
LovSan Clone Let Loose

JMullins writes "According to Kaspersky Labs the LovSan virus has been re-released in a new form that has changed the appearance of the worm. It looks like the outbreak continues to get worse and worse, with no real end in sight until people can patch their systems. Net slowdowns are expected over the weekend when both versions of the virus start their attack."
  • by Anonymous Coward on Thursday August 14, 2003 @08:20PM (#6701721)
    Kaspersky Labs, a leading expert in information security, has identified a new modification of the notorious Lovesan worm (also known as "Blaster").

    Kaspersky Labs' experts anticipate that in the short run a repeated outbreak on a global scale may occur. This is because the two versions of "Lovesan" exploit the same vulnerability in Windows and may co-exist on the same computer. "In other words, all computers infected by the original "Lovesan" will soon be attacked by its revamped version," commented Eugene Kaspersky, Head of Anti-Virus Research for Kaspersky Labs. "Taking into consideration that the number of infected systems is now reaching 300,000, the return of the worm will imply a doubling of this number and lead to unpredictable results." In the worst-case scenario the world community might face a global Internet slow-down and regional disruption of access to the World Wide Web, just as happened in January 2003 due to the "Slammer" worm.

    Technologically, the new modification of "Lovesan" is a copycat of the original. Slight changes were made only to the appearance of the worm: a new name of the main worm-carrier file (TEEKIDS.EXE instead of MSBLAST.EXE), a different method of code compression (FSG instead of UPX), and new "copyright" strings in the body of the worm abusing Microsoft and anti-virus developers.

    Users of Kaspersky(R) Anti-Virus can be sure that this new worm will not harm their computers. All Kaspersky Labs products effectively detect both modifications of "Lovesan", without requiring an update.
  • by SimplexO ( 537908 ) on Thursday August 14, 2003 @08:30PM (#6701803) Homepage
    This post is about what Symantec [sarc.com] calls W32.Blaster.C.Worm [sarc.com]. Don't forget that there is also a W32.Blaster.B.Worm [sarc.com].

    B:
    Adds the value:
    "windows auto update"="penis32.exe" to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that the worm runs when you start Windows.


    C:
    Adds the value:
    "Microsoft Inet Xp.."="teekids.exe" to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that the worm runs when you start Windows.


    The new C means that the scan that we use to get the original out of the registry has to be modified so we can find this C variant.
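The Run-key triage the comment above describes, as an added example rather than anything posted in the thread: it walks a .reg export of the persistence keys and matches the value names and carrier file names the comments give for the B and C variants (the original's value name is not on this page, so it is matched on msblast.exe alone). The registry text is constructed, and the A/B/C labels follow Symantec's naming as used above.

```python
"""Offline triage of Run-key entries for the Blaster/Lovesan variants named in
this thread. Added example; the .reg text below is constructed, not real data."""
import re

# Indicators taken from the comments above: (Run value name, carrier file name).
# The original worm's carrier is msblast.exe (from the Kaspersky text); its value
# name is not given on this page, so variant A is matched on the file name only.
INDICATORS = {
    "A": {"value": None, "file": "msblast.exe"},
    "B": {"value": "windows auto update", "file": "penis32.exe"},
    "C": {"value": "microsoft inet xp..", "file": "teekids.exe"},
}

# Constructed export in the shape `reg export` produces. Assumption: already decoded
# to str; real exports are UTF-16LE, so open them with encoding="utf-16".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"windows auto update"="penis32.exe"
"Microsoft Inet Xp.."="teekids.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="C:\\WINDOWS\\system32\\msblast.exe"
'''

_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def parse_reg_values(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if key and m:
            yield key, m.group("name"), m.group("data")


def carrier_name(data):
    """Lower-cased file name from a .reg string value (the export doubles backslashes)."""
    return data.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()


def find_blaster(text):
    """Return (variant, key, value_name, data) for every entry matching an indicator."""
    hits = []
    for key, name, data in parse_reg_values(text):
        exe = carrier_name(data)
        for variant, ind in INDICATORS.items():
            name_ok = ind["value"] is None or name.lower() == ind["value"]
            if exe == ind["file"] and name_ok:
                hits.append((variant, key, name, data))
    return hits


if __name__ == "__main__":
    for variant, key, name, data in find_blaster(SAMPLE_REG):
        print(f"Blaster.{variant}: {key}\\{name} = {data}")
```

Matching on the file name as well as the value name is deliberate: the value name is the first thing a copycat changes, the carrier name the second, and a hit on either in a Run, RunOnce or RunServices key is worth a look even if the pair does not line up with a known variant.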
  • by MacrosTheBlack ( 169299 ) on Thursday August 14, 2003 @08:34PM (#6701842)
    Microsoft have released a tool to scan your local network (or the whole net if you really wanted to).
    Download [microsoft.com]
    Network admins have fun.
  • by MacrosTheBlack ( 169299 ) on Thursday August 14, 2003 @08:37PM (#6701860)
    Oops, to clarify, the tool allows scanning for machines with & without the patch. Have fun.
  • Re:Phew (Score:3, Informative)

    by Satan's Librarian ( 581495 ) * <mike@codevis.com> on Thursday August 14, 2003 @08:41PM (#6701891) Homepage
    If past performance is any indication, it's because Kaspersky takes multiple strings from harder to modify areas and also supports wildcards - the guy who started it (Eugene Kaspersky) is a badass at assembler and has generally produced some of the best virus analysis in the industry. I use and recommend F-Secure [datafellows.com], which uses a combination of his engine and Fridrik Skulason's for scanning - that way you get the advantage of having two sets of separately picked virus signatures plus different heuristic scanning methods.

    Aside from a few stability issues that took them bloody forever to work out on 2K (BSODs once a week for a few months on my box as a result), it's been a great product for years. I've gotten to laugh at the people using McAfee's and Norton's several times and say 'I told you so' when they got hit.

    Unfortunately - I think they have the price for the personal edition set too high, and can't market in the U.S. for shit.

  • by MacrosTheBlack ( 169299 ) on Thursday August 14, 2003 @08:49PM (#6701956)
    A text string in the virus says "love you san". There's also one having a go at "billy gates".
  • by wfberg ( 24378 ) on Thursday August 14, 2003 @09:16PM (#6702135)
    Today I noticed that every morning our couple of XP computers at work send out a few UPnP related packets to 239.255.255.250:1900. They're going beyond our LAN and out through our gateway to the internet. It's probably not worth the effort to investigate further and correct, but it bugs me a little.

    Your network is misconfigured. 239.255.0.0/16 is a local scope multicast address (RFC 2365). The message sent is to let other UPnP devices know your computer is there.
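The check behind that reply, as an added example that is not part of the thread: classify each flow's destination by RFC 2365 scope and flag anything site-scoped (or link-local) that showed up on the Internet-facing interface. The flow records and the interface name 'wan0' are constructed for the example.

```python
"""Flag site-scoped multicast (RFC 2365) seen leaving through the gateway.
Added example with constructed flow records; not the poster's data."""
import ipaddress
from collections import namedtuple

# Scopes that must not be forwarded off-site (RFC 2365 administratively scoped
# ranges) plus the link-local block, which must not be forwarded at all.
# Most specific range first so 239.255/16 wins over 239/8.
SCOPES = [
    ("link-local", ipaddress.ip_network("224.0.0.0/24")),
    ("local", ipaddress.ip_network("239.255.0.0/16")),            # IPv4 Local Scope
    ("organization-local", ipaddress.ip_network("239.192.0.0/14")),
    ("administratively-scoped", ipaddress.ip_network("239.0.0.0/8")),
]
SSDP = (ipaddress.ip_address("239.255.255.250"), 1900)  # UPnP discovery (SSDP)

Flow = namedtuple("Flow", "iface src dst dport proto")

# Constructed gateway flow records "iface src dst dport proto"; 'wan0' is the
# assumed name of the Internet-facing interface.
SAMPLE_FLOWS = [
    "wan0 192.168.1.20 239.255.255.250 1900 udp",   # SSDP escaping to the Internet
    "lan0 192.168.1.21 239.255.255.250 1900 udp",   # SSDP on the LAN: normal
    "wan0 192.168.1.20 224.0.0.251 5353 udp",       # mDNS, link-local, must not be routed
    "wan0 192.168.1.22 198.51.100.7 443 tcp",       # ordinary unicast
]


def parse_flow(line):
    iface, src, dst, dport, proto = line.split()
    return Flow(iface, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto)


def scope_of(addr):
    """Most specific scope name for a multicast address, 'global' for other
    multicast, or None if the address is unicast."""
    addr = ipaddress.ip_address(addr)
    for name, net in SCOPES:
        if addr in net:
            return name
    return "global" if addr.is_multicast else None


def leaking_multicast(lines, wan_iface="wan0"):
    """Flows whose destination scope forbids forwarding but that crossed the WAN side."""
    leaks = []
    for f in map(parse_flow, lines):
        scope = scope_of(f.dst)
        if f.iface == wan_iface and scope not in (None, "global"):
            kind = "SSDP" if (f.dst, f.dport) == SSDP else "multicast"
            leaks.append((kind, scope, str(f.src), str(f.dst), f.dport))
    return leaks


if __name__ == "__main__":
    for kind, scope, src, dst, dport in leaking_multicast(SAMPLE_FLOWS):
        print(f"{kind} leak ({scope} scope): {src} -> {dst}:{dport}")
```

The fix is at the gateway rather than on the hosts: 239.0.0.0/8 should be dropped on the egress interface, and a host that does not need UPnP discovery can have the SSDP service turned off, but either way the multicast scope boundary belongs on the router.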
  • by heli0 ( 659560 ) on Thursday August 14, 2003 @09:16PM (#6702138)
    The same warning about the new clone has been released by dozens of other groups including...

    http://www.f-secure.com/v-descs/msblast.shtml

    http://securityresponse.symantec.com/

    http://us.mcafee.com/virusInfo/default.asp

  • Re: Cloning.. (Score:5, Informative)

    by Satan's Librarian ( 581495 ) * <mike@codevis.com> on Thursday August 14, 2003 @09:42PM (#6702290) Homepage
    Uhm - they've been doing that for years. Early types were called polymorphism, an idea pioneered by the 'Dark Avenger'. Search for "MtE Dark Avenger" on the net. Old stuff.

    Basically, the concept is that an encryptor is built up in memory randomly, while the inverted code (e.g. add vs. sub, rol vs. ror) is built up in reverse. The virus is encrypted with the encryptor, and the decryptor is prepended.

    There were a ton of them in the early 90's. There are polymorphic Word viruses that use different techniques - running their script through a randomizer for variable names and such. Some viruses have also mutated their own opcodes as you suggest, although it's less common - but it's been done.

    Detecting such viruses is challenging, but usually there are static bytes with known (although possibly variable) distances between them. One can also run an interpreter over a file and pseudo-execute it until it can be proven that it is or is not a virus, or just blast any existing crypto around the body and look to see what's there. If the virus just flips between equivalent opcodes, then just scan with a regular expression that includes each equivalent as an alternative. Another method is analysing the opcodes - if an exe's entry point is at the end of the file where you have a 1k decryptor right before 2k of garbage, and all the decryptor's opcodes fall within what one virus can produce, chances are....

    There are a lot more complex and hybrid techniques for it; those are just a few that can be described quickly.
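Two of the detection methods in the comment above, worked as an added example that is not from the thread or from any real scanner: a signature with variable-distance gaps and opcode alternatives (compiled to a bytes regex), and the "decryptor followed by garbage" heuristic measured as byte entropy after the match. The decryptor loop, the junk-insertion engine and the samples are constructed toys, not an MtE or Blaster signature.

```python
"""Signature matching that tolerates junk insertion and opcode substitution,
plus the 'decryptor followed by garbage' heuristic. Added example; the decryptor
loop and samples are constructed toys, not a real MtE or Blaster signature."""
import math
import random
import re


class Gap:
    """A run of lo..hi arbitrary bytes (junk the engine inserts between instructions)."""
    def __init__(self, lo, hi):
        self.lo, self.hi = lo, hi


class Alt:
    """One of several byte sequences the engine emits at this slot (e.g. add/sub/xor)."""
    def __init__(self, *choices):
        self.choices = choices


def compile_sig(parts):
    """Translate a signature description into a bytes regex; each Alt becomes a group."""
    out = []
    for p in parts:
        if isinstance(p, bytes):
            out.append(re.escape(p))
        elif isinstance(p, Gap):
            out.append(b".{%d,%d}" % (p.lo, p.hi))
        elif isinstance(p, Alt):
            out.append(b"(" + b"|".join(re.escape(c) for c in p.choices) + b")")
        elif p is None:
            out.append(b".")          # single wildcard byte (here: the per-sample key)
        else:
            raise TypeError(p)
    return re.compile(b"".join(out), re.DOTALL)  # DOTALL so '.' also matches 0x0A


# Toy single-byte decryptor loop: lodsb; {xor|add|sub} al, KEY; stosb; loop.
# Real engines vary registers, direction and key schedule far more than this.
DECRYPT_LOOP = compile_sig([
    b"\xAC",                          # lodsb
    Gap(0, 4),
    Alt(b"\x34", b"\x04", b"\x2C"),   # xor al,imm8 / add al,imm8 / sub al,imm8
    None,                             # KEY byte, different in every sample
    Gap(0, 4),
    b"\xAA",                          # stosb
    Gap(0, 4),
    b"\xE2",                          # loop rel8
])


def entropy(data):
    """Shannon entropy in bits per byte: near 8 for encrypted/random data, 4-5 for code or text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan(buf, entry_point, high_entropy=7.0):
    """Look for the decryptor at or after the entry point; classify by what follows it."""
    m = DECRYPT_LOOP.search(buf, entry_point)
    if not m:
        return None
    tail = buf[m.end():]
    return {
        "decryptor_at": m.start(),
        "op": m.group(1),                           # which substitution the engine picked
        "tail_entropy": round(entropy(tail), 2),
        "verdict": entropy(tail) >= high_entropy,   # decryptor + garbage: likely encrypted body
    }


# --- constructed samples ----------------------------------------------------
JUNK = [b"\x90", b"\xF8", b"\xF9", b"\xFC"]     # nop, clc, stc, cld: harmless fillers


def make_sample(op, key, rng):
    """256 bytes of padding, a mutated decryptor, then 512 pseudo-random 'encrypted' bytes."""
    def junk():
        return b"".join(rng.choice(JUNK) for _ in range(rng.randint(0, 3)))
    decryptor = b"\xAC" + junk() + op + bytes([key]) + junk() + b"\xAA" + junk() + b"\xE2\xF0"
    body = bytes(rng.getrandbits(8) for _ in range(512))
    return b"\x00" * 256 + decryptor + body


def scan_all():
    rng = random.Random(7)   # fixed seed so the samples are reproducible
    samples = {
        "variant_xor": make_sample(b"\x34", 0x5A, rng),
        "variant_add": make_sample(b"\x04", 0x13, rng),
        # same loop but a plain-text body: the signature fires, the heuristic does not
        "low_entropy": b"\x00" * 256 + b"\xAC\x2C\x5A\xAA\xE2\xF0" + b"MZ this is just text " * 24,
        "no_decryptor": b"\x90" * 300 + bytes(range(256)) * 2,
    }
    return {name: scan(buf, entry_point=256) for name, buf in samples.items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(name, result)
```

The regex form is the cheap path; it only works while the engine's choices stay within the alternatives you listed, which is why the comment's other option (pseudo-executing the decryptor until the body is in the clear) is what engines fall back to for anything that also reorders or re-encodes instructions.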

  • by Overly Critical Guy ( 663429 ) on Thursday August 14, 2003 @09:46PM (#6702310)
    It's getting a little too easy to randomly reference SCO in some way for a +5 Funny.

    Just my opinion. I'm tired of this same "joke" showing up in every article.
  • by platipusrc ( 595850 ) <erchambers@gmail.com> on Thursday August 14, 2003 @10:13PM (#6702517) Homepage
    It is very easy to configure OpenSSH to not allow remote root login. 'PermitRootLogin no'. Newer versions of OpenSSH have that as a default, so you would have to actively allow root logon.
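A check for what sshd will actually do with PermitRootLogin, added here as an example and not something the poster provided: OpenSSH uses the first value it reads for a keyword, so a "no" appended by a hardening script below an earlier "yes" changes nothing, and the values other than "no" still admit root. The config text is constructed, and the built-in default assumed is prohibit-password (OpenSSH 7.0 and later), which blocks password logins for root but not key-based ones.

```python
"""Report the PermitRootLogin value sshd will actually use. Added example; the
config text is constructed. OpenSSH uses the first value it reads for a keyword."""
import re

# Assumption: an OpenSSH 7.0+ server, whose built-in default is prohibit-password
# (root may still log in with a key, just not with a password).
DEFAULTS = {"permitrootlogin": "prohibit-password"}

SAMPLE_SSHD_CONFIG = """\
# constructed /etc/ssh/sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no        # added later by a hardening script; never takes effect
Match Address 10.0.0.0/8
    PermitRootLogin no    # conditional: only applies inside the Match block
"""


def effective_value(config_text, keyword):
    """Value from the global section that sshd will use for `keyword` (first match wins)."""
    keyword = keyword.lower()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()                  # drop comments
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # "Key val" or "Key=val"
        if parts[0].lower() == "match":
            break                                             # rest of file is conditional
        if len(parts) == 2 and parts[0].lower() == keyword:
            return parts[1].strip()
    return DEFAULTS.get(keyword)


def root_login_allowed(config_text):
    """True unless PermitRootLogin is 'no'; prohibit-password still admits key logins."""
    return effective_value(config_text, "PermitRootLogin").lower() != "no"


if __name__ == "__main__":
    print("PermitRootLogin ->", effective_value(SAMPLE_SSHD_CONFIG, "PermitRootLogin"))
    print("root can log in:", root_login_allowed(SAMPLE_SSHD_CONFIG))
```

This reads only the global section and ignores Include directives (OpenSSH 8.2 and later); on the host itself, `sshd -T` prints the fully resolved configuration and is the authoritative check.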
  • Re:Benevolent Virii (Score:3, Informative)

    by Trogre ( 513942 ) on Thursday August 14, 2003 @10:14PM (#6702525) Homepage
    "Virii" isn't a real word [reference.com].

  • by Anonymous Coward on Thursday August 14, 2003 @10:44PM (#6702686)
    Strange that these virus/worms, etc. are set to attack the Microsoft website on August 16, the day Elvis Presley [k12.ms.us] died.

    Of course there are lots of famous events, etc. that have anniversaries every day, so this might be a coincidence. Also, since it's a Saturday and "everybody's off", that might be why the attack is on the 16th: more people will be surfing and, if infected, send out the virus to more machines, and IT and repair folks will be called in on an off day.

  • by seattlenerd ( 688404 ) on Thursday August 14, 2003 @11:10PM (#6702805) Homepage
    Just in case others got misled by the general press reports: The MSBlast (and its two known variants) worm attack against WindowsUpdate.com will really start at 4 a.m. Pacific Friday (Redmond time). As noted in this News.com piece [news.com] the widely-reported "midnight" is really "when a PC clock shows midnight" -- whenever Friday becomes Saturday, starting across the International Date Line [timeanddate.com] in Anadyr, Russia. Set your TiVos accordingly, assuming you have power.
  • Re: Cloning.. (Score:5, Informative)

    by Doomdark ( 136619 ) on Thursday August 14, 2003 @11:30PM (#6702899) Homepage Journal
    The French intelligence services work very closely with French businesses.

    And, to be fair, US intelligence services occasionally work closely with US corporations (there were some cases related to the airplane industry where the EU was investigating how a US company had found out what some European company was bidding).

    Point being that perspective certainly matters, like you say, but also that few government agencies, if any, are completely above using illegal and/or immoral practices to help "their" companies, anywhere in the world.

    Open democracies, and especially a free press, lessen the likelihood of such stunts (by retroactively uncovering them, usually leading to scandals, which act as a deterrent in the long run). Unfortunately those 'antidotes' are being threatened, especially in the US, by the latest legislation (from the "Patriot" act to the DMCA).

  • by abcxyz ( 142455 ) * on Thursday August 14, 2003 @11:30PM (#6702900) Homepage
    Actually the DDOS attempt should have been to windowsupdate.microsoft.com. Windowsupdate.com is not the correct alias and currently does a redirect to the correct website. I suspect they will make sure that the DNS settings are modified so that any hits from the worm don't impact their website.
  • Re:Questions... (Score:1, Informative)

    by Anonymous Coward on Thursday August 14, 2003 @11:37PM (#6702935)
    A lot of things in windows use RPC.
  • by Anonymous Coward on Friday August 15, 2003 @04:19AM (#6703925)
    For completeness:

    NT4 Server and Workstation [microsoft.com]
    NT4 Terminal Server [microsoft.com]
    Windows XP 32bit [microsoft.com]
    Windows XP 64bit [microsoft.com]
    Windows 2003 32bit [microsoft.com]
    Windows 2003 64bit [microsoft.com]
    And this line of text because otherwise I would post too few characters per line...
  • A little late (Score:3, Informative)

    by einhverfr ( 238914 ) <chris@travers.gmail@com> on Friday August 15, 2003 @09:38AM (#6704947) Homepage Journal
    Symantec lists *three* versions on their web site. One of which has its executable named penis32.exe (the B worm uses penis32.exe and the C worm uses teekids.exe)

    Source: http://www.sarc.com
