
[cobalt-security] W32/Lovsan.worm Attacking Port 135



Is anybody else getting attacks on Port 135 that are related to this new
virus, and do you know if we are vulnerable?  It looks like it only infects
Windows machines to me so far.

Thanks, Rex Gaylord
============================
A NEW VIRUS HAS BEEN DETECTED, NAMED    W32/Lovsan.worm
 
Symptoms of Infection :  
 
- Presence of unusual TFTP* files 
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory 
- Error messages about the RPC service failing (causes system to reboot) 

This worm spreads by exploiting a recent vulnerability in Microsoft Windows.
The worm scans random ranges of IP addresses on port 135.

A definition file will be sent to me from our virus lab in about 2 hours.
Please go to ftp://65.3.178.52 at around 5:15pm PDT.  After downloading it,
extract it to a folder, such as PANDA, and then update from the program with
the update source pointing to the folder you extracted the signature file
to.

In the meantime, here is a manual solution for it in case you already got
infected:

1.  As soon as you get into Windows, go to Task Manager and end process on
msblast.exe

2.  Run regedit and remove the key,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update" = msblast.exe

3.  Search for msblast.exe on the system drive and delete any copy that is
found.

4.  Disconnect any connection to the internet or to the network.

5.  Reboot the computer.

 

Steve Demogines, Director
Panda Software Technical Support
sdemo@xxxxxxxxxxxxxxxxx
818-543-6901 
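
The symptom list and manual removal steps 1 to 3 from the forwarded advisory, as an added example that is not part of the original e-mails or of Panda Software's tooling: a PowerShell script that reports the indicators and removes them only when the hypothetical `-Remediate` switch is given. The parameter names and the exclusion of the stock `tftp.exe` client are assumptions of this example.

```powershell
# Added example (not from the advisory): reports the indicators it lists.
# Read-only unless -Remediate is given; parameter names are this example's own.
param(
    [switch]$Remediate,
    [string]$SearchRoot = "$env:SystemDrive\"
)

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'windows auto update'
$findings  = @()

# Step 1: a running msblast.exe (Get-Process takes the name without ".exe")
$procs = @(Get-Process -Name 'msblast' -ErrorAction SilentlyContinue)
foreach ($p in $procs) { $findings += "process msblast.exe running, PID $($p.Id)" }

# Step 2: the Run value "windows auto update" (a value under Run, not the Run key itself)
$runValue = (Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($runValue) { $findings += "Run value '$valueName' = $runValue" }

# Step 3: every copy of msblast.exe on the system drive, hidden files included
$files = @(Get-ChildItem -Path $SearchRoot -Filter 'msblast.exe' -File -Recurse -Force -ErrorAction SilentlyContinue)
foreach ($f in $files) { $findings += "file $($f.FullName)" }

# Symptom: unusual TFTP* files in SYSTEM32. Assumption: the stock tftp.exe client is expected.
$tftp = @(Get-ChildItem -Path "$env:SystemRoot\System32" -Filter 'TFTP*' -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ne 'tftp.exe' })
foreach ($t in $tftp) { $findings += "unusual TFTP file $($t.FullName) (review by hand)" }

if ($Remediate) {
    $procs | Stop-Process -Force                                            # step 1: end the process
    if ($runValue) { Remove-ItemProperty -Path $runKey -Name $valueName }   # step 2: remove the value
    $files | Remove-Item -Force                                             # step 3: delete the copies
}

if ($findings.Count -eq 0) {
    'No indicators from the advisory found.'
} else {
    $findings
    if ($Remediate) { 'Removed process, Run value and msblast.exe copies; now disconnect and reboot (steps 4-5).' }
}
```

Run it from an elevated prompt; the `-File` switch needs PowerShell 3.0 or later.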
