Archives ||About Us || Advertise || Feedback || Subscribe-
Issue of September 2003 

 Home > Security
 Print Friendly Page ||  Email this story

Security Watch

Blaster worm: A mid-summer's nightmare

It seems the hottest thing this August (apart from the heat-wave in Europe) was a certain Internet worm that spread rapidly and infected thousands of computers within a few hours. But there's no need to panic now as this one doesn't gobble up whole databases.

The worm known as Blaster or MSBlast takes advantage of a vulnerability in a component of Microsoft's operating system that allows people to remotely access certain functions on a computer such as printing and file sharing. Microsoft had warned the public about this hole on 16 July, 2003 and also offered the patch around that time.

Here are a few interesting facts about the Blaster worm:

  • Systems won't be infected unless they run operating systems like Windows XP (both 32-bit and 64-bit editions), Windows NT 4.0, Windows 2000, and Windows Server 2003.
  • This worm is unique in the sense that it does not spread only through e-mail. Any system (running the above OSes) when connected to the Net can be potentially infected. It has been reported that the worm enters the system through port 135.
  • Symantec has determined that MSBlast contains code to launch a Denial-of-Service attack against a Windows update site during a specific time period. Microsoft has retaliated by discontinuing that site and setting up an alternate site.
  • MSBlast infected some 1,20,000 computers around the world within 24 hours.

There are certain ways to tell whether a system has been infected by this worm. Typical symptoms may include Windows XP and Windows Server 2003 systems rebooting every few minutes without user input, or Windows NT 4.0 and Windows 2000 systems becoming unresponsive.

In the past year there have been growing concerns about security at Microsoft. The software giant's concerns are evident from the various initiatives it has taken.

Under the link 'Specific Actions for the Blaster worm' Microsoft advises home and corporate users on preventive and removal measures. More information (and other facts about the Blaster worm) are available at:

Those who did not download the patch that Microsoft offered can still do so from: OR

And those who just got 'bitten' by the Blaster worm, can get a fix from various anti-virus websites. Symantec for instance is offering a removal tool on its website:

W32/Welchia Worm

A new worm targeting systems vulnerable to the same vulnerability as W32/Blaster has been reported. This worm, known alternately as 'W32/Welchia', 'W32/Nachi', or 'WORM_MS_BLAST.D', has been reported to: -

  • Kill and remove the msblast.exe artifact left behind by W32/Blaster
  • Perform ICMP scanning to identify systems to target for exploitation
  • Apply the patch from Microsoft described in Microsoft Security Bulletin MS03-026
  • Reboot the system

The greatest impact of this worm appears to be the potential for denial-of-service conditions within an organization due to high levels of ICMP traffic.

Sites are encouraged to apply the patch from Microsoft described in Microsoft Security Bulletin MS03-026 and apply network filters as necessary to reduce the impact of this worm.

Sites can find specific information on how to recover a system which has been compromised by W32/Welchia by consulting an anti-virus vendor.

The top ten hoaxes reported during July 2003

1. Bill Gates Fortune 14.1% New Entry
2. JDBGMGR 12.1%.
3. Hotmail Hoax 10.8%.
4. Meninas da Playboy 10.0%.
5. Bonsai Kitten 5.9%.
6. Budweiser frogs screensaver 4.7%.
7. Free Flight 3.5%.
8. Frog in a blender / Fish in a bowl 3.4%.
9. Virtual card for you 3.4%.
10. WTC Survivor 2.7%.
Others: 29.4%

An old chain letter promising that Bill Gates will share his personal fortune with anyone who forwards the e-mail onto friends and family has stormed to the top of the chart in July. Chain letters and hoaxes waste valuable e-mail bandwidth and can scare people into panicking about non-existent virus threats.



W32.Mimail.A@mm mailto: W32.Mimail.A@mm, which spreads via e-mail; appears to be sent from the network administrator. The e-mail will have the following characteristics and will include this

Subject: your account %s


Hello there,
I would like to inform you about important information regarding your e-mail address. This e-mail address will be expiring. Please read attachment for details.

Best regards,


The Mimail worm attempts to exploit a vulnerability in Internet Explorer that allows a script to execute in the local computer. The worm creates a mass-mailing of itself, which may clog mail servers or degrade network performance. Strongly encourage enterprises and consumers to update their virus definitions and apply the latest Microsoft patches.


Position Last month Virus Percentage of reports
1 New W32/Sobig-E 47.80%
2 1 W32/Bugbear-B 11.0%.
3 3 W32/Klez-H 5.90%
4 Re-entry W32/Sobig-A 2.7%.
5 New W32/Parite-B 0.90%
6 3 W32/Sobig-B 0.90%
7 New W32/Ganda-A 0.80%
8 8 W32/Opaserv-G 0.70%
9 New W32/Sobig-D 0.70%
10 New W95/Dupator 0.70%
Others     27.90%
- <Back to Top>-  

Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.
This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Bombay) Limited. Site managed by BPD.