The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

Trend Micro: WORM_BLASTER.N – New Blaster variant spreads by MS03-026

We haven’t seen this virus in a while, but there is nothing new here. This virus spreads by using the vulnerability out lined in Microsoft Security Bulletin MS03-026.  If you are patched up, you should be fine. 

WORM_BLASTER.N – Description and solution.


This worm propagates using the RPC/DCOM vulnerability found in Windows, which allows an attacker to gain full access and execute any code on a target machine by sending a malformed packet to the DCOM service. It uses TCP port 135. More information on this vulnerability is found in Microsoft Security Bulletin MS03-026.

Upon execution, this worm drops a copy of itself in the hardcoded location, %Windows%\System32.

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

For Windows NT, this worm modifies a Winlogon Shell registry entry to ensure its automatic execution at every system startup.

This worm downloads and executes the file WINBAL.EXE from the Web site,{BLOCKED}/csrsscs.bmp.

The aforementioned file is not a valid .EXE file. It only contains HTML tags and other strings. However, the malware author may modify the downloaded file to contain a valid .EXE file with a destructive payload.


December 21, 2005 - Posted by | Antivirus News

No comments yet.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: