Name: Blaster
Also known as: Lovsan, MSBlast, Poza, Welchi, and Nachi
Type: Internet worm
Affects: Microsoft IIS, Windows 2000, Windows NT, and Windows XP
Discovered: August 11, 2003
Description: The Blaster worm and variants exploit a critical RPC/DCOM flaw in Microsoft software affecting Microsoft IIS, Windows 2000, Windows NT, and Windows XP.
Within a week of the initial Blaster worm discovery, several new variants had been released - including MSBlast.D, a.k.a. Welchi or Nachi, which used the same exploit to discover, disinfect, and patch susceptible systems. However, these actions had many unpleasant side affects that made a Welchi infection more undesirable than one from the original Blaster.
Vulnerability details: Details on vulnerability, patch, and workaround
Detailed description:
- Blaster.A Description - The original Blaster worm. File dropped: MSBLAST.EXE
- Blaster.B Description - This is not the variant for which Parson's was arrested. File dropped: PENIS32.EXE
- Blaster.C Description - The variant for which Parson's was arrested. File dropped: TEEKIDS.EXE
- Blaster.D Description - This is the so-called "good" Blaster that allegedly tried to patch infectable systems. In fact, it did nearly as much damage as the original Blaster. Aliases: Welchi, Welchia, Nachi. Files dropped: SVCHOST.EXE, DLLHOST.EXE. Note: These are also the names of perfectly legitimate and necessary system files. Infected files would be found in the Windows\Systems\WINS directory. Valid files are found in Windows\System32\ and Windows\System32\dllcache directories.
- Blaster.E Description - Dropped file: MSPATCH.EXE
- Blaster.F Description - Dropped file: MSLAUGH.EXE
- Blaster.G Description - Dropped file: ENBIEI.EXE
Related info:
- August 29, 2003: Blaster.B/C author arrested - The variant Parson is accused of creating is referred to as Blaster.B by most vendors, Blaster.C by Trend Micro.
- September, 2003: Student implicated in Blaster.F
- September 17, 2003: Parson enters not guilty plea
