The emergence of Lovesan has brought huge impact to the interconnect, which can initiate attacks and spread rapidly, and have caused some system crashes.
Worm.win32.lovesan is written in C language, using LCC compiles, is a Windows PE executable file, a size of approximately 6KB (with UPX compression tool, 11KB after decompression). In the infected system, Lovesan downloads and runs named Blast.exe file, which is the following text: "i Just Want to Say Love You San !! Billy Gates Why Do You make this Possible? Stop Making Money And fix Your Software "(I just want to say love you San !! Bill Gates, why do you have to make this attack? Don't make more money, fix your software.) After infecting the virus System phenomenon:
l There is a MSBLAST.EXE file in the Windows System32 folder.
l Tip error message: RPC service failed. This causes the system to restart.
Viral communication mechanism:
LOVESAN will register the following key values in the system registry: hkey_local_machine / currentversion / runwindows auto update = "msblast.exe"
The worm then starts scanning the IP address in the network, randomly selects 20 IP addresses to connect, and infects the computer with this vulnerability, and then scans the additional 20 IP addresses after intermittent 1.8 seconds.
Worm.win32.lovesan one of the following methods Scan IP address:
1. In the case of 60%, LOVESAN randomly selects the basic IP address (A.b.c.d), where A, B, C are random values between 0-255, and the D value is zero.
2. In the rest, Lovesan scans the subnet and obtains the IP address of the local pending machine. Remove the values of A and B from these IP addresses and set the D value of 0, and the virus obtains the value of C in the following manner:
If the C value is less than or equal to 20, the LOVESAN does not make changes. That is, if the local IP address is 207.46.14.1, the worm will be scanned from 207.46.14.0.
If the C value is greater than 20, the LOVESAN will select a random value between C and C minus 19. That is, if the IP address of the dyed machine is 207.46.134.191, the worm will be scanned between 207.46. {115-134} .0.
Worm.win32.lovesan will send buffers to the victim overflow request through the TCP 135 port, and then turn on the TCP 4444 port on the just infected computer to start the remote shell.
LOVESAN runs a thread to the connection to the 4444 port, waiting for the "GET" request from the victim to send FTP. The LoveSan is then forced to send the "FTP Get" request to run worms from the dyed computer. In this way, the victim machine is also infected.
Once the computer is infected with the Lovesan, the system will send an error message that the RPC service failed and may restart the computer.
On August 16, 2003, Lovesan would initiate a distributed denial of service (DDoS) attack on Microsoft's Windowsupdate.com.
Manual cleaning method:
1. Disconnect the network connection;
2. Terminate the msblast.exe process of the worm: For Windows 95/98 / ME system, press Ctrl Alt Delete; for Windows NT / 2000 / XP system, press CTRL SHIFT ESC to select Process Tabs; 3. In the list of running programs, look up the MSBLast.exe process and terminate this process;
4. Click "Start" "Run", enter the regedit, click the "Confirm" button to open the Registry Manager window;
5. Expand the following items of the registry:
HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows> CurrentVersion> Run
6. Remove the key value in the list on the right side of the window: Windows Auto Update = MSBLAST.EXE
Virus Prevention: If you can't install system patches,
The ports 69, 135, 4444: port 135 are prohibited in the firewall to initiate an RPC connection with the remote computer. It is forbidden port 135 in the firewall to prevent some people from attempting to use this vulnerability to attack the system behind the firewall.
Internet Connection Firewall: If you use Internet Connection Firewall feature in Windows XP or Windows Server 2003 to help protect your Internet connection by default, it will disable inbound RPC communication from Internet.
Disabling DCOM on all unmatted patch: When the computer belongs to a part of a network, the DCOM network protocol allows the COM object on the computer to communicate with COM objects on other computers. You can disable DCOM for specific computers to help prevent others to use this vulnerability attack, but this will cause objects on the computer to communicate with objects on other computers. If DCOM is disabled on a remote computer, you cannot remotely access the computer to re-enable DCOM.
