Advertisement
Promo

Security management Toolkit

Networks must counter triple threat

John McCormick

Published: 21 Aug 2003 12:40 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

After several months of relative calm on the virus front, with only low-level threats, last week the MSBlast worm assaulted many networks and wreaked havoc on a lot of PCs. This week, the Welchia worm -- which is actually supposed to remove Blaster -- arrived and began causing additional problems. Not only that, but a hot new version of the old Sobig mass-mailing worm has turned lethal and begun infecting many systems with its own brand of mischief.

MSBlast
Despite repeated warnings from Microsoft, columnists, and even the US federal government, a lot of systems are experiencing serious denial of service (DoS) attacks from the worm (also know as Msblast.exe, Blaster, Lovesan, and Posa) worm. Blaster takes advantage of a DCOM RPC vulnerability in newer Microsoft Windows operating systems. If an unpatched system with an open port 135 is attacked, the worm will attempt to install and run msblast.exe.

Fortunately, the initial worm was poorly designed. However, by Wednesday 13 August, Kapersky Labs reported that its security team had already seen a slightly "improved" version that could coexist in the same computer with the original version -- meaning that you can have two Blaster infections simultaneously. Files in the new version are teekids.exe (5.3K) and penis32.exe (7.2K).

As CNET News.com reported, "MSBlast does not spread via email. Instead, it scans the Internet on port 135 looking for vulnerable computers. When it finds one, it attempts to exploit the DCOM RPC buffer overflow, create a remote root shell on TCP port 4444, then use FTP to download a file called msblast.exe onto the infected computer. MSBlast contains a denial-of-service (DoS) attack aimed at Microsoft's windowsupdate.com. The attack will start on 15 August and continues throughout the end of the year."

Fix
This worm is easy to block by closing port 135 or by applying the Microsoft patch provided in Microsoft Security Bulletin MS03-026. But what if you have an infected system? Many users with the infection report their computers are rebooting so often and generating so many error reports that they are unable to download the patch.

Simply activating Windows XP's minimal Internet Connection Firewall (ICF) appears to make it possible for XP-based systems to stay online and download removal tools or the patch. Symantec reports that other firewalls may be able to provide the necessary protection to help repair the system even after infection.

Next

Previous

1 2 3


  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
184 out of 358 people found this useful


Full Talkback thread

0 comments

Company/Topic Alerts

Create a new alert from the list below:



Video icon

Video

Sentry Posts Blog

Opera censors Chinese content

Opera has updated the Chinese version of its mobile browser to stop users accessing restricted content. Opera Mini was updated on Friday from an international to a Chinese version,... More

2 comments

Symantec website breached

Security company Symantec has said that one of its websites was successfully breached. Romanian security researcher 'Unu' posted details of the breach in a blog post on Monday. Unu... More

Post a comment

Campaigners criticise '£10bn NHS IT ov...

The National Health Service's flagship IT project has been criticised by a tax campaign group for running billions of pounds over budget. The NHS National Programme for IT (NPfIT)... More

2 comments

Featured Talkback

In association with Network Liberation Movement
It seems to me this is a burden being placed on the wrong shoulders. There is not an It system in the world that can stop an individual taking information in their heads and spewing out at the nearest undesirable third party.

By: RonaldWilkins

Read full story:
Deloitte: People are still weakest security link


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

Newsletters