http://www.nwfusion.com/news/2003/0818unblast.html

By Ellen Messmer
Network World Fusion
08/18/03

As if last week's Blaster worm didn't cause enough damage, there are now reports of a worm that breaks into Windows-based computers to try to delete any trace of the Blaster worm infection, and then downloads the patch Microsoft developed to fix the vulnerability that Blaster exploits.

First spotted in Asia, the worm is being called Nachi, Welchia or MSBlast.B, according to at least three antivirus firms that have analyzed its code.

Ian Hameroff, security strategist at Computer Associates, which has named the worm Nachi, said it can break into any Windows XP, 2000, NT or 2003 machine that hasn't been patched for the Remote Procedure Call (RPC) vulnerability identified last month.

This is the technique exploited by the Blaster worm first seen last week, which infected hundreds of thousands, if not millions, of computers worldwide. Blaster's main purpose was to launch a denial-of-service attack against Microsoft's Windows Update site via compromised machines.

But that had very limited success since Microsoft disabled the windowsupdate.com URL that Blaster specifically targeted. This URL was a redirect link to the main Microsoft site windowsupdate.microsoft.com, which Microsoft protected.

Chris Thompson, vice president of marketing at Network Associates, noted that the Blaster worm couldn't start a DoS attack when it couldn't find the target URL, and would instead try to hit an IP address 255.255.255.255 five times afterward. But Windows machines aren't prepared to handle that request anyway, he added.

The Blaster worm failed to affect Microsoft substantially. However, many corporate networks have faced paralyzing congestion due to scanning caused by Blaster infections of unpatched machines.

Now, a new worm is on the loose to infect vulnerable machines in the same way Blaster does.
But its purpose is thought to be to find Blaster code, eradicate it, and install the Microsoft patch.

However, trying to install a patch without the network administrator's oversight can "have repercussions," such as causing machines to fail, noted David Perry, Trend Micro's global director on education issues. It represents a break-in of a different sort that must be prevented through proper patching and other means, such as antivirus software.

The Nachi/Welchia/MSBlast worm does not seem to be moving fast, but security firms are keeping a close eye on evidence of its spread since it could also become a problem this week as Blaster was last week.