th - when people come back to work and boot up their work computers.
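The trigger logic and its once-per-start check can be written out to see which dates arm the payload and which infected hosts would be flooding. This is an added example, not code from the worm or from F-Secure; the function names, host names and start dates are constructed for illustration.

```python
from datetime import date, timedelta

def payload_armed(start):
    """Trigger as described on the page: day of month first, then month."""
    return start.day >= 16 or start.month >= 9

def armed_windows(year):
    """Contiguous (first_day, last_day) ranges in which a worm start arms the payload."""
    windows, begin = [], None
    day = date(year, 1, 1)
    while day.year == year:
        if payload_armed(day) and begin is None:
            begin = day
        elif not payload_armed(day) and begin is not None:
            windows.append((begin, day - timedelta(days=1)))
            begin = None
        day += timedelta(days=1)
    if begin is not None:
        windows.append((begin, date(year, 12, 31)))
    return windows

def flooding_hosts(worm_starts):
    """Hosts whose most recent worm start fell on an armed date.

    The check runs once per start, so a host that started the worm before
    the 16th and has not restarted since is infected but not yet flooding.
    """
    return sorted(h for h, started in worm_starts.items() if payload_armed(started))

# Constructed sample: host name -> date the worm process last started.
WORM_STARTS = {
    "ws-014": date(2003, 8, 13),   # started before the 16th, never restarted
    "ws-027": date(2003, 8, 16),
    "ws-031": date(2003, 8, 18),   # booted on the Monday
    "ws-040": date(2003, 9, 2),
}

if __name__ == "__main__":
    for first, last in armed_windows(2004):
        print(first, "to", last)
    print(flooding_hosts(WORM_STARTS))
```
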
The attack packets will be difficult to filter without filtering normal web access to windowsupdate.com. However, at least Windows 98, Me, 2000 and Windows XP machines do NOT connect to windowsupdate.com when the "Windows Update" function is selected from the Start menu.
These machines connect either to:
or to URLs like:
So, in a nutshell: unless Microsoft changes the IP address of windowsupdate.com before the attack starts to 127.0.0.1, windowsupdate.com will most likely go down under DDoS. If they change the IP, the site will be inaccessible anyway. However, Windows Update service will probably stay up, as it's not running on that machine in the first place.
The worm contains these texts (which are not displayed):