Blaster, also known as LovSan, began spreading early Monday afternoon Eastern time and quickly gained momentum. The worm exploits the RPC DCOM (Distributed Component Object Model) vulnerability in all of the current versions of Windows, except ME. The worm scans the Internet and attempts to connect to TCP port 135. After establishing a connection, Blaster spawns a remote shell on port 4444 and then uses TFTP (Trivial File Transfer Protocol) to download the actual binary containing the worm. The worm is self-extracting and immediately begins scanning for other machines to infect.
For users who cannot free up enough bandwidth to download the patch from Microsoft Corp., CERT recommends an alternative remedy. Users should physically disconnect the infected machine from the Internet or network. Then, kill the running copy of "msblast.exe" in the Task Manager utility. Users should then disable DCOM and reconnect to the Internet and download the patch.
For users who cannot free up enough bandwidth to download the patch from Microsoft Corp., CERT recommends an alternative remedy. Users should physically disconnect the infected machine from the Internet or network. Then, kill the running copy of "msblast.exe" in the Task Manager utility. Users should then disable DCOM and reconnect to the Internet and download the patch.