Blaster worm: A mid-summer's nightmare
It seems the hottest thing this August
(apart from the heat-wave in Europe) was a certain Internet worm that spread
rapidly and infected thousands of computers within a few hours. But there's
no need to panic now as this one doesn't gobble up whole databases.
The worm known as Blaster or MSBlast takes
advantage of a vulnerability in a component of Microsoft's operating system
that allows people to remotely access certain functions on a computer such as
printing and file sharing. Microsoft had warned the public about this hole on
16 July, 2003 and also offered the patch around that time.
Here are a few interesting facts about
the Blaster worm:
- Systems won't be infected unless they run operating
systems like Windows XP (both 32-bit and 64-bit editions), Windows NT 4.0,
Windows 2000, and Windows Server 2003.
- This worm is unique in the sense that it does not
spread only through e-mail. Any system (running the above OSes) when connected
to the Net can be potentially infected. It has been reported that the worm
enters the system through port 135.
- Symantec has determined that MSBlast contains code
to launch a Denial-of-Service attack against a Windows update site during
a specific time period. Microsoft has retaliated by discontinuing that site
and setting up an alternate site.
- MSBlast infected some 1,20,000 computers around
the world within 24 hours.
There are certain ways to tell whether
a system has been infected by this worm. Typical symptoms may include Windows
XP and Windows Server 2003 systems rebooting every few minutes without user
input, or Windows NT 4.0 and Windows 2000 systems becoming unresponsive.
In the past year there have been growing
concerns about security at Microsoft. The software giant's concerns are evident
from the various initiatives it has taken.
Under the link 'Specific Actions for the
Blaster worm' Microsoft advises home and corporate users on preventive and removal
measures. More information (and other facts about the Blaster worm) are available
Those who did not download the patch that
Microsoft offered can still do so from: www.microsoft.com/downloads OR www.microsoft.com/technet/
And those who just got 'bitten' by the
Blaster worm, can get a fix from various anti-virus websites. Symantec for instance
is offering a removal tool on its website: www.symantec.com/avcenter.
A new worm targeting systems vulnerable
to the same vulnerability as W32/Blaster has been reported. This worm, known
alternately as 'W32/Welchia', 'W32/Nachi', or 'WORM_MS_BLAST.D', has been reported
- Kill and remove the msblast.exe artifact left behind
- Perform ICMP scanning to identify systems to target
- Apply the patch from Microsoft described in Microsoft
Security Bulletin MS03-026
- Reboot the system
The greatest impact of this worm appears
to be the potential for denial-of-service conditions within an organization
due to high levels of ICMP traffic.
Sites are encouraged to apply the patch
from Microsoft described in Microsoft Security Bulletin MS03-026 and apply network
filters as necessary to reduce the impact of this worm.
Sites can find specific information on
how to recover a system which has been compromised by W32/Welchia by consulting
an anti-virus vendor.
1. Bill Gates Fortune 14.1% New Entry
2. JDBGMGR 12.1%.
3. Hotmail Hoax 10.8%.
4. Meninas da Playboy 10.0%.
5. Bonsai Kitten 5.9%.
6. Budweiser frogs screensaver 4.7%.
7. Free Flight 3.5%.
8. Frog in a blender / Fish in a bowl 3.4%.
9. Virtual card for you 3.4%.
10. WTC Survivor 2.7%.
An old chain letter promising that Bill Gates will share his personal
fortune with anyone who forwards the e-mail onto friends and family has
stormed to the top of the chart in July. Chain letters and hoaxes waste
valuable e-mail bandwidth and can scare people into panicking about non-existent
W32.Mimail.A@mm mailto: W32.Mimail.A@mm, which spreads via e-mail; appears
to be sent from the network administrator. The e-mail will have the following
characteristics and will include this
Subject: your account %s
I would like to inform you about important information regarding your
e-mail address. This e-mail address will be expiring. Please read attachment
The Mimail worm attempts to exploit a vulnerability in Internet Explorer
that allows a script to execute in the local computer. The worm creates
a mass-mailing of itself, which may clog mail servers or degrade network
performance. Strongly encourage enterprises and consumers to update their
virus definitions and apply the latest Microsoft patches.
TOP TEN VIRUSES for JULY 2003