Central Command, a leading provider of PC anti-virus software and services, today warns Internet users of Worm/Lovsan.A, or MBlast, an Internet worm circulating worldwide. Discovered on August 11, 2003, Worm/Lovsan.A, attempts to use the RPC Buffer Overrun vulnerability (a security hole) within un-patched Microsoft Windows NT, Windows 2000, Windows XP and Microsoft Windows server(TM) 2003 operating systems. This Internet worm does not affect Apple Macintosh users.
Worm/Lovsan.A is an Internet worm that exploits known security vulnerability in Microsoft’s Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. This security breach allows someone with malicious intent to run code of his or her choice. TCP port directly affected by this exploit includes: 135.
The worm contains two messages in its code. The first apparently is a “greet”–a message of greeting or recognition to a friend or peer–while the second takes aim at Microsoft: “billy gates why do you make this possible?” the second part of the message says. “Stop making money and fix your software!!”
Worm/Lovsan.A will download and run the file msblast.exe using the Trivial File Transfer Protocol (Tftp).
“Unfortunately, un-patched [Windows] systems are again proving to be a vector for fast spreading Internet based worms. Updating antivirus software and patching systems against the latest exploits and vulnerabilities should become standard habit,” said Steven Sundermeier, Vice President of Products and Services at Central Command, Inc. in the press release. “A properly patched system would prevent someone with malicious intent from successfully gaining control over a compromised computer under the scope of this vulnerability.”
A detailed analysis can be found at http://www.centralcommand.com
A patch has been available for since July 2003. More information about this vulnerability can be found in Microsoft Security Bulletin MS03-026.
More information from CNET News.com here.