View Full Version : RPC?????


Ryan York
December 9th 03, 10:19 AM
The worm has many differing names: MSBLAST (Trend),
BLASTER (Symantec), LOVSAN (McAfee).

When the worm is executed, it scans a random IP range to
look for vulnerable systems on TCP port 135. The worm
attempts to exploit the DCOM RPC vulnerability on the
found systems to create a remote shell on TCP port 4444,
and then pass a TFTP command to download the worm to the
%WinDir%\system32 directory and execute it. The worm
then creates the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"windows auto update" = msblast.exe I just want to
say LOVE YOU SAN!! bill

Alvin A Brown
December 9th 03, 10:19 AM
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

If anyone has a problem keeping their system up long enough to remove the
virus try this first, you may have to be quick!
To end the Trojan process:
1. Press Ctrl+Alt+Delete once.
2. Click Task Manager.
3. Click the Processes tab.
4. Double-click the Image Name column header to alphabetically sort the
processes.
5. Scroll down the list and look for msblast.exe.
6. If you find the file, click it, and then click End Process.
7. Exit the Task Manager.

Ryan York wrote:

> The worm has many differing names: MSBLAST (Trend),
> BLASTER (Symantec), LOVSAN (McAfee).
>
> When the worm is executed, it scans a random IP range to
> look for vulnerable systems on TCP port 135. The worm
> attempts to exploit the DCOM RPC vulnerability on the
> found systems to create a remote shell on TCP port 4444,
> and then pass a TFTP command to download the worm to the
> %WinDir%\system32 directory and execute it. The worm
> then creates the registry key:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> "windows auto update" = msblast.exe I just want to
> say LOVE YOU SAN!! bill
> say LOVE YOU SAN!! bill
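
The network sequence described in the thread (a scan of TCP port 135, a remote shell on TCP port 4444, then a TFTP download by the target) can be matched in connection logs. The script below is an added example, not part of the original posts: the log format, addresses and scan threshold are constructed, and UDP port 69 for TFTP is the protocol's standard port rather than something stated in the thread.

```python
from collections import defaultdict

# Constructed sample records: time, source, destination, protocol, destination port.
SAMPLE_FLOWS = """\
10:00:01 10.0.0.5 10.0.1.1 tcp 135
10:00:01 10.0.0.5 10.0.1.2 tcp 135
10:00:02 10.0.0.5 10.0.1.3 tcp 135
10:00:02 10.0.0.5 10.0.1.4 tcp 135
10:00:03 10.0.0.5 10.0.1.3 tcp 4444
10:00:04 10.0.1.3 10.0.0.5 udp 69
10:00:05 10.0.0.9 10.0.1.1 tcp 135
10:00:06 10.0.0.9 10.0.1.1 tcp 445
this line is malformed
"""

SCAN_THRESHOLD = 4  # assumed: distinct TCP/135 targets before a source counts as scanning


def parse_flows(text):
    """Parse whitespace-separated flow lines, skipping malformed ones."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        ts, src, dst, proto, port = parts
        flows.append((ts, src, dst, proto.lower(), int(port)))
    return flows


def find_blaster_activity(flows, scan_threshold=SCAN_THRESHOLD):
    """Correlate the 135 -> 4444 -> TFTP sequence; flows must be in time order."""
    rpc_targets = defaultdict(set)  # source -> hosts it probed on TCP/135
    shells = set()                  # (scanner, target) pairs with a TCP/4444 follow-up
    infected = set()                # targets that then fetched over TFTP from the scanner
    for _ts, src, dst, proto, port in flows:
        if proto == "tcp" and port == 135:
            rpc_targets[src].add(dst)
        elif proto == "tcp" and port == 4444 and dst in rpc_targets.get(src, ()):
            shells.add((src, dst))
        elif proto == "udp" and port == 69 and (dst, src) in shells:
            infected.add(src)  # the target pulls the binary back from the scanner
    scanners = {s for s, t in rpc_targets.items() if len(t) >= scan_threshold}
    return {"scanners": sorted(scanners),
            "shell_sessions": sorted(shells),
            "likely_infected": sorted(infected)}


if __name__ == "__main__":
    print(find_blaster_activity(parse_flows(SAMPLE_FLOWS)))
```
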
