WIN32/BLASTER: A CASE STUDY FROM MICROSOFT’S PERSPECTIVE

Matthew Braverman
Microsoft Corporation, 1 Microsoft Way, Redmond, WA 98052, USA
Tel +1 425 703 2229 • Email mattbrav@microsoft.com

VIRUS BULLETIN CONFERENCE OCTOBER 2005 ©2005 Virus Bulletin Ltd. No part of this reprint may be reproduced, stored in a retrieval system, or transmitted in any form without the prior written permission of the publishers.

ABSTRACT

On August 11, 2003, the world of mobile malicious code changed with the release of the Blaster worm. Using a vulnerability in the Microsoft Windows 2000 and Windows XP operating systems to infect a computer, the threat replicated to more computer systems than any other malicious software in history.

Since the release of Blaster almost two years ago, Microsoft has invested considerable resources in reducing the number of users infected with this threat, in addition to putting mechanisms in place to help prevent the class of vulnerability that Blaster exploited.

This paper provides deeply quantitative details and statistics that Microsoft has observed regarding the initial and continued effects of the worm on the global computing infrastructure and Internet users worldwide.

INTRODUCTION

The first variant of the Win32/Msblast worm (Win32/Blaster) appeared in the wild on August 11, 2003. Subsequently, several variants of Msblast.A (with minor changes) were released over the course of August and September 2003. Other threats that exploited the same vulnerability appeared following Msblast, including the Nachi/Welchia worm, although Msblast is clearly the most prevalent and prominent of these threats.

To infect a computer, Msblast exploited a security vulnerability in certain versions of the Windows operating system. A bulletin describing and patching this vulnerability, Microsoft Security Bulletin MS03-026 (KB 823980) [1], was released on July 16, 2003, 26 days prior to the appearance of Msblast in the wild. The bulletin described a critical security vulnerability in a Windows Distributed Computing Model (DCOM) Remote Procedure Call (RPC) interface. By default, all versions of Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 were susceptible to this vulnerability [1]. However, it is important to note that only Windows 2000 and Windows XP were susceptible to being infected by Msblast. Infection under Windows Server 2003 could not occur because the vulnerable components were compiled with the /GS flag [2, 3]. MS03-026 was superseded by MS03-039 on September 10, 2003, which included patches for additional vulnerabilities in RPC DCOM, discovered through subsequent, internal code reviews of that component.

To exploit the original vulnerability described in MS03-026, an attacker needed to send a specially formed request to the remote computer on specific RPC ports. Once the vulnerability was exploited, an attacker could run arbitrary code with Local System privileges on an affected computer [1].

After developing information related to the continued prevalence of Msblast in late 2003, Microsoft released the Windows Blaster Worm Removal Tool, also known as BlastCln, on January 13, 2004. The tool, released through Windows Update (WU) and Automatic Updates (AU), identified and cleaned millions of computers infected with Msblast, despite being released over five months after the appearance of the original threat.

About nine months following the release of Msblast, on May 5, 2004, the Sasser worm appeared in the wild. Sasser exploited a vulnerability (MS04-011) with attack vectors similar to MS03-026, meaning it had the potential to spread as widely as Msblast. However, in the time between these two attacks, Microsoft had introduced a series of internal engineering and process improvements that enabled the company to develop and widely distribute a cleaner tool only days after the appearance of this worm. These improvements, combined with other post-Msblast, Microsoft-sponsored security initiatives focused on customer support, product development, and user education, helped to significantly slow the spread and reduce the number of users affected by Sasser.

The regularly updated Windows Malicious Software Removal Tool, first released on January 11, 2005, enables Microsoft to continue to respond quickly to high-priority malware attacks in the future.

This paper evaluates the impact of the Msblast worm, details the initiatives created as a result of this threat, and reviews how the positive impact of these initiatives helped to limit the spread of the Sasser worm.

MSBLAST BACKGROUND

In mid-November 2003, almost three months after the release of Msblast, Microsoft worked with key ISP partners participating in the newly formed Global Infrastructure Alliance for Internet Safety (GIAIS) to determine that Msblast was likely still active on a large number of computers running Microsoft Windows. Network traffic data obtained from the ISP partners indicated that the threat had not significantly decreased in prevalence, despite the time elapsed since the initial release of the threat.

GIAIS members also noted the significant detrimental effect of the Nachi worm (labelled as a ‘good worm’ in some press statements) on the Internet backbones. Nachi sent ICMP ping commands to a set of computers before trying to infect them, which essentially caused an ICMP flood on a network.

The Msblast network data contrasted with prevalence indicators assigned by anti-virus vendors, which had indicated that Msblast was decreasing in prevalence at that time. For example, Symantec downgraded the Msblast threat level from 4 to 3 [4], and McAfee lowered their risk assessment from high to medium in October 2003 [5]. Also, Microsoft support call volumes related to Msblast had significantly decreased over the past few months.

Investigating the possible causes for this discrepancy and reviewing a sample of Msblast-related incident resolutions, Microsoft determined that the incongruity was likely related to customers patching their computers with MS03-026 or MS03-039, effectively stopping the computers from constantly
rebooting and preventing reinfection, but not removing the current infection of Msblast. As long as the computer was infected with Msblast, it continued to generate traffic to attempt to infect vulnerable computers. Because the infection did not impact the performance of the computer significantly, the user may not have realized the computer was still infected, especially if the computer did not have an up-to-date anti-virus product installed.

In response to these findings, members of the anti-malware team within Microsoft’s Security Business & Technology Unit designed a small removal tool, named BlastCln, which would detect and remove all known variants of Msblast and Nachi from a computer. The tool targeted only threats that were active in memory or referenced from a set of registry auto-start points. The tool did not scan the hard drive for these threats and thus ran in a relatively small amount of time, compared to a full scan with an anti-virus product.

The tool was posted to the Microsoft Download Center on January 5, 2004 and to Windows Update (WU) / Automatic Updates (AU) / Software Update Services (SUS) on January 13, 2004. Through WU/AU/SUS, the cleaner tool was offered to users running Windows 2000 or Windows XP, which was consistent with the platforms affected by this worm.

Using specific WU detection logic associated with registry keys and files created by Msblast and Nachi, the BlastCln tool was offered only to computers likely to be infected with these threats. By leveraging this logic, Microsoft targeted the delivery of the tool to computers that needed it (that is, if a computer wasn’t infected with Msblast or Nachi, the user wouldn’t be prompted to download or install the update, which conserved bandwidth), and obtained effective infection and cleaning statistics by measuring the download and execution metrics for the update.

Also, the tool was offered only to computers that had been patched by MS03-026 or MS03-039. This verification ensured that users who ran the tool and removed Msblast would not have to re-run the tool, because their computer could not be reinfected through the main infection vector. Without this check, an unpatched computer that ran the tool and then connected to an infected network could be reinfected within minutes.

Over the first six months, Microsoft recorded approximately 25 million downloads and 12 million executions of the tool via WU/AU. In other words, over 25 million unique computers were identified as being infected by Msblast, and the tool removed over 12 million of these infections. Nine million of the 25 million downloads were completed in the first nine days.

As indicated in these figures, slightly less than 50% of users who downloaded the tool from WU/AU actually ran the tool on their computers. This is mainly due to AU users who downloaded the tool automatically, but had their settings configured to install updates manually and had not yet clicked to install the tool. Many of these users will eventually install the update or remove the threat from their computer with another technique (anti-virus software, reinstalling their operating system). Data in the ‘post-Sasser virus cleaner tools’ section supports this statement and indicates that the number of new Msblast infections has decreased significantly since this time.

It is unlikely that any computers were counted more than once or became reinfected because the prerequisite logic relied on MS03-026/MS03-039 being installed. If this update was installed, a computer would not be reinfected by these threats through normal propagation vectors.

ACTIONS TAKEN AS A RESULT OF MSBLAST

Customer support

The most noticeable effect of Msblast occurred when an unpatched computer connected to an infected network, whereupon the RPC service on the computer would terminate, triggering a managed shut-down of the operating system and preventing the user from using the computer.

When Msblast was released in mid-August 2003, the number of support calls spiked significantly. In the first five days after the release of Msblast, Microsoft’s Customer Service and Support (CSS) organization received over three million calls (only a subset of which were answered) from end-user and enterprise customers, who were looking to prevent their computers from rebooting continuously. Each support call averaged about an hour, while the support professional walked the user through enabling a firewall or extending the managed shut-down timer and then updating the computer with MS03-026/MS03-039. If possible, the support professional would also help the user turn on AU and run a third-party disinfection tool to remove Msblast from the infected computer.

As the call volume increased, CSS management realized that additional resources were required to handle customer inquiries. CSS mobilized a program to solicit volunteers from other Microsoft departments, especially product groups, to help answer calls. After several hours of training, over 1,000 volunteers (including executives from various departments) spent at least eight hours each on the phone, working alongside permanent support professionals, through the end of August, helping customers bring computers back to a stable state.

As a result of the Msblast incident, CSS implemented several changes to their support infrastructure (especially directed at end users) to help respond to similar incidents in the future. The most significant changes are:

• The establishment of a formal ‘CSS Reservist’ program to organize and facilitate product group volunteers in the case of future incidents. This program ensures that participants are always up-to-date with training, logistical information, and privileges (e.g. account information) necessary to interact with Microsoft’s support incident system and provides CSS with several hundred trained volunteers to mobilize quickly.

• The establishment of the 24-hour PC Safety phone line at 1-866-PCSAFETY (international numbers are listed at http://support.microsoft.com/?pr=SecurityHome). This no-charge service provides consumers with an easy way to get reliable information and support about top security threats currently in the wild. The phone line has been instrumental in helping Microsoft provide customers with support for such threats as Mydoom and Sasser.

‘Protect Your PC’ campaign

Microsoft also launched its ‘Protect Your PC’ campaign at the end of August 2003. The campaign spanned several media
venues – including a strong web presence, several full-page advertisements in major newspapers such as USA Today, in-store promotions, and information pamphlets – and centred on three steps designed to help prevent users from being affected by threats such as Msblast. The three Protect Your PC steps are:

1. Enable a firewall on your computer.
2. Get the latest computer software updates.
3. Use up-to-date anti-virus software.

On the Protect Your PC website at www.microsoft.com/protect/, Microsoft created the Windows Security Advisor (WSA). This online tool detects whether a user has enabled the Windows Internet Connection Firewall (ICF) and AU. If not, the tool provides a simple one-click interface to enable each feature. The tool was updated at the end of 2004 to verify that Windows XP Service Pack 2 was installed.

This campaign is likely a contributing factor to the increase in update downloads following the release of a security bulletin. For example, Microsoft estimates that approximately 36 million users downloaded MS03-026 in the seven days following its release and 19 days prior to the release of Msblast. Compare this with MS04-011, the vulnerability that Win32/Sasser exploited, released months after the launch of the Protect Your PC (PYPC) campaign. This bulletin had approximately 95 million downloads after the same amount of time. Assuming that a proportional amount of users installed the downloads in both cases, it is likely that almost three times as many users were protected from Sasser as from Msblast.

Software development

Msblast significantly affected Microsoft software design and development, including specific impacts on Windows XP Service Pack 2 (SP2). These developments included:

• Enabling the Windows Firewall by default. In addition to enabling the Windows Firewall by default for Windows XP users, Windows XP SP2 also closed a vulnerability in previous versions of Windows XP, where, as Windows started up, there was a small period of time for which networking was enabled but the firewall was not yet active.

• Making it easier for users to enable Automatic Updates (AU). Immediately after installing Windows XP SP2, users are presented with a full-screen dialog box that prompts them explicitly to choose whether to enable AU.

• Windows Security Center (WSC). The WSC feature in Windows XP SP2 alerts users if they have not chosen to enable AU, a firewall, or real-time anti-virus protection. WSC also alerts users if the anti-virus product they have installed is out of date.

• RPC/DCOM authentication. The RPC interface was significantly locked down in Windows XP SP2 to prevent unauthenticated connections, such as the one that allowed Msblast to infect a computer.

Faster release of cleaner tools for high-priority malware attacks

Following the release of BlastCln and a review of associated statistics, it became clear to the SBTU that targeting threats that replicate easily and widely, such as Msblast, must be done as soon as possible to stem the spread of the threat and help minimize the number of infections. Indeed, the SBTU determined that, in the event of a threat with similar characteristics to Msblast, a cleaner tool similar to BlastCln should be widely deployed to consumers as soon as possible.

Consequently, the Microsoft anti-malware team worked to generalize and standardize the creation and release of cleaner tools. Essentially, the BlastCln tool became the basis for these tools and could be modified as appropriate to remove newly targeted threats. This work was also integrated into the Microsoft Software Security Incident Response Process (SSIRP), which is managed by the Microsoft Security Response Center (MSRC). For more information about SSIRP and the MSRC, see http://www.microsoft.com/security/msrc/.

Figure 1 depicts the release timelines for the Msblast tool and the two main virus cleaner tools released in 2004 to combat the Mydoom and Sasser worms.

           Initial outbreak   Tool live on Download Center   Tool live on WU/AU
Msblast    8/11/2003          1/5/2004                       1/13/2004
Mydoom     1/26/2004          2/5/2004                       2/13/2004
Sasser     4/30/2004          5/2/2004                       5/4/2004

Figure 1: Release schedule for individual malware cleaner tools.

The Mydoom worm first appeared on January 26, 2004. Microsoft released a cleaner tool capable of removing the initial Mydoom variants to the Microsoft Download Center 11 days following the release of the threat. Eight days later (a total of 19 days after the release of the threat), the tool was made available on WU/AU.

Microsoft built on this progress when the Sasser worm appeared on April 30, 2004. Sasser exploited a vulnerability, MS04-011, with attack vectors similar to MS03-026, meaning it had the potential to spread as widely and as quickly as Msblast. Aware of these similarities, members of the SSIRP team (including representatives from the anti-malware team) were on watch for signs of an in-the-wild threat when MS04-011 was published. The team monitored a variety of forums and network indicators, and was ready to develop and release a cleaner tool if necessary.

When Sasser was released, the team moved quickly to build a cleaner tool, SassCln, capable of detecting and removing all variants of Sasser known at the time. The team released the cleaner tool to the Microsoft Download Center within two days of the threat being released in the wild. Two days later (a total of four days following the release of Sasser), Microsoft made the tool available on WU/AU.

EFFECT OF SASSER

Similar to the process followed for BlastCln, Microsoft monitored download and execution data for SassCln continuously during its release to WU/AU. About six months following the release of SassCln, Microsoft recorded a total of 1.2 million downloads and about 750 thousand executions. In other words, over one million computers infected with the
worm were identified and the threat was removed from three quarters of a million computers.

These figures are most significant when compared with the respective figures from the BlastCln tool. Specifically, the number of Sasser infections was smaller than the number of Msblast infections by a factor of about 20. In fact, Microsoft identified more Msblast infections in the first six days following the release of the BlastCln tool than for Sasser throughout the entire release of the SassCln tool.

The reasons for this dramatic decrease include:

• More users were able to protect their computers from Sasser infection prior to the worm’s release by installing the update for the vulnerability, enabling a firewall, and installing an up-to-date anti-virus product, largely thanks to Microsoft’s Protect Your PC campaign and support from key security vendors.

• Microsoft increased the speed with which it widely distributed a cleaner tool for Sasser. The more computers that are infected with worms such as Msblast and Sasser, the more the worms will spread to other vulnerable computers. Because a widely distributed Msblast removal tool was not released for months after the appearance of the original threat, the worm was able to spread to a much larger number of computers, when compared to Sasser, for which a cleaner tool was available only days after the release of the threat.

Another important point derived from the SassCln download and installation figures is that the proportion of users who installed the tool after downloading it via WU/AU rose from 50% with BlastCln to 65% with SassCln. This difference was likely influenced by the PYPC campaign, which urged computer users to enable automatic installation of critical updates, and by the on-going outreach that occurred during the Sasser incident.

Post-Sasser virus cleaner tools

On January 11, 2005, Microsoft released the first version of the Windows Malicious Software Removal Tool. The purpose of this tool is to remove specific, prevalent malicious software from computers, on a consistent basis. The tool is intended mainly for consumers and home users who do not have up-to-date anti-virus software installed. Despite efforts from Microsoft and the security industry, the reality is that many users still do not install up-to-date anti-virus software, thus increasing the number of infected computers if malware goes unchecked. However, this tool is not intended as a replacement for up-to-date anti-virus software, due to its lack of an ‘on-access’ protection component and because it targets only a specific subset of the full virus library.

The tool was released simultaneously to WU/AU, the Download Center, and www.microsoft.com (as an ActiveX control). The version posted to WU/AU was delivered initially to Windows XP computers only, although, in later months, Windows 2000 and Windows Server 2003 computers could also download the tool from WU/AU. Users could also download and run a standalone version of the tool from the Download Center and www.microsoft.com. By releasing the tool to the Download Center, Microsoft enabled corporate users to download and deploy the tool to their enterprises.

The three main differences between the Malicious Software Removal Tool and previous cleaner tools are:

1. The Malicious Software Removal Tool is a cumulative cleaner tool. A virus family added to the first version of the tool is also included in subsequent releases.

2. The Malicious Software Removal Tool is updated with support for removing additional malware and re-released on the second Tuesday of every month, along with security bulletins. Sharing the same release day as the bulletins enables users to deploy and execute the tool along with other high-priority updates.

3. Due to the number of virus families detected and removed by the Malicious Software Removal Tool, it was not possible or desirable to target the delivery of the tool only to computers likely infected with these viruses. Thus, via WU/AU, the Malicious Software Removal Tool is delivered as a high-priority update to all computers.

The first release of the Malicious Software Removal Tool targeted an aggregation of all the malware that Microsoft had removed with previous cleaner tools, with the addition of the Gaobot family. This list included Msblast, Mydoom, Nachi, and Sasser.

By leveraging a more robust reporting mechanism, Microsoft obtained more information about infections found by the tool. All information communicated to Microsoft from the tool is anonymous and does not contain personally-identifiable information. Also, users can set a registry key if they want to opt out of sending this information to Microsoft. For more information, see http://support.microsoft.com/kb/890830.

Rank   Family        Removals
  1    Rbot           800,422
  2    Sdbot          381,094
  3    Gaobot         309,108
  4    Netsky         292,316
  5    Msblast *      251,467
  6    Korgo          213,081
  7    Ispro          174,060
  8    Berbew         167,030
  9    Bagle           86,647
 10    FURootkit       84,920
 11    Spybot          75,983
 12    Sasser *        59,644
 13    Bropia          45,163
 14    Mydoom          41,835
 15    Sober           30,050
 16    Mytob           24,691
 17    Zafi            21,026
 18    Nachi           18,838
 19    Hackdef         18,682
 20    Sobig           11,573
 21    Startpage        8,206
 22    Lovgate          7,947
 23    Kelvir           2,693
 24    Mimail           1,367
 25    Randex           1,226

Figure 2: Prevalence of the Msblast and Sasser families (as of 6/21/05).

Figure 2 shows the prevalence of the Msblast and Sasser families, which are marked with an asterisk, contrasted with the rest of the top 25 malware families that the Malicious Software Removal Tool, as of June 21, 2005, detects and removes. The numbers reflect the cumulative removals since the initial release of the
tool in January and are recent as of June 21, 2005. Over this period of time, the tool was executed approximately 750 million times.

Note that, in the removals column, multiple files infected with the same malware are counted only once, for each execution of the tool. For example, if a single execution of the tool cleaned 100 files on one computer, all infected with the Bagle.O virus, this counts as one removal in the table.

This figure shows that Msblast continues to be moderately prevalent almost two years after its release. This number continues to grow, with about 800 new Msblast removals per day. However, these figures are relatively small compared to the total number of executions of the tool, approximately 750 million. Therefore, only about 0.03% of users who run the tool are infected with Msblast. This value represents a significant decrease from the number of Msblast detections recorded by the BlastCln tool.

The continued prevalence of Msblast is likely due to infected computers which, for one reason or another, will never be updated or disinfected. These computers will serve as eternal carriers for the worm, infecting vulnerable computers, which are subsequently connected to WU to download the update and cleaner tool, as reflected in the figures above.

Sasser removals are only a fraction of those for Msblast, consistent with the discussion in the previous section. Only about 200 removals per day are reported.

Figure 3 shows the prevalence of Msblast, Sasser, and other malware families across Windows XP service packs. The percentages in the figure are normalized with the number of executions of the tool across these service packs.

Malware family   Windows XP Gold   Windows XP SP1   Windows XP SP2
Rbot                  61.87%            33.80%            4.33%
Sdbot                 65.10%            28.89%            6.01%
Gaobot                62.22%            34.98%            2.80%
Netsky                59.26%            29.79%           10.95%
Msblast               78.85%            21.09%            0.06%
Korgo                 55.06%            42.86%            2.07%
Ispro                 49.07%            28.16%           22.77%
Berbew                45.96%            49.04%            5.00%
Bagle                 53.22%            40.80%            5.98%
FURootkit             70.04%            28.47%            1.49%
Spybot                49.22%            26.08%           24.70%
Sasser                52.56%            45.65%            1.79%
Bropia                36.21%            31.34%           32.45%
Mydoom                52.23%            37.85%            9.92%
Sober                 53.44%            31.87%           14.70%
Mytob                 52.58%            28.25%           19.17%
Zafi                  55.05%            36.04%            8.90%
Nachi                 66.96%            32.52%            0.51%
Hackdef               38.75%            41.16%           20.09%
Sobig                 71.18%            20.27%            8.54%
Startpage             60.96%            29.96%            9.09%
Lovgate               38.74%            19.71%           41.55%
Kelvir                41.74%            16.03%           42.23%
Mimail                67.35%            24.74%            7.91%
Randex                60.71%            31.19%            8.10%
Total                 62.37%            32.71%            4.93%

Figure 3: Normalized prevalence across Windows XP service packs.

From the total number of Msblast infections removed, there is only a 0.06% chance that the removal will be from a Windows XP SP2 computer vs. a 78.85% chance that the removal will be from a Windows XP Gold computer. The high skew towards Windows XP Gold/SP1 for Msblast is expected, since Windows XP SP2 computers cannot be infected by Msblast through its main replication vector (MS03-026/MS03-039), which was updated in Windows XP SP2, and since the BlastCln tool runs as part of upgrading to Windows XP SP2. In fact, it is surprising that the Windows XP SP2 removal number is greater than zero; this is likely due to malware that replicates through other mechanisms (for example, email) and drops Msblast on a computer.

A similar pattern exists for Sasser, although the Windows XP SP2 figure is slightly higher because SassCln, unlike BlastCln, is not run as part of Windows XP SP2 setup. In fact, most malware listed in the table is more likely to be found on a Windows XP Gold or Windows XP SP1 computer than on a Windows XP SP2 computer. Malware with the lowest removal percentages for Windows XP SP2 (Rbot, Sdbot, Gaobot, Msblast, Sasser, etc.) mostly exploits software vulnerabilities that were patched in Windows XP SP2. Malware that relies more on social engineering techniques (Netsky, Mydoom, Sober, and so on) to replicate has Windows XP SP2 removal percentages closer to those for Windows XP Gold and Windows XP SP1.

CONCLUSION

In summary:

• In response to the impact of Msblast, Microsoft invested in a number of customer-focused initiatives such as Windows XP SP2 and the Protect Your PC campaign.

• Microsoft released a cleaner tool to detect and remove Msblast approximately five months following the appearance of the worm in the wild. Data from this release indicated that the worm had spread to over 25 million computers, in the year following the release of the threat.

• Microsoft recognized the positive impact and value that widely deployed virus removal tools could have with respect to curtailing the spread of worms such as Msblast, which can spread extensively. As a result, Microsoft streamlined the development and release process for these tools.

• As a result of many improvements, including the release of a cleaner tool only days after the Sasser worm was found in the wild, Sasser infected only a fraction of the computers infected by Msblast.

• With the release of the Windows Malicious Software Removal Tool, Microsoft will continue to be in a position to respond quickly to widespread malware, with a cleaner tool. The release of this tool also enables Microsoft to measure the prevalence of threats that are in the wild.

REFERENCES

[1] Microsoft Security Bulletin MS03-026, http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx.

[2] Howard, Michael; ‘Michael Howard’s Web Log: Why Blaster did not Infect Windows Server 2003’, http://blogs.msdn.com/michael_howard/archive/2004/05/23/139987.aspx.

[3] Microsoft Malicious Software Encyclopedia: Win32/Msblast, http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fMsblast.

[4] Symantec Security Response: W32.Blaster.Worm, http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html.

[5] McAfee Virus Profile: W32/Lovsan.worm.a, http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100547.

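The targeted offer logic and rollout telemetry described for BlastCln in the ‘Msblast background’ section (indicators checked only in memory or at registry auto-start points, the MS03-026/MS03-039 prerequisite that stops a cleaned computer being reinfected within minutes, and the download/execution counts reported for WU/AU), as an added Python example. This is not part of the paper and not Microsoft's tool; the process names, auto-start value names and the sample fleet are constructed placeholders, since the paper names no concrete files or registry keys.

```python
"""Targeted cleaner-tool offer logic and rollout telemetry.

Added example; this is not Microsoft's BlastCln code. It models the rules the
paper describes: the tool is offered only to computers showing Msblast/Nachi
indicators in memory or at a registry auto-start point, and only if MS03-026
or MS03-039 is installed, so a cleaned computer cannot be reinfected through
the main vector. Process names, auto-start value names and the sample fleet
are constructed placeholders; the paper names no concrete files or keys.
"""
from dataclasses import dataclass

# Either bulletin closes the RPC/DCOM vector used by Msblast and Nachi (paper).
REQUIRED_UPDATES = {"MS03-026", "MS03-039"}

# Constructed indicator table (placeholders, lower-cased for matching).
INDICATORS = {
    "Msblast": {"processes": {"placeholder_msblast.exe"},
                "autostart": {"placeholder_msblast_run_value"}},
    "Nachi": {"processes": {"placeholder_nachi.exe"},
              "autostart": {"placeholder_nachi_run_value"}},
}


@dataclass
class Machine:
    name: str
    installed_updates: set    # bulletin ids present, e.g. {"MS03-026"}
    running_processes: set    # image names of running processes
    autostart_values: dict    # Run-key value name -> command line
    auto_install: bool        # AU installs automatically (True) or only notifies

    def __post_init__(self):
        # Windows names are case-insensitive; normalise once so set maths matches.
        self.running_processes = {p.lower() for p in self.running_processes}
        self.autostart_values = {k.lower(): v for k, v in self.autostart_values.items()}


def detect_families(m):
    """Families with an indicator active in memory or at an auto-start point.
    No disk scan, which is what kept the paper's tool fast."""
    found = set()
    for family, ind in INDICATORS.items():
        if (ind["processes"] & m.running_processes
                or ind["autostart"] & set(m.autostart_values)):
            found.add(family)
    return found


def should_offer(m):
    """WU applicability rule: likely infected AND already patched. An infected
    but unpatched computer is deliberately not offered the tool, because it
    could be reinfected within minutes of reconnecting to an infected network."""
    return bool(detect_families(m)) and bool(REQUIRED_UPDATES & m.installed_updates)


def clean(m):
    """Terminate active processes and delete auto-start entries per detected family."""
    removed = {}
    for family in sorted(detect_families(m)):
        ind = INDICATORS[family]
        killed = ind["processes"] & m.running_processes
        m.running_processes -= killed
        deleted = ind["autostart"] & set(m.autostart_values)
        for value in deleted:
            del m.autostart_values[value]
        removed[family] = {"killed": sorted(killed), "deleted": sorted(deleted)}
    return removed


def rollout(fleet):
    """Download/execution/removal counts as the paper reports them for WU/AU.
    A download is counted for every offered computer; an execution only where
    AU installs automatically (notify-only users have not yet clicked install)."""
    s = {"offered": 0, "downloaded": 0, "executed": 0, "removed": 0,
         "infected_not_offered": 0}
    for m in fleet:
        if not should_offer(m):
            s["infected_not_offered"] += int(bool(detect_families(m)))
            continue
        s["offered"] += 1
        s["downloaded"] += 1
        if m.auto_install:
            s["executed"] += 1
            s["removed"] += int(bool(clean(m)))
    s["install_rate"] = s["executed"] / s["downloaded"] if s["downloaded"] else 0.0
    return s


def sample_fleet():
    """Constructed sample: one computer for each case the paper discusses."""
    run = {"PLACEHOLDER_MSBLAST_RUN_VALUE": r"C:\placeholder\msblast.exe"}
    return [
        Machine("patched-auto", {"MS03-026"}, {"PLACEHOLDER_MSBLAST.EXE"}, dict(run), True),
        Machine("patched-notify", {"MS03-039"}, {"placeholder_nachi.exe"}, {}, False),
        Machine("unpatched", set(), {"placeholder_msblast.exe"}, dict(run), True),
        Machine("clean", {"MS03-026"}, {"explorer.exe"}, {}, True),
    ]


if __name__ == "__main__":
    print(rollout(sample_fleet()))
```

Running the sample fleet gives two offers and downloads but one execution and one removal, which is the download-to-execution gap the paper attributes to AU users configured to install manually; the unpatched infected computer is counted separately because the prerequisite check keeps it from being offered the tool at all.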

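The per-execution prevalence figure and the service-pack normalisation of Figure 3 discussed in ‘Post-Sasser virus cleaner tools’, as an added Python example that is not the paper's code. The Figure 2 removal counts, the 750 million executions and the Figure 3 SP2 column it quotes are the paper's values; the paper only says Figure 3 is normalised with the number of executions per service pack, so the method used here (removals per execution on each service pack, rescaled to sum to 100%) is this example's assumption, as are the constructed per-service-pack counts and the 7% split threshold.

```python
"""Cleaner-tool prevalence statistics (added example; not the paper's code).

Recomputes the paper's "about 0.03% of executions find Msblast" figure from
Figure 2, and shows the service-pack normalisation behind Figure 3. The paper
says only that the Figure 3 percentages are "normalized with the number of
executions of the tool across these service packs"; this example ASSUMES that
means removals per execution on each service pack, rescaled so each family's
row sums to 100%. The per-service-pack counts in sample_counts() are
constructed for illustration, not the paper's data.
"""

# Figure 2 (removals as of June 21, 2005) and total executions from the text.
REMOVALS = {"Msblast": 251_467, "Sasser": 59_644}
TOTAL_EXECUTIONS = 750_000_000
SERVICE_PACKS = ("Gold", "SP1", "SP2")

# SP2 column of Figure 3 for a few families (paper's values).
FIGURE3_SP2 = {"Rbot": 4.33, "Sdbot": 6.01, "Gaobot": 2.80, "Msblast": 0.06,
               "Sasser": 1.79, "Nachi": 0.51, "Netsky": 10.95, "Mydoom": 9.92,
               "Sober": 14.70}


def removals_per_execution(family):
    """Percent of tool executions that removed the family (paper: ~0.03% for Msblast)."""
    return 100.0 * REMOVALS[family] / TOTAL_EXECUTIONS


def raw_shares(raw_removals):
    """Unnormalised split of a family's removals across service packs, in percent."""
    total = sum(raw_removals.values())
    return {sp: 100.0 * raw_removals[sp] / total for sp in SERVICE_PACKS}


def normalised_shares(raw_removals, executions):
    """Assumed Figure 3 method: removals per execution on each service pack,
    rescaled to sum to 100%. This stops a service pack that is simply run far
    more often (SP2, the platform the tool was first delivered to) from
    dominating the row just because of its larger execution count."""
    rate = {sp: raw_removals[sp] / executions[sp] for sp in SERVICE_PACKS}
    total = sum(rate.values())
    return {sp: 100.0 * rate[sp] / total for sp in SERVICE_PACKS}


def split_by_sp2_share(rows, threshold):
    """Partition Figure 3 rows by SP2 share. The paper's reading: families far
    below the threshold exploit vulnerabilities patched in SP2, those near or
    above it spread mainly by social engineering. The threshold value is this
    example's own choice, not a number from the paper."""
    patched_vector = sorted(f for f, sp2 in rows.items() if sp2 < threshold)
    social = sorted(f for f, sp2 in rows.items() if sp2 >= threshold)
    return patched_vector, social


def sample_counts():
    """Constructed per-service-pack counts. Removals sum to the Figure 2 Msblast
    total and executions to the 750 million in the text, but the split is invented."""
    raw = {"Gold": 180_000, "SP1": 60_000, "SP2": 11_467}
    execs = {"Gold": 100_000_000, "SP1": 100_000_000, "SP2": 550_000_000}
    return raw, execs


if __name__ == "__main__":
    raw, execs = sample_counts()
    print(f"Msblast removals per execution: {removals_per_execution('Msblast'):.4f}%")
    print("raw split:       ", {k: round(v, 2) for k, v in raw_shares(raw).items()})
    print("normalised split:", {k: round(v, 2) for k, v in normalised_shares(raw, execs).items()})
    print(split_by_sp2_share(FIGURE3_SP2, threshold=7.0))
```

With the constructed counts, SP2's raw share of Msblast removals is about 4.6% but its normalised share is under 1%, because the same number of removals is spread over five times as many executions; this is the direction of correction a reader should expect when comparing the Figure 2 totals with the Figure 3 percentages.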