Worm: Win32.HLLW.LoveSan
- Virus type: Family of mass-mailing worms
- Affects: Windows 2000, Windows XP
- Other names for Win32.HLLW.LoveSan: W32/Blaster-A, W32.Blaster.Worm, W32/MSBlaster, W32/Msblast.A, W32/Lovsan.worm.a
Description
Win32.HLLW.LoveSan is an Internet worm that exploits a software flaw called the RPC DCOM Buffer Overrun Vulnerability using TCP port 135 to infect systems running Windows 2000 and Windows XP.
The worm attempts to install a file called msblast.exe in the folder %systemroot%\system32 and then execute it. Once active, the worm attempts to prevent access to the Windows Update web site so as to prevent the user from downloading the security patch that closes the vulnerability.
The worm may also be the cause of apparent system errors such as "Svchost has generated errors and will be shut down" or "The system is shutting down ... initiated by NT AUTHORITY/SYSTEM ... because the Remote Procedure Call (RPC) service terminated unexpectedly."
Prevention
To prevent another infection by Win32.HLLW.LoveSan worms or similar viruses:
- Use a firewall to prevent external access to TCP ports 135 and 4444 and UDP port 69.
- Always keep your system up to date with Windows security patches.
- Use a good anti-virus such as Kaspersky AntiVirus or Dr.Web anti-virus.
Removal
Manual removal
To remove the Win32.HLLW.LoveSan worm manually:
- Press Ctrl+Alt+Del to bring up the Task List, and terminate the process msblast.exe.
- Using the Registry Editor, expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete windowsautoupdate.
- Disable System Restore, in order that copies of the worm are not saved to the restore folder. (Note: this may cause Windows to restart and you will lose your earlier restore points.)
- Delete the file msblast.exe from the folder %systemroot%\system32.
- Update and run your virus scanner to remove any other worm files from the system.
- Re-enable System Restore and force a restore point.
- Apply the security patch "Microsoft Security Bulletin MS03-026". If you receive a "Cryptographic Service Error" when trying to install the patch, this article explains how to resolve it.
To remove variants of the Win32.HLLW.LoveSan that have different filenames:
- Press Ctrl+Alt+Del to bring up the Task List, then look for any unusual processes and terminate them. Some examples are: rpc.exe, rpctest.exe, dcomx.exe, lolx.exe and worm.exe.
- Using the Registry Editor, expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, look for entries relating to the files you just terminated, and delete them. Warning: deleting Registry entries that do not relate to the worm could have a harmful effect on operation of the system.
- Disable System Restore, run your virus scanner and apply the security patches as described above.
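As an added defender-side example (not part of the original page), a Python triage helper that applies the indicators from the two removal procedures above to a host snapshot; the snapshot layout, the `triage` function and the sample data are assumptions constructed for illustration, not output from a real host.

```python
"""Triage helper for the Win32.HLLW.LoveSan (Blaster) indicators on this page."""

# Indicators taken from the page's removal instructions.
PRIMARY_FILE = "msblast.exe"
VARIANT_FILES = {"rpc.exe", "rpctest.exe", "dcomx.exe", "lolx.exe", "worm.exe"}
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
RUN_VALUE = "windowsautoupdate"  # autorun value name named on the page


def triage(snapshot: dict) -> list:
    """Return findings for a host snapshot shaped like SAMPLE_SNAPSHOT below.

    snapshot = {
        "processes": [process names],
        "run_keys": {registry key path: {value name: value data}},
        "system32": [file names found in %systemroot%\\system32],
    }
    Matching is case-insensitive because Windows file and value names are.
    """
    suspects = {PRIMARY_FILE} | VARIANT_FILES
    findings = []
    # Step 1 of the procedure: worm process still running.
    for proc in snapshot.get("processes", []):
        if proc.lower() in suspects:
            findings.append(f"running process {proc}: terminate it from the Task List")
    # Step 2: autorun persistence under the Run keys (either the documented
    # value name or any value whose data launches a suspect file).
    for key in RUN_KEYS:
        for name, data in snapshot.get("run_keys", {}).get(key, {}).items():
            launches_suspect = any(s in data.lower() for s in suspects)
            if name.lower() == RUN_VALUE or launches_suspect:
                findings.append(f"autorun value '{name}' under {key}: delete it")
    # Step 4: worm binary left on disk after the process is gone.
    for fname in snapshot.get("system32", []):
        if fname.lower() in suspects:
            findings.append(f"file %systemroot%\\system32\\{fname}: delete it")
    return findings


# Constructed sample: one live process, one persistence entry, one variant file.
SAMPLE_SNAPSHOT = {
    "processes": ["explorer.exe", "MSBLAST.EXE", "svchost.exe"],
    "run_keys": {RUN_KEYS[0]: {"windowsautoupdate": "msblast.exe",
                               "ctfmon.exe": "CTFMON.EXE"}},
    "system32": ["kernel32.dll", "dcomx.exe"],
}
```

On a real machine the snapshot would be filled from the Task List, the Registry Editor and a directory listing of system32, then each finding worked through in the order the manual procedure gives.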
Automated removal
To remove the virus Win32.HLLW.LoveSan please see our tutorial Help! I've got a virus!
Professional hands-on removal
If you are not confident about being able to remove the worm yourself, you can purchase the Virus Removal and Computer Tune-Up package and a professional technician will connect to your computer via your Internet connection and remove it for you.