Bits & P.C.s: W32.Blaster.Worm

Over the past week, the phrase W32.Blaster.Worm has come to describe one of the worst computer threats to date. If your computer was running Windows NT, 2000, 2003 Server or XP, you stood a good chance of being infected by the worm.

Because of the way the worm was spread, any of the Windows operating systems named could easily be infected over the Internet. It is not necessary for you to actually download anything to have the worm infect your system. By accessing a couple of open “ports” on the computer, the worm can install itself.

To prevent the infection, it is necessary to block these ports through a firewall program or through patches available through Microsoft. If the worm does get installed on your computer, it will download and run a program named MSBLAST.EXE.

The program will attempt to perform a Denial of Service attack (DoS) against the Microsoft Windows update site. What this means is that your computer will attempt to contact this Web site many times per second. With thousands of other infected computers doing exactly the same thing, the Web site becomes overloaded and shuts down. This blocks people who are really trying to access the site from reaching it. This vast amount of Web traffic causes the entire Internet to slow down, disrupting e-commerce and other Web activity.

The following are some of the technical details of what the worm does to your computer when it is executed.

It first creates a Mutex named “BILLY.” If it already exists, the worm will exit. The next thing that it does is to add a value to the system registry that causes the worm to execute when the computer is restarted.

The next step is to calculate IP addresses, that is, the location of the computers on the Internet or your office network. After it has calculated the addresses, it will then attempt to contact these other computers in an effort to infect them also. The worm then sends data to port 135 in an effort to exploit the DCOM RPC vulnerability by causing a hidden process to listen on port 4444. When this occurs, your computer may crash.

It then listens on port 69, and when it receives a request, it will send the MSBLAST.EXE file to the other computer where it gets installed and run, thus infecting that computer.

Once the worm has infected a computer system, it will check the date. If it is after Aug. 15 of this year, it will launch the attack against the Microsoft Web site. This attack will continue until the end of the year.
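
For readers who keep firewall logs, the Python script below is an added example (not part of the original column and not taken from any anti-virus vendor) that looks for the port sequence described above: one machine contacting many others on port 135, then traffic to port 4444, then a file request back to port 69. The log format, the sample lines and the threshold of four machines are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample firewall log (not from a real network).
# Assumed fields: timestamp, source IP, destination IP, protocol, destination port
SAMPLE_LOG = """\
2003-08-12T10:00:01 10.0.0.5 10.0.0.6 TCP 135
2003-08-12T10:00:01 10.0.0.5 10.0.0.7 TCP 135
2003-08-12T10:00:02 10.0.0.5 10.0.0.8 TCP 135
2003-08-12T10:00:02 10.0.0.5 10.0.0.9 TCP 135
2003-08-12T10:00:03 10.0.0.5 10.0.0.7 TCP 4444
2003-08-12T10:00:04 10.0.0.7 10.0.0.5 UDP 69
2003-08-12T10:00:09 10.0.0.30 10.0.0.2 TCP 80
2003-08-12T10:00:10 10.0.0.30 10.0.0.6 TCP 135
this line is malformed
"""

SWEEP_THRESHOLD = 4  # assumed cutoff: distinct machines contacted on TCP 135


def parse(line):
    """Return (src, dst, proto, port), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    return parts[1], parts[2], parts[3].upper(), int(parts[4])


def analyze(log_text, threshold=SWEEP_THRESHOLD):
    """Return (machines sweeping port 135, machines that completed the chain)."""
    swept = defaultdict(set)  # source -> machines it contacted on TCP 135
    shell = set()             # (source, target) with TCP 4444 after a 135 contact
    infected = set()          # targets that then requested a file over UDP 69
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        src, dst, proto, port = rec
        if proto == "TCP" and port == 135:
            swept[src].add(dst)
        elif proto == "TCP" and port == 4444 and dst in swept[src]:
            shell.add((src, dst))
        elif proto == "UDP" and port == 69 and (dst, src) in shell:
            infected.add(src)  # target fetched a file from the sweeping machine
    spreaders = {s for s, hosts in swept.items() if len(hosts) >= threshold}
    return spreaders, infected


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A machine in the first set should be taken off the network and cleaned; a machine in the second set has most likely just received MSBLAST.EXE and needs the same treatment.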

All of the major anti-virus companies have released cleaner programs and instructions on how to remove the infection from your system. Manual removal is quite involved, but the cleaner program makes it fairly simple.

In the past, a firewall program was not usually necessary for Internet users who used a dial-up connection. With this latest attack, it now means that no one is safe without a firewall and an up-to-date anti-virus program.

Richard Heller is an independent computer specialist who specializes in repairs, installation, upgrades, technical support, Internet sharing, data recovery and diagnostics. If you have any computer or service-related questions, please send them to The Rock River Times, e-mail, or call 243-1162.
