MBlast Worm spreads through flaw in Windows; Macintosh unaffected

Central Command, a leading provider of PC anti-virus software and services, today warns Internet users of Worm/Lovsan.A, or MBlast, an Internet worm circulating worldwide. Discovered on August 11, 2003, Worm/Lovsan.A attempts to use the RPC Buffer Overrun vulnerability (a security hole) in unpatched Microsoft Windows NT, Windows 2000, Windows XP and Microsoft Windows Server(TM) 2003 operating systems. This Internet worm does not affect Apple Macintosh users.

Worm/Lovsan.A is an Internet worm that exploits a known security vulnerability in Microsoft’s Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. This vulnerability allows someone with malicious intent to run code of his or her choice. The TCP port directly affected by this exploit is 135.

The worm contains two messages in its code. The first apparently is a “greet”–a message of greeting or recognition to a friend or peer–while the second takes aim at Microsoft: “billy gates why do you make this possible?” the second part of the message says. “Stop making money and fix your software!!”

Worm/Lovsan.A will download and run the file msblast.exe using the Trivial File Transfer Protocol (TFTP).
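The two behaviours described above (an inbound connection to TCP port 135 followed by a TFTP download) can be correlated in connection logs to find hosts that need cleaning and patching. The following is an added example, not part of the press release: the log format, the sample lines and the 60-second window are constructed assumptions, and UDP port 69 is TFTP's standard port.

```python
import re
from datetime import datetime, timedelta

# Constructed sample firewall log (assumed format, not a real capture):
# timestamp proto src_ip:src_port -> dst_ip:dst_port
SAMPLE_LOG = """\
2003-08-12T10:00:01 TCP 198.51.100.7:4312 -> 10.0.0.15:135
2003-08-12T10:00:04 UDP 10.0.0.15:1055 -> 198.51.100.7:69
2003-08-12T10:02:00 TCP 10.0.0.20:3001 -> 10.0.0.5:135
2003-08-12T10:05:00 TCP 203.0.113.9:2200 -> 10.0.0.30:135
2003-08-12T10:05:10 TCP 10.0.0.30:1100 -> 192.0.2.1:80
2003-08-12T10:10:00 TCP 203.0.113.9:2300 -> 10.0.0.40:135
2003-08-12T10:20:00 UDP 10.0.0.40:1070 -> 203.0.113.9:69
2003-08-12T10:30:00 UDP 10.0.0.20:1060 -> 10.0.0.9:69
"""

LINE = re.compile(r"(\S+) (TCP|UDP) ([\d.]+):(\d+) -> ([\d.]+):(\d+)")

def parse(log):
    """Yield (time, proto, src_ip, dst_ip, dst_port) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            ts, proto, src, _sport, dst, dport = m.groups()
            yield datetime.fromisoformat(ts), proto, src, dst, int(dport)

def suspected_infections(log, window=timedelta(seconds=60)):
    """Return (host, rpc_peer, tftp_server) for hosts that were contacted on
    TCP/135 and then started a TFTP transfer within `window`."""
    last_rpc = {}  # host -> (time, peer) of its most recent inbound TCP/135
    alerts = []
    for ts, proto, src, dst, dport in sorted(parse(log)):
        if proto == "TCP" and dport == 135:
            last_rpc[dst] = (ts, src)
        elif proto == "UDP" and dport == 69 and src in last_rpc:
            rpc_ts, peer = last_rpc[src]
            if ts - rpc_ts <= window:  # TFTP soon after RPC contact
                alerts.append((src, peer, dst))
    return alerts

if __name__ == "__main__":
    for host, peer, server in suspected_infections(SAMPLE_LOG):
        print(f"{host}: TCP/135 from {peer}, then TFTP to {server}")
```

Hosts that only receive TCP/135 traffic, or that use TFTP without a preceding RPC connection, are not reported; widening `window` trades missed slow infections against more false positives.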

“Unfortunately, un-patched [Windows] systems are again proving to be a vector for fast spreading Internet based worms. Updating antivirus software and patching systems against the latest exploits and vulnerabilities should become standard habit,” said Steven Sundermeier, Vice President of Products and Services at Central Command, Inc. in the press release. “A properly patched system would prevent someone with malicious intent from successfully gaining control over a compromised computer under the scope of this vulnerability.”

A detailed analysis can be found at http://www.centralcommand.com

A patch has been available since July 2003. More information about this vulnerability can be found in Microsoft Security Bulletin MS03-026.

More information from CNET News.com here.

10 Comments

  1. If you have msblast on your computer already and were wondering how to get rid of the little devil, you have to go to your start menu and select “run”. Then type MSConfig and then go to your start-up tab.

    Deselect MSBlast.exe to start-up with Windows and then you can physically delete the program from C:\Windows\System32. If you have virus software you might want to disable it while you do all this as the MSBlast.exe worm starts up with Windows and makes Windows think that it can’t be deleted… but the virus software still wants to delete it and so you get a looping error saying that the virus has been found, “do you want to delete it?” You say yes and it says, “can’t delete virus”… Again… and again… and again. So there you go. By the way, download the patch from Windows so you can’t be infected again, since all this started as a vulnerability in the RPC in the Windows program. Look at Microsoft’s website under “Microsoft Security Bulletin MS03-026”

    So there you go. Hope this helps and by the way, to whoever wrote this worm and to all of those who write worms (as unlikely as it will be that you will read this), I can’t understand why you waste your time inconveniencing other people. How it must feel to waste your lives away in some darkened room… I pity you.

    – Moridin

  2. What is a virus? Is this something I should worry about? I’ve been using macs for 20 years. Do macs ever get viruses? Or is this just a Windows-only feature? Is that what they mean by a “killer app?” What am I missing?

  3. Assuming that was a serious question (?) Yes, Macs have occasionally had a virus. Never over the Internet to my knowledge, never in the past several years, and never in Mac OS X. Sooner or later one is bound to arise, but with far less frequency than Windows: Windows is a larger and more tempting target, and apparently a more flawed product as well.

  4. That was the worst attack I have ever had, came straight through my Kerio firewall.

    If you have this worm MAKE SURE you download the patch from Microsoft after cleaning, otherwise you will be still affected.

  5. Thank you for giving me that warm smug feeling by being able to tell our sys admin about the virus ;o) The Register hadn’t picked up on the story, so he was blissfully unaware!

  6. “The infection was quickly dubbed “LovSan” because of a love note left behind on vulnerable computers: “I just want to say LOVE YOU SAN!” Researchers also discovered another message hidden inside the infection that appeared to taunt Microsoft Chairman Bill Gates: “billy gates why do you make this possible? Stop making money and fix your software!”

    heh…suckers

    http://www.theglobeandmail.com/servlet/story/RTGAM.20030811.wviru811/BNStory/Technology/

  7. The best part is that if you run Windows Update, the worm tries a DoS attack to keep you from downloading the patch. And on the 15th of this month the exe file is supposed to automatically start a DoS attack on the Windows Update servers. This thing may be around for a while. Many news sites haven’t even mentioned the problems with Windows Update.

  8. Comment to Nagromme regarding your response to maconly on viruses – pleeze don’t put people down for asking reasonable questions! Remember, not everyone lives for this stuff, and how else is anybody going to learn? I hope you can still remember when all of this was new to you, too. You are fortunate to know what you know, and thanks for sharing it with the class.

    For maconly – as I understand it, a “killer app” is an application which renders a technology worth acquiring – for instance, instant contact with someone who lived too far away to visit was a “killer app” for the telephone. Let’s keep our fingers crossed that no Mac viruses will show up!
