Networks must counter triple threat
John McCormick
Published: 21 Aug 2003 12:40 BST
After several months of relative calm on the virus front, with only low-level threats, last week the MSBlast worm assaulted many networks and wreaked havoc on a lot of PCs. This week, the Welchia worm -- which is actually supposed to remove Blaster -- arrived and began causing additional problems. Not only that, but a hot new version of the old Sobig mass-mailing worm has turned lethal and begun infecting many systems with its own brand of mischief.
MSBlast
Despite repeated warnings from Microsoft, columnists, and even the US federal government, a lot of systems are experiencing serious denial of service (DoS) attacks from the worm (also know as Msblast.exe, Blaster, Lovesan, and Posa) worm. Blaster takes advantage of a DCOM RPC vulnerability in newer Microsoft Windows operating systems. If an unpatched system with an open port 135 is attacked, the worm will attempt to install and run msblast.exe.
Fortunately, the initial worm was poorly designed. However, by Wednesday 13 August, Kapersky Labs reported that its security team had already seen a slightly "improved" version that could coexist in the same computer with the original version -- meaning that you can have two Blaster infections simultaneously. Files in the new version are teekids.exe (5.3K) and penis32.exe (7.2K).
As CNET News.com reported, "MSBlast does not spread via email. Instead, it scans the Internet on port 135 looking for vulnerable computers. When it finds one, it attempts to exploit the DCOM RPC buffer overflow, create a remote root shell on TCP port 4444, then use FTP to download a file called msblast.exe onto the infected computer. MSBlast contains a denial-of-service (DoS) attack aimed at Microsoft's windowsupdate.com. The attack will start on 15 August and continues throughout the end of the year."
Fix
This worm is easy to block by closing port 135 or by applying the Microsoft patch provided in Microsoft Security Bulletin MS03-026. But what if you have an infected system? Many users with the infection report their computers are rebooting so often and generating so many error reports that they are unable to download the patch.
Simply activating Windows XP's minimal Internet Connection Firewall (ICF) appears to make it possible for XP-based systems to stay online and download removal tools or the patch. Symantec reports that other firewalls may be able to provide the necessary protection to help repair the system even after infection.
Previous
Did you find this article useful?
183 out of 356 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
