Alias: W32/Blaster-C, Win32.Poza.B
Type: Worm
Size: 5,360 bytes (TEEKIDS.EXE)
Origin: unknown
Date: 08-13-2003
Damage: DDoS attack
VDF Version: 6.21.0.14
Danger: Medium
Distribution: High

General Description
Worm/Lovsan.B exploits the RPC DCOM buffer overflow (the vulnerability fixed by Microsoft bulletin MS03-026). This security hole gives it complete control over unpatched Windows NT/2000/XP systems. The worm scans for potentially vulnerable IP addresses and transfers its files to other systems on the local network or the Internet via TCP port 135. From the 16th day of each month until the end of the month, and on every day from September through December, the worm starts a DDoS attack (a SYN flood) against the windowsupdate.com website.

Symptoms
A file named TEEKIDS.EXE appears in the Windows System32 directory. On Windows XP a failed or successful exploit attempt frequently crashes the RPC service, after which the system shows an "NT AUTHORITY\SYSTEM" shutdown dialog with a 60-second countdown and reboots.

Distribution
The worm uses the RPC DCOM security hole to get full control over the Windows system. It spreads over the local network and the Internet.

Technical Details
The worm tries to make a connection to TCP port 135. It scans the network and, when it finds a vulnerable system, sends the exploit, which opens a command shell listening on TCP port 4444 of the victim. Through this shell the worm instructs the victim to run the Windows TFTP client (tftp.exe, Trivial File Transfer Protocol) and fetch the worm from a TFTP server (UDP port 69) that the attacking host runs itself.

The TFTP client downloads the worm program, and the shell runs it. In most cases Worm/Lovsan.B arrives with the help of a dropper. This dropper, named Index.exe (32,045 bytes), writes the files TEEKIDS.EXE (5,360 bytes) and ROOT32.EXE (19,798 bytes) into the Windows System32 directory (C:\Windows\System32\ or C:\WINNT\System32\).
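The propagation sequence above leaves a recognisable trace in firewall or NetFlow logs: one source walking TCP/135 across consecutive addresses, then TCP/4444 to a host that answered, then that host pulling a file from the source on UDP/69. The following detector, added here as an example and not part of the Avira description, runs that logic over a constructed connection log; the log format, thresholds and the sample addresses are assumptions of the example.

```python
r"""Spot Worm/Lovsan (Blaster)-style propagation in a connection log.

Added example, not part of the Avira description: it flags sources that walk
TCP/135 across consecutive addresses, and attacker/victim pairs where the full
chain is visible: TCP/135 exploit -> TCP/4444 command shell -> victim pulls
the worm from the attacker's TFTP server on UDP/69.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample log, format "timestamp src dst proto dport" (not real traffic).
SAMPLE_LOG = "\n".join(
    # Infected host 10.0.0.5 sweeps 10.0.1.1 .. 10.0.1.12 on TCP/135.
    [f"2003-08-13T10:00:{i:02d} 10.0.0.5 10.0.1.{i} tcp 135" for i in range(1, 13)]
    + [
        # Ordinary DCOM/RPC use and unrelated traffic: must not be flagged.
        "2003-08-13T10:00:05 10.0.0.9 10.0.1.1 tcp 135",
        "2003-08-13T10:00:06 10.0.0.9 10.0.2.50 tcp 445",
        # 10.0.1.7 was vulnerable: shell on TCP/4444, then TFTP pull from the attacker.
        "2003-08-13T10:00:20 10.0.0.5 10.0.1.7 tcp 4444",
        "2003-08-13T10:00:21 10.0.1.7 10.0.0.5 udp 69",
    ]
    # A chatty but non-sequential TCP/135 talker (e.g. a management console).
    + [f"2003-08-13T10:01:{i:02d} 10.0.0.20 {d} tcp 135" for i, d in enumerate(
        ["10.0.3.1", "10.0.5.9", "10.0.2.77", "10.0.8.3", "10.0.4.4",
         "10.0.9.12", "10.0.6.6", "10.0.7.30", "10.0.1.200", "10.0.3.15"])]
)

SCAN_MIN_TARGETS = 10   # distinct TCP/135 targets before a source is considered
SEQUENTIAL_RATIO = 0.8  # share of consecutive targets that differ by exactly +1


def parse_log(text):
    """Parse log lines into (ts, src, dst, proto, dport) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        records.append((ts, src, dst, proto.lower(), int(dport)))
    records.sort()  # ISO-8601 timestamps sort chronologically as strings
    return records


def find_scanners(records, min_targets=SCAN_MIN_TARGETS, seq_ratio=SEQUENTIAL_RATIO):
    """Sources whose TCP/135 targets are mostly consecutive addresses (the worm sweeps +1)."""
    targets = defaultdict(dict)  # src -> insertion-ordered set of dst addresses
    for _ts, src, dst, proto, dport in records:
        if proto == "tcp" and dport == 135:
            targets[src][dst] = None
    scanners = {}
    for src, dsts in targets.items():
        if len(dsts) < max(min_targets, 2):
            continue
        addrs = [int(ip_address(d)) for d in dsts]
        steps = sum(1 for a, b in zip(addrs, addrs[1:]) if b - a == 1)
        ratio = steps / (len(addrs) - 1)
        if ratio >= seq_ratio:
            scanners[src] = {"targets": len(addrs), "sequential_ratio": round(ratio, 2)}
    return scanners


def find_infections(records):
    """(attacker, victim) pairs where exploit, shell and TFTP download all occurred, in order."""
    stage = {}  # (attacker, victim) -> 1 exploit seen, 2 shell seen, 3 download seen
    hits = []
    for ts, src, dst, proto, dport in records:
        if proto == "tcp" and dport == 135:
            stage.setdefault((src, dst), 1)
        elif proto == "tcp" and dport == 4444 and stage.get((src, dst)) == 1:
            stage[(src, dst)] = 2
        elif proto == "udp" and dport == 69 and stage.get((dst, src)) == 2:
            # The TFTP server runs on the attacker, so the victim is the UDP/69 client.
            stage[(dst, src)] = 3
            hits.append({"attacker": dst, "victim": src, "time": ts})
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("sequential TCP/135 scanners:", find_scanners(recs))
    print("completed infections:", find_infections(recs))
```

The sequential-address check is what separates the worm from a management host that legitimately talks to many RPC endpoints: the chatty 10.0.0.20 source in the sample reaches the same number of TCP/135 targets but is not flagged. The full-chain check is stricter and is the one worth paging on, since a completed UDP/69 pull means the victim has already executed the worm.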

In order to be run at the next system start, the worm creates the following registry entries:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Root Account"="teekids.exe"

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Root Account"="Root32.exe"

Note that the RunServices key is only processed by Windows 9x/Me; on the NT-based systems the worm actually targets, it is the Run value that restarts TEEKIDS.EXE at logon.

Manual Removal Instructions - for Windows 2000/XP:
Disconnect the computer from the network first: an unpatched system is reinfected within minutes of being reachable on TCP port 135. To remove the worm by hand, you should be in Safe Mode. Press the F8 key when you start your computer and select the 'Safe Mode' option from the menu that appears; in Safe Mode the worm's processes are not running, so the files can be deleted.

Delete the following files:

* %SystemRoot%\System32\TEEKIDS.EXE
* %SystemRoot%\System32\ROOT32.EXE
* %SystemRoot%\TEMP\LS.EXE

Then start "regedit" and delete the following registry values:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Root Account"="teekids.exe"

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Root Account"="Root32.exe"

Restart your computer. Before reconnecting it to the network, install the Microsoft patch for the RPC DCOM vulnerability (MS03-026, superseded by MS03-039) and enable a firewall that blocks inbound TCP port 135; otherwise the cleaned system is exploited again as soon as it is reachable.
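When the removal steps above have to be verified on many machines, it is faster to export the autorun keys and a System32 listing from each suspect host and triage them offline. The following checker, added here as an example and not Avira's tooling, parses a constructed `reg export` file and a constructed file listing for the indicators given in this description (the value name "Windows Root Account", the file names TEEKIDS.EXE, ROOT32.EXE and LS.EXE, and the stated sizes); the `.reg` parser only handles the string values relevant here, and every sample entry other than the worm's is made up.

```python
r"""Offline triage of a registry export and a file listing for Worm/Lovsan.B traces.

Added example, not Avira's tooling. Indicators (value name, file names, sizes)
are the ones listed in the description above. Collect the inputs on the suspect
machine, e.g. from Safe Mode:
    reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion run.reg
    dir /-C /S %SystemRoot%\System32 > files.txt
reg.exe writes UTF-16 with a BOM, so read run.reg with encoding="utf-16".
"""
import ntpath

WORM_VALUE_NAME = "windows root account"
# Dropped files and the sizes given in the description (None = size not stated).
WORM_FILES = {"teekids.exe": 5360, "root32.exe": 19798, "ls.exe": None}
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}

# Constructed .reg export: one benign entry plus the two worm entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Windows Root Account"="teekids.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Root Account"="Root32.exe"
"""

# Constructed listing as (path, size in bytes); sizes other than the worm's are made up.
SAMPLE_FILES = [
    (r"C:\WINDOWS\System32\kernel32.dll", 983040),
    (r"C:\WINDOWS\System32\TEEKIDS.EXE", 5360),
    (r"C:\WINDOWS\System32\ROOT32.EXE", 19798),
    (r"C:\WINDOWS\TEMP\LS.EXE", 4096),
]


def parse_reg_export(text):
    """Yield (key, value_name, data) from .reg text; REG_SZ data is unescaped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes '"' as '\"' and '\' as '\\'.
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            yield key, name, data


def command_basename(command):
    """Executable name from an autorun command line ('"C:\\a b\\x.exe" /q' -> 'x.exe')."""
    command = command.strip()
    exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
    return ntpath.basename(exe).lower()


def check_reg_export(text):
    """Autorun values that carry the worm's value name or launch one of its files."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in AUTORUN_KEYS:
            continue
        reasons = []
        if name.lower() == WORM_VALUE_NAME:
            reasons.append("value name used by Worm/Lovsan.B")
        if command_basename(data) in WORM_FILES:
            reasons.append("launches dropped file " + command_basename(data))
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


def check_file_listing(entries):
    """Dropped files by name; a size that differs from the description is reported,
    not dismissed, since other variants use the same names with other sizes."""
    findings = []
    for path, size in entries:
        base = ntpath.basename(path).lower()
        if base in WORM_FILES:
            expected = WORM_FILES[base]
            if expected is None or expected == size:
                note = "name matches description"
            else:
                note = f"size {size} differs from {expected} described here"
            findings.append({"path": path, "size": size, "note": note})
    return findings


if __name__ == "__main__":
    for f in check_reg_export(SAMPLE_REG):
        print("registry:", f)
    for f in check_file_listing(SAMPLE_FILES):
        print("file:", f)
```

Matching on both the value name and the launched executable matters: a variant that keeps the "Windows Root Account" name but renames the file, or the reverse, is still caught. The file check deliberately does not treat a size mismatch as a clean result, because a different size with the same name is more likely another variant than a false positive.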
Description inserted by Crony Walker on Tuesday, June 15, 2004
