Author Topic: New Worm Information - Everyone READ

Offline Skuzzy

  • Support Member
  • Administrator
  • Posts: 31462
      • HiTech Creations Home Page
New Worm Information - Everyone READ
« Reply #15 on: August 13, 2003, 06:16:52 PM »
Source ports are irrelevant; it's the destination port that is important.

4444 is the destination port used by the worm once it infects a system.  Port 135 is the port the worm initially enters.
Roy "Skuzzy" Neese
support@hitechcreations.com

Offline flakbait

  • Silver Member
  • Posts: 867
      • http://www.worldaccessnet.com/~delta6
New Worm Information - Everyone READ
« Reply #16 on: August 13, 2003, 06:34:11 PM »
Ahhhh, gotcha. Thanks Skuzzmeister!
-----------------------
Flakbait [Delta6]
Delta Six's Flight School
Put the P-61B in Aces High

Offline lucull

  • Nickel Member
  • Posts: 577
New Worm Information - Everyone READ
« Reply #17 on: August 15, 2003, 07:27:27 AM »
The worm starts a TFTP server on an infected system (A) and attacks other Windows systems (B) on port 135. If an attack was successful, the injected code is executed, which opens a shell on port 4444 on system B. System A instructs system B via that shell (tftp get msblast.exe) to download the file msblast.exe into the directory %WinDir%\system32 and execute it. After that, the worm installs itself on system B, closes port 4444, opens a TFTP server and attacks other systems.

The worm needs to know which system it attacks to be successful. As it can't do that, it uses offsets for Win2k and WinXP so far. In 80% of the cases it chooses WinXP, which causes the RPC service on Win2k to crash.

The Microsoft patch for this has existed since mid-July. One problem is that the patch doesn't solve a problem in the RPC service which enables DoS attacks; therefore all ports UDP and TCP 135-139, 445 and 593 should be closed.

FYI, w32.blaster also attacks non-Windows systems if they have the Distributed Computing Environment (DCE) installed. DCE enables communication between different systems and also uses RPC on port 135. It's often used in heterogeneous environments.
As w32.blaster is not able to detect which system it attacks, it attacks all systems with port 135 open and can crash the DCE service on non-Windows systems. Patches from IBM and Entegrity are available.
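The infection sequence lucull describes above (attacker to victim on TCP/135, then TCP/4444, then the victim pulling msblast.exe back from the attacker over TFTP, UDP/69, and finally the new victim fanning out on TCP/135 itself) is a pattern that can be picked out of connection logs. The script below is an added example written for this thread, not code from the original posts or from any vendor: it parses a small, constructed flow log (the format `timestamp src dst proto dst_port` and the addresses are assumptions, not any real product's log format) and reports both the three-step infection chain and hosts that start scanning port 135.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not from the original thread):
# "timestamp src dst proto dst_port". 10.0.0.5 plays the already-infected
# host (A), 10.0.0.9 the victim (B) that then starts scanning on its own.
SAMPLE_FLOWS = """\
2003-08-13T18:01:02 10.0.0.5 10.0.0.9 tcp 135
2003-08-13T18:01:03 10.0.0.5 10.0.0.9 tcp 4444
2003-08-13T18:01:05 10.0.0.9 10.0.0.5 udp 69
2003-08-13T18:01:20 10.0.0.9 10.0.0.21 tcp 135
2003-08-13T18:01:21 10.0.0.9 10.0.0.22 tcp 135
2003-08-13T18:02:00 10.0.0.7 10.0.0.9 tcp 135
2003-08-13T18:03:00 10.0.0.7 10.0.0.9 tcp 80
"""

FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (tcp|udp) (\d+)$")


def parse_flows(text):
    """Parse one flow per line into dicts, sorted by time; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, proto, dport = m.groups()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst, "proto": proto, "dport": int(dport),
        })
    return sorted(flows, key=lambda f: f["ts"])


def find_blaster_chains(flows, window=timedelta(seconds=60)):
    """Return (attacker, victim, first_seen) for every A->B:135/tcp that is
    followed by A->B:4444/tcp and then B->A:69/udp, each step within `window`
    of the previous one. A lone TCP/135 probe (e.g. a failed attack) is not
    reported; it needs the shell and the TFTP pull-back to count."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)

    hits = []
    for (a, b), fwd in by_pair.items():
        back = by_pair.get((b, a), [])
        for rpc in (f for f in fwd if f["proto"] == "tcp" and f["dport"] == 135):
            shell = next((f for f in fwd
                          if f["proto"] == "tcp" and f["dport"] == 4444
                          and rpc["ts"] <= f["ts"] <= rpc["ts"] + window), None)
            if shell is None:
                continue
            tftp = next((f for f in back
                         if f["proto"] == "udp" and f["dport"] == 69
                         and shell["ts"] <= f["ts"] <= shell["ts"] + window), None)
            if tftp is None:
                continue
            hits.append((a, b, rpc["ts"].isoformat()))
            break  # one report per attacker/victim pair is enough
    return hits


def port135_scanners(flows, min_targets=2):
    """Hosts that opened TCP/135 to at least `min_targets` distinct destinations:
    the fan-out a freshly infected machine shows once it starts attacking others."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == 135:
            targets[f["src"]].add(f["dst"])
    return sorted(h for h, t in targets.items() if len(t) >= min_targets)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for a, b, t in find_blaster_chains(flows):
        print(f"infection chain: {a} -> {b} starting {t}")
    print("hosts scanning TCP/135:", port135_scanners(flows))
```

Two caveats when running this against real logs: the chain check only matches the specific 135/4444/69 sequence lucull describes, so a victim whose RPC service simply crashed (the Win2k case above) shows up only as a TCP/135 hit with no follow-up, and the scanner threshold of two distinct targets is deliberately low for the sample; on a real network raise it well above the number of hosts a legitimate client would contact on port 135.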