Detecting and Disinfecting Lovesan
- What is the difference between Lovesan, Lovsan, Blaster, Msblast and Poza?
- None. These are all aliases for the same malicious program. Experts at Kaspersky Lab named this Win32 worm Lovesan. As of today, there are three modifications of Lovesan, which some antivirus software vendors label 'a', 'b' or 'c'.
- How do I know if my computer is infected?
- You know that your computer is infected when:
- You find the files Msblast.exe, Teekids.exe or Penis32.exe in your Windows system directory (usually in the folder C:\Windows\System32\).
- Your computer unexpectedly starts rebooting every couple of minutes after you have connected to the Internet.
- Numerous problems and failures occur when you use MS Word, Excel or Outlook.
- You get error messages about failures caused by the svchost.exe file.
- You get an error message about RPC Service Failure.
- How can Lovesan damage my computer?
- Lovesan does not damage individual infected computers. The worm neither deletes, changes nor even captures data. Lovesan does, however, interfere with worldwide Internet service because of the volume of excess traffic it produces during replication. As a result, data transmission channels jam and the global Internet slows down or fragments. In addition, Lovesan carries a payload that will activate on August 16, when the worm will launch a DDoS attack on the Windowsupdate.com web-site. As a result, this server, which provides free patches for Windows users, may crash, leaving users without an important resource. In view of this situation, Kaspersky Lab continues to urge all Windows users to download the appropriate patch before 16 August.
- Which versions of Windows does Lovesan attack?
- Lovesan attacks the following versions of Windows NT, 2000 and XP:
- Windows NT 4.0 Server
- Windows NT 4.0 Terminal Server Edition
- Windows 2000
- Windows XP 32 bit Edition
- Windows XP 64 bit Edition
- Windows Server 2003 32 bit Edition
- Windows Server 2003 64 bit Edition
- How can I protect my computer?
- There are several steps you need to take in order to protect your computer:
- Update your anti-virus and keep it enabled whenever you are connected to the Internet.
- Install a firewall and block ports 69, 135 and 4444.
- Download the patch provided by Microsoft to eliminate the DCOM RPC vulnerability used by Lovesan to breach your computer.
- Please note that downloading the Microsoft patch is vital, since this patch protects your computer against all attacks via the DCOM RPC vulnerability.
- What is a firewall and where can I get one?
- A firewall is a special program that protects your computer against hackers by controlling data movement between the Internet and your computer. Firewalls filter malicious packets and prevent unauthorized data and applications from exiting the protected area into the Internet. There are two basic types of firewalls: the first type is for closed or private networks and the second is for workstations. For home users we recommend Kaspersky Anti-Hacker.
- How do I install the Windows patch?
- Microsoft provides the following patches:
- Windows NT 4.0 Server (English, German, French, Spanish)
- Windows NT 4.0 Terminal Server Edition (English, German, French, Spanish)
- Windows 2000 (English, German, French, Spanish)
- Windows XP 32 bit Edition (English, German, French, Spanish)
- Windows XP 64 bit Edition (English, German, French)
- Windows Server 2003 32 bit Edition (English, German, French, Spanish)
- Windows Server 2003 64 bit Edition (English, German, French)
- You will need to download and execute the file provided. A wizard will guide you through the necessary steps.
- I can't download the Microsoft patch because my computer is constantly re-booting.
- If your computer begins re-booting constantly, it is probably infected with Lovesan. In this case you need to find and rename the TFTP.EXE file in the Windows system folder (usually C:\Windows\System32\) and check the DLL cache as well (\Windows\System32\dllcache). You may restore the original TFTP.EXE filename after you download and install the Microsoft patch.
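
An added example, not part of the original FAQ or of any Kaspersky tool: a Python check for the file names listed under "How do I know if my computer is infected?" and for whether TFTP.EXE is still present in System32 and dllcache. The function names and the sample directory are constructed for illustration.

```python
import os
import tempfile

# File names the FAQ lists as signs of infection, and the file it says to rename.
WORM_FILES = {"msblast.exe", "teekids.exe", "penis32.exe"}
TFTP_NAME = "tftp.exe"


def check_system_dir(system32):
    """Return worm files found and the places where TFTP.EXE is still present.

    `system32` is the path of the Windows system directory.
    Names are compared case-insensitively, as Windows does.
    """
    report = {"worm_files": [], "tftp_present": []}
    # The FAQ says to check both the system folder and its dllcache copy.
    for folder in (system32, os.path.join(system32, "dllcache")):
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            path = os.path.join(folder, name)
            if not os.path.isfile(path):
                continue
            lowered = name.lower()
            if folder == system32 and lowered in WORM_FILES:
                report["worm_files"].append(path)
            elif lowered == TFTP_NAME:
                report["tftp_present"].append(path)
    return report


def build_sample_dir():
    """Constructed sample layout: one worm file, TFTP renamed in System32 only."""
    root = tempfile.mkdtemp(prefix="lovesan_demo_")
    system32 = os.path.join(root, "System32")
    os.makedirs(os.path.join(system32, "dllcache"))
    for rel in ("MSBLAST.EXE", "notepad.exe", "tftp.exe.renamed",
                os.path.join("dllcache", "TFTP.EXE")):
        with open(os.path.join(system32, rel), "w") as handle:
            handle.write("placeholder")  # text stand-ins, not real binaries
    return system32


if __name__ == "__main__":
    result = check_system_dir(build_sample_dir())
    print("Worm files found:", result["worm_files"])
    print("TFTP.EXE still in place:", result["tftp_present"])
```

In the constructed sample the dllcache copy of TFTP.EXE is reported because only the System32 copy was renamed, which is the case the answer above asks you to check for.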
- What do I do if my computer is already infected by Lovesan?
- In this case you need to run your anti-virus program. First make sure that your anti-virus database has been updated to include a description of Lovesan. Kaspersky Lab offers a free removal tool to disinfect your computer. This utility locates Lovesan in your system, deactivates it, deletes infected files from both hard drives and network drives, and restores the Windows system directory. Once this program completes the clean-up, you should reboot your computer and launch your anti-virus scanner.
- I used the free Lovesan removal tool, but my computer is infected again.
- The utility disinfects your computer. It does not protect your computer from further attacks. Please see question 5 above, "How can I protect my computer?"
- Detailed description of Lovesan
- Kaspersky® Anti-Hacker (a firewall)
- Recommendations from Microsoft
- CERT Advisories 2003-19 and 2003-20