Users race against worm, variants - News - Security

To print: Select File and then Print from your browser's menu

--------------------------------------------------------------
This story was printed from ZDNet Australia.
--------------------------------------------------------------

Users race against worm, variants

By Robert Lemos, Special to ZDNet
August 14, 2003
URL: http://www.zdnet.com.au/news/security/soa/Users-race-against-worm-variants/0,130061744,120277214,00.htm

As the MSBlast worm continues its spread--to approximately 2,500 new computers each hour--antivirus firms said Wednesday that a new variant had been released.

Security company Symantec, which directly measures the spread of the worm via sensors distributed throughout the Internet, said the number of computers compromised by MSBlast--aka W32/Lovsan and W32.Blaster--had reached 228,000 by midmorning Wednesday. Alfred Huger, senior director of engineering for the company's security response team, estimated that millions of computers may still be vulnerable to the flaw, leaving administrators scrambling to patch systems before they fall victim to the worm's relentless spread.

"If people don't patch, there could be millions of infections," Huger said.

Symantec and rival antivirus companies Network Associates, Kaspersky Labs and Central Command all warned users of a modified version of the worm that apparently differs by only a few file names but otherwise is identical to the original. Network Associates also discovered a third version of the worm that apparently changes a file name and a registry key.

Because the variants don't repair the worm's flawed method of selecting new targets, they won't change the overall properties of the current epidemic, Huger said. "The variant spreads roughly at the same speed" as the original worm, he said.

The introduction of the MSBlast worm ended nearly a month of speculation over when a programmer would commit the obvious crime of writing a worm that takes advantage of a vulnerability in a widely used feature of Microsoft Windows. The worm pieces together code to exploit the most recent major flaw in Windows with publicly available tools such as the Tiny, or Trivial, File Transfer Protocol (TFTP) server.

Estimates of the size of the MSBlast epidemic vary widely.

The Computer Emergency Response Team (CERT) Coordination Center, a clearinghouse for information on Internet threats, said as many as 1.4 million Internet addresses seemed to be the home of computers the worm--or an earlier attack program on which the worm was based--had compromised.