LovSan Clone Let Loose
JMullins writes "According to Kaspersky Labs the LovSan virus has been re-released in a new form that has changed the appearance of the worm. It looks like the outbreak continues to get worse and worse, with no real end in sight until people can patch their systems. Net slowdowns are expected over the weekend when both versions of the virus start their attack."
Already slow as hell, so just in case... (Score:3, Informative)
Kaspersky Labs' experts anticipate that in the short run a repeated outbreak of the global scale may occur. This is because the two versions of "Lovesan" exploit the same vulnerability in Windows and may co-exist on the same computer. "In other words, all computers infected by the original "Lovesan" will soon be attacked by its revamped version," commented Eugene Kaspersky, Head of Anti-Virus Research for Kaspersky Labs, "Taking into consideration that the amount of infected systems is now reaching 300,000 the return of the worm will imply a doubling of this number and lead to unpredictable results." In the worst case scenario the world community might face a global Internet slow-down and regional disruption of access to the World Wide Web: just as it happened in January 2003 due to the "Slammer" worm.
Technologically, the new modification of "Lovesan" is a copycat of the original. Slight changes were made only to the appearance of the worm: a new name of the main worm-carrier file (TEEKIDS.EXE instead of MSBLAST.EXE), a different method of code compression (FSG instead of UPX), and new "copyright" strings in the body of the worm abusing Microsoft and anti-virus developers.
Users of Kaspersky(R) Anti-Virus can be sure that this new worm will not harm their computers. All Kaspersky Labs products effectively detect both modifications of "Lovesan", without requiring an update.
Blaster.B and Blaster.C (Score:5, Informative)
B:
C:
The new C means that the scan that we use to get the original out of the registry has to be modified so we can find this C variant.
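An added example of the kind of registry check the comment above describes, written for this page rather than taken from the poster or any vendor tool. It flags autostart values whose launched executable is one of the two carrier file names the article mentions (MSBLAST.EXE for the original, TEEKIDS.EXE for the new variant). The HKLM Run key is an assumed autostart location, since the page does not name which key the poster scans; the sample entries are constructed, and on a non-Windows host the script falls back to them instead of reading the live registry.

```python
import sys

# Worm-carrier file names named on this page (original and the TEEKIDS variant).
KNOWN_CARRIERS = {"msblast.exe", "teekids.exe"}

def executable_basename(command):
    """Return the lower-cased file name of the program an autorun value launches.
    Handles a quoted path, trailing arguments, and either slash style."""
    command = command.strip()
    if not command:
        return ""
    if command[0] == '"':
        end = command.find('"', 1)
        program = command[1:end] if end > 0 else command[1:]
    else:
        program = command.split()[0]
    return program.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def flag_autorun_entries(entries):
    """entries: iterable of (value_name, command) pairs. Returns the ones that
    launch a known carrier file, regardless of directory, quoting or arguments."""
    return [(name, cmd) for name, cmd in entries
            if executable_basename(cmd) in KNOWN_CARRIERS]

def read_run_key_entries():
    """Live reader for the HKLM Run key (assumed autostart location; Windows only)."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    out = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values
            out.append((name, str(value)))
            i += 1
    return out

# Constructed sample of Run-key values (not taken from any real machine).
SAMPLE_ENTRIES = [
    ("update service", "msblast.exe"),
    ("inet helper", "C:\\WINDOWS\\system32\\teekids.exe /quiet"),
    ("ctfmon.exe", "C:\\WINDOWS\\system32\\ctfmon.exe"),
    ("Updater", '"C:\\Program Files\\Vendor\\update.exe" -background'),
]

if __name__ == "__main__":
    entries = read_run_key_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for name, cmd in flag_autorun_entries(entries):
        print("suspicious autorun value %r -> %s" % (name, cmd))
```

Matching on the launched file name rather than the value name is deliberate: the value name is the easiest thing for a variant to change, while the carrier file name is what the article says distinguishes the two versions.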
MS Releases Network Scanning Tool (Score:5, Informative)
Download [microsoft.com]
Network admins have fun.
Re:MS Releases Network Scanning Tool (Score:1, Informative)
Re:Phew (Score:3, Informative)
Aside from a few stability issues that took them bloody forever to work out on 2K (BSODs once a week for a few months on my box as a result) - it's been a great product for years. I've gotten to laugh at the people using McAfee's and Norton's several times and say 'I told you so' when they got hit.
Unfortunately - I think they have the price for the personal edition set too high, and can't market in the U.S. for shit.
Re:who came up with "lovesan"? (Score:2, Informative)
Re:Ugh, lazy patchings (Score:5, Informative)
Your network is misconfigured. 239.255.0.0/16 is a local scope multicast address (RFC 2365). The message sent is to let other UPnP devices know your computer is there.
Re:It's a little fishy (Score:5, Informative)
http://www.f-secure.com/v-descs/msblast.shtml
http://securityresponse.symantec.com/
http://us.mcafee.com/virusInfo/default.asp
Re: Cloning.. (Score:5, Informative)
Basically, the concept is that an encryptor is built up in memory randomly, while the inverted code (e.g. add vs. sub, rol vs. ror) is built up in reverse. The virus is encrypted with the encryptor, and the decryptor is prepended.
There were a ton of them in the early '90s. There are polymorphic Word viruses that use different techniques - running their script through a randomizer for variable names and such. Some viruses have also mutated their own opcodes as you suggest, although it's less common - but it's been done.
Detecting such viruses is challenging, but usually there are static bytes with known (although possibly variable) distances between them. One can also run an interpreter over a file and pseudo-execute it until it can be proven that it is or is not a virus, or just blast any existing crypto around the body and look to see what's there. If the virus just flips between equivalent opcodes, then just scan with a regular expression that includes each equivalent as an alternative. Another method is analysing the opcodes - if an exe's entry point is at the end of the file where you have a 1k decryptor right before 2k of garbage, and all the decryptor's opcodes fall within what one virus can produce, chances are....
There are a lot more complex and hybrid techniques for it -those are just a few that can be described quickly.
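The encryptor/decryptor construction and two of the detection approaches from the comment above, as an added example written for this page (not code from the poster or from any real virus or scanner). It uses a toy two-byte instruction set defined here, not x86: the engine picks random arithmetic operations, encrypts the body with them, and prepends the inverted operations in reverse order as the decryptor, padded with a variable number of NOPs. Detection first applies the "regular expression with every equivalent opcode as an alternative and a fixed byte at a variable distance" heuristic, then pseudo-executes the decryptor and looks for a plaintext signature. The body string and all opcodes are constructed for the example.

```python
import random
import re

# Toy instruction set (constructed, not x86): arithmetic instructions are two
# bytes (opcode, operand) and transform one body byte each; NOP and END are one byte.
XOR, ADD, SUB, ROL, ROR, NOP, END = 0x01, 0x02, 0x03, 0x04, 0x05, 0x90, 0xFF
INVERSE = {XOR: XOR, ADD: SUB, SUB: ADD, ROL: ROR, ROR: ROL}

# Constructed plaintext body; the scanner looks for this once the body is decrypted.
BODY = b"constructed worm body: I am not really a worm, just an example"
SIGNATURE = b"not really a worm"

def apply_op(op, k, b):
    """Apply one toy instruction with operand k to a single byte value b."""
    if op == XOR:
        return b ^ k
    if op == ADD:
        return (b + k) & 0xFF
    if op == SUB:
        return (b - k) & 0xFF
    if op == ROL:
        k %= 8
        return ((b << k) | (b >> (8 - k))) & 0xFF
    if op == ROR:
        k %= 8
        return ((b >> k) | (b << (8 - k))) & 0xFF
    raise ValueError("unknown opcode %#x" % op)

def transform(ops, data):
    """Run a list of (opcode, operand) pairs over every byte of data."""
    out = bytearray()
    for b in data:
        for op, k in ops:
            b = apply_op(op, k, b)
        out.append(b)
    return bytes(out)

def make_variant(body, rng):
    """Build a random encryptor, encrypt the body, and prepend the matching decryptor:
    inverse of each operation, in reverse order, with random NOP junk between them."""
    encryptor = []
    for _ in range(rng.randint(1, 4)):
        op = rng.choice([XOR, ADD, SUB, ROL, ROR])
        k = rng.randint(1, 7) if op in (ROL, ROR) else rng.randint(1, 255)
        encryptor.append((op, k))
    decryptor = [(INVERSE[op], k) for op, k in reversed(encryptor)]
    stub = bytearray()
    for op, k in decryptor:
        stub += bytes([op, k])
        stub += bytes([NOP]) * rng.randint(0, 3)  # variable-length junk
    stub.append(END)
    return bytes(stub) + transform(encryptor, body)

def make_variants(body, seeds):
    """Deterministic batch of variants, one per seed, for testing the scanner."""
    return [make_variant(body, random.Random(s)) for s in seeds]

# Heuristic 1: every opcode the engine can emit as an alternative, any operand byte,
# 0-3 junk bytes between instructions, and END as the fixed byte at a variable offset.
DECRYPTOR_RE = re.compile(rb"\A(?:[\x01-\x05][\x00-\xff]\x90{0,3}){1,4}\xff")

def looks_like_decryptor(sample):
    return DECRYPTOR_RE.match(sample) is not None

def emulate_decrypt(sample):
    """Heuristic 2: pseudo-execute the decryptor stub over the rest of the file and
    return the decrypted body, or None if the stub is not one we understand."""
    ops, i = [], 0
    while i < len(sample):
        op = sample[i]
        if op == END:
            i += 1
            break
        if op == NOP:
            i += 1
            continue
        if op in INVERSE and i + 1 < len(sample):
            ops.append((op, sample[i + 1]))
            i += 2
            continue
        return None  # opcode outside the engine's repertoire
    else:
        return None  # ran off the end without an END marker
    return transform(ops, sample[i:])

def detect(sample, signature=SIGNATURE):
    """Cheap regex gate first, then emulation and a plaintext signature match."""
    if not looks_like_decryptor(sample):
        return False
    body = emulate_decrypt(sample)
    return body is not None and signature in body

if __name__ == "__main__":
    for v in make_variants(BODY, range(3)):
        print(v[:12].hex(), "->", detect(v))
```

The regex alone is only a gate: it accepts anything built from the engine's opcode repertoire, which is exactly the "all the decryptor's opcodes fall within what one virus can produce" heuristic, so false positives are possible on unrelated data that happens to start with those bytes. The emulation step settles it by recovering the body and checking a fixed string that no amount of re-encryption changes.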
Obligatory +5 SCO reference (Score:3, Informative)
Just my opinion. I'm tired of this same "joke" showing up in every article.
Re:And while you all get easy 5, funnies. (Score:2, Informative)
Re:Benevolent Virii (Score:3, Informative)
August 16: The Day Elvis Died (Score:1, Informative)
Of course there are lots of famous events, etc. that have anniversaries every day, so this might be a coincidence. Also, since it's a Saturday, and "everybody's off", that might be why the attack is on the 16th: more people will be surfing, and if infected, send out the virus to more machines, and IT and repair folks will be called in on an off day.
MSBlast attacks Friday MORNING (Score:3, Informative)
Re: Cloning.. (Score:5, Informative)
And, to be fair, US intelligence services occasionally work closely with US corporations (there were some cases related to the airplane industry where the EU was investigating how a US company had found out what some European company was bidding).
Point being that perspective certainly matters, like you say, but also that few government agencies if any are completely above using illegal and/or immoral practices to help "their" companies, anywhere in the world.
Open democracies, and especially a free press, lessen the likelihood of such stunts (by retroactively uncovering them, usually leading to scandals... which act as a deterrent in the long run). Unfortunately those 'antidotes' are being threatened, especially in the US, by the latest legislation (from the "Patriot" act to the DMCA).
Re:Oh, it's not that bad! (Score:3, Informative)
Re:Questions... (Score:1, Informative)
Re:Download of patch still works. (Score:1, Informative)
NT4 Server and Workstation [microsoft.com]
NT4 Terminal Server [microsoft.com]
Windows XP 32bit [microsoft.com]
Windows XP 64bit [microsoft.com]
Windows 2003 32bit [microsoft.com]
Windows 2003 64bit [microsoft.com]
And this line of text because otherwise I would post too few characters per line...
A little late (Score:3, Informative)
Source: http://www.sarc.com