chevron_left chevron_right
Login Register invert_colors photo_library

Stay updated and chat with others! - Join the Discord!
Thread Rating:
  • 0 Vote(s) - 0 Average

W32.Blaster.Worm (Source Code) filter_list
W32.Blaster.Worm (Source Code) #1
For research purposes only.  Do not attempt to compile and run malicious code unless you know exactly what you are doing.

The Blaster worm, also known as Lovesan or MSBlast, created havoc in late summer of 2003 with widespread Distributed Denial of Service (DDoS) attacks, with damage totaling in the hundreds of millions. It is also notable for two hidden text strings, one that says "I just want to say LOVE YOU SAN!" (from which it receives one of its aliases) and a message to Microsoft CEO Bill Gates. It appeared within less than a month before one of the major variants of the Sobig worm.

The system will receive code that exploits a DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) from the Blaster worm on an already infected computer coming through TCP port 135. There is an 80% chance that the worm will send exploit code specific to Windows XP and 20% that it will be specific to Windows 2000. If the exploit code does not match the system, the RPC subsystem will fail. On Windows XP and Server 2003, this causes a system reboot. In Windows 2000 and NT 4.0, this causes the system to be unresponsive.

After the exploit code is successfully sent to the target machine, the target opens a remote command shell that listens on TCP port 4444. The worm on the infecting computer starts a Trivial File Transfer Protocol (TFTP)server listening on UDP port 69. It sends a command to the target machine over port 4444 to download the worm and run it, then immediately disconnects that port.

On the target computer, the command shell is closed and it issues a TFTP "get" command, which downloads the worm from the infecting machine's system folder through port 69 and runs it. After the worm is downloaded, the worm on the infecting computer will close the TFTP server.

When run, Blaster adds the value "windows auto update = msblast.exe" to the local machine registry key that causes the worm to run when Windows starts (the registry value may also be msblast.exe I just want to say LOVE YOU SAN!! bill). It attempts to create a mutex named BILLY and will abort if it finds one already running, avoiding infection of one computer more than once. It checks the Winsock version, only working on versions 1.0, 1.01, and 2.02. If Blaster finds an active network connection, it will begin looking for new machines to infect. The worm sleeps for 20-second intervals and awakens to look for new machines to infect.

Blaster uses two methods of searching for IP addresses to infect new machines. The first method will occur 40% of the time, using the IP address of the infected machine as its base address. The first two numbers of the address are left the same while the fourth value is set to zero and the worm checks the third. If the third number in the IP address is greater than 20, there is a 40% chance that the worm will subtract a random number that is less than 20 and changes its base address to that number. For example, if the infected computer has an IP address of, the worm may decide to turn it into if it decides to decrease the third number by 19. The worm will then begin to increment the last number to scan the entire subnet. The second method will occur 60% of the time, selecting a completely random base and incrementing the number from there.

The Worm starts a SYN Flood on August 15 against port 80 of, creating a distributed DDoS attack against the site after August 16. It may also perform one from the 15th to the last day of every month from January to August and any day from September to December.

Blaster cannot spread to the Windows NT or Windows Server 2003, unpatched computers running these operating systems may crash as a result of the worm's attempts to exploit them. However, if the worm is manually placed and executed on a computer running these operating systems, it can run and spread.

You can find the source here:
[Image: Y3jduas.png]


RE: W32.Blaster.Worm #2
4444? Isn't that default for MSF?
Scientia potentia est

[Image: inkexplosion.jpg]


RE: W32.Blaster.Worm (Source Code) #3
(02-16-2017, 01:23 AM)DarkMuse Wrote: 4444? Isn't that default for MSF?

That is the default listen port for metasploit framework. It also looks like a number of malware use that port. Interesting.
[Image: Y3jduas.png]

[+] 1 user Likes Skullmeat's post

RE: W32.Blaster.Worm (Source Code) #4
(02-16-2017, 01:27 AM)Skullmeat Wrote:
(02-16-2017, 01:23 AM)DarkMuse Wrote: 4444? Isn't that default for MSF?

That is the default listen port for metasploit framework. It also looks like a number of malware use that port. Interesting.

Oh, idea! Make a dummy program that continually listens on :4444 so any malware that uses it (which is apparently a pretty big chunk) can't connect to its master Tongue


Users browsing this thread: 1 Guest(s)