Request Services
  Data Systems Services
  About Data Systems
  News & Announcements
 
Virus Alert
Virus Hoaxes
  Quick Links
  Classroom Reservations
  Equipment Reservations
  Software Downloads
 
Data Systems Only! (Password Protected)
  Live Remote Assistance
 


Lovsan.worm aka Blaster Worm

8/12/2003 Lovsan.worm aka Blaster Worm Alert
There is an internet worm that has effected a number of users at the HSC. This exploit is based on a hole discovered in the Microsoft Operating System a number of weeks ago. Anyone who is running autoupdate a few times a week, or who has used Microsoft's Windows Update Website in the past week or two should not be vulnerable to attach. However, since there are others out there who were infected it is impacting network performance.

Tulane Users who do not believe that they have installed this update, please look below to download this patch for your operating systems. Non-Tulane users please use the automatic update feature in your operating system or go to Microsoft's Website for more information on how to get these patches: http://windowsupdate.microsoft.com

How to fix yourself:
1. Download the RPC Overrun patch below for your operating system.

2. Run the RPC Overrun patch you just downloaded, agreeing to all the questions it asks you. Your machine will then reboot once it has finished.

3. Once you have logged back into your computer download Stinger (link is below).

4. Run Stinger, allowing it to completely scan your computer. If you are infected with the virus Stinger should remove it for you.

* If you find yourself still having problems after this, please call the helpdesk.

As always, Tulane University users can call the Help-Desk at 862-8888 for assistance if needed.

RPC Overrun Patch for Windows:
Windows 2000: Click Here
Windows XP: Click Here
Windows NT4.0: Click Here

Download Stinger to Scan for infection AFTER installing the patch:
http://vil.nai.com/vil/stinger

More info on this worm:
http://www.microsoft.com/security/incident/blast.asp

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547

What to look for if you think you are infected with Blaster:
Indications of Infection

- Presence of unusual TFTP* files
- Presence of the file msblast.exe in the WINDOWS SYSTEM32 directory
- Error messages about the RPC service failing (causes system to reboot)
- The worm randomly opens 20 sequential TCP ports for listening. This is a constantly revolving range (ie. 2500-2520, 2501-2521, 2502-2522). The purpose of this action is unknown

Back to the top