The worm 32 virus (W32.Blaster.Worm) has a number of versions and all are hazardous to your computer. In fact, these pesky little viruses may make it difficult to connect to the Internet to download malicious software removal tools. According to Symantec, “Because of the way the worm works, it may be difficult to connect to the Internet to obtain the patch, definitions, or removal tool before the worm shuts down the computer. It has been reported that, for users of Windows XP, activating the Windows XP firewall may allow you to download and install the patch, obtain virus definitions, and run the removal tool. This may also work with other firewalls, although this has not been confirmed.”
In addition to W32.Blaster.Worm, the Worm 32 Virus group includes:
All versions exploit the DCOM RPC vulnerability. Microsoft Security Bulletin MS03-026 (Buffer Overrun In RPC Interface Could Allow Code Execution (823980)) described the severity rating as “critical” for Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, Windows XP, and Windows Server 2003. Microsoft offers the following detailed description of the worm and how it works:
“Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.”
“There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on RPC enabled ports. This interface handles DCOM object activation requests that are sent by client machines to the server. An attacker who successfully exploited this vulnerability would be able to run code with Local System privileges on an affected system. The attacker would be able to take any action on the system, including installing programs, viewing changing or deleting data, or creating new accounts with full privileges.”
“To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on specific RPC ports.”
To get rid of the virus, systems administrators must download the Microsoft patch. You can access the download at http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx. If you are having problems accessing the Internet, Symantec offers the following solution: “users of Windows XP should activate the Windows XP firewall. This may allow you to download and install the patch, obtain virus definitions, and run the removal tool. This may also work with other firewalls, although this has not been confirmed.”
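Whether the firewall workaround above is actually holding can be read from the firewall's own log. The following is an added example, not code from the original article, Symantec or Microsoft: it parses a Windows XP firewall log and counts inbound TCP connection attempts to RPC ports, separating dropped attempts from allowed ones. The port set, the local address and the sample log lines are assumptions constructed for illustration.

```python
from collections import Counter

# Assumption: the page says only "specific RPC ports"; this TCP port set is
# the example's own choice and should be adjusted to the bulletin's guidance.
RPC_TCP_PORTS = {135, 139, 445, 593}

# Constructed sample in the Windows XP firewall log layout (pfirewall.log).
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2003-08-12 09:14:02 DROP TCP 192.0.2.15 198.51.100.7 3021 135 48 S 1 0 16384 - - -
2003-08-12 09:14:05 DROP TCP 192.0.2.15 198.51.100.7 3022 135 48 S 1 0 16384 - - -
2003-08-12 09:14:40 DROP TCP 203.0.113.9 198.51.100.7 4410 445 48 S 1 0 16384 - - -
2003-08-12 09:15:10 OPEN TCP 198.51.100.7 203.0.113.80 1045 80 - - - - - - - -
2003-08-12 09:15:31 OPEN TCP 192.0.2.44 198.51.100.7 2211 135 - - - - - - - -
2003-08-12 09:15:50 DROP UDP 192.0.2.15 198.51.100.7 1030 137 78 - - - - - - -
2003-08-12 09:16
"""

def parse_firewall_log(text):
    """Yield one dict per complete record, named by the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) >= len(fields):  # skip truncated records
                yield dict(zip(fields, parts))

def inbound_rpc_attempts(text, local_ip):
    """Count TCP attempts to RPC ports on local_ip, keyed by (source, action)."""
    hits = Counter()
    for rec in parse_firewall_log(text):
        if rec["protocol"] != "TCP" or rec["dst-ip"] != local_ip:
            continue
        port = rec["dst-port"]
        if port.isdigit() and int(port) in RPC_TCP_PORTS:
            hits[(rec["src-ip"], rec["action"])] += 1
    return hits

def exposed_sources(text, local_ip):
    """Sources whose RPC-port connections were allowed (OPEN), not dropped."""
    hits = inbound_rpc_attempts(text, local_ip)
    return sorted({src for (src, action) in hits if action == "OPEN"})
```

Any address returned by `exposed_sources` reached an RPC port despite the firewall, so that machine should be treated as possibly infected rather than protected.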