The Lovesan worm attacks the DCOM RPC vulnerability in Windows
Kaspersky Lab, a leading expert in information security, warns users of a large-scale attack by a new Internet worm. Lovesan has become one of the top three malware programs worldwide in a matter of hours. Lovesan exploits the DCOM RPC vulnerability in Windows, which was identified about a month ago. In theory, Lovesan can infect computers without the user's knowledge and proceed to wreak havoc in their systems. In practice, the worm focuses on infecting new machines.

Lovesan is the second malware program 'in the wild' that exploits this vulnerability. Autorooter, a worm identified only a week ago, was the first contender to utilize this breach. However, since Autorooter did not have a functioning self-replication module, it did not cause any large-scale damage. Last week Kaspersky Lab predicted that virus writers might perceive the potential capabilities of Autorooter and create a fully functional version. Unfortunately, it took only a week for Lovesan to surface.

"Virus writers have focused on the DCOM RPC vulnerability for two reasons: the intense interest evinced by the media in Autorooter and the easy-to-use instructions for building a complete version that are available on many second-rate websites today," comments Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab.

Lovesan scans the Internet searching for vulnerable computers. It checks TCP port 135 and, if the Microsoft patch has not been applied, the worm initiates its attack. The worm proceeds to download the main carrier, Msblast.exe, which is then registered in the Windows system autorun key. Lovesan is potentially dangerous for individual users if their computers have already been breached. Today, however, the danger lies in the massive increase in excess Internet traffic caused by the worm's self-replication rate.

Eugene Kaspersky warns: "The Internet is still in danger. Even though the 1.8-second pause built into Lovesan has prevented a repeat of the Slammer scenario, when the Internet was significantly slowed and even fragmented, Lovesan continues to be a real threat." As a matter of fact, we have not seen the last of Lovesan: the worm has a built-in DDoS attack on the Windowsupdate.com server scheduled for August 16, 2003. The server, which is the definitive source for all Microsoft patches, will be flooded with data from infected computers and may become dysfunctional or even crash.

Kaspersky Lab has already updated all Kaspersky® anti-virus databases. Detailed information about Lovesan is available in the Virus Encyclopedia. Kaspersky Lab recommends:
- downloading the Microsoft patch
- blocking ports 69, 135 and 4444 using a firewall such as Kaspersky® Anti-Hacker.
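The advisory describes the worm's network footprint (probes to TCP port 135, followed by traffic on ports 69 and 4444 to deliver the carrier) and the 1.8-second pause between probes. The script below is an added example, not code from Kaspersky Lab or from the advisory: it runs a defender-side check over connection-log lines to flag hosts that contact many distinct destinations on TCP/135 within a short window, and lists any follow-up connections on UDP/69 or TCP/4444 that a firewall rule for those ports would have blocked. The log format, the sample IP addresses, the timestamps and the thresholds (60-second window, 20 distinct targets) are all constructed for illustration.

```python
"""Flag Lovesan-style TCP/135 scanning and follow-up transfers in a connection log.

Added example for the Kaspersky advisory; the log format below is an assumption:
    <unix_timestamp> <proto> <src_ip> <dst_ip> <dst_port>
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Tuple[float, str, str, str, int]

# Ports named in the advisory: the RPC endpoint mapper the worm probes, and the
# two ports the advisory says to block alongside it.
SCAN_PORT = 135
FOLLOWUP_PORTS = {("udp", 69), ("tcp", 4444)}

# Detection thresholds are assumptions for illustration; tune them per network.
WINDOW_SECONDS = 60.0
DISTINCT_TARGETS = 20


def _build_sample_log() -> str:
    """Constructed sample telemetry (not real capture data)."""
    lines = []
    t = 1060646400.0  # constructed base timestamp
    # Infected host probing 25 distinct targets on tcp/135, one every 1.8 s,
    # mirroring the pause the advisory describes.
    for i in range(25):
        lines.append(f"{t + i * 1.8:.1f} tcp 10.0.0.5 192.0.2.{i + 1} 135")
    # Benign host: a handful of ordinary RPC connections to internal servers.
    for i, dst in enumerate(("10.0.0.20", "10.0.0.21", "10.0.0.22")):
        lines.append(f"{t + i * 10:.1f} tcp 10.0.0.9 {dst} 135")
    # Follow-up traffic after a successful probe: tcp/4444 from the infected
    # host, then the target fetching the carrier over udp/69 (TFTP).
    lines.append(f"{t + 50:.1f} tcp 10.0.0.5 192.0.2.7 4444")
    lines.append(f"{t + 51:.1f} udp 192.0.2.7 10.0.0.5 69")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_log(text: str) -> List[Event]:
    """Parse log lines into (timestamp, proto, src, dst, port) tuples, skipping malformed ones."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            events.append((float(parts[0]), parts[1].lower(), parts[2], parts[3], int(parts[4])))
        except ValueError:
            continue
    return events


def find_scanners(events: List[Event], window: float = WINDOW_SECONDS,
                  threshold: int = DISTINCT_TARGETS) -> Dict[str, int]:
    """Return {src_ip: max distinct tcp/135 targets seen in any `window`-second span}
    for sources that reach `threshold` distinct targets.

    Counting distinct destinations rather than packets per second is what makes
    a slow scan (one probe every 1.8 s) stand out from normal RPC use.
    """
    probes: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for ts, proto, src, dst, port in events:
        if proto == "tcp" and port == SCAN_PORT:
            probes[src].append((ts, dst))
    scanners: Dict[str, int] = {}
    for src, items in probes.items():
        items.sort()
        best = 0
        for i, (start, _) in enumerate(items):
            targets = {dst for ts, dst in items[i:] if ts < start + window}
            best = max(best, len(targets))
        if best >= threshold:
            scanners[src] = best
    return scanners


def find_followups(events: List[Event]) -> List[Event]:
    """Return connections on the carrier-delivery ports (udp/69, tcp/4444), oldest first."""
    hits = [e for e in events if (e[1], e[4]) in FOLLOWUP_PORTS]
    return sorted(hits, key=lambda e: e[0])


def analyze(text: str) -> Dict[str, object]:
    """Run both checks over a log and return the findings."""
    events = parse_log(text)
    return {"scanners": find_scanners(events), "followups": find_followups(events)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, n in report["scanners"].items():
        print(f"scanner {src}: {n} distinct tcp/135 targets within {WINDOW_SECONDS:.0f}s")
    for ts, proto, src, dst, port in report["followups"]:
        print(f"follow-up {proto}/{port} {src} -> {dst} at {ts:.1f}")
```

The scan check counts distinct destinations inside a sliding window instead of raw packet rate, because the 1.8-second pause keeps the per-host rate low enough that a packets-per-second threshold would miss it, while a host touching twenty different addresses on port 135 in a minute is still unusual for ordinary RPC traffic. The follow-up list gives the same hosts a firewall rule on ports 69 and 4444 would have stopped, which is a quick way to confirm the advisory's blocking recommendation is in place.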