
[cobalt-security] W32/Lovsan.worm Attacking Port 135



Is anybody else getting attacks on Port 135 that are related to this new
virus, and do you know if we are vulnerable?  It looks to me like it only
infects Windows machines so far?

Thanks, Rex Gaylord
============================
A NEW VIRUS HAS BEEN DETECTED, NAMED W32/Lovsan.worm
 
Symptoms of Infection :  
 
- Presence of unusual TFTP* files 
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory 
- Error messages about the RPC service failing (causes system to reboot)


This worm spreads by exploiting a recent vulnerability in Microsoft
Windows. The worm scans random ranges of IP addresses on port 135.

A definition file will be sent to me from our virus lab in about 2
hours.  Please go to ftp://65.3.178.52 at around 5:15pm PDT.  After
downloading it, extract it to a folder, such as PANDA, and then update
from the program with the update source pointing to the folder you
extracted the signature file to.

In the meantime, here is a manual solution for it in case you already
got infected:

1.  As soon as you get into Windows, go to Task Manager and end process
on msblast.exe

2.  Run regedit and remove the key,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update" = msblast.exe

3.  Search for msblast.exe on the system drive and delete any copy that
is found.

4.  Disconnect any connection to the internet or to the network.

5.  Reboot the computer.

 

Steve Demogines, Director
Panda Software Technical Support
sdemo@xxxxxxxxxxxxxxxxx
818-543-6901 

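
The symptoms and manual steps listed in the forwarded advisory can be checked on a host without changing anything. The PowerShell script below is an added example, not part of the original message or any Panda tooling; it assumes PowerShell 3.0 or later, and looking for TFTP* files in System32 is an assumption because the advisory does not say where they appear.

```powershell
# Added example: read-only check for the indicators named in the advisory.
# Nothing is stopped, deleted or modified; the script only reports findings.

$findings = @()
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$system32 = Join-Path $env:SystemRoot 'System32'

# Step 1 of the advisory: a running msblast.exe process.
foreach ($p in Get-Process -Name 'msblast' -ErrorAction SilentlyContinue) {
    $findings += [pscustomobject]@{ Indicator = 'Process'; Detail = "msblast.exe, PID $($p.Id)" }
}

# Step 2: the "windows auto update" = msblast.exe entry under the Run key.
# Any Run entry that launches msblast.exe is reported as well, whatever its name.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -eq 'windows auto update' -or "$($prop.Value)" -like '*msblast.exe*') {
            $findings += [pscustomobject]@{ Indicator = 'RunKey'; Detail = "$($prop.Name) = $($prop.Value)" }
        }
    }
}

# Step 3: any copy of msblast.exe on the system drive (can take several minutes).
$copies = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'msblast.exe' -Recurse -File -Force -ErrorAction SilentlyContinue
foreach ($f in $copies) {
    $findings += [pscustomobject]@{ Indicator = 'File'; Detail = $f.FullName }
}

# Symptom list: "unusual TFTP* files". Location is an assumption (System32).
# A legitimate tftp.exe may be listed here, so these entries need manual review.
$tftp = Get-ChildItem -Path $system32 -Filter 'TFTP*' -File -Force -ErrorAction SilentlyContinue
foreach ($f in $tftp) {
    $findings += [pscustomobject]@{ Indicator = 'TFTP (review)'; Detail = "$($f.FullName), modified $($f.LastWriteTime)" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Lovsan.worm indicators from the advisory were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt so the recursive file search can read protected directories.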