Security company Symantec, which directly measures the spread of the worm via sensors distributed throughout the Internet, said the number of computers compromised by MSBlast--aka W32/Lovsan and W32.Blaster--had reached 228,000 by midmorning Wednesday. Alfred Huger, senior director of engineering for the company's security response team, estimated that millions of computers may still be vulnerable to the flaw, leaving administrators scrambling to patch systems before they fall victim to the worm's relentless spread.
"If people don't patch, there could be millions of infections," Huger said.
Symantec and rival antivirus companies Network Associates, Kaspersky Labs and Central Command all warned users of a modified version of the worm that apparently differs by only a few file names but otherwise is identical to the original. Network Associates also discovered a third version of the worm that apparently changes a file name and a registry key.
Because the variants don't repair the worm's flawed method of selecting new targets, they won't change the overall properties of the current epidemic, Huger said. "The variant spreads roughly at the same speed" as the original worm, he said.
The introduction of the MSBlast worm ended nearly a month of speculation over when a programmer would commit the obvious crime of writing a worm that takes advantage of a vulnerability in a widely used feature of Microsoft Windows. The worm pieces together code to exploit the most recent major flaw in Windows with publicly available tools such as the Tiny, or Trivial, File Transfer Protocol (TFTP) server.
Estimates of the size of the MSBlast epidemic vary widely.
The Computer Emergency Response Team (CERT) Coordination Center, a clearinghouse for information on Internet threats, said as many as 1.4 million Internet addresses seemed to be the home of computers the worm--or an earlier attack program on which the worm was based--had compromised.
My XP system yesterday 8/13/03 was infected with this worm. I did not have AV software.
I renewed my AV software and indeed had this blaster32 worm.
I installed the MS patch.
I ran the AV software, and I indeed still had the worm.
This morning 8/14/03 I ran the fixblast.exe removal tool from Symantec and it said I did not have the worm. I ran Norton AV full scan again, and it said I did not have the worm
How is this possible that one day I have it, and then it is not there?
Could it have morphed into something else?
Does it just die in certain cases?
Thanks