Worm.Win32.Lovesan.a

Status
Not open for further replies.

saROMan

QA Juggler
OK, for the last few days my AV has been giving me this message: a computer at IP 59.95.0.163 is trying to attack your TCP/IP, attack type Lovesan.
Google told me that it is Worm.Win32.Lovesan.a. Hmm, and the info is:

Lovesan downloads and attempts to run a file named msblast.exe.

The text is as follows:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible? Stop making money and fix your software!!
Symptoms of Infection:

MSBLAST.Exe in the Windows system32 folder.
Error message: RPC service failure. This causes the system to reboot.


How the Worm Spreads

Lovesan registers itself in the autorun key when the system reboots and launches itself every time the computer reboots in the future:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run windows auto update="msblast.exe"

So I searched my PC for any traces, but found none.

Also the fix (the MS patch) that should be at *www.microsoft.com/security/security_bulletins/ms03-026.asp is not working;
it says: sorry, page cannot be found.

So is my PC at risk? Any precautions I should take? Thanks.
 

digen

Youngling
May I ask which anti-virus you're using?
Did you try to cross-check for any symptoms from this page: *www.viruslist.com/en/viruslist.html?id=61577 ?
What does the netstat -ano command at the prompt show you?
 

enoonmai

Cyborg Agent
@saROMan: Yup, please post the info Digen is asking for. Plus, the fix for Windows cannot be found at the link you mentioned; download it from here:

*www.microsoft.com/downloads/detail...6C-C5B6-44AC-9532-3DE40F69C074&displaylang=en
 
OP
saROMan

QA Juggler
OK, the netstat command gave me a big list, which has my IP in it as well. So should I put it here?
 

enoonmai

Cyborg Agent
Do you have any of the symptoms of the Lovesan attack? i.e. do you have an MsBlast.exe on your computer, or does your computer keep restarting with an RPC service failure error? If it doesn't, then you're not infected and it's just your firewall working normally and alerting you to an attack initiated from an infected system.
 

digen

Youngling
@saROMan Yeah, it would be better if you could post the entire contents from the issued command; that should erase any possibility of malicious activity. But make sure you blank out your IP from the list.
 

yehmeriidhain

In the zone
Yes! Post your list. Plus, download the FIX tools from Symantec's website; they are good and effective.

But first of all you need to know which virus you are infected with. Paste your list first. Once you come to know the virus name, go to the mentioned site and download the FIX tool.

That must do it. I think it's just Blaster, or it might just be your firewall also, which is prompting you about the removed attack. :D
 
OP
saROMan

QA Juggler
OK, here you go:

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 924
TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1041 0.0.0.0:0 LISTENING 1180
TCP 0.0.0.0:1110 0.0.0.0:0 LISTENING 1980
TCP 0.0.0.0:1125 0.0.0.0:0 LISTENING 1980
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING 1200
TCP 0.0.0.0:2882 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2928 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2936 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2947 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2949 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2950 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2951 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2953 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2955 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2956 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2957 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2958 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2961 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2962 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2963 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2964 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2965 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2968 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2969 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2984 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2985 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2986 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2989 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2991 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2992 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2994 0.0.0.0:0 LISTENING 820
TCP 0.0.0.0:2995 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2996 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2997 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:2998 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:3000 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:3002 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:3003 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:3004 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:3005 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:3006 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:3007 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:3008 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:3009 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:3010 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:3011 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:3012 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:3013 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:3014 0.0.0.0:0 LISTENING 820
TCP 0.0.0.0:3015 0.0.0.0:0 LISTENING 820
TCP 0.0.0.0:3017 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:3018 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:3019 0.0.0.0:0 LISTENING 2496
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING 1200
TCP **.**.*.***:135 59.95.0.163:3557 ESTABLISHED 924
TCP **.**.*.***:2882 213.205.40.153:80 FIN_WAIT_1 2496
TCP **.**.*.***:2928 213.205.40.153:80 FIN_WAIT_2 2496
TCP **.**.*.***:2936 213.205.40.153:80 FIN_WAIT_2 2496
TCP **.**.*.***:2947 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:2949 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:2950 213.205.40.153:80 FIN_WAIT_2 2496
TCP **.**.*.***:2951 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:2953 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:2955 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:2956 213.205.40.153:80 FIN_WAIT_2 2496
TCP **.**.*.***:2957 213.205.40.153:80 FIN_WAIT_2 2496
TCP **.**.*.***:2958 213.205.40.153:80 FIN_WAIT_2 2496
TCP **.**.*.***:2961 213.205.40.153:80 FIN_WAIT_2 2496
TCP **.**.*.***:2962 213.205.40.153:80 FIN_WAIT_2 2496
TCP **.**.*.***:2963 213.205.40.153:80 FIN_WAIT_2 2496
TCP **.**.*.***:2964 213.205.40.153:80 FIN_WAIT_2 2496
TCP **.**.*.***:2965 213.205.40.153:80 FIN_WAIT_1 2496
TCP **.**.*.***:2968 213.205.40.153:80 FIN_WAIT_2 2496
TCP **.**.*.***:2969 213.205.40.153:80 FIN_WAIT_2 2496
TCP **.**.*.***:2982 207.46.156.188:80 TIME_WAIT 0
TCP **.**.*.***:2984 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:2985 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:2986 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:2989 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:2991 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:2992 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:2994 207.46.156.188:80 ESTABLISHED 820
TCP **.**.*.***:2995 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:2996 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:2997 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:2998 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:3000 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:3002 213.205.40.153:80 FIN_WAIT_2 2496
TCP **.**.*.***:3003 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:3004 213.205.40.153:80 FIN_WAIT_2 2496
TCP **.**.*.***:3005 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:3006 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:3007 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:3008 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:3009 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:3010 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:3011 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:3012 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:3013 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:3014 63.218.23.134:80 ESTABLISHED 820
TCP **.**.*.***:3015 207.46.156.188:80 ESTABLISHED 820
TCP **.**.*.***:3017 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:3018 213.205.40.153:80 ESTABLISHED 2496
TCP **.**.*.***:3019 213.205.40.153:80 ESTABLISHED 2496
TCP 127.0.0.1:1041 127.0.0.1:3016 TIME_WAIT 0
TCP 169.254.241.124:139 0.0.0.0:0 LISTENING 4
UDP 0.0.0.0:500 *:* 756
UDP 0.0.0.0:1033 *:* 1172
UDP 0.0.0.0:1050 *:* 1172
UDP 0.0.0.0:1256 *:* 1172
UDP 0.0.0.0:1579 *:* 1172
UDP **.**.*.***:1900 *:* 1200
UDP 127.0.0.1:1049 *:* 1456
UDP 127.0.0.1:1083 *:* 1044
UDP 127.0.0.1:1900 *:* 1200
UDP 169.254.241.124:137 *:* 4
UDP 169.254.241.124:138 *:* 4
UDP 169.254.241.124:1900 *:* 1200

Also checked: no sign of any infection, i.e. no msblast.exe, nor any registry entry. Downloaded the hotfix. :p
 

enoonmai

Cyborg Agent
Nothing really suspicious here. Looks like it was just your firewall warning you of another system trying to infect yours. It probably just blocked the attack and alerted you as to what it did!
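The checks the thread walks through (who holds TCP 135 open and which foreign host has a live connection to it in the netstat output, msblast.exe in system32, and the "windows auto update" Run value from the worm description) as one added Python example; this is not code from the thread or from any AV vendor. The netstat rows in the sample are constructed in the shape of the post above, with the local address masked as the poster did; the registry reader assumes the standard winreg module on Windows and returns nothing elsewhere.

```python
"""Triage helper for the Lovesan/Blaster indicators named in this thread.

Added example, not the thread's or any vendor's code. It parses the text of
`netstat -ano` (Windows layout) and checks host artefacts supplied by the
caller, so it runs offline. Indicators are the ones the thread names:
TCP 135 (the RPC endpoint the worm attacks, MS03-026), msblast.exe in
system32, and the Run value "windows auto update".
"""
import os
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RPC_PORT = 135
WORM_FILE = "msblast.exe"
RUN_VALUE_NAME = "windows auto update"
LOCAL_PREFIXES = ("0.0.0.0", "127.")


@dataclass
class Conn:
    proto: str
    local_addr: str
    local_port: Optional[int]
    remote_addr: str
    remote_port: Optional[int]
    state: str  # "" for UDP rows, which netstat prints without a state
    pid: int


def _split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Conn]:
    """Parse `netstat -ano` output into Conn records; skip header/malformed rows."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue  # malformed row: skip rather than guess
        la, lp = _split_endpoint(local)
        ra, rp = _split_endpoint(remote)
        conns.append(Conn(proto, la, lp, ra, rp, state, int(pid)))
    return conns


def triage_netstat(conns: List[Conn]) -> Dict[str, list]:
    """rpc_listener_pids: processes holding TCP 135 open (normally the RPCSS
    svchost, present on every Windows box, not by itself a sign of infection).
    inbound_rpc_peers: foreign hosts with a live connection to our port 135,
    i.e. the infected machine probing us; whether the probe succeeds depends
    on the MS03-026 patch, not on the connection existing."""
    listeners = sorted({c.pid for c in conns if c.proto == "TCP"
                        and c.local_port == RPC_PORT and c.state == "LISTENING"})
    peers = sorted({c.remote_addr for c in conns if c.proto == "TCP"
                    and c.local_port == RPC_PORT and c.state == "ESTABLISHED"
                    and not c.remote_addr.startswith(LOCAL_PREFIXES)})
    return {"rpc_listener_pids": listeners, "inbound_rpc_peers": peers}


def check_host_artifacts(system32_dir: str, run_values: Dict[str, str]) -> List[str]:
    """Return the infection indicators from the thread that are actually present.
    run_values is HKLM\\...\\CurrentVersion\\Run as a name -> data mapping."""
    findings = []
    if os.path.isfile(os.path.join(system32_dir, WORM_FILE)):
        findings.append(f"{WORM_FILE} present in {system32_dir}")
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME or WORM_FILE in data.lower():
            findings.append(f"Run value {name!r} = {data!r}")
    return findings


def read_run_key_windows() -> Dict[str, str]:
    """Collect HKLM Run values on Windows via winreg; empty dict elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    values, i = {}, 0
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # raised when the value index runs out
                return values
            values[name] = str(data)
            i += 1


# Constructed sample in the shape of the thread's netstat post (local IP masked).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING       1200
  TCP    **.**.*.***:135        59.95.0.163:3557       ESTABLISHED     924
  TCP    **.**.*.***:2947       213.205.40.153:80      ESTABLISHED     2496
  TCP    127.0.0.1:1041         127.0.0.1:3016         TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    756
"""

if __name__ == "__main__":
    result = triage_netstat(parse_netstat(SAMPLE_NETSTAT))
    print("PIDs listening on TCP 135:", result["rpc_listener_pids"])
    print("Foreign hosts connected to TCP 135:", result["inbound_rpc_peers"])
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    print("Host indicators:", check_host_artifacts(system32, read_run_key_windows()) or "none")
```

On the sample, the only notable row is 59.95.0.163 connected to port 135 on PID 924: that is the peer the firewall complained about reaching the RPC service, which is exactly what the thread concludes. Infection is decided by the host artefacts (the file and the Run value), not by that connection, and the MS03-026 patch is what decides whether the probe can succeed.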
 