[austechwriter] Fwd: VIRUS ADVISORY - W32/Lovsan.worm

  • From: Michael Edward Granat <megranat@xxxxxxxx>
  • To: austechwriter@xxxxxxxxxxxxx
  • Date: Wed, 13 Aug 2003 16:37:04 +1000 (EST)

From: McAfee Dispatch [mailto:dispatch@xxxxxxxxxx]
Sent: Wednesday, 13 August 2003 8:50 AM
Subject: VIRUS ADVISORY - W32/Lovsan.worm


(((((((((((((((((((( McAfee Dispatch )))))))))))))))))))))))



------------------------------------------------------------
          ** VIRUS ADVISORY - W32/Lovsan.worm **
------------------------------------------------------------



W32/Lovsan.worm is a Medium-On-Watch Internet Worm.

This worm spreads by exploiting a recent vulnerability in
Microsoft Windows. The worm scans random ranges of IP
addresses on TCP port 135. Discovered systems are targeted.
Exploit code is sent to those systems, instructing them to
download and execute the file MSBLAST.EXE from a remote
system via TFTP.

Once run, the worm creates the registry key (may be either
of the following):

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "windows auto update" = msblast.exe
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "windows auto update" = msblast.exe I just want to say LOVE YOU SAN!! bill

Indications of Infection

- Presence of unusual TFTP files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32
  directory
- Error messages about the RPC service failing (causes
  system to reboot)

IMPORTANT SECURITY NOTE: Up-to-date McAfee VirusScan users
are protected from this threat. For dial-up connections,
we also recommend McAfee Personal Firewall Plus. An extra
layer of protection, it helps render your system invisible
to malicious code and break-ins like Lovsan.

Learn More about W32/Lovsan.worm:
==> http://us.mcafee.com/root/campaign.asp?cid=8340

Scan for W32/Lovsan.worm:
==> http://us.mcafee.com/root/campaign.asp?cid=8341



----- End forwarded message -----
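
A local check for the two host indicators the advisory names (the "windows auto update" Run value and msblast.exe in the system directory), as an added example that is not part of the forwarded advisory or of McAfee's tooling. The function name Test-LovsanIndicators and the layout of its output objects are hypothetical.

```powershell
# Added example: looks for the registry and file indicators listed in the advisory.
# Function name and output shape are illustrative, not from the advisory.
function Test-LovsanIndicators {
    [CmdletBinding()]
    param(
        # Run key given in the advisory.
        [string]$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        # Directory in which the advisory says msblast.exe appears.
        [string]$SystemDir = (Join-Path $env:SystemRoot 'System32')
    )

    $findings = @()

    # Indicator 1: a Run value named "windows auto update", or any Run value
    # whose data launches msblast.exe. Matching on the start of the data
    # covers both variants in the advisory, including the one with trailing text.
    $key = Get-Item -LiteralPath $RunKey -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($name -ieq 'windows auto update' -or $data -imatch '(^|\\|")msblast\.exe') {
                $findings += [pscustomobject]@{
                    Indicator = 'RunValue'; Location = $RunKey; Name = $name; Detail = $data
                }
            }
        }
    }

    # Indicator 2: the worm binary itself in the system directory.
    $file = Join-Path $SystemDir 'msblast.exe'
    if (Test-Path -LiteralPath $file -PathType Leaf) {
        $item = Get-Item -LiteralPath $file -Force   # -Force also returns hidden files
        $findings += [pscustomobject]@{
            Indicator = 'File'; Location = $file; Name = $item.Name
            Detail    = '{0} bytes, last written {1:u}' -f $item.Length, $item.LastWriteTimeUtc
        }
    }

    $findings
}

$result = Test-LovsanIndicators
if ($result) { $result | Format-Table -AutoSize -Wrap }
else { 'None of the advisory''s registry or file indicators were found on this host.' }
```

A clean result only means these two indicators are absent; it does not show that the host is patched against the vulnerability the worm exploits.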